Study Shows Businesses Lack Adequate Security

May 15, 2007 3:49 PM



According to a new study commissioned by Scott & Scott, LLP, Dallas, and conducted by privacy and information management research firm the Ponemon Institute, Traverse City, Mich., 85 percent of businesses have experienced a data security breach. Despite the frequency of such security failures, 46 percent of businesses failed to implement encryption solutions even after suffering a data breach, and 82 percent did not seek legal counsel prior to responding to the incident despite having no prior response plan in place.

The survey, entitled The Business Impact of Data Breach, examines the responses of more than 700 U.S.-based C-level executives, managers and IT security officers in mid-size to large businesses spanning all industries. Analysis of the results shows that businesses are struggling to implement the proper policies and controls required to prepare for and mitigate the legal, regulatory, and financial risks associated with a security failure. In addition, many businesses may be discounting the long-term threat to customer retention and corporate reputation.

Key findings from the survey include the following:

  • More than 85 percent of respondent organizations reported that they have experienced a data breach event.

  • Of those organizations, fewer than 43 percent had an incident response plan in place, and 82 percent failed to consult with legal counsel before responding to the incident.

  • Following a breach, 46 percent of organizations still failed to implement encryption technology on portable devices.

  • 95 percent of businesses suffering a data breach were required to notify data subjects whose information was lost or stolen.

  • 97 percent were required to notify under state statutes.

  • 58 percent were required to notify under federal privacy acts such as HIPAA, GLBA and OCC.

  • Organizations that suffered a data breach actually employ substantially more IT and data security measures than organizations that did not experience a data breach.

  • 37 percent of respondents say their organizations sent blanket notifications, rather than precise notifications.

  • Organizations experiencing a data breach incurred costs across the board.

  • 74 percent report loss of customers.

  • 59 percent faced potential litigation.

  • 33 percent faced potential fines.

  • 32 percent experienced a decline in share value.

  • Almost half of the breach incidents were attributed to lost or stolen equipment such as laptops, PDAs, and memory sticks. The second largest threat came from negligent employees, temporary employees, and/or contractors.

  • Despite the frequency of data breach events, 42 percent of respondents claim their organization's IT security spending will remain the same in the coming year.

"Our findings show that data breaches are a pervasive problem for most organizations in the U.S. today. We also show that despite negative repercussions in terms of cost outlays and reputation diminishment, many companies that experience a breach do not take appropriate steps to prevent future incidents," says Dr. Larry Ponemon, founder and chairman of the Ponemon Institute. "However, I'm most surprised that IT security solutions such as encryption and authorization technology are not being deployed by most companies today."

Robert Scott, managing partner at Scott & Scott, LLP, agreed, stating, "The most significant finding to me is that, despite having experienced a data breach, 46 percent of respondents failed to implement encryption technology on portable devices such as laptops and PDAs. Encryption is the single most effective way to avoid the negative business impact of data breaches."

Copies of the Survey on the Business Impact of Data Breach are available through the Ponemon Institute and through Scott & Scott, LLP.

© 2009 Penton Media Inc.
