At a time when British businesses should be bolstering and updating their data protection policies in preparation for new legislation, it is worrying to report a culture of secrecy and ambivalence towards data breaches across the country.
With the EU General Data Protection Regulation (GDPR) due to come into force on May 25 next year, bringing with it huge fines of up to 20m Euros or four percent of turnover, a survey has revealed the real extent of Britain’s data breach problem.
The Crown Records Management Survey, undertaken by Censuswide, polled 408 IT decision makers in companies of between 100 and 1,000 employees across the country — and results suggest almost one in three IT workers are keeping breaches quiet by failing to report them.
Whether this is out of fear, secrecy or panic is not clear, but this head-in-the-sand approach could have serious implications in the future as public interest in breaches continues to grow — and legislation around them continues to tighten.
Data breaches have hit the news already in 2017 with high profile cases such as mobile phone company Three — where an employee’s password was stolen in March and the data of 200,000 customers compromised. Then in April, cyber criminals seized 250,000 customer records at Wonga — including bank account details.
However, it seems these stories may be only the tip of the iceberg.
The most hard-hitting statistics from the Crown Records Management survey include:
- 32% know someone in their company who has not reported a data breach.
- 31% have delayed reporting a data breach to senior management or the appropriate authorities.
- 29% have chosen not to report a breach to senior management or the appropriate authorities.
- 27% know someone in their previous company who has not reported a data breach.
- 14% don’t know who to report a breach to.
- 8% don’t know what constitutes a data breach.
It is worth taking a moment to take those figures in, because some of these statistics really are shocking. They suggest that data breaches may be far more common and more widespread than many people realize — and that British business is not well prepared for the changes that lie ahead.
There appears to be a culture inside many companies that the best response to a breach is to ignore it or keep it quiet.
Perhaps this comes from a fear of the loss of reputation which can be experienced when breaches are publicized. Or perhaps it is simply down to a lack of clear procedures and information management in the business. Either way, the implications are serious.
Many people will know the GDPR is due to bring in huge fines for companies which break the rules or suffer data breaches — these fines have been heavily publicized. But perhaps what is less recognized is that the regulation also includes a requirement for data breaches to be reported quickly, within 72 hours, in future.
This strict timeframe is going to be a challenge for businesses which currently have no real structure in place or which have provided no staff training around the reporting of breaches.
This is not an issue affecting only big business and corporations, who will undoubtedly be the target for big fines in the early days of the regulation. Any kind of fine — or any loss of reputation — could be a real threat to the viability of a small business and this is true across all sectors.
Survey results seemed to show the issue of secrecy is common across many sectors. Some of the most eye-watering results included:
- 43% in the banking and finance industry know someone in their company who has not reported a data breach — the highest percentage amongst all the sectors surveyed.
- 40% in banking and finance have delayed reporting a data breach to senior management or the appropriate authorities — again, the highest figure amongst those surveyed.
- 20% of those in retail don’t know who to report a data breach to — the highest figure of any sector.
- 17% in retail aren’t even sure what constitutes a data breach — for comparison, the average figure is just 8%.
- 15% in the pharmaceutical sector don’t know who to report a breach to — only retail polled worse.
In fairness to some sectors there were one or two exceptions to the rule. Healthcare came out well with only one in 20 unaware of who to report a breach to, while everyone in the insurance sector understood what constitutes a data breach and not a single person surveyed had avoided reporting a breach.
It is a relief that the picture is not completely bleak but nevertheless the prospect of so many businesses keeping data breaches quiet is a concern given the direction of travel in data protection legislation.
Businesses which delayed preparation for GDPR in the hope that it will not affect the UK after Brexit are already starting to realize the mistake they have made. Firstly the regulation will be in place before Brexit is completed, secondly it will still affect every business which handles the personal data of European citizens, and thirdly the UK government has already brought in the UK Data Bill — which mirrors many of its key principles.
Bearing all that in mind it is absolutely vital that businesses tackle this culture of secrecy because in future unprotected data loss will simply not be acceptable. In fact, it shouldn’t be acceptable now.
Having a clear data protection and information management program in place is vital for businesses to avoid these kinds of problems. It should be very clear who is responsible for reporting breaches and who they should be reported to.
Until businesses grasp how much a breach can cost them, both financially and in terms of reputation, this problem is not going to go away.