Breach notification letters have become so frequent that 48% of recipients do nothing because of notification fatigue, and 36% assume the letter itself is a scam

Americans received a record number of data breach notifications in 2025. Eighty percent of consumers received at least one breach notice in the past year, and forty percent received between three and five. The notices are written in dense legal language, minimize the severity of the breach, and often arrive months after the breach occurred. The recommended actions are always the same: monitor your credit, change your passwords, consider a credit freeze. Consumers who followed these steps after the first notice see no reason to act differently after the fifth. The result is that the breach notification system, which was designed to empower consumers to protect themselves, has become background noise.

Of people who received a notice and did nothing, 48.3% cited breach fatigue from receiving too many notices. 46.1% felt helpless because they believed nothing they could do would help. 41.6% judged from the notification language that the breach was not serious. And 36% did not trust the notice and thought it was a scam. This last group is not irrational: phishing emails frequently impersonate breach notifications, so treating a real notice as a scam is a reasonable heuristic in an environment saturated with fraud.

This persists because breach notification laws were written in a pre-breach-epidemic era when breaches were rare enough that each one warranted individual consumer action. Now that breaches are continuous and cumulative, the notification framework is structurally broken. Making it worse, only 30% of breach notifications in 2025 disclosed the root cause of the breach, down from nearly 100% in 2020. Companies have learned to use notifications as liability shields rather than genuine consumer warnings. The notifications technically comply with the law while being practically useless.

Consumers who need to act the most, those whose SSNs were exposed in the National Public Data breach or similar catastrophic events, are the least likely to act because they have been desensitized by years of identical, toothless letters.

Evidence

80% of consumers received at least one breach notice; 48.3% cited fatigue for inaction (ITRC): https://www.idtheftcenter.org/wp-content/uploads/2025/06/2025-ITRC-Trends-in-Identity-Report.pdf

U.S. data compromises hit all-time record in 2025: https://www.hipaajournal.com/u-s-data-breach-record-2025/

Only 30% of 2025 notifications disclosed root cause (down from ~100% in 2020): https://www.bankinfosecurity.com/data-breaches-in-america-hit-all-time-record-high-in-2025-a-30624

36% of recipients thought the breach notice was a scam: https://komonews.com/news/local/checkbook-consumerman-podcast-dont-ignore-all-data-breach-notices-companies-send-you
