Having a Data Breach Preparedness Plan Is Not Enough

Most organizations currently have a data breach preparedness plan in place, but a new study indicates that executives are not updating or practicing the plan regularly and lack confidence in its effectiveness.

While 86 percent of respondents said their organizations have a data breach notification plan in place—up from 61 percent in 2013—only 24 percent have a procedure for updating their plan on a yearly basis, according to the study sponsored by Experian Data Breach Resolution and conducted by the Ponemon Institute. Thirty-eight percent said they have no set time period for reviewing and updating their response plan, and 29 percent have not reviewed or updated their plan since it was put in place.

Only 27 percent of those surveyed are confident in their ability to minimize the financial and reputational consequences of a breach, and 31 percent lack confidence in dealing with an international incident.

“When it comes to managing a data breach, having a response plan is simply not the same as being prepared,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills.”

Among the study’s findings:

• 52 percent of companies in the study experienced a data breach in the last two years, with 66 percent of those respondents indicating their organization had multiple breaches.

• 57 percent of respondents said their company’s board of directors, chairman and CEO are not informed and involved in plans to deal with a possible data breach. Only 34 percent believe the board understands the specific security threats facing their organization.

• 61 percent of respondents have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information, up from 44 percent in 2013.

• Only 42 percent of respondents said privacy/data protection awareness programs are provided as part of the new employee orientation process, while 55 percent said training is only conducted annually or sporadically.

• 38 percent of companies surveyed have a data breach or cyber insurance policy, up from 10 percent in 2013. Of those that do not have a policy, 40 percent said they have no plans to purchase one.

Ponemon surveyed 619 executives and staff employees who work primarily in privacy, compliance and IT security in the United States.

For more information, see the full report: “Is Your Company Ready for a Big Data Breach?“