As much as a fifth (19%) of UK organisations avoid notifying customers of data breaches, according to research from Trend Micro.
When asked whether their business has a formal process in place to notify the data protection authority within 72 hours* in the event of a data breach, 57% of organisations said yes, and that they always do so. However, almost a fifth (19%) said they have a process in place but purposely avoid notifying customers of a breach. This grows to 22% for financial services companies, 33% for large businesses (between 1000 and 3000 employees) and a whopping 50% for construction and engineering companies. 19% of companies said they have no formal process in place at all.
Rik Ferguson, Global VP of Security Research at Trend Micro, comments: “That’s terrible news for consumers. Already almost half of consumers (49%) are unaware that their data can be shared with third parties, and in many instances they need to opt out to prevent it from being passed on. Having little visibility into where their data goes and how secure that data is spells real trouble. Unfortunately, for many organisations the decision on whether to notify customers or keep a breach under wraps still comes down to a simple risk management calculation. Many still fail to deliver on their duty of care in the hope of avoiding sanctions, brand damage and any potential customer payouts.”
Despite this lack of transparency, business confidence in the industry’s data protection capabilities is growing. 74% of UK organisations are confident they are protected against data breaches as best as they can be, compared to 69% in 2014. Public sector companies (43%), retailers (43%) and large organisations (44%) are the most confident. However, only 11% of financial services organisations feel very confident that they’re as secure as they can be against a data breach.
The research also shows that the continuous stream of high-profile breaches has had an impact on how organisations think about their own cybersecurity. 83% of companies claim they have had a full rethink about their data protection strategy following a high-profile data breach, such as the cases of TalkTalk, Sony and more recently the Mossack Fonseca leak. 43% of those companies have also introduced new processes as a result.
Key initiatives that companies undertook included better staff awareness programmes (introduced by 43% of companies) and hashed passwords (introduced by 36% of organisations). Other common steps involved implementing a new data protection policy (33%), encryption technologies (32%) and remote-wipe technology for lost devices (29%).
In addition, a high proportion of companies think they have adequate processes and technology in place to address any customer ‘right to be forgotten’ requests**. 72% of organisations believe they can address such requests for the data their own organisation collects on its customers, 61% for the data their partners collect on their customers, and 57% for the data their third-party agencies collect on their customers.