Abstract

Data breach notifications are letters that companies are required to sent to affected individuals after a data breach. However, these notifications are often ineffective in motivating affected individuals to take appropriate reactive and protective actions. We present an enhanced data breach letter design that aims to improve comprehension and actionability of included information. We conducted a small-scale, between-subjects experiment comparing our design to a current breach letter. Our preliminary findings indicate that our design increases comprehensions and actionability and further provides insights for further design improvements to make data breach notifications useful and usable consumer protection tools.

Letter Redesign

Breach Notification Design

We developed our design based on representative examples of existing breach notification letters. The design instantiation shown in Figure 1 is based on a breach notification letter sent by Rail Europe North America Inc. on April 30th, 2018. Our design makes improvements in the following four areas:

• Structure/overview: We increased the font size difference between headers and paragraphs to create more information hierarchy, allowing the reader to more effortlessly follow the information flow. Headers (e.g “What Happened?”) and recommended steps are highlighted in blue to mark the topic of each section and catch the reader’s attention.
• Conciseness: Current breach notifications are dense, which may intimidate and deter the reader from parsing through the information. On the front page of our design, information is condensed to a few lines under each header; on the back, a few sentences were used to describe each recommended action with checklisted steps beside it. Compared to the Rail Europe letter, we condensed the amount of text from four to two pages while retaining all key information.
• Prioritization: Presenting choices in dense paragraphs can overwhelm the reader. We remedy this by numerically ordering the recommended steps from most to least urgent/effective. We list provided compensation (a free credit monitoring service for one year) first, followed by credit freeze, fraud alert, self-monitoring on credit reports, and obtaining additional information. We further used stylized arrows to guide the reader through the letter and the steps.The reader would read the large, blue headers first, then read left to right, starting with “Why is this important?” and moving to the “What can I do?”
• Actionability: Dense text and jargon can result in recommendations being inactionable for affected individuals. Our redesign removes unnecessary jargon and explicitly lays out each recommended step in a checklist form. We also bulleted and highlighted the breached information in gray to increase the urgency of the situation. To instill credibility, we designed the front of our notification to appear formal (letterhead, formal address of recipient) while maintaining consistent formatting throughout (blue headers, bubbled icons, sans serif font).

Study Protocol

We conducted a preliminary between-subjects lab study comparing our improved design (treatment) to the original letter by Rail Europe North America Inc. (control).

• 12 participants recruit through online forums and university email lists. Screening survey used to balance participant demographics.
• Participants were asked to read the breach notification letter at their own speed. Afterwards, they took a short questionnaire that assessed their comprehension of the letter's content.
• Then, we interviewed participants regarding their intended reactions, as well as their opinions of certain design features.
• Participants were then compensated with 15 dollars in cash at the end of the interview.

After interviewing all 12 participants, we annotated the transcriptions and consolidated all of the key information into an affinity diagram. We sorted them by noticeable themes, and organized our findings through this method. Below are our control and treatment affinity diagrams, respectively.

Findings and Final Product

Attitudes toward the Breach
Participants in both treatment and control conditions were confused about the difference between fraud alert and credit freeze. Nine participants acknowledged that the exposure of their SSN was the most alarming motivating factor to enact the recommended protective actions. Interestingly, all noted that if the SSN remained secure, they would simply cancel the card breached, void any inaccurate transaction, or take other less precautionary measures. More participants in the control condition felt overwhelmed by the sheer amount of information they needed to read compared to the treatment condition. Four noted that they mostly skimmed through the letter after reading the type of information compromised in the front and the bolded words on the back.

We also asked to what extent participants felt the notification was personalized to them, and how the breach might impact their relationship with the company. The two groups shared similar thoughts; both believed that the notification was fairly impersonal. Because the company has compromised the user's trust, these participants said they would rather look elsewhere for guidance, like the Internet or over the phone.

Intended Reactions to Breach Notification:
Five participants from both groups, when asked what recommended steps they would take, admitted that they could not distinguish between a credit freeze and a fraud alert. Six participants were skeptical of a credit freeze, worrying that it would be overly burdensome to enact. The greatest factor that influenced our participants’ behavior was the time required to initiate the protective actions. Six participants mentioned that they have busy lives, and a letter like this would easily be ignored; the actions might require significant time and effort, especially when dealing with bureaucracy, and they would rather delay taking action.

Three participants in the control group mentioned that, after seeing long paragraphs of text, they would immediately save the letter for later. P4 mentioned that they would have “ambient anxiety” – still worrying about the breach, but being unwilling to take action. They also mentioned that they would probably call the company and speak to an individual to get more “layman terms” on what happened.

Opinions Toward Design Features
Participants in the treatment group emphasized design features that aided them with comprehension more frequently than the control group. All participants mentioned color, checkboxes, and headers as key features supporting comprehension. All treatment participants mentioned that the grey on the front page highlighting the compromised information drew their attention, effectively giving more weight to the subject matter.

Participants approved the use of headers and checkboxes. All treatment participants said the headers helped chunk the letter and more clearly partitioned the different sections. All treatment participants, excluding P7, found the checkboxes appealing and understood its intent to promote productivity.

By contrast, little was said about the control notification beyond its front page headers and its use of bolding.