Data Breaches and the Dilemmas in Notifying Customers

While the discussion about a federal law on data breach notification is ongoing and a rash of large, costly data breaches has galvanized public interest in the issue, this paper investigates on the phenomenon of data breach notification letters. In case of any data breach a company faces a number of dilemmas on how to inform the customers. The choices that a company makes on the missive content result decisive in having a prompt customers’ reaction against identity theft and eventually in shaping the relations between customers and the organization itself. Starting from the various regulations in place in US, the analysis has been performed focusing on the content of over 210 letters sent in US in the first semester of 2014. In particular letters are classified based on elements that can be isolated and analysed, e.g. the level of transparency used in communicating the event causing the breach or the time span between data breach identification and its notification to customers. In the end we labeled the data breach notifications according to the message customers might perceive when reading them. As a result six message types have been identified. This investigation contributes to the ongoing debate on the federal law on data breach notifications, highlighting limitations and effects of the already implemented State laws.