It's no longer a case of if but when a data breach will occur — and consumers are catching on. In the age of digital services, this is a critical development because it means the average US consumer is now demanding the power to make more informed decisions about the way their data is used, stored, and processed. And for US legislative bodies, it means data protection could soon be a major topic on the ballot.
According to the latest Thales Consumer Digital Trust Index, almost half (48%) of US consumers report being victims of a data breach — higher than their global counterparts, at 33%. The sheer volume of cyberattacks in the US has brought data security to the mainstream eye, and consumers are tuning into the legal fallout from breaches affecting millions, including T-Mobile's 2021 cyberattack and Drizly's 2020 hack. Now, they are starting to make more informed decisions about how they want their data handled going forward.
The Public Is Taking Data Security into Their Own Hands
Breaches and ransomware attacks have dominated headlines and news cycles, and one in 20 victims reported first hearing about a breach affecting them on the news. Eleven percent of those companies took up to six months to inform consumers about a data breach — a failure on the part of the companies in question.
This pattern of weak transparency has driven consumers to take security matters into their own hands, as they realize inaction is not an option. Just over a fifth have stopped using a company that suffered a data breach, with a large portion of those requesting the company delete their information altogether, while others are keeping a closer eye on their accounts for suspicious activity (21%).
These actions show that data security is a priority for consumers, and it's good practice for organizations to enable them to share this responsibility, in part. Allowing for extra security measures on digital accounts, such as two-factor authentication (2FA), gives consumers more of a sense of control over their information — and that peace of mind is a key element in building trust.
Paying a Fine Is Not Enough
As for what they expect from companies that fail to keep their data secure, financial compensation is a natural consequence. Of surveyed consumers, 53% believe companies should offer compensation to victims, but, when it comes to overseeing regulations, only 31% believe companies should receive large fines for breaches, meaning it is far from the biggest priority from a consumer perspective. What more consumers want is better data security measures — not big payouts.
However, the methods consumers believe should be used differ. More than half believe companies should be forced into mandatory data protection controls following a breach. This includes encryption and 2FA, which have long been favored options. And just under half believe companies should be subject to more stringent regulation — for example, being monitored for 12 to 14 months post-breach. Others believe companies should be required to employ more cyber specialists — but the reigning feeling is that regulatory oversight would be a major improvement.
We're Looking to the Future of US Data Privacy and Security
One possible contender for that oversight is the American Data Privacy and Protection Act (ADPPA). Similar to the European Union's General Data Protection Regulation (GDPR), which put in place necessary guidelines for European consumer data, ADPPA is a landmark US federal privacy proposal that could potentially meet sweeping demands for security and privacy. Proposed in July 2022, it could also face a number of barriers, including tension between federal and state privacy rights and blowback from tech giants.
While we wait to hear about the progression of this legislation, it is increasingly clear that if it does not become law in the near future, something will have to provide that modicum of oversight. To fully realize what kind of change will be effective, it is important to understand consumer perceptions around data security in the US, and for organizations to provide more visible safeguards in their digital services, in the meantime.
In a digital world, data privacy and security cannot take a backseat. With GDPR leading as example, there is not only a need for similar federal legislation in the US, but a calling for it from US consumers who are tired of finding out they are victim of another breach, leak, or attack. They are ready to take data protection seriously, and it is time we see some federal defenses put in place.