
Finding a cure for breach fatigue

Breach fatigue is the label experts are assigning to the apathy observed in some consumers victimized by a swarm of internet breaches. The thinking goes that because we recently have seen a crazy number of successful corporate network breaches that have exposed the personal data of millions, folks are simply starting to disregard news of and advice about them.

Whatever impact breach fatigue might truly be having on some individuals, the concept still leaves me skeptical. Could these incidents, especially when considering the likes of Sony, which recently experienced a third exposure of customer data, actually be prompting at least some folks to discern just how their personal info is used or stored? Could now-mainstream cybercrime news actually be convincing some people to demand more privacy and security safeguards from the organizations with which they do business?

As we discuss in this month's edition, lawsuits have been filed after some breaches and then promptly thrown out of court. Change may be in the works. A federal judge in California chose to uphold the validity of a lawsuit filed against social media apps developer RockYou over a breach that exposed millions of users' private info. Bigger news would be that a jury rules in favor of complainants because their personal details were exposed at all – a nice antidote to breach fatigue.  

Still, there probably always will be some indifference to breach notifications. But I'd like to hope that today's average, technology-reliant consumer isn't blissfully trusting that businesses and the government have their best interests in mind. I'd like to think that the more data that is stolen by cybercriminals, the more that agencies like the Department of Justice demand that ISPs retain end-user data for their review, or the more that wayward Congressmen create bills weakly trying to marry our privacy rights with companies' data collection/profiling practices, some consumers take note and action.

Just last month, Sen. Jay Rockefeller, D-W.Va., introduced the Do-Not-Track Online Act of 2011, which would stop online businesses from collecting personal data from those wanting to retain their privacy. The bill includes penalties for rule breakers. And though regulation always has been viewed with some disdain by business leaders, history reveals that leaving companies to self-police doesn't work. On the flip side, mandates sans incentives or true penalties don't work either.

Neither do dismissed class-action lawsuits against businesses that have failed to take appropriate steps to avoid the exposure of their customers' data. Breach fatigue isn't merely about indifference. It's about the need to bolster consumers' privacy rights and recourse. Corporations, government agencies and the legal system can't go on forever shunning these.
