Most companies aren’t prepared to respond to a global data breach, and aren’t yet ready to comply with the European Union’s General Data Protection Regulation (GDPR), even though it takes effect in less than a year, according to the latest Ponemon Institute report sponsored by Experian® Data Breach Resolution.
Nearly a third of the 588 information security and compliance professionals interviewed for the survey said their organizations had no global incident response plan in place, and 38 percent have a single plan that’s applied around the world. Just 27 percent reported having separate plans at the country or regional level, but even those who had a plan weren’t confident about its efficacy.
The global scope of data breaches
The number of data breaches reached a record high in 2016 — 4,149 incidents in 102 countries around the world exposed more than 4.2 billion records, according to cybersecurity company Risk Based Security. Ponemon’s survey underscores the scope of global data breaches; 51 percent of respondents reported their companies experienced a global data breach in the past five years, and 56 percent of breached companies had more than one incident.
When the GDPR goes into effect in May 2018, any company that processes and/or holds the personal data of European Union consumers will be required to comply with the regulation, regardless of where the company is located. Failure to comply can lead to fines ranging from 2 percent to 4 percent of a company’s annual global turnover.
Despite the escalating risks of falling victim to a global data breach and the possible repercussions of not complying with the GDPR, Ponemon’s survey shows a widespread lack of preparedness among companies.
Levels of unpreparedness
When it comes to preventing and responding to a global data breach, and ensuring they comply with the GDPR’s strict notification rules, many survey respondents expressed significant shortfalls in preparedness:
- Outdated and inadequate security solutions would hinder the ability of 49 percent to cope with a global data breach.
- Just 40 percent of respondents felt confident their organizations’ security technologies would adequately protect information assets and IT infrastructures overseas, and only 39 percent said they had the right policies and procedures to do so.
- Slightly more than a third thought their companies could successfully manage cultural differences and privacy and data security expectations in different areas of the world.
A majority of respondents (89 percent) predicted the GDPR will significantly affect their data protection practices, and 69 percent felt non-compliance would hinder their companies’ ability to do business globally. Yet only a quarter said their companies were ready to comply with the new regulation.
While most understand GDPR is something they need to worry about, many aren’t sure what to do. The survey reveals some companies may be feeling desperate enough about the looming regulation to take drastic measures; 34 percent said their preparations include closing operations in countries with high non-compliance rates.
Timely notification of regulators and EU citizens affected by a data breach is a key component of the GDPR, yet the majority of our survey respondents (69 percent) said they would have trouble meeting the time limitations. The GDPR requires breached companies to notify regulators within 72 hours of discovering a breach, and affected consumers “without undue delay.” Half of our survey respondents said they experienced a global breach that required notification of victims. Only 10 percent were able to do so within the GDPR’s 72-hour window; 38 percent reported notification took two to five months to complete.
Obstacles to preparedness
The years-long evolution of the GDPR, which will replace older regulations, is evidence that world governments are taking data breach risks seriously. Unfortunately, our study indicates not all C-suite decision-makers are as concerned about global data breach risks as they should be and their antipathy is impairing their organizations’ ability to prepare for a global data breach.
While the security professionals surveyed cited high-volume breaches (65 percent) and breaches involving high-value information (50 percent) as the data risks that concern them the most, only 30 percent said their organization’s C-suite was fully aware of the company’s compliance status. Further, just 38 percent said their executives viewed global data regulations as a top priority.
Technology limitations and lack of executive support are significant obstacles to preparedness and compliance, but they’re not the only ones. Additionally, survey respondents cited:
- Reluctance to make needed comprehensive changes in business practices (60 percent)
- Not enough budget to hire staff (37 percent)
- Unrealistic demands from regulators/regulations (35 percent)
- Not enough money for appropriate security technology (34 percent)
- Lack of knowledge about global data breach response (29 percent)
What companies must do
Some survey respondents indicated their organizations are taking the right steps toward preparedness and compliance. They are putting in place security technologies to quickly detect a data breach (48 percent), have tested and proven response plans (44 percent), can quickly identify whether a breach will require notification (15 percent) and are prepared to notify regulators within 72 hours of breach discovery (13 percent).
However, many organizations could be doing more to prepare for a global data breach and to comply with the GDPR. Global data breach risks continue to increase in number, scope and impact, and the potential loss of business and financial impact of a breach could prove catastrophic for affected companies. With less than a year to go until the GDPR takes effect, any company that conducts business internationally needs to act now to ensure it will be ready to deal with a global data breach when it occurs.