How to make health data breach notifications useful

By: Amanda Booth

If a notification lands in someone’s inbox but they can’t understand it, does it make a sound? That’s the question at the heart of some concerns about the usefulness of current data breach notification regulations.

From 2005 to 2019, 61.55% of all data breaches reported to the Privacy Rights Clearinghouse database occurred in the health care sector, and those breaches affected over 249 million people. Ideally, each of those people would have been notified with a clear account of how their data was compromised and what they could do to protect it going forward.

However, some research suggests data breach notifications fall short of their intended purpose. A study found that 97% of the 161 data breach notifications sampled were “difficult” or “fairly difficult” to read, according to several readability metrics. The researchers noted that the notifications “downplay or obscure the likelihood of the receiver being affected by the breach and associated risks.” A co-author on this study, Florian Schaub, believes that “We need to rethink and rework consumer protection laws such as these to ensure that companies’ notifications are actually helpful to consumers.” 

In a survey conducted by the Identity Theft Resource Center, those who did not act after receiving a data breach notification did so because they either: 1) felt their data was already “out there,” 2) believed the organization that experienced the data breach would address any issues, 3) thought the notice was a scam, or 4) simply didn’t know what to do.

Federally, health data breaches fall under the Health Insurance Portability and Accountability Act (HIPAA) and the FTC’s Health Breach Notification Rule. HIPAA’s Breach Notification Rule requires covered entities (health care providers, health plans, and health care clearinghouses) and their business associates to notify individuals affected by a breach of protected health information. The FTC’s Health Breach Notification Rule imposes similar notification requirements on vendors of personal health records and related entities that HIPAA does not cover; wellness and period-tracking apps are typical examples. Because these non-covered entities face far fewer privacy and security requirements overall, breach notifications arguably play a more central role in consumer protection for the average wellness app than for a doctor’s office.

Unfortunately, many companies do not write health breach notifications that enable consumers to act in their own best interest, and there is little incentive for them to put in the extra work to make notifications useful. The FTC should adapt its existing data breach notification template into a dedicated health data breach notification template. The revised template should prioritize clarity and actionable tasks, reducing the burden on consumers and pushing companies to state plainly what is at stake in the breach.

The FTC should revise the existing template based on the findings of the readability study mentioned earlier. For example, the template could present the actions consumers can take to protect their data as a bulleted list with relevant linked resources, instead of burying them in long paragraphs. The template could also require a company to state the level of risk an individual faces because of the breach. The FTC should add health data-specific components and conduct user experience research to confirm that most consumers can quickly understand the implications of a breach; user experience researchers from the United States Digital Service could carry out this research.
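The readability finding cited earlier and the template revision proposed here both come down to a measurable question: can a typical reader get through the notice? The following example, added to this page and not taken from the article or from the study it cites, scores two notices with the Flesch Reading Ease and Flesch-Kincaid grade-level formulas and flags over-long sentences, the kind of check a company or regulator could run on a draft before it is sent. The two notices are constructed for illustration, the syllable counter is a rough heuristic, and the choice of the Flesch formulas with their standard difficulty bands is an assumption; the article does not say which readability metrics the study used.

```python
import re

# Vowel runs approximate syllable nuclei; "y" is treated as a vowel.
VOWEL_GROUPS = re.compile(r"[aeiouy]+")
WORD_RE = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?")
SENTENCE_SPLIT = re.compile(r"[.!?]+")

# Standard Flesch Reading Ease bands, checked from the top down.
EASE_BANDS = [
    (90, "very easy"),
    (80, "easy"),
    (70, "fairly easy"),
    (60, "standard"),
    (50, "fairly difficult"),
    (30, "difficult"),
]


def count_syllables(word: str) -> int:
    """Heuristic syllable count: number of vowel runs, minus one for a
    trailing silent 'e' (but not '-le'), never below 1."""
    w = word.lower()
    n = len(VOWEL_GROUPS.findall(w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1
    return max(n, 1)


def split_text(text: str):
    """Return (sentences, words) for a notice; empty fragments are dropped."""
    sentences = [s for s in SENTENCE_SPLIT.split(text) if s.strip()]
    words = WORD_RE.findall(text)
    if not sentences or not words:
        raise ValueError("notice contains no scorable text")
    return sentences, words


def readability_band(ease: float) -> str:
    """Map a Flesch Reading Ease score onto its conventional label."""
    for floor, label in EASE_BANDS:
        if ease >= floor:
            return label
    return "very difficult"


def flesch_scores(text: str) -> dict:
    """Flesch Reading Ease and Flesch-Kincaid grade level for a notice."""
    sentences, words = split_text(text)
    syllables = sum(count_syllables(w) for w in words)
    wps = len(words) / len(sentences)   # words per sentence
    spw = syllables / len(words)        # syllables per word
    ease = 206.835 - 1.015 * wps - 84.6 * spw
    grade = 0.39 * wps + 11.8 * spw - 15.59
    return {
        "sentences": len(sentences),
        "words": len(words),
        "syllables": syllables,
        "reading_ease": round(ease, 1),
        "grade_level": round(grade, 1),
        "band": readability_band(ease),
    }


def long_sentences(text: str, limit: int = 25) -> list:
    """Word counts of sentences longer than `limit`: a plain-language lint."""
    sentences, _ = split_text(text)
    counts = [len(WORD_RE.findall(s)) for s in sentences]
    return [c for c in counts if c > limit]


# Two constructed notices for illustration; neither is real company text.
LEGALESE_NOTICE = (
    "We recently became aware of a cybersecurity incident involving "
    "unauthorized access to certain systems that may have resulted in the "
    "potential exposure of personally identifiable information pertaining "
    "to a subset of our users, and we are notifying you out of an abundance "
    "of caution."
)
PLAIN_NOTICE = (
    "Someone broke into our systems last week and copied your name, your "
    "email address, and the health conditions you logged. Your password was "
    "not taken. Change your password now and watch for emails that claim to "
    "come from us."
)

if __name__ == "__main__":
    for label, text in (("legalese", LEGALESE_NOTICE), ("plain", PLAIN_NOTICE)):
        print(label, flesch_scores(text), "long sentences:", long_sentences(text))
```

The single 44-word sentence of the legalese notice lands below the bottom of the Flesch scale, while the plain notice scores in the "easy" band at roughly a fifth-grade reading level. A regulator's template could set thresholds on exactly these numbers, and a company could run the same check in its incident response process before a notice is approved.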

Additionally, the FTC should encourage adoption of the template by offering a safe harbor: a company that uses the template would be immune from investigations related to the requirement that notifications be written in “plain language.” This immunity would be conditional on the notification containing no false information and omitting no key details about the breach, and it would not prevent the FTC from investigating the breach itself or who received notifications. Offering this safe harbor would also signal to companies that the FTC intends to focus more enforcement attention on the “plain language” requirement.

In general, the FTC and the government at-large need to focus enforcement efforts on ensuring that required disclosures to consumers don’t reek of legalese. These required disclosures need to first and foremost provide value to their intended audience: the public. A health data breach notification template would be a good start.

Amanda Booth (MPP ’23) is a designer and product policy analyst. Her research focuses on consumer protection, artificial intelligence, and equitable product design.
