Companies avoid data breach notifications

As Australia experiences ongoing delays to the introduction of data breach notification laws, a study has found only a third of companies that experience data breaches notify customers promptly.

Of the 16 companies included in the study, only five (31 per cent) were classified as "quick responders", meaning they notified customers within a month of a data breach. This is despite the study also finding that companies which alerted customers earlier generally reduced the cost of recovering from the breach by around 20 per cent.

The report suggested that notifications following data breaches were associated with abnormally high customer churn, which may explain why some businesses are less inclined to inform customers of data breaches until legally required to do so.

"Customers are increasingly willing to end or curtail relationships with organisations that experience breaches, making retaining customer trust a business imperative," the report said.

However, James Turner, advisor at analyst firm IBRS, believed that the relatively small Australian market means churn rates may have little impact on businesses, stating: "Australia is a fairly closed environment. If one of the banks is hacked and you decide to leave, it isn't like you have a lot of choice. And whichever bank you move to, it's entirely possible that a customer there is leaving to go to your old bank because of poor customer service."

Turner also suggested that the cost of preventing data breaches may outweigh the risk of them occurring. "The sad reality is that IT security is an area where the two main indicators for reasonable spending — probability and severity of a successful attack — are both hard to determine," he said. "Australian organisations looking at this data will also be weighing the cost of a breach against the cost of deploying mitigating controls. In many instances, the cost of a breach will be a risk that they are prepared to take simply because it would be financially irresponsible, as well as practically impossible, to mitigate every risk."

The Ponemon Institute found the average cost of a data breach was around $2 million. Of this total, notification was the least significant component, averaging around 4 per cent of the whole, which the study attributed to the fact that Australian organisations are not required to notify victims when a data breach occurs.

Australia has been slow to formulate data breach notification laws, despite the issue being raised in a 2008 report that recommended almost 300 changes to existing privacy laws and practices. The legislation is now waiting on the introduction of other privacy laws.

Of the data breaches included in the report, 31 per cent involved system glitches, a quarter were the result of employee negligence and a third resulted from third-party or outsourcer errors. Third-party breaches cost 40 per cent more on average than in-house errors. The study found that malicious attacks, including botnets, caused the most damage, with costs averaging around 40 per cent higher than those for negligence or system glitches.

Manual or policy-based measures were favoured over technological upgrades, according to the study, which suggested that training programs and manual controls were cheaper and faster to put in place than encryption or other security products.