IT pros believe data breach harm assessment is more valuable than victim notification, study says

The study was published as the EU proposed 24-hour data breach disclosure deadlines

IT professionals believe that assessing the potential harm caused by data breaches is more useful to mitigating the effects of such incidents than notifying affected individuals, according to a survey published on the day the European Union's proposed a 24-hour deadline for data breach disclosures.

Entitled "Aftermath of a Data Breach," the study was sponsored by information services company Experian and was conducted by the Ponemon Institute, which surveyed 584 experienced IT professionals working for companies that suffered a data breach involving consumer records during the past 24 months.

The questions asked by the Ponemon Institute tried to establish the circumstances leading to the data breach, the company's response and the incident's impact on the affected organization's data protection practices.

One of the study's most interesting conclusions was that while notifying victims and regulators are the most common steps taken by companies in the aftermath of a data breach, IT professionals don't view them as the most important actions for reducing the negative consequences of such incidents.

Only 6 percent of survey participants said that victim notification is helpful for reducing the impact of a breach, a significant change of opinion compared to 2007 when 54 percent of IT professionals chose it as an important mitigation step.

Retaining outside legal counsel, carefully assessing the harm to victims and hiring forensic experts to investigate the breach were viewed as the most valuable actions a company can take in the aftermath of a breach by approximately half of respondents.

By comparison, contracting computer forensic experts was considered important by only 5 percent of survey participants in 2007. This suggests that IT professionals today are much more interested in learning how a breach happened before taking action.

Legislators in both the U.S. and the European Union are pushing for legislation that would require companies to alert victims about data breaches in a more timely and uniform manner.

The European Commission proposed significant changes to the E.U.'s data protection laws Wednesday that include a 24-hour deadline for companies to report data breaches. While the proposal was largely welcomed by consumer protection groups, it attracted criticism from the U.S. Department of Commerce and business associations, which described the deadline as too short.

The Aftermath of a Data Breach survey also revealed that, despite making improvements to their data breach response practices, companies still have a long way to go as far as prevention is concerned. Only half of respondents believed that their companies made the best possible effort to protect customer and consumer information in advance of a data breach.

Negligent staff, disgruntled employees and third-party contractors remain the primary source of data breaches. Despite the large wave of cyberattacks that targeted companies last year, only 7 percent of respondents named such attacks as the cause for a data breach in their organization.

According to the study, companies continue to avoid offering free credit monitoring or identity protection services to data breach victims, and when such services do get offered, they rarely exceed periods of one year.

Nearly half of respondents said that their companies suffered data breaches that involved log-in credentials and credit card or bank payment information. Sixty percent of them said that the data was not encrypted, while 16 percent were unsure.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?