Two Out of Three Companies Haven't Reviewed Their Breach Preparedness Plans, Study Says
A study of global companies sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute also found that just over half of professionals believed their C-suite executives knew the company's plan to deal with a breach.
March 04, 2020 at 01:00 AM
The original version of this story was published on Corporate Counsel
Many companies haven't updated their data breach plans since developing them, report a lack of adequate employee training on data protection, and still haven't figured out how to guard cloud services and mobile devices, according to a new study.
The "Seventh Annual Study: Is Your Company Ready for a Big Data Breach?" was sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute.
"I was surprised that two out of three respondents said they haven't reviewed or updated their data breach preparedness plans," said Michael Bruemmer, vice president of data breach resolution and consumer protection at Experian. "Preparedness plans can't be a binder on a shelf that are not active and fluid plans. They should be reviewed and updated at least on a yearly basis."
Bruemmer said a main takeaway from the report for general counsel is that "their clients are not preparing enough by practicing [data breach drills] and updating their response plans. They should work with clients to ensure this piece is a well-oiled machine."
He also recommended that general counsel ensure their companies have all data breach response partners in place, from forensics to call center support to identity theft protection.
"Companies do not want to be sourcing and vetting partners after a breach has occurred," Bruemmer warned. "These partners should be a regular member of the response team and participate in the practice drills."
He also encouraged more employee training, saying, "Employees have always been the weakest link in the security fence." Bruemmer said the lack of training is the easiest security protocol to implement "and one of the most important."
As for the report finding a lack of security around mobile devices, he said, "Mobile devices are certainly not going away and, again, employees should be trained on security protocols."
Respondents reported the same worrisome issues with cloud security this year that they reported in a 2018 study. "It seems that not much progress has been made in tackling the cloud platform," Bruemmer noted.
The study showed that 55% of respondents believed their C-suite executives knew the company's plan to deal with a breach, but Bruemmer said the number should be higher. He recommended that general counsel make sure the CEO and C-suite "are knowledgeable and prepared for a data breach response. We have witnessed many leaders ill-equipped to handle the consumer response after a data breach."
In a recent article from the Law Journal Newsletters, ALM affiliate publications, a group from Eversheds Sutherland said the worst-case scenario for a company is not the breach itself, but the resulting reputational damage, regulatory enforcement action, business interruption and inevitable litigation. The group was led by Michael Bahar in Washington, D.C., the co-head of the law firm's global cybersecurity and data privacy team, and previously general counsel for the minority staff of the U.S. House Intelligence Committee and deputy legal adviser to the National Security Council.
The Eversheds article advised, "It is important to adjust planning assumptions and response scenarios to focus on addressing these drivers of post-breach exposure."
From a reputation standpoint, only 23% of respondents in the Experian study said their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach.
In addition, Bruemmer warned of two types of future threats. "As cities install more free public Wi-Fi systems, hackers will take to the skies via the use of readily available drones to steal data from devices connected to the unsecure networks," he said.
Another evolving threat, he added, is the use of so-called "deepfake" video and audio technology to steal data and money, or to disrupt businesses. "We have already seen this come true in a few cases" where executives were deceived into allowing thieves to steal from their companies, Bruemmer said.
The Experian study surveyed 650 professionals in the United States, and 456 in the Europe/Middle East/Africa region. All respondents work with data breach planning and are in compliance, privacy, information technology and IT security.
In other findings, the study said:
- About 36% of respondents reported their organization had a ransomware attack last year, with only 20% feeling confident in their ability to deal with it. The average ransom was $6,128, and 68% of respondents say it was paid.
- Spear phishing attacks are pervasive, with 69% of respondents reporting one or more attacks and 67% saying the negative consequences of these attacks were very significant. Bruemmer called these threats "rudimentary at this point, and … a strong employee training program against these attacks [is] a must."
- Some 68% of respondents said their company has put more resources toward security technologies to detect and respond quickly to a breach. Still, data breaches are increasing, with significantly more organizations reporting data breaches than ever before. "Consequently, confidence levels among executives to thwart spear phishing and other common attacks have declined," according to the report.
- More organizations, at 54%, report they have a high ability to comply with the European Union's General Data Protection Regulation, compared with only 36% a year ago.