Research leads to fresh calls for data-breach laws

A recent survey has revealed many companies hide security lapses from clients, leading to renewed calls for mandatory reporting of such mishaps

Companies that suffer data breaches are unwilling to tell their clients about the mishap, leading to renewed calls for mandatory reporting of information security lapses.

In a survey of 300 IT directors, chief technology officers and IT security managers in the public and private sector, one in 10 admit to falling victim to a security breach.

IT services company Logica, which sponsored the research, said the true number of organisations suffering data breaches is probably far higher.

Of those organisations that have experienced a data breach, 60 percent did not tell their clients and half did not alert the police or authorities.

The survey also found that only 30 percent of organisations educate staff in IT security and information handling procedures on a regular basis, and less than a third have a specific security-incident response team.

It also revealed that while 63 percent of those surveyed hold personal data subject to EU data-handling regulations, only a quarter comply with ISO27001/2, which Logica said meant companies are not adhering to appropriate security procedures when storing personal data.

More than half of organisations admitted to having "no idea" of the potential impact of a security breach on their business.

The research has led to renewed calls for organisations to be required to report information security lapses.

Tim Best, director enterprise security solutions at Logica, said in a statement: "It is time to take action — it should be mandatory for all organisations to report significant breaches of confidential personal information to the information commissioner or their regulatory body. Only through mandatory reporting will the scale of the problem be understood, which will lead to the correct solutions being applied."