Two Out of Three Companies Haven't Reviewed Their Breach Preparedness Plans, Study Says
A study of global companies sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute also found that just over half of professionals believed their C-suite executives knew the company's plan to deal with a breach.
March 04, 2020 at 01:00 AM
The original version of this story was published on Corporate Counsel
Many companies haven't updated their data breach plans since developing them, report a lack of adequate employee training on data protection, and still haven't figured out how to guard cloud services and mobile devices, according to a new study.
The "Seventh Annual Study: Is Your Company Ready for a Big Data Breach?" was sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute.
"I was surprised that two out of three respondents said they haven't reviewed or updated their data breach preparedness plans," said Michael Bruemmer, vice president of data breach resolution and consumer protection at Experian. "Preparedness plans can't be a binder on a shelf that are not active and fluid plans. They should be reviewed and updated at least on a yearly basis."
Bruemmer said a main takeaway from the report for general counsel is that "their clients are not preparing enough by practicing [data breach drills] and updating their response plans. They should work with clients to ensure this piece is a well-oiled machine."
He also recommended that general counsel ensure their companies have all data breach response partners in place, from forensics to call center support to identity theft protection.
"Companies do not want to be sourcing and vetting partners after a breach has occurred," Bruemmer warned. "These partners should be a regular member of the response team and participate in the practice drills."
He also encouraged more employee training, saying, "Employees have always been the weakest link in the security fence." Bruemmer said employee training is the easiest security protocol to implement "and one of the most important."
As for the report finding a lack of security around mobile devices, he said, "Mobile devices are certainly not going away and, again, employees should be trained on security protocols."
Respondents reported the same worrisome issues with cloud security this year that they reported in a 2018 study. "It seems that not much progress has been made in tackling the cloud platform," Bruemmer noted.
The study showed that 55% of respondents believed their C-suite executives knew the company's plan to deal with a breach, but Bruemmer said the number should be higher. He recommended that general counsel make sure the CEO and C-suite "are knowledgeable and prepared for a data breach response. We have witnessed many leaders ill-equipped to handle the consumer response after a data breach."
In a recent article from the Law Journal Newsletters, an ALM affiliate publication, a group from Eversheds Sutherland said the worst-case scenario for a company is not the breach itself, but the resulting reputational damage, regulatory enforcement action, business interruption and inevitable litigation. The group was led by Michael Bahar in Washington, D.C., the co-head of the law firm's global cybersecurity and data privacy team, and previously general counsel for the minority staff of the U.S. House Intelligence Committee and deputy legal adviser to the National Security Council.
The Eversheds article advised, "It is important to adjust planning assumptions and response scenarios to focus on addressing these drivers of post-breach exposure."
From a reputation standpoint, only 23% of respondents in the Experian study said their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach.
In addition, Bruemmer warned of two types of future threats. "As cities install more free public Wi-Fi systems, hackers will take to the skies via the use of readily available drones to steal data from devices connected to the unsecure networks," he said.
Another evolving threat, he added, is the use of so-called "deepfake" video and audio technology to steal data and money, or to disrupt businesses. "We have already seen this come true in a few cases" where executives were deceived into allowing thieves to steal from their companies, Bruemmer said.
The Experian study surveyed 650 professionals in the United States and 456 in the Europe/Middle East/Africa region. All respondents are involved in data breach planning and work in compliance, privacy, information technology or IT security.
In other findings, the study said:
- About 36% of respondents reported their organization had a ransomware attack last year with only 20% feeling confident in their ability to deal with it. The average ransom was $6,128 and 68% of respondents say it was paid.
- Spear phishing attacks are pervasive, with 69% of respondents reporting one or more attacks and 67% saying the negative consequences of these attacks were very significant. Bruemmer called these threats "rudimentary at this point, and … a strong employee training program against these attacks [is] a must."
- Some 68% of respondents said their company has put more resources toward security technologies to detect and respond quickly to a breach. Still, data breaches are increasing, with significantly more organizations reporting data breaches than ever before. "Consequently, confidence levels among executives to thwart spear phishing and other common attacks have declined," according to the report.
- More organizations (54%) report they have a high ability to comply with the European Union's General Data Protection Regulation, compared with only 36% a year ago.