UK firms say they will not be able to cope with EU data law

24-hour data breach reporting time unrealistic?

Only one in ten UK firms say they are ready for the European Commission's proposed data protection directive.

A survey of 200 firms employing more than 1,000 staff by OnePoll found 87 percent admitting they would not be able to identify individuals affected by a data breach within the EC’s proposed 24-hour time frame.

In addition, 13 percent said it would take them between a week and one month to pinpoint which customer data was affected, while six percent did not believe they would ever be able to accurately obtain this information.

The LogRhythm research found that 72 percent believed the new EC breach disclosure rules would put them at risk of "over-disclosure". This is when organisations are forced to reveal more information than is strictly necessary, for example notifying every individual who might have been affected by a breach, rather than just those who definitely were.

"'Over-disclosure' is an issue that has been causing concern in locations like the US, which already has breach notification laws in place," said Ross Brewer, vice president and managing director for international markets at security log management software firm LogRhythm, which sponsored the research.

Brewer said the issuing of blanket breach notifications has negative repercussions for the affected organisation: for instance, the severity of an incident may be overstated, leading to a loss of confidence amongst potential and existing customers.

In addition, the cost of informing an individual that their data may have been stolen is just as high as telling them it definitely has, said Brewer.

Supporters of the directive will say in response that firms should be more careful about customers' data in the first place, and therefore avoid the bad publicity and expense resulting from breaches.

The survey showed that 77 percent of respondents believed the implementation of data breach penalties, such as the EC’s proposed two percent of an organisation’s global turnover, would motivate them to increase spending on IT security.

Brewer said: "It is worrying that so many organisations' IT security decisions seem to be motivated by non-compliance and the threat of financial penalties, rather than a desire to employ a best practice approach."

He said it appears that these attitudes stem from the top, as 50 percent of respondents stated that new regulations are one of the main ways of engaging senior level staff with the IT security decision-making process.
