HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Experian Third Annual Data Breach Preparedness Study Released

A huge number of data breaches have been suffered over the past few years. The severity of data breaches has similarly increased. This has forced organizations to beef up security protections and develop policies and procedures to prepare for data breaches when they occur. Progress has been made, but there is still some ground to cover, according to the latest data breach preparedness study from Experian.

Third Annual Data Breach Preparedness Study Released

The Experian-sponsored Third Annual Study on Data Breach Preparedness was published last month. The study explored the efforts that companies have made to deal with the increased risk of cyberattacks and breaches by malicious insiders. The results show many companies have yet to respond to current threat levels: 19% of respondents said their employers do not have a data breach response plan in place.

Half of the 604 companies surveyed revealed they had suffered a data breach involving the exposure of more than 1,000 records in the past 12 months, while 63% reported having suffered two or more breaches in the past two years.

The study, conducted by the Ponemon Institute, shows that while organizations are better prepared for the inevitable, there is a lack of confidence in their ability to execute data breach response measures. When the study was conducted last year, 30% of respondents rated their breach response plan as effective or very effective. This year, 34% of respondents rated their breach response plan as effective or very effective, while 41% said they were either unsure about their breach response plan or considered it not effective.


Damage to Reputation is a Major Concern

Aside from poor customer service, a data breach was considered to cause the most damage to a company’s reputation. Data breaches were considered more damaging than publicized lawsuits, and even more damaging than having to perform product recalls. That said, only 32% of respondents said they actually knew what to do to limit the effect a breach has on public opinion.

Due to the potential for damage, more effort is going into data breach preparedness. Board members are now increasingly becoming involved in data breach preparedness matters. Last year only 29% of companies said their boards were involved in breach preparedness. The figure now stands at 39%.

The report pointed out that even when a breach response plan is put in place, all aspects of the breach response are not being considered. Breach response plans are still not comprehensive, which will inevitably cause problems when a breach is eventually suffered.

Data Breach Response Plans are Missing Crucial Steps

In many cases, crucial steps are missing from the plan. For example, some multi-national companies had implemented a data breach response plan for their home operations but had no plan covering operations based overseas. Preparations have been made to respond to a cyberattack, but policies have not been developed to deal with the loss or theft of portable storage devices or paper records.

Despite insider breaches being more common than cyberattacks in some industries, fewer than half of the respondents surveyed indicated their plans include dealing with insider breaches. A quarter of respondents said they did not review the policies and procedures put in place by third party partners.

A Lack of Staff Training is a Cause for Concern

Policies and procedures have been developed to improve data security and privacy awareness; however, in many cases those programs had yet to be implemented and training still has not been provided to all staff members.

Even when training was provided, four out of ten companies said it was provided only once. The majority of companies did not conduct ongoing training or refresher courses; in fact, 39% of organizations reported that training was sporadic. Perhaps most worrying of all, the employees with the greatest need for security awareness training – new recruits – had not been trained on privacy and security matters when they joined the company.

Privacy and security measures are improving slowly, but there is clearly a long way to go before organizations can consider themselves fully prepared to deal with a data breach when one occurs.

The full report can be downloaded here: http://www.experian.com/data-breach/2015-ponemon-preparedness.html

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.