Companies are complacent and lack confidence when it comes to data breach preparedness, according to a new study

Costa Mesa, Calif., October 5, 2016 — While most organizations have a data breach preparedness plan in place, data indicates that executives are not updating or practicing the plan regularly and lack confidence in its effectiveness. These revealing findings are according to the just-released study Is Your Company Ready for a Big Data Breach?, sponsored by Experian Data Breach Resolution and conducted by the Ponemon Institute.

The fourth annual study shows that data breach preparedness certainly is on companies’ radar, and having a response plan in place is par for the course. The number of organizations with a plan increased from 61 percent in 2013 to 86 percent in 2016. However, despite this strong majority of companies that now have a response plan in place, 38 percent of organizations surveyed have no set time period for reviewing and updating it, and 29 percent have not reviewed or updated their plan since it was put in place. Furthermore, only 27 percent of organizations surveyed are confident in their ability to minimize the financial and reputational consequences of a breach, and 31 percent lack confidence in dealing with an international incident.

To access the full complimentary report, visit

“When it comes to managing a data breach, having a response plan is simply not the same as being prepared,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Unfortunately many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills.”

The lack of planning is especially troublesome when considering the rise of new threats in the marketplace, such as ransomware. In fact, the study showed that 56 percent of surveyed organizations are not confident that they could deal with a ransomware incident. Additionally, only 9 percent of survey respondents have determined under what circumstances they would pay to resolve a ransomware incident.

“Investing in breach preparedness is like planning for a natural disaster. You hope it will never happen, but just in case, you invest time and resources in a response plan so your company can survive the storm,” added Bruemmer.

Additional key study findings further demonstrate the divide between plan creation and true data breach preparedness:

The good: Companies show an increase in the level of preparedness

  • 58% of surveyed organizations (compared with 48% in 2014) have increased their investment in security technologies in the past 12 months in order to be able to detect and respond quickly to a data breach.
  • 61% of surveyed organizations (compared with 44% in 2013) have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information.
  • Companies understand that they need to take action after a breach occurs to keep customers and maintain their reputation. To do so, those surveyed believe the best approaches are providing free identity theft protection and credit monitoring services (71%), gift cards (45%), and discounts on products or services (40%).

The bad: Missteps and signs of complacency

  • Among those organizations surveyed that do not practice their plan (26%), a majority (64%) don’t practice because it is not a priority.
  • Only 38% of companies surveyed have a data breach or cyber insurance policy. Of those that do not have such a policy, 40% have no plans to purchase one.
  • Less than half (46%) of survey respondents have integrated response plans into their business continuity plans, and only 12% meet with law enforcement or state regulators in advance of an incident.
  • Only 39% of organizations surveyed practice their plan at least twice a year.


For additional data breach resources, including webinars, white papers and videos, visit Read the Experian Data Breach Resolution blog at


About Experian Data Breach Resolution

Experian Data Breach Resolution, powered by the nation’s largest credit bureau, is a leader in helping businesses prepare for a data breach and mitigate consumer risk following breach incidents. With more than a decade of experience, Experian Data Breach Resolution has successfully serviced some of the largest and highest-profile data breaches in history. The group offers swift and effective incident management, notification, call center support and fraud resolution services while serving millions of affected consumers with proven credit and identity theft protection products. Experian Data Breach Resolution is active with the International Association of Privacy Professionals, NetDiligence, Advisen and the Ponemon Institute RIM Council and is a founding member of the Medical Identity Fraud Alliance. For more information, visit and follow us on Twitter @Experian_DBR.

About Experian 

We are the leading global information services company, providing data and analytical tools to our clients around the world. We help businesses to manage credit risk, prevent fraud, target marketing offers and automate decision-making. We also help people to check their credit report and credit score and protect against identity theft. In 2016, for the third year running, we were named one of the “World’s Most Innovative Companies” by Forbes magazine.

We employ approximately 17,000 people in 37 countries and our corporate headquarters are in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil. Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended March 31, 2016, was US$4.6 billion. To find out more about our company, please visit or watch our documentary, “Inside Experian.” Experian and the Experian marks used herein are trademarks or registered trademarks of Experian Information Solutions, Inc. Other product and company names mentioned herein are the property of their respective owners.


# # #