To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://management.silicon.com/itdirector/0,39024673,39293831,00.htm

Data breach victims get the mushroom treatment
Full Disclosure: Leaky companies hide security breaches

By Steve Ranger

Published: Thursday 25 September 2008

Companies that suffer data breaches are unwilling to tell their clients about the mishap, leading to renewed calls for mandatory reporting of information security lapses.

In a survey of 300 IT directors, CTOs and IT security managers in the public and private sector, one in 10 admit to falling victim to a security breach.

IT services company Logica, which sponsored the research, said the true number of organisations suffering data breaches is probably far higher.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

Of those organisations that have experienced a data breach, 60 per cent did not tell their clients and half did not alert the police or authorities.

The survey also found that only 30 per cent of organisations educate staff in IT security and information handling procedures on a regular basis, and less than a third have a specific security incident response team.

It also revealed that while 63 per cent of those surveyed hold personal data subject to EU data handling regulations, only a quarter comply with ISO27001/2, which Logica said meant companies are not adhering to appropriate security procedures when storing personal data.

More than half of organisations admitted to having "no idea" of the potential impact of a security breach on their business.

The research has led to renewed calls for organisations to be required to report information security lapses - in line with the silicon.com Full Disclosure campaign.

Tim Best, director enterprise security solutions at Logica, said in a statement: "It is time to take action - it should be mandatory for all organisations to report significant breaches of confidential personal information to the Information Commissioner or their regulatory body. Only through mandatory reporting will the scale of the problem be understood, which will lead to the correct solutions being applied."