The vast majority of UK businesses are “woefully unprepared” to meet the 24-hour data breach deadline included in the new EU data laws, with 87% admitting they will find it virtually impossible to identify individuals in that timeframe.
A report, by security management firm LogRhythm, shows a further 13% would take between a week and one month to pinpoint which customer data was affected, while 6% did not believe they would ever be able to accurately obtain this information.
Ross Brewer, vice-president and managing director for international markets at LogRhythm, said: “Traditional security has focused on the perimeter defences, not analysis, so most firms are woefully unprepared for the new EU data protection regulation.”
When asked about their ability to produce accurate breach notifications, 72% of firms said the implementation of a 24-hour notice period would put their organisations at risk of over-disclosure.
Brewer said over-disclosure happens when organisations are forced to reveal more information than is necessary, for example notifying every individual who might have been affected by a breach, rather than just those who definitely were.
“Over-disclosure is an issue that has been causing concern in locations such as the US, that already have breach notification laws in place,” Brewer said.
The issuing of blanket breach notifications will inevitably have negative repercussions for the affected organisation, he said. For example, the severity of an incident may be overstated, leading to a loss of confidence among existing and potential customers.
“In addition, the cost of informing an individual their data may have been stolen is just as high as telling them it definitely has and is often an unnecessary expense,” said Brewer.