eDiscovery Daily Blog

More Organizations Have Data Breach Plans in Place, But More Are Reporting Data Breaches – eDiscovery Trends


You cannot talk about eDiscovery these days without talking about data security and breaches.  Bank of America, Home Depot and Target are just three examples of big-name companies that have been hit by data breaches.  A recent study, conducted by the Ponemon Institute, shows that more organizations have data breach response plans and teams in place, yet more organizations are reporting at least one data breach in the past two years.

In this second annual study (Is Your Company Ready for a Big Data Breach?  The Second Annual Study on Data Breach Preparedness), sponsored by Experian® Data Breach Resolution, Ponemon Institute surveyed 567 executives in the United States about how prepared they think their companies are to respond to a data breach.  Here is a sampling of their key findings:

  • More companies have data breach response plans and teams in place. In 2014, 73% of companies had such a plan in place, up from 61% in last year’s study.  Also, more companies have teams to lead data breach response efforts – 72% of respondents, up from 67% last year.
  • Yet, data breaches have increased in frequency.  Last year, 33% of respondents said their company had a data breach involving the loss or theft of more than 1,000 records in the past two years. This year, the percentage has increased to 43%. Of those that experienced data breaches, 60% reported their company experienced more than one data breach in the past two years – up from 52% of respondents in 2013.
  • More companies have data breach response plans, but they are not considered effective.  Despite the majority of companies having data breach plans, only 30% of respondents said their organizations are effective or very effective in developing and executing a data breach plan.
  • Maybe part of the reason is they don’t review their plans regularly.  Only 22% of respondents with data breach plans said their organizations review and update their plans at least yearly, with 41% of those respondents indicating no set time period for reviewing and updating the plan and 37% of those respondents having not reviewed or updated since the plan was put in place.

It’s also interesting to note that 17% of respondents were unsure whether their organization had a data breach in the past two years.  Really?  Well, at least that’s down from 22% in last year’s survey.

The 24-page report is chock-full of statistics and survey results and is available here.  Thanks to Sharon Nelson and her always excellent Ride the Lightning blog for the tip.

So, what do you think? Does your organization have a plan for responding to data breaches?  Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.