Firms not prepared for data breaches, says report

New EU laws will compel businesses to report any data breaches

Ward Solutions  found that some organisations are poorly prepared to tackle data breaches or security incidents
Ward Solutions found that some organisations are poorly prepared to tackle data breaches or security incidents

Close to half of Irish businesses said they wouldn’t disclose a data breach to affected customers or suppliers, but legal experts warn new EU laws will compel businesses to report such incidents.

The finding of a survey by security company Ward Solutions also found some organisations are poorly prepared to tackle data breaches or security incidents.

"The reluctance of some organisations to report their data breaches is a natural enough instinctive response but it's not a sustainable strategy in the longer term," said Rob Corbet, partner with solicitors Arthur Cox.

From May 25th, 2018, the EU general data protection regulation (GDPR) will force all businesses across the EU to report breaches involving personal data to the appropriate national data protection authority.

READ SOME MORE

GDPR promises potentially huge fines for non-compliance, said Darren Daly, head of technology at the law firm ByrneWallace. "Failure to notify the Data Protection Commissioner or affected individuals as required is an offence under the GDPR, as is the failure to maintain a record of personal data breaches and remedial actions taken. Such offences may be subject to fines of up to €10,000,000 or 2 per cent of global turnover," he said.

Under GDPR, individuals can seek compensation for “non-material” damage arising from a breach of their data. “Organisations who have not worked out their data security policies and practices will be even more exposed at that point so there is little excuse for not confronting this reality now,” said Mr Corbet.

The survey of 133 senior IT decision-makers suggests some Irish organisations need to do just that. It found 26 per cent of Irish businesses have not planned for potential data breaches, even though 33 per cent had suffered a data security breach in the past 12 months.

Some 26 per cent of respondents had no official crisis management strategy to deal with potential data breaches.

Pat Larkin, chief executive of Ward Solutions, said a proper incident response and communication plan was critical to deal with the aftermath of a breach. "The worst mistake a company can make is to release limited details about the breach or try to downplay its effects. You don't want a drip-feed of continuous bad news because that makes it look like you're not investigating it properly and that ultimately has a worse effect on your brand," he said.

Security expenditure

The survey found 63 per cent of businesses expect to spend more on their IT security in the next 12 months, but Mr Larkin said there was a risk this could be poorly invested. “We still see misdirected spend where people chase advanced security systems in response to the latest threats, but the quickest return that people can get is ensuring they have the basics right and overall information security governance optimised.”