2016 may be the year of the data breach. Headlines in major media outlets across the country constantly feature companies affected by data breaches and by now, everyone has read one of these articles and thought, “I’ve shopped there” or “I use their services.” So are Americans worried? Do they think data breaches are a given? And how do consumers want these incidences to be handled?
Public Opinion Strategies explored answers to these questions and more in a recently completed national survey of American voters, conducted for the Institute for Legal Reform. These polling results will be featured today at ILR’s Legal Reform Summit during a panel titled Zipcar or Zeppelin? The Direction of Data Privacy Liability.
We chatted with the key researchers, Bill McInturff and Lori Weigel, to get the scoop on this presentation and what people are thinking about data breaches, liability, and notification standards.
Do Americans worry about security of their personal information?
Voters are increasingly concerned about the security of their personal information while shopping on-line. Almost three-quarters (74 percent) say they worry “a lot” or “some” about the security of their personal information while shopping on-line. This is an increase of ten points from September 2014 when a CNBC survey found that 64 percent worry a lot or some about this.
However, their concern is not limited just to on-line information. Nearly two-thirds also indicate that they worry about the security of their personal information while shopping at retailers in person.
It is important to keep in mind that the vast majority of Americans think that data breaches are frankly unavoidable. Seventeen percent say that data breaches are “inevitable,” while another 63 percent say such an event will “probably” happen. Only 16 percent say that data breaches will only happen to companies that are negligent or incompetent in handling this information.
How do Americans want companies to respond following a data breach?
First and foremost, voters want to be notified that their information may have been compromised. When we asked respondents in focus groups to tell us the first step a company should take, almost all pointed to notification as being one of the primary steps. However, there is little sense among these respondents that notification standards vary from state to state, nor a desire to retain that system once informed of the fact.
We provided a brief explanation of the status quo prior to asking about a proposal to establish a single national notification standard: “Today, there are varying state and local laws with different rules for how a company must legally notify customers of a data breach, based on where a customer lives. Three states have no rules at all. One proposal would create a single, national standard for notifying people of a data breach and holding companies accountable for keeping their customers’ data secure.” Fully 86 percent indicate support for a national notification standard, with a majority (57 percent) strongly in support. A mere 12 percent oppose this.
Perhaps even more illuminating, support extends across the partisan spectrum: 83 percent of Republicans, 77 percent of independents, and 93 percent of Democrats indicate support.
How do Americans feel about class action lawsuits and regulatory actions following data breaches?
Voters say that companies who make investments up-front in cyber-security but still suffer a database breach should not be subject to litigation (70 percent). Similarly, three-quarters (75 percent) say that companies that respond afterward by quickly notifying its customers, providing free credit monitoring, and fixing the security problems in its systems also should not be sued.
In fact, more than two-thirds (69 percent) say that they would “limit class action lawsuits to people who have personally suffered identity theft, fraudulent activity in bank or credit card accounts or other financial harm.” Exposure would not constitute harm, therefore.
Moreover, we saw that American voters view these hacks as very different in nature than any issues that have come before, and therefore should be regulated by specific laws that take into account the aspects of data breaches. Four-in-five (84 percent) support ensuring “that we have consumer protection laws that specifically address data privacy, and not allow government regulators and lawyers to rely on older laws.” Support is not only significant but also fairly intense as 45 percent say they strongly support only using laws specifically drafted regarding data breaches to apply to these cases
Overall, the data shows us that Americans are concerned about data privacy, regardless of political orientation, and regulations, such as a national standard for data breach notification, should address this specific issue and widespread concern.