Given the magnitude of security incidents, organizations typically put into place security measures. Nonetheless, data breaches still occur, leading to substantial negative consequences for customer users and organizations. While breached organizations will often reach out to the impacted customers to notify them of the incident and recommend protective measures, many users do not embrace those recommendations. As a result, the impacts become more dire. In this emergent research forum (ERF) paper, we build upon the information systems (IS) literature to put forth a theoretical framework that distinguishes between different taxa of inaction – unawareness, deliberate ignorance, and impotence. We propose a model to test specific antecedents for each taxon. This work paves the way for future research and informs the development of targeted post-breach communications.