Experian Data Breach Resolution and the Ponemon Institute release new study on corporate data breach preparedness
The majority of breached companies admit to consequences, including high business impact, yet they still struggle to take steps to mitigate future incidents
Costa Mesa, Calif., April 23, 2013 — Experian Data Breach Resolution and the Ponemon Institute today released a new study that finds that, despite the majority of companies experiencing or anticipating significant cost and business disruption due to a material data breach, they still struggle to take the proper measures to mitigate damage in the wake of an incident. The report, Is Your Company Ready for a Big Data Breach?, examines the consequences of data breach incidents and the steps taken to lessen future damage. Respondents include senior privacy and compliance professionals of organizations that experienced at least one data breach. The top three industries represented are retail, health and pharmaceuticals, and financial services.
“A majority of companies we surveyed indicate they have already or are very likely to lose customers and business partners, receive negative publicity and face serious financial consequences due to a data breach,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Yet, despite understanding the consequences, many companies struggle to take the right steps to mitigate the fallout following an incident, demonstrating a need for better awareness and investment in the tools that can alleviate negative customer perceptions.”
Key findings include:
Companies experience and anticipate harm due to breaches
Companies that suffer data breaches experience significant costs and business disruption, including the loss of business and trust from customers, negative media attention and legal action.
• Seventy-six percent of privacy professionals say their organization already had or expects to have a material data breach that results in the loss of customers and business partners.
• Similarly, 75 percent say they have had or expect to have such an incident that results in negative public opinion and media coverage.
• Sixty-six percent of companies have or believe they will suffer serious financial consequences as a result of an incident.
Despite consequences, incident response remains a challenge
Companies struggle to properly handle potential damage due to a data breach and implement technologies to help prevent future incidents, even after suffering an incident.
• Despite experiencing a breach, not all companies prepare for a future breach.
o Thirty-nine percent of companies say they have not developed a formal incident breach preparedness plan even after experiencing a breach.
o Only 10 percent of organizations have data breach or cyber insurance.
• A majority of organizations surveyed don’t provide clear communication and notification to victims following an incident.
o In fact, only 21 percent of respondents have communications teams trained to assist in responding to victims.
o Additionally, only 30 percent of respondents say their organizations train customer service personnel on how to respond to questions about the data breach incident.
o The vast majority (65 percent) also lack mechanisms to verify that contact with each victim was completed, and only 38 percent have mechanisms for working with victims with special circumstances.
• The survey also finds that organizations are missing security technology safeguards and tools to prevent or understand the extent of an incident.
o Encryption is not widely deployed: Less than one-third of respondents say sensitive or confidential personal and business information stored on computers, servers and other storage devices is generally encrypted.
o Forensics is lacking: Many organizations lack the forensics capabilities to fully understand the nature and extent of the incident.
Only 36 percent have the tools or technologies to assess the size and impact of a data breach.
Nineteen percent have advanced forensics to determine the nature and root causes of cyberattacks.
Only 25 percent have the ability to ensure the root cause of the data breach was fully contained.
“The study findings show that organizations need to prioritize preventing future breaches and better manage post-breach response,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “In addition to improving technical safeguards, it’s clear that companies also should focus more attention on meeting the needs of affected consumers that suffer a data breach.”
To access the full report, Is Your Company Ready for a Big Data Breach?, visit www.experian.com/readiness.
For more information, visit http://www.experian.com/DataBreach.
Read Experian’s blog at http://www.experian.com/DBBlog.
Contacts:
Tara Mulcahy
Edelman
1 206 268 2212
tara.mulcahy@edelman.com
Becky Frost
Experian Data Breach Resolution
1 949 202 7296
bfrost@experianinteractive.com
About Experian Data Breach Resolution
Experian® is a leader in the data breach resolution industry and one of the first companies to develop products and services that address this critical issue. As an innovator in the field, Experian has a long-standing history of providing swift and effective data breach resolution for thousands of organizations, having serviced millions of affected consumers. For more information on the Experian Data Breach Resolution division at ConsumerInfo.com, Inc. and how it enables organizations to plan for and successfully mitigate data breach incidents, visit http://www.experian.com/databreach.
About Experian
Experian is the leading global information services company, providing data and analytical tools to clients around the world. The Group helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score, and protect against identity theft.
For more information, visit http://www.experianplc.com.
Experian and the Experian marks used herein are service marks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the property of their respective owners.