Survey Reveals Breaches Are Increasing, But Executives Feel Unprepared to Respond


By Katie W. Johnson

Sept. 25 — Although more companies have data breach response plans in place, many corporate executives still believe their companies are unequipped to handle the fallout from a breach, according to a survey report on corporate data breach preparedness by Experian Data Breach Resolution and the Ponemon Institute released Sept. 24.

The results of the survey also reveal that the frequency of data breaches is increasing, Michael Bruemmer, vice president of Experian Data Breach Resolution, told Bloomberg BNA Sept. 18 on the sidelines of the combined International Association of Privacy Professionals Privacy Academy and Cloud Security Alliance Congress in San Jose.

The most important takeaway from the survey report is that 27 percent of companies don't have a data breach plan in place, Bruemmer said.

The report was based on 567 surveys of executives at Fortune 500 companies.

Increasing Breach Frequency

Almost half (43 percent) of companies have suffered at least one security incident in the past two years, a figure that is up 10 percent from 2013, according to the report.

Seventeen percent of the survey respondents weren't sure if their company had a breach, Bruemmer pointed out.

Although breach incidents are on the rise, what drew media attention to data breaches over the past year was the number of people affected, Bruemmer said. He pointed to a data breach in South Korea, where personal information from 140 million credit card accounts was stolen from three credit card companies.

Bruemmer said he doesn't expect breaches to decrease or go away in the foreseeable future. More secure credit card technology—known as “chip and PIN”—won't be fully implemented for over a year, and 80 percent of breaches are attributable to human error, he noted.  

Lack of Confidence

Seventy-three percent of companies have an incident response plan in place, a figure that is up 12 percent from 2013, Bruemmer said.

The survey also revealed that 48 percent of companies increased investments in security technologies over the past year, according to the report. Twenty-six percent of companies have a cybersecurity insurance policy, an increase from 10 percent in 2013, the report said.

However, 68 percent of the survey respondents said they still felt unprepared to handle breaches, a “direct reflection of the frequency and types of threats,” Bruemmer said. Thirty percent felt their company's incident response plan was ineffective, he added.

Bruemmer called breach response an “exercise in building trust with consumers” and said a company's breach communications must be consumer-friendly.

The survey report recommended that: companies frequently review incident response plans and conduct security risk assessments; the board of directors, chief executive officer and chairman play an “active role” in data breach preparation and response; employees receive training on the protection of sensitive data; and companies clearly define data breach response accountability and responsibility.

To contact the reporter on this story: Katie W. Johnson in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

The report “Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness” is available at

