Rand: 64M Americans Have Received Breach Notices (And That’s OK!)



A survey by The Rand Corporation found that as many as a quarter of all U.S. residents – 64 million adults in the U.S. – have received a notification that their data was exposed in the last year, evidence of the far reach of data theft and data loss within the U.S.

Almost half of U.S. consumers reported having received a notification that their information was part of a breach, with 26 percent saying they had received such a notification in the last year. Surprisingly, though, few consumers severed ties with the offending company as a result. In fact, 89% said they continued doing business with the breached firm.

The survey is just the latest to suggest that U.S. consumers are becoming accustomed to news of data breaches, as the effects of large breaches ripple through the U.S. economy and society.

Rand surveyed 6,000 adults between May and June 2015 to collect information on the impact that data breaches were having (PDF). Exposure to a breach of some kind was common. Fully 44% of those surveyed had received a notification about their data being exposed at some point in their lives. More than a quarter – 26% – had received a notice in the last 12 months.

Extrapolating from those numbers, Rand estimated that more than 60 million Americans may have received such a notification in the last year. Affected Americans spanned all age groups and were found in all regions of the country. However, wealthier Americans were far more likely to report having received such a notice. The wealthiest income group surveyed – those making more than $100,000 annually – was more than three times more likely to report having received such a breach notice.

Credit card information was the most common form of lost or stolen data, with 49 percent of respondents saying that they had credit card data lost or stolen. Twenty-one percent reported having health data stolen and 17 percent said their Social Security number was lost or stolen in a breach.

And, despite claims by industry that the theft of data such as credit card information is a victimless crime, those who reported having received a notice that their data was stolen believe that the theft cost them personally. Sixty-eight percent said that the incident cost them some money, with the median amount being $500. Median dollar values were higher if health information ($1,000), Social Security numbers ($1,000), or other financial information ($864) was compromised, Rand reported.

Still, for companies that are the source of lost or stolen data, there is good news in the survey’s numbers. The vast majority (89%) said they continued doing business with the company that was the source of the breach, while seven in ten gave the breached company high marks for its response. A surprising 60 percent said they recognized and took advantage of credit monitoring services and identity theft protection services offered in the wake of a breach. That’s far higher than the credit monitoring industry’s data would suggest. According to one industry executive, the percentage of affected consumers who register for credit monitoring services is reportedly lower than 10 percent – and often much lower.

What to make of this survey? Read between the lines and some familiar themes emerge. Consumers, we learn, are very likely to be the victims of some kind of data breach, and are not that surprised when they are victims. Beyond that, they’re not so sure what to do about it. In fact, only half of those who were affected by a breach took steps to protect themselves after learning about it, Rand noted.

In many cases, that lack of action was appropriate. As one respondent whose health data was stolen noted, “I cannot change my health insurance.” Another response: “Because it was my employer’s site that was hacked, there was nothing any of us could do but wait and see what happens.”

Indeed, asking what individuals are going to do in response to data theft is kind of like asking what they’re going to do in response to air pollution. There might be some small gestures we can make as individuals to protect ourselves, but those are very different from the kinds of actions that will actually address the problem.

For data theft to really go away as a problem, much bigger and more systemic changes need to happen first. Among them: a federal data breach law that establishes a national standard for consumer notification of data theft incidents and that holds organizations accountable for leaks of sensitive and protected data. With no costs imposed on the firms that lose data, there are few incentives for them to make data protection a priority.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.
