Having an incident response plan can help reduce data breach costs, according to survey

Out-Law News | 07 Jun 2013 | 10:26 am | 2 min. read

UK businesses that have a "formal incident response plan" spend less time dealing with a data breach than those that do not, a new report by an information and systems security provider has said.

Symantec said that there was a 15% rise in the average total cost UK firms incur as a result of a data breach incident from 2011 to 2012. The average organisational cost of data breaches for UK firms increased from £1.75 million in 2011 to £2.04m in 2012, it said (23-page / 1.49MB PDF). The figures are based on information provided by 38 UK organisations surveyed by the Ponemon Institute.

However, Symantec said that UK firms that took certain steps, including having a "formal incident response plan" to implement if they experience a data breach, could save costs usually associated with a breach.

"If the organisation has a formal incident response plan in place prior to the incident, the average cost of a data breach was reduced as much as £13 per compromised record," Symantec said. "In addition, a strong security posture and the appointment of a CISO reduced the cost as much as £13 and £9 per compromised record, respectively. Finally engaging outside consultants to assist with the breach response also saved £4 and quick notification saved £2 per record. When considering the average number of records lost or stolen, these factors can provide significant and positive financial benefits."

Symantec said that the average number of records containing personal data that were breached in a data breach incident was 23,833. The company said that UK businesses are "taking the protection of sensitive and confidential data more seriously in order to avoid costly fines and the loss of reputation or marketplace image" as a result of "changes in the regulatory landscape".

The European Commission has proposed a new data breach notification regime should be introduced under a reformed data protection law framework, whilst new network and information security requirements may also be imposed on firms in some industries under separate Commission plans.

Cyber liability and data breach insurance specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that Symantec's assessment of businesses' approach to data security was supported by trends in the insurance sector.

"Insurance companies are reporting that they are receiving increasing numbers of enquiries from businesses about data risk and cyber liability insurance products," Birdsey said. "The trend is driven by the growing general awareness of the importance of data, the vulnerabilities and risks to information security and also the cost of dealing with an incident."

"Businesses are seeking to preemptively mitigate the risk posed by data breaches by forming incident response plans, and at the same time transfer that risk to others. One of the reasons that companies are interested in insurance is because, by taking out data risk or cyber liability policies, they can gain access to a network of experts to help them deal with a data breach in the event that they experience one," he said.

"The experts may include IT forensics experts, PR and crisis management specialists, credit monitoring providers or firms that can help companies deal with the logistics of data breaches, such as sending out thousands of emails to consumers to notify them of the incident. Insurers have managed to build up that network of experts and make them available to policy holders at greater convenience and at lower cost than companies would encounter if they were seeking to contract with those providers in the aftermath of a breach," Birdsey added.
