Data security buck passed to CEOs, says study

Responsibility for electronic data security rests with chief executive officers, according to a new survey released by Kroll Ontrack

MINNEAPOLIS, MN / LONDON – Fewer than half of US and UK firms have a policy in place for their electronically stored information (ESI) or for how to deal with a data breach. Responsibility passes up the corporate chain to chief executive officers, who in reality have little or no control over their firms’ electronic data policies, finds a recent survey.

The survey, The Kroll Ontrack ESI Barometer, released by data software and services firm Kroll Ontrack, was initiated after a recent series of high-profile electronic data losses in the UK and US. The most notable of these was HM Revenue and Customs’ (HMRC) loss of copies of the UK child benefit database containing 25 million citizens’ personal and bank details.

Kristin Nimsger, president of Kroll Ontrack, says: “The explosion of information has occurred at a much greater pace than the ability of any department to adequately address the risk and compliance issues associated with it.”

In the case of HMRC, complacency at junior level created a potentially catastrophic data loss that immediately resulted in the resignation of the government department’s chairman and that has ongoing political implications.

The new study reveals only 48% of US firms and 43% of UK firms have a strategy or policy in place to deal with ESI regulation, litigation or investigation.

“Our greatest recommendation is that corporate leaders take full ownership of responsibility to be proactive to deal with these issues. They can’t just be addressed in the context of litigation but must also be addressed in the boardroom,” says Nimsger.

The report suggests that a diffusion of responsibility for data security means no single department is able or willing to take full responsibility for the risks, and that information does not reach board level until it is too late.

“You need to focus a cross-functional team that represents compliance, risk, legal, IT and executive leadership to design and implement a strategy,” says Nimsger, adding that some clients are seeking increased liaison or internal restructuring to concentrate responsibility.

Regulators have also added to pressure for a more proactive approach over the past year, and potential losses due to non-compliance are a growing concern for firms.

“There’s an opportunity for organisations to take a proactive role and be sensibly prepared to deal with electronically stored information. This year, over half of our UK business managing electronic information was related to regulatory enquiries and the EU Commission on anti-competition, in particular,” says Nimsger.
