
Security Breaches: Who's In Charge?

June 22, 2008
by Reece Hirsch

There can be no doubt that security breach response is a critical compliance issue: a botched response can have catastrophic consequences, including class action lawsuits, a negative impact on stock price and, most importantly, damage to an organization's relationship with patients or customers. Despite the importance of these issues, many companies seem to have failed to clearly assign responsibility for security breach response, according to a recent survey conducted by Compuware Corp. and the Ponemon Institute. The study, entitled the 2008 Study on the Uncertainty of Data Breach Detection, surveyed more than 1,112 information technology practitioners in the United States, United Kingdom, France and Germany. Here are the findings of the survey that I found most interesting:

1. IT practitioners are not confident about their organization's ability to detect the loss or theft of sensitive or confidential information (10% were very confident, 34% were not confident and 18% were unsure).

2. IT practitioners are not very confident of their ability to learn all of the facts about a data breach.

3. Many organizations have not clearly defined who is responsible for data breach management. Over 43% of the IT practitioners reported that no one in their organization is responsible for data breach management. Another 23% were unsure who was responsible.

The first crucial step in mitigating the risk of a security breach is to define who in the organization is responsible for developing a security incident response plan. Not only should someone be given primary responsibility for this issue, but there should also be an incident response planning team that includes the relevant departments of the organization, which may include HR, public relations, legal, compliance, IT and (for public companies) investor relations. A major security breach can have an enormous and far-reaching impact on an organization, so it is imperative to have a clear assignment of authority and an incident response team that is capable of quickly mobilizing appropriate resources throughout the organization. As the survey results suggest, an organization that has not clearly allocated responsibility for security breach response may also have difficulty detecting and investigating breach incidents. For more information on the Compuware/Ponemon study, see the June 9 issue of BNA's Privacy & Security Law Report or contact The Ponemon Institute at research@ponemon.org.


There's an old poker saying that if you can't spot the mark at the table, then it's probably you. For IT and security professionals, the same may be true for security breach response. If you don't know who in your organization is responsible for managing security breach response, then it just might be you ....



Reece Hirsch

Partner, Morgan, Lewis & Bockius LLP

Reece Hirsch's Health Care Privacy Law Blog offers a lively commentary on a wide range of...