Data breach regulations, and data breach fatigue
Since the General Data Protection Regulation came into force on 25th May 2018, it’s been put to the test with a number of high profile breaches – from British Airways to Facebook to Superdrug. In some quarters the regulation is seen as working: in September the FT carried the headline “The BA data breach shows that regulation works”. Its point was that historically companies have waited months, even years, to tell their customers about data breaches – whereas now there is a deadline to notify regulators within 72 hours of a breach being declared and thereafter to inform consumers as soon as feasibly possible.
However, whilst businesses may have (to a certain extent) put their houses in order, there is a fundamental question: Do consumers even care about data breaches anymore?
As data breaches become more ‘common’, next year we may start to see ‘breach fatigue’, with consumers unable to keep up with the number of notifications landing in their inboxes and simply resigning themselves to the fact that their information is ‘out there’. They may even be more forgiving of breaches because of their frequency.
In the meantime, regulators are likely to up the ante on expectations for businesses to protect consumer data and, when there is a breach, do everything they can to inform consumers and encourage action – be that being more vigilant, calling a helpline for advice or taking up credit monitoring.
The challenge for businesses and communicators next year will be how to meet regulators’ demands around consumer notification when the consumers they are trying to reach have switched off. Unfortunately, the businesses that fail to convince regulators there’s been an adequate public response to their notification are likely to feel the fall-out, both in their reputation and finances.
Judith Moore, Partner, Corporate and Crisis