Companies Ill-Equipped Responding to Global Data Breaches: Experian

June 30, 2017 Marketing GrafWebCUSO

Ninety percent of companies in an Experian survey admit they had at least one global data breach in the past five years, yet 32% have no incident response plan in place.

“Data Protection Risks & Regulations in the Global Economy,” sponsored by Experian Data Breach Resolution, surveyed 558 individuals involved with their companies’ global privacy and data security regulations to reveal their overall level of understanding and capability to mitigate emerging international risks. Financial services (19% of respondents) was the largest segment surveyed.

The survey discovered companies’ overall security measures and policies are inadequate to manage global breaches. In fact:

  • 49% of organizations stated they have outdated and inadequate existing security solutions to manage a global data breach.
  • 40% said they had the right security technologies to adequately protect information assets and IT infrastructure in all overseas locations.
  • 39% believed they provide the right policies and procedures to protect information assets and critical infrastructure in all overseas locations.

The survey also sought to reveal how prepared U.S. companies are to face an ever-changing global regulatory landscape such as the European Union’s General Data Protection Regulation, scheduled to go into effect in May 2018.

In this study, 74% of respondents are either very familiar or familiar with the GDPR, and 89% of respondents said it will impact their companies’ approach to data protection in locations outside the U.S. More worrisome, only 9% report their companies are ready to comply, and 59% do not understand what they need to do to comply.

Thousands of American companies that do business with European customers need to reckon with the EU’s General Data Protection Regulation. The GDPR changes the handling of personal and corporate data, particularly in terms of personally identifiable information. Even credit unions in the U.S. are likely going to have to comply with this law if they have any members who moved to, or live in, Europe.

Companies overwhelmingly recognize the potential challenges and downfalls of new global regulations, but not their overall purpose or benefits:

  • Only 41% of respondents believe global regulations will strengthen their organization’s privacy and data protection practices.
  • Yet, 69% agree that failure to comply would have a detrimental impact on their organization’s ability to conduct business globally.

According to the Experian report, the actual notification process of communicating to individuals impacted by global breaches will likely hit companies hard, specifically those failing to prepare. As part of the GDPR’s requirements, organizations must report a data breach within 72 hours of becoming aware of it.

“Instead of facing this concern head on, companies may go to great lengths to avoid compliance and requirements, with 50% claiming they would consider closing overseas operations because of overly strict compliance,” the Experian report revealed.

Companies not only agree that notifying data breach victims on a global scale is already very difficult, but also don’t believe it necessarily benefits victims of a data breach (according to 59% of respondents regarding GDPR’s 72-hour requirement). It is likely companies will struggle even more following the full adoption of GDPR.

“Overall the study found that companies fear, yet fail to properly understand and address global risks and regulations. Data breaches are the biggest security risk for companies operating globally and, while companies are aware of and have experienced the backlash of these incidents, the majority are not taking steps to adequately prepare for and manage existing and emerging threats,” the Experian survey noted.