Only one in ten UK firms say they are ready for the European Commission's proposed data protection directive.
A survey of 200 firms employing more than 1,000 staff by OnePoll found 87 percent admitting they would not be able to identify individuals affected by a data breach within the EC’s proposed 24-hour time frame.
In addition, 13 percent said it would take them between a week and one month to pinpoint which customer data was affected, while six percent did not believe they would ever be able to accurately obtain this information.
The LogRhythm research found that 72 percent believed the new EC breach disclosure rules would put them at risk of "over-disclosure". This is when organisations are forced to reveal more information than is strictly necessary, for example notifying every individual who might have been affected by a breach, rather than just those who definitely were.
"'Over-disclosure' is an issue that has been causing concern in locations like the US, which already has breach notification laws in place," said Ross Brewer, vice president and managing director for international markets at security log management software firm LogRhythm, which sponsored the research.
Brewer said the issuing of blanket breach notifications has negative repercussions for the affected organisation as, for instance, the severity of an incident may be overstated, leading to a loss of confidence amongst potential and existing customers.
In addition, the cost of informing an individual their data may have been stolen is just as high as telling them it definitely has, said Ross.
Supporters of the directive will say in response that firms should be more careful about customers' data in the first place, and therefore avoid the bad publicity and expense resulting from breaches.
The survey showed that 77 percent of respondents believed the implementation of data breach penalties, such as the EC’s proposed two percent of an organisation’s global turnover, would motivate them to increase spending on IT security.
Brewer said: "It is worrying that so many organisations' IT security decisions seem to be motivated by non-compliance and the threat of financial penalties, rather than a desire to employ a best practice approach."
He said it appears that these attitudes stem from the top, as 50 percent of respondents stated that new regulations are one of the main ways of engaging senior level staff with the IT security decision-making process.