BreachExchange mailing list archives

IT Pros Believe Data Breach Harm Assessment Is More Valuable Than Victim Notification, Study Says


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 26 Jan 2012 02:08:27 -0500

http://www.pcworld.com/businesscenter/article/248724/it_pros_believe_data_breach_harm_assessment_is_more_valuable_than_victim_notification_study_says.html

IT professionals believe that assessing the potential harm caused by
data breaches is more useful to mitigating the effects of such
incidents than notifying affected individuals, according to a survey
published on the day the European Union proposed a 24-hour deadline
for data breach disclosures.

Entitled "Aftermath of a Data Breach," the study was sponsored by
information services company Experian and was conducted by the Ponemon
Institute, which surveyed 584 experienced IT professionals working for
companies that suffered a data breach involving consumer records
during the past 24 months.

The questions asked by the Ponemon Institute tried to establish the
circumstances leading to the data breach, the company's response and
the incident's impact on the affected organization's data protection
practices.

One of the study's most interesting conclusions was that while
notifying victims and regulators are the most common steps taken by
companies in the aftermath of a data breach, IT professionals don't
view them as the most important actions for reducing the negative
consequences of such incidents.

Only 6 percent of survey participants said that victim notification is
helpful for reducing the impact of a breach, a significant change of
opinion compared to 2007 when 54 percent of IT professionals chose it
as an important mitigation step.

Retaining outside legal counsel, carefully assessing the harm to
victims and hiring forensic experts to investigate the breach were
viewed as the most valuable actions a company can take in the
aftermath of a breach by approximately half of respondents.

By comparison, contracting computer forensic experts was considered
important by only 5 percent of survey participants in 2007. This
suggests that IT professionals today are much more interested in
learning how a breach happened before taking action.

Legislators in both the U.S. and the European Union are pushing for
legislation that would require companies to alert victims about data
breaches in a more timely and uniform manner.

The European Commission proposed significant changes to the E.U.'s
data protection laws Wednesday that include a 24-hour deadline for
companies to report data breaches. While the proposal was largely
welcomed by consumer protection groups, it attracted criticism from
the U.S. Department of Commerce and business associations, which
described the deadline as too short.

The Aftermath of a Data Breach survey also revealed that, despite
making improvements to their data breach response practices, companies
still have a long way to go as far as prevention is concerned. Only
half of respondents believed that their companies made the best
possible effort to protect customer and consumer information in
advance of a data breach.

Negligent staff, disgruntled employees and third-party contractors
remain the primary source of data breaches. Despite the large wave of
cyberattacks that targeted companies last year, only 7 percent of
respondents named such attacks as the cause for a data breach in their
organization.

According to the study, companies continue to avoid offering free
credit monitoring or identity protection services to data breach
victims, and when such services do get offered, they rarely exceed
periods of one year.

Nearly half of respondents said that their companies suffered data
breaches that involved log-in credentials and credit card or bank
payment information. Sixty percent of them said that the data was not
encrypted, while 16 percent were unsure.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
