Fear always passes, and once it passes, it’s often replaced by fatigue. On an individual, biological level, anxiety drives the sympathetic nervous system into overdrive. Stress hormones surge. But there is an energy cost to repeatedly putting the body on high alert and a crash is inevitable.
Today, we are seeing these same effects across the anatomy of an industry. Digital marketers, cybersecurity experts, tech gurus, journalists, and regulators all went into overdrive in order to address a series of high-profile data breaches, privacy laws, public hearings, and cases of data misuse in 2018. Then “data breach fatigue” set in.
Large-scale hacks and exposures now elicit indifferent yawns, not alertness. Wired, WaPo, NBC News, The New York Times, and major outlets have all reported on this concept of data breach fatigue. Have people become desensitized to digital dangers?
The danger of apathy
Experts are worried that these fluttering eyelids will become closed to the importance of online security. If consumers are apathetic, they may overlook small, fraudulent charges being billed to their cards. In August, US officials announced the arrests of alleged leaders in the hacking group FIN7. The Department of Justice stated that this group successfully breached the computer networks of companies in 47 states, hacked thousands of systems, and stole 15 million credit and debit card numbers. According to a Wall Street Journal/NBC News poll, almost half of all Americans have received notifications from retailers and card issuers informing them that their payment card details were stolen.
The fatigue expresses itself in different ways. Consumers might not monitor their card activity. They could overlook appropriate options for identity theft protection. Sometimes, users rely on the same password across multiple sites and they might not even change their passwords or freeze their credit after receiving breach notifications. They might not take advantage of multi-factor authentication options if they just don’t see the point.
On social media, people are also engaging less with stories about breaches, with their outrage seemingly subsided. Facebook usage actually increased after the Cambridge Analytica scandal. This apparent apathy has created an opportunity for cyber criminals to compromise information and repeatedly exploit it on the black market.
Some data breaches have been extremely broad and others have undermined brands’ digital efforts. Data breaches are different than exposures, in which information is made accessible that should have been kept under lock and key, but the effects are oftentimes the same: an opportunity for cyber crime, the erosion of consumer trust, and the onset of fatigue.*
The erosion of trust
Vivek Lakshman, VP of Innovation at ThumbSignIn, told me, “Often consumers trust brands and trade-in personal information for better experiences or relevant offers. This trust is getting eroded only too frequently by the largest brands which don’t have thorough security or policies for handling customer data. Up until now, brands have taken an aggressive approach to collecting information from consumers but have been passive in protecting it. As more breaches surface, consumers are counter-intuitively becoming more desensitized to the loss.”
The attack on Yahoo in 2013 affected all of its user accounts, 3 billion in total. Under Armour acquired a food and nutrition application, likely with the hope that the gamification of caloric goals would pair well with its sports apparel brand, but a breach of that app affected 150 million users. Shares dropped 3.8 percent. The effort backfired, but digital marketing efforts can still be done right.
The modern digital marketing ecosystem allows companies to market and compete at low costs and in highly targeted ways. As it continues to evolve, consumers might find that they’re receiving more relevant offers, personalized communications, significant discounts, and better service, which may lessen any animosity they would otherwise harbor toward brands harvesting their digital data.
Breaches an “existential threat”
In an interview, Cory Cowgill, Chief Technology Officer at Fusion Risk Management, told me, “I don’t see this as an either-or situation with respect to data privacy, security, and a data-driven economy. Customers and businesses can have their cake and eat it too.”
Cowgill said that customers, or data subjects, have been empowered by recent legislation such as GDPR. Cowgill also asserted that the economics of data breaches have not yet compelled businesses to strongly invest in cybersecurity.
He continued, “As more of these large-scale data breaches come to light in the era of GDPR and the California Consumer Privacy Act (CCPA), the associated fines and lawsuits will make this a board level priority as an existential threat to a business. GDPR for example has the power to fine 4% of global revenue or 20 million euros, whichever is greater, for a company. The CCPA has a cap of $7,500 per violation, which if interpreted as per customer record, could easily reach millions.”
If news outlets and online discussions continue to focus on breaches, in spite of the numbing fatigue, regulators and legislators might respond by taking additional actions.
Cybersecurity expert Chuck Brooks told me that the fallout from the Marriott breach may serve as an indicator to see if targeted marketing combined with special offers and discounts can offset the bad PR resulting from a breach or exposure. “More training on the basics of cyber-hygiene should be the rule rather than the exception to counteract threats,” he added.
It’s now 2019. People have just finished looking back and are looking ahead. It’s the perfect time for renewed vigilance. Vivek Lakshman told me that brands can build up their security infrastructure by adopting biometrics wherever possible, proactively tracking intrusions with advanced technology, and creating a data-sensitive employee culture where employee accountability would also be critical.
Hacks will continue, but if consumers are able to stay awake during data breach fatigue, the damage can be contained.
* “(D)ata breaches are intrusions into sensitive systems perpetuated by a hacker(s) or unauthorized user. Data leaks, however, are incidents where this information is simply exposed as the result of a company’s internal processes or by a mistake.” NextAdvisor