New EC Data Breach Disclosure Rules May Put Businesses At Risk Of “Over-Disclosure”

Research shows that UK businesses do not believe they have the capability to comply with new European Commission Data Protection Directive rules, specifically the ability to generate accurate breach notifications in the event of a data leak.

The research, which surveyed 200 IT decision makers at UK businesses with more than 1,000 employees and was conducted by OnePoll, found that 87 percent of respondents would be unable to identify the individuals affected by a breach within the proposed 24-hour notification timeframe.

Furthermore, 13 percent claimed it would take them between one week and a month to pinpoint which customer data was affected, while six percent did not believe they would ever be able to accurately obtain this information.

When asked more specifically about their ability to produce accurate breach notifications, 72 percent of respondents stated that the implementation of a 24-hour notice period would put their organisations at risk of ‘over-disclosure’.

This is when organisations are forced to reveal more information than is strictly necessary, for example notifying every individual who might have been affected by a breach rather than just those who definitely were.

‘Over-disclosure’ is an issue that has already been causing concern in jurisdictions, such as the United States, that have breach notification laws in place. Issuing blanket breach notifications will inevitably have negative repercussions for the affected organisation.

For example, the severity of an incident may be overstated, leading to a loss of confidence amongst potential and existing customers. In addition, the cost of informing an individual their data may have been stolen is just as high as telling them it definitely has and is often an unnecessary expense.

The research also provided an insight into the motivations driving the decisions behind IT security strategy. Despite an escalation in the cyber threat in recent years, caused in part by the increasing sophistication of Advanced Persistent Threats (APTs) and the rise of ‘hacktivism’, 52 percent of respondents reported that the proportion of IT budget spent on security had not gone up in the last five years.

In addition, 77 percent stated that the implementation of data breach penalties, such as the EC’s proposed two percent of an organisation’s global turnover, would motivate them to increase the spending on IT security.

The study provided further evidence of the lack of network visibility that seems to be common amongst organisations today. When asked if their company had ever experienced a security breach incident, 27 percent responded that they did not know. In addition, 47 percent of respondents admitted that data is only analysed after a security event has occurred, rather than on a proactive basis.

While this research suggests that security spend is not going up, it does show that organisations are beginning to realise how effective modern cyber threats are at achieving their goals. 28 percent of respondents said it is doubtful that breaches can be prevented, while 18 percent believe that breaches are now inevitable regardless of the security measures in place.

It is worrying that so many organisations’ IT security decisions seem to be driven by the risk of non-compliance and the threat of financial penalties, rather than by a desire to follow a best-practice approach. Unfortunately, it appears that these attitudes stem from the top, as 50 percent of respondents stated that new regulations are one of the main ways of engaging senior-level staff in the IT security decision-making process.

It was also a surprise to find that almost half of respondents are still employing a post-event analysis approach when the general feeling is that traditional security solutions are no longer able to prevent breaches. Clearly a best-practice approach would be to employ continuous collection and analysis of all log data generated by the IT estate.

This would provide the traceability required to detect any early indication of an impending attack. Effective remediation of threats, and limitation of the damage they can cause, depends on organisations having this ability to combat them in the early stages, something only proactive Protective Monitoring can provide.
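The two points above, continuous analysis of collected log data to catch early indicators, and the traceability needed to say precisely whose records were touched rather than notifying every customer, can be illustrated with a small audit-log analyser. This is an added example, not code from the article or from LogRhythm; the key=value log format, the detection thresholds, the customer-table size and the log lines themselves are constructed assumptions.

```python
"""Continuous audit-log analysis: flag early indicators of an attack and
scope an incident precisely enough to notify only the individuals whose
records were actually read. Added illustration; the log format, thresholds
and sample lines below are assumptions, not the article's data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: a brute-forced login followed by a rapid
# sweep of customer records, plus normal daytime activity by another user.
SAMPLE_LOG = """\
2013-01-14T01:58:02Z host=app01 user=j.smith action=login src=203.0.113.9 result=fail
2013-01-14T01:58:20Z host=app01 user=j.smith action=login src=203.0.113.9 result=fail
2013-01-14T01:58:41Z host=app01 user=j.smith action=login src=203.0.113.9 result=fail
2013-01-14T01:59:05Z host=app01 user=j.smith action=login src=203.0.113.9 result=ok
2013-01-14T02:01:10Z host=db01 user=j.smith action=read table=customers record_id=1001 src=203.0.113.9 result=ok
2013-01-14T02:01:11Z host=db01 user=j.smith action=read table=customers record_id=1002 src=203.0.113.9 result=ok
2013-01-14T02:01:12Z host=db01 user=j.smith action=read table=customers record_id=1003 src=203.0.113.9 result=ok
2013-01-14T02:01:13Z host=db01 user=j.smith action=read table=customers record_id=1004 src=203.0.113.9 result=ok
2013-01-14T02:01:14Z host=db01 user=j.smith action=read table=customers record_id=1005 src=203.0.113.9 result=ok
2013-01-14T02:01:15Z host=db01 user=j.smith action=read table=customers record_id=1006 src=203.0.113.9 result=ok
2013-01-14T09:15:00Z host=db01 user=a.jones action=read table=customers record_id=1042 src=10.0.5.7 result=ok
2013-01-14T09:16:30Z host=db01 user=a.jones action=read table=customers record_id=1043 src=10.0.5.7 result=ok
"""

TOTAL_CUSTOMERS = 50000  # assumed size of the customer table, for the contrast


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Early indicator: `threshold` or more failed logins for one user from
    one source inside `window`, followed by a successful login."""
    indicators = []
    by_key = defaultdict(list)
    for e in events:
        if e.get("action") == "login":
            by_key[(e["user"], e["src"])].append(e)
    for (user, src), evs in by_key.items():
        fails = [e["ts"] for e in evs if e["result"] == "fail"]
        for ok in (e for e in evs if e["result"] == "ok"):
            recent = [t for t in fails if ok["ts"] - window <= t <= ok["ts"]]
            if len(recent) >= threshold:
                indicators.append({"user": user, "src": src,
                                   "ts": ok["ts"], "failures": len(recent)})
                break
    return indicators


def bulk_record_access(events, threshold=5, window=timedelta(minutes=1)):
    """Early indicator: one user reading more than `threshold` distinct
    customer records inside `window` (a sweep, not normal case work)."""
    indicators = []
    by_user = defaultdict(list)
    for e in events:
        if e.get("action") == "read" and "record_id" in e:
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ids = {e["record_id"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ids) > threshold:
                indicators.append({"user": user, "ts": start["ts"], "records": len(ids)})
                break
    return indicators


def scope_incident(events, user, start, end):
    """Records the suspect account actually read between `start` and `end`:
    the minimal set of individuals who must be notified."""
    return sorted({e["record_id"] for e in events
                   if e.get("action") == "read" and e.get("user") == user
                   and start <= e["ts"] <= end})


def notification_scope(events, total_customers=TOTAL_CUSTOMERS):
    """Contrast a precise notification list, derived from the audit trail,
    with the over-disclosure alternative of notifying every customer."""
    bursts = failed_login_bursts(events)
    if not bursts:
        return {"precise": [], "over_disclosure": total_customers}
    first = bursts[0]
    # Incident window: from the suspicious login to the last event seen from
    # the same source address.
    end = max(e["ts"] for e in events if e.get("src") == first["src"])
    affected = scope_incident(events, first["user"], first["ts"], end)
    return {"precise": affected, "over_disclosure": total_customers}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("login bursts:", failed_login_bursts(evs))
    print("bulk access:", bulk_record_access(evs))
    print("notification scope:", notification_scope(evs))
```

Run against the constructed log, the two detectors fire on the same account within minutes of the first failed login, well before any customer complains, and the scoping step narrows the notification list to the six records that were actually read rather than the assumed 50,000-row table. The same audit trail would be useless if it were only gathered after the event: the value comes from collecting it continuously so it is already in place when the indicator appears.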

Ross Brewer brings over 22 years of sales and management experience in high tech and information security. Prior to joining LogRhythm, he was a senior executive at LogLogic, where he served as vice president and managing director EMEA. Ross has held senior management and sales positions in Europe for systems and security management vendor NetIQ and security vendor PentaSafe (acquired by NetIQ). He was also responsible for launching Symantec’s New Zealand operations.