I call them Dear John data letters, because of the bad news they bring and their decidedly warm and fuzzy tone.
"Dear Consumer. We've lost your personal information. It's fallen off a truck/was on a laptop that was lost/was stolen by a hacker. We're sorry and we promise to be better in the future. Good luck."
About one in nine consumers receives a Dear John data letter each year, and nearly half of all consumers have received at least one since the year 2000, when California law forced these kinds of disclosures on corporations and government agencies, according to a new study. The letters have become so familiar that many folks just ignore them and relegate them to the junk mail heap. But that's a big mistake. That same study shows consumers who receive such a notice are four times more likely to be hit with identity theft than members of the general population.
In fact, U.S. adults who get a Dear John data letter have a one in five chance of being victimized in the next 12 months, according to the survey, conducted by financial services research firm Javelin Research.
The researchers have concluded that consumers don't take the notices seriously enough. Even after they are victims of ID theft, most consumers don't blame the company for the leaked data. While 19.5 percent of those who received a fraud letter were victims of ID theft, only 2 percent linked the crime to the data leak, according to study author Mary Monahan.
"People don't connect the dots," said Monahan, Javelin's research director. "They don't understand the risk. ... People don't even seem to understand what the letters mean."
The results are consistent with previous research showing consumers don't react strongly to the announcements. In fact, the vast majority don't even take up a company's offer of free services like credit monitoring as apology for the transgression. After the infamous Lexis Nexis data leak in 2005, 305,000 letters went out with offers of free credit monitoring. Only 18,000 consumers, or 6 percent, signed up. In a similar incident, after Citibank sent out 4 million letters after a data leak, only 4 percent signed up.
Those results show consumers just aren't being helped by the notification letters, Monahan said.
"The letter is made so the consumer will take action, but the notification is not working because it's not clear enough, consumers don't understand and it's putting them at risk for fraud," she said. "This calls into question the effectiveness of the data breach notification laws in 45 states, as well as consumer education around data breaches in general."
It might be an oversimplification to simply declare consumers lazy, however. The quality of the letters varies widely. Some appear like urgent government notices. Some are easily-missed one-page letters in thin envelopes. Most have scant details, and don't tell consumers how their data was lost, or in some cases, even what specific data was put at risk.
The quality of free credit monitoring offers also varies. In many cases, the offers are thinly disguised marketing schemes for $10-a-month monitoring services offered by the nation's credit bureaus. Sometimes, the free offer is more like a free trial of three months, following by automated enrollment in the subscription program.
And there might be another reason: previous research, including one report by Javelin, suggested there was little connection between data breaches and identity theft. Monahan said improved research techniques account for the new finding.
With all these factors conspiring to lull consumers into ignoring the notices, a real opportunity to stem identity theft crime is being lost, the Javelin report concludes. Timing is critical for consumers who are victims. Those who discover the crime quickly have a far easier time cleaning up the mess than those who are in the dark for four or five months. According to the survey, victims who take up to five months to detect fraud suffer nearly three times the average consumer cost in lost time, wages and other expenses ($933) as those who discovered fraud within one day ($323) and double the cost of those who discover it in a week ($484).
Still, most consumers are befuddled when they get a Dear John data letter. They don't know which agencies to call, how to place credit freezes on their reports or the odds that they will become identity theft victims.
"Obviously consumers do need to have more guidance on what to do," Monahan said. "While the idea of notification is to provide an opportunity for consumers to take action, apparently they do not. This suggests that notification is not working."
Red Tape Wrestling Tips
A step-by-step list of "what to do if your ID is stolen can be found in this story.
And here's a what-to-do chart provided by Javelin: