
Scott & Scott LLP and Ponemon Institute Survey: Data Security Breach

According to a new study commissioned by Scott & Scott, LLP (www.scottandscottllp.com) and conducted by privacy and information management research firm the Ponemon Institute (www.ponemon.org), 85 percent of businesses have experienced a data security breach. Despite the frequency of such security failures, 46 percent of businesses failed to implement encryption solutions even after suffering a data breach, and 82 percent did not seek legal counsel prior to responding to the incident despite having no prior response plan in place.

The survey, entitled "The Business Impact of Data Breach," examines the responses of more than 700 US-based C-level executives, managers and IT security officers in mid-size to large businesses spanning all industries.

Analysis of the results shows that businesses are struggling to implement the proper policies and controls required to prepare for and mitigate the legal, regulatory and financial risks associated with a security failure. In addition, many businesses may be discounting the long-term threat to customer retention and corporate reputation.

Key findings from the survey include the following:

  • More than 85 percent of respondent organizations reported that they have experienced a data breach event.
  • Of those organizations, fewer than 43 percent had an incident response plan in place, and 82 percent failed to consult with legal counsel before responding to the incident.
  • Following a breach, 46 percent of organizations still failed to implement encryption technology on portable devices.
  • 95 percent of businesses suffering a data breach were required to notify data subjects whose information was lost or stolen.
  • 97 percent were required to notify under state statutes.
  • 58 percent were required to notify under federal privacy acts such as HIPAA, GLBA and OCC.
  • Organizations that suffered a data breach actually employ substantially more IT and data security measures than organizations that did not experience a data breach.
  • 37 percent of respondents say their organizations sent blanket notifications, rather than precise notifications.
  • Organizations experiencing a data breach incurred costs across the board.
  • 74 percent report loss of customers.
  • 59 percent faced potential litigation.
  • 33 percent faced potential fines.
  • 32 percent experienced a decline in share value.
  • Almost half of the breach incidents were attributed to lost or stolen equipment such as laptops, PDAs and memory sticks. The second largest threat came from negligent employees, temporary employees and/or contractors.
  • Despite the frequency of data breach events, 42 percent of respondents claim their organization's IT security spending will remain the same in the coming year.

With nearly 100 percent of businesses stating they were required under state or federal regulations to report the breach, respondents place careful assessment of potential harm to data subjects as their first priority following a breach. Most report little or no monetary harm to the data subjects.

These findings seem to highlight the need for reform of notification requirements, which can be detrimental to businesses especially when weighed against the perceived lack of real benefit to consumers.

This piece is brought to you by the DM Review editorial staff.
