HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Majority of Companies Lack Confidence in Data Breach Response Plans

Even though an increasing number of organizations now have data breach response plans in place, there is a general lack of confidence that a full recovery will be possible if a data breach is experienced.

According to a survey conducted by the Ponemon Institute on behalf of Experian, 86% of organizations now have a data breach response plan in place. When the survey was last conducted in 2013, only 61% of companies had such a plan.

While a plan has been developed, 38% of companies have not set a timescale for reviewing and updating their breach response plan. 29% of respondents said they have never updated their plan since it was put in place. Out of the respondents that said there was a data breach response plan in place, only 42% believed the plan was effective or very effective.

Only 27% of respondents said they were confident that their organization could minimize the financial impact of a data breach. International data breaches were also a cause for concern. 31% of respondents were not confident they would be able to deal with such an incident.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

For many companies the breach response plan is simply a checkbox item. As Michael Bruemmer, Experian Data Breach Resolution Vice President, explains “When it comes to managing a data breach, having a response plan is simply not the same as being prepared.”

If organizations want to be able to respond quickly to a data breach and minimize the damage caused, they must start to view the breach response plan as process, not a one-time event. If the breach response plan is not regularly reviewed and updated, it will not be possible to mount an effective response to new threats.

Organizations that have not updated their breach response plans in the past two years, are unlikely to have effectively planned for a ransomware attack. Only 9% or respondents said they had determined the circumstances under which a ransom would be paid. 56% of respondents said they do not think their organization could effectively deal with a ransomware attack.

If a breach response plan is not tested and practiced, it is unlikely that an organization will be able to exercise an efficient breach response. Just over a quarter of respondents said they do not practice their breach response plan. Out of those, 64% said they do not practice the plan because it is not a priority. Out of the companies that do practice their plan, only 39% do so twice a year.

Preparing for the financial impact of a data breach is also important, yet only 38% of respondents said they have purchased a cybersecurity or data breach insurance policy. Four out of ten respondents said they had no intention of purchasing insurance coverage in the future.

Preventing data breaches requires increased investment in technology, but many breaches occur because protections have been bypassed by the attackers. Employees are still the weakest link, yet many organizations do not realize the importance of security training. Only 42% of respondents said that they provided data protection or privacy awareness training to new recruits during the orientation process. Only 26% said they conduct privacy/data protection awareness training annually, and 29% said they conduct training sporadically. 42% only conduct training during orientation.

In 2013, 44% of organizations said they had a privacy/data protection awareness training program for employees that have access to sensitive data. Now 61% of respondents said they provide that training. However, that means that 39% do not.

Fortunately, a more companies are now increasing spending on security technologies to detect and respond to data breaches more quickly. 58% of companies reported a spending increase in the last 12 months compared to 48% in 2014.

While data breach preparedness is improving there is still some way to go. As pointed out in the report, many companies “are failing to take crucial steps as part of the preparedness process, preventing them from being truly ready for a real life data breach incident.”

The fourth annual data breach preparedness survey was conducted on 619 executives and employees in the United States who primarily work in compliance, IT Security, or privacy.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.