Data security buck passed to CEOs, says study

The survey, The Kroll Ontrack ESI Barometer, released by data software and services firm Kroll Ontrack, was initiated after a series of high-profile electronic data losses in the UK and US recently. The most notable of these was HM Revenue and Customs’ (HMRC) loss of copies of the UK child benefit database containing 25 million citizen’s personal and bank details.

Kristin Nimsger, president of Kroll Ontrack, says: “The explosion of information has occurred at a much greater pace than the ability of any department to adequately address the risk and compliance issues associated with it.”

In the case of HMRC, complacency at junior level created a potentially catastrophic data loss that immediately resulted in the resignation of the government department’s chairman and which has ongoing political implications.

The new study reveals only 48% of US firms and 43% of UK firms have a strategy or policy in place to deal with ESI regulation, litigation or investigation.

“Our greatest recommendation is that corporate leaders take full ownership of responsibility to be proactive to deal with these issues. They can’t just be addressed in the context of litigation but must also be addressed in the boardroom,” says Nimsger.

The report suggests a diffusion of responsibility for data security means no single department is able or willing to take full responsibility for risks and that information doesn’t reach board level until it is too late.

“You need to focus a cross-functional team that represents compliance, risk, legal, IT and executive leadership to design and implement a strategy,” says Nimsger, adding that some clients are seeking increased liaison or internal restructuring to concentrate responsibility.

Regulators have also added to pressure for a more proactive approach over the past year, and potential losses due to non-compliance are a growing concern for firms.

“There’s an opportunity for organisations to take a proactive role and be sensibly prepared to deal with electronically stored information. This year, over half of our UK business managing electronic information was related to regulatory enquiries and the EU Commission on anti-competition, in particular,” says Nimsger.