BreachExchange mailing list archives

UK consumers demand to be told of all data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 Nov 2013 03:16:35 -0700

http://net-security.org/secworld.php?id=15940

The UK public wants to be informed whenever an organization suffers a data
breach, and feels that more needs to be done to punish companies that lose
sensitive information, according to LogRhythm.

The survey also shows that consumers call for breach notification laws that
make it mandatory for all breaches to be reported to all customers –
irrespective of scale.

In the survey of 1,000 consumers, conducted by OnePoll, two-thirds of
respondents (66 percent) said that there should be legislation forcing
organizations to declare any data breaches experienced, with the same
percentage stating that customers should be told immediately.

While current EU legislation requires only affected customers of telecoms
operators or ISPs to be notified, 64 percent of respondents reported a
desire for all customers to be informed, regardless of whether their data
was compromised. On a similar note, the majority of respondents feel that not
enough is being done to uniformly punish organizations that lose sensitive
data.

"The barrage of data breaches this year has clearly impacted the way in
which consumers perceive the security of their personal information, which
points to an urgent need for organizations to up the ante on data
protection," said Ross Brewer, VP and managing director for international
markets at LogRhythm.

"EU data privacy laws go some way toward mandating full breach disclosure,
but the feedback from consumers is that much more needs to be done – across
industries far beyond the telecoms sector. However, with 53 percent of
respondents admitting that they would think twice about doing business with
breached organizations, businesses face a very difficult dilemma indeed,"
Brewer added.

When it comes to consumer confidence, the results were equally bleak, with
48 percent believing it inevitable that their data will be compromised by
hackers at some point. Echoing the results of a similar survey in November
2012, social media and gaming websites were deemed the least trusted
keepers of personal information, while healthcare providers and financial
services institutions were favored for security.

"Interestingly, when compared to last year’s results, the inevitability of
data breaches is more apparent, which could be signalling a worrying era of
data breach malaise. Perhaps, as initiatives such as the EU’s 24 hour
breach notification regulations develop, we’ll see confidence increase and
consumers becoming less resigned to the fate of their privacy. However,
organizations should not be motivated solely by the threat of regulatory
fines to keep data secure, and they must implement their own safeguards in
an effort to reassure customers their information is safe – particularly
with so many people willing to boycott the victim organizations."

In light of ongoing allegations of government-sponsored espionage,
respondents reported concern over the level of information sharing between
large organizations and internet companies – with 63 percent worried about
the impact this has on who sees their private data. In terms of national
cyber security, 16 percent of British consumers believe government
organizations are doing enough to protect national assets from cyber
security threats, compared to just 11 percent in 2012.

“This year, the UK government has been very outspoken about its drive to
commit more resources to cyber security, which could be a reason for the
slight increase in public confidence – however, it has been a tough few
months, and as NSA and GCHQ spying headlines continue to mount, confidence
is understandably still low,” continued Brewer. “In any case, the research
proves that more needs to be done by governments, industry regulators and
organizations themselves to restore the confidence of those who matter most
– the people handing over their private information. As consumers become
more wary of how their data is used, there really is no room for excuses or
lax security.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/