To many people, the claim that consumers are bored and unmotivated by data breaches is self-evident. However, when we dig beneath the surface, it becomes clear that the answer is more nuanced.
Are we using the right definition of breach fatigue?
The accepted definition of breach fatigue is that data breaches have become so common that many consumers don't react to news of a breach and aren't motivated to protect themselves.
However, this commonly held definition focusses too much on consumers. When we think about reputation management, we need to assess the views and responses of all the different stakeholders in the company’s ecosystem. This includes everyone from employees and shareholders to commercial partners and regulators.
If we look beyond just consumers, we are much less likely to conclude that breach fatigue exists, because we see that organisations still face great reputational threat from data breaches. This is particularly clear when we examine the response of regulators, who have shown more – rather than less – appetite for punishing companies and imposing eye-watering fines.
What is the future of breach fatigue?
Breach fatigue is commonly associated with incidents where the data stolen is financial. However, we have seen changes to the type and sensitivity of data which consumers are now offering up. Companies are increasingly collecting health data and genetic data, which to many consumers are far more emotive and highly valued than financial data. While we can cancel and replace a credit card, genetic and health data are at the very heart of our identity, meaning that this is where the future of reputational risk lies for organisations, and there won’t be ‘fatigue’ if this data is hacked.
Adding to that, from the perspective of organisations, future reputational risk lies in breaches being used for whistleblowing – particularly around environmental impact. For example, Extinction Rebellion is actively encouraging employees to leak green-washing to them, and they have created a partnership with the International Consortium of Investigative Journalists – the organisation behind the Panama Papers. Therefore, it’s easy to see how leaked data on a corporate’s environmental impact would be hugely reputationally damaging.
To sum up…
We need to look at the proposition of breach fatigue through the lens of whether data breaches still cause loss of trust among the variety of stakeholders that an organisation relies on to succeed.
In terms of predictions for the future – we will find that consumers remain sensitive to breaches that involve their health or genetic data. On the other hand, organisations should also take care to avoid breaches which expose any failings relating to their sustainability policies as this would be highly damaging.
All of this means that we have by no means reached a position of general breach fatigue. Organisations should be very wary of assuming that breach fatigue affects all types of data and stakeholders.