UK businesses can't handle EC's data breach rule

The vast majority of British businesses will not be able to meet the EC's proposed rule on data breaches, which says they must tell people their data has been leaked within 24 hours, according to a OnePoll survey conducted for LogRhythm. Further, 72 percent of the companies surveyed think the rule will lead to "overdisclosure": since they will not have time to identify the specific users whose data has been compromised, they will have to notify everyone who might have been affected.

OnePoll surveyed 200 IT decision makers at UK businesses with more than 1,000 employees about their ability to comply with new European Commission Data Protection Directive rules. It found that only 13 percent would be able to identify individuals affected within the proposed 24-hour timeframe. Another 13 percent reckoned it would take them between a week and a month, and 6 percent didn't believe they could do it at all. (See the infographic below.)

LogRhythm's Ross Brewer warned that "overdisclosure" could lead to "a loss of confidence amongst potential and existing customers", as well as being expensive. "The cost of informing an individual their data may have been stolen is just as high as telling them it definitely has," he said.

The survey also showed that almost half the companies surveyed -- 47 percent -- only analysed their data after a "security event", rather than on a continuous basis. This is good news for LogRhythm, which is keen to sell them "protective monitoring" systems.

Although EC regulations usually come in for criticism, they do oblige companies to pay attention, and may make them improve the ways they handle data.

Brewer said: "It is worrying that so many organisations’ IT security decisions seem to be motivated by non-compliance and the threat of financial penalties, rather than a desire to employ a best practice approach. Unfortunately it appears that these attitudes stem from the top as 50 percent of respondents stated that new regulations are one of the main ways of engaging senior level staff with the IT security decision making process."

@jackschofield

Infographic: [image not reproduced here] A larger version of this infographic is available as a PDF.