UK organisations unprepared for EU data breach disclosure law

UK businesses admit they would be unable to identify individuals affected by a data breach within the EU's proposed 24-hour time frame

Some 87% of UK businesses admit they would be unable to identify individuals affected by a data breach within the EU's proposed 24-hour time frame.

A further 13% said it would take them between a week and one month to pinpoint which customer data was affected, and 6% did not believe they would ever be able to accurately obtain this information, according to research by security management firm LogRhythm.

Most UK businesses do not believe they have the capability to comply with the proposed EU data protection regulations, said Ross Brewer, vice-president and managing director for international markets at LogRhythm.

"Traditional security has focused on the perimeter defences, not analysis, so most firms are woefully unprepared for the new EU data protection regulation," Brewer told Computer Weekly.

However, he said organisations should already have a high level of visibility of data on their networks to comply properly with the existing UK Data Protection Act.

When asked about their ability to produce accurate breach notifications, 72% of respondents said the implementation of a 24-hour notice period would put their organisations at risk of over-disclosure.

Brewer said over-disclosure happens when organisations are forced to reveal more information than is necessary, for example notifying every individual who might have been affected by a breach, rather than just those who definitely were.

“Over-disclosure is an issue that has been causing concern in locations such as the US, that already have breach notification laws in place,” Brewer said.

The issuing of blanket breach notifications will inevitably have negative repercussions for the affected organisation, he said. For example, the severity of an incident may be overstated, leading to a loss of confidence among existing and potential customers.

"In addition, the cost of informing an individual their data may have been stolen is just as high as telling them it definitely has and is often an unnecessary expense," said Brewer.

The LogRhythm research provided an insight into the motivations driving the decisions behind IT security strategy. Despite an escalation in the cyber threat in recent years, 52% of respondents reported that the proportion of IT budget spent on security had not gone up in the past five years. 

In addition, 77% said the implementation of data breach penalties – such as the EU’s proposed 2% of an organisation’s global turnover – would motivate them to increase spending on IT security.  

The proposed level of fines shows how seriously the EU is taking data protection and should help focus the minds of business leaders on improving the way their organisations handle personal data, said Brewer.

The study provided further evidence of the lack of network visibility that seems to be common amongst organisations today. When asked if their company had ever experienced a security breach incident, 27% said they did not know.

In addition, 47% of respondents admitted that data is analysed only after a security event has occurred, rather than on a proactive basis.

While the research indicates that security spending is not going up, it does show organisations are beginning to realise how effective modern cyber threats are at achieving their goals, with 28% of respondents saying it is doubtful that breaches can be prevented, and 18% saying breaches are now inevitable, regardless of the security measures in place.

"It is worrying that so many organisations' IT security decisions seem to be motivated by non-compliance and the threat of financial penalties, rather than a desire to employ a best-practice approach," said Brewer.

He said these attitudes appear to stem from the top, as 50% of respondents stated that new regulations are one of the main ways of engaging senior level staff with the IT security decision-making process. 

"It was also a surprise to find that almost half of respondents are still employing a post-event analysis approach, when the general feeling is that traditional security solutions are no longer able to prevent breaches," said Brewer.

Clearly a best-practice approach would be to employ continuous collection and analysis of all log data generated by the IT estate, he said. Brewer believes this would provide the traceability required to detect any early indication of an impending attack.

"Effective remediation of threats, and limitation of the damage they can cause, depends on organisations having this ability to combat them in the early stages, something only proactive protective monitoring can provide," he said.