Data security buck passed to CEOs, says study

- David Benyon
- 12 Dec 2007

MINNEAPOLIS, MN / LONDON – Less than half of US and UK firms have a policy in place for their electronically stored information (ESI) or how to deal with a data breach. The responsibility passes up the corporate chain to the chief executive officers, who in reality have little or no control over their firms’ electronic data policies, finds a recent survey.

The survey, The Kroll Ontrack ESI Barometer, released by data software and services firm Kroll Ontrack, was initiated after a series of high-profile electronic data losses in the UK and US recently. The most notable of these was HM Revenue and Customs’ (HMRC) loss of copies of the UK child benefit database containing 25 million citizen’s personal and bank details.

Kristin Nimsger, president of Kroll Ontrack, says: “The explosion of information has occurred at a much greater pace than the ability of any department to adequately address the risk and compliance issues associated with it.”

In the case of HMRC, complacency at junior level created a potentially catastrophic data loss that immediately resulted in the resignation of the government department’s chairman and which has ongoing political implications.

The new study reveals only 48% of US firms and 43% of UK firms have a strategy or policy in place to deal with ESI regulation, litigation or investigation.

“Our greatest recommendation is that corporate leaders take full ownership of responsibility to be proactive to deal with these issues. They can’t just be addressed in the context of litigation but must also be addressed in the boardroom,” says Nimsger.

The report suggests a diffusion of responsibility for data security means no single department is able or willing to take full responsibility for risks and that information doesn’t reach board level until it is too late.

“You need to focus a cross-functional team that represents compliance, risk, legal, IT and executive leadership to design and implement a strategy,” says Nimsger, adding that some clients are seeking increased liaison or internal restructuring to concentrate responsibility.

Regulators have also added to pressure for a more proactive approach over the past year, and potential losses due to non-compliance are a growing concern for firms.

“There’s an opportunity for organisations to take a proactive role and be sensibly prepared to deal with electronically stored information. This year, over half of our UK business managing electronic information was related to regulatory enquiries and the EU Commission on anti-competition, in particular,” says Nimsger.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to print this content. Please contact info@risk.net to find out more.

You are currently unable to copy this content. Please contact info@risk.net to find out more.

As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.

If you would like to purchase additional rights please email info@risk.net

You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.

If you would like to purchase additional rights please email info@risk.net