Consumers want national data breach notification policies

Sienna Kossman

In the case of a data breach, what consumers don’t know can hurt them.

A study conducted by the National Consumers League and Javelin Strategy and Research revealed that many victims of fraud don’t know how their information was compromised. As a result, they want more protection as they fear the unknown.

The online survey of 200 fraud victims from Chicago, Los Angeles, Miami and Minneapolis revealed that 49 percent of victims do not know where the information used to defraud them was collected. Additionally, an overwhelming 86 percent of respondents said that consumers should be notified of a data breach immediately, no matter what.

According to Al Pascual, senior analyst of fraud and security for Javelin Strategy and Research, if consumers are notified of a data breach sooner and more thoroughly, they can better protect themselves from fraud.

“Consumers take breach notifications seriously,” he said. “After comparing victims who were notified to those who were not, those who were notified actually suffered fewer instances of fraud than those who were not.”

Data breach victims who know how their information was stolen are also more likely to take additional steps to prevent future fraud, according to the report.

Besides protecting themselves, consumers want the government to do more to protect their information. Survey results showed only 28 percent believe current federal regulations to be sufficient. Consumers want more information and guidance through the aftermath of a data breach and they feel the government should play a bigger role in that area.

As a result of these findings, the NCL has launched the #DataInsecurity Project to raise awareness of the effects of data breaches and to push for notification and policy updates. NCL is calling for a specific list of reforms, topped by a request that the federal government create a national data breach notification standard. Several such standards have been proposed to Congress but none has passed into law.

Since 2005, 47 U.S. states have taken on the responsibility of regulating their own data breach notification policies. But the policies vary in complexity, language and coverage. For example, definitions of personally identifiable information and what qualifies as a potentially harmful data breach differ from state to state. That complicates how affected corporations comply and means some consumers get more access to information than others.

And what about those three states that don’t have a policy at all? That’s a good question, said Mary Ellen Callahan, International Association of Privacy Professionals member and former chief privacy officer for the U.S. Department of Homeland Security.

“It’s an extraordinarily complex network of different regulations,” she said.

A nationwide data breach notification standard would not only give consumers the same level of notification coverage across all 50 states but also make it much easier for companies to comply and give consumers what they are asking for.

“Given the increasing scope and costs of data breaches, a hands-off approach by the government is not working well enough,” said John Breyault, NCL’s vice president of public policy, telecommunications and fraud. “A national security standard would be very helpful.”
