HRH, Ponemon Institute Launch Privacy Breach Index

August 21, 2008

Hilb Rogal & Hobbs Co. has teamed with the Ponemon Institute, a privacy and information management research firm, to launch the Privacy Breach Index, a benchmarking tool that can measure a company’s response to data loss or theft, especially when it concerns information about people and their families.

Paul Paray, senior vice president at HRH, commented, “When advising clients, we often tell them it is not a matter of if you sustain a privacy breach, it is more a matter of when you sustain one. Given our understanding about the risks to sensitive and personal information in organizations, we approached Dr. Larry Ponemon, noted researcher on privacy and data security practices, to create objective tools that could actually improve a company’s ability to manage a privacy incident.”

The Privacy Breach Index (PBI) benchmark tool can help companies do the following:

–Improve existing procedures and safeguards for prevention of a data breach.
–Determine areas most vulnerable to a data breach.
–Benchmark an organization’s response to a data breach against other companies.

The PBI is compiled from surveys completed by 768 individuals in the data protection, IT security and compliance professions who have the expertise or experience to assess their organization’s responsiveness and quality of response following an organization’s breach incident. Each participant in the survey self-reported that their organization had a data breach involving the loss or theft of customer, consumer or employee data in the past 24 months.

“Our study provides further evidence of the importance of having a good quality privacy incident response plan in place,” said Dr. Ponemon. “More than 83 percent of respondents believe that the individuals affected by the data breach lost trust and confidence in their organization’s ability to protect their personal information. As we have found in our consumer studies on trust, these perceptions often result in the loss of customer loyalty.” Ponemon added that some 80 percent of respondents in the PBI study reported that a certain percentage of data breach victims terminated their relationship with the organization.

The PBI survey questions address the core activities that encompass all aspects of a company’s data loss incident response, such as: detection and forensics, escalation to management, notification quality and timeliness to breach victims, support to breach victims (such as credit monitoring or identity theft protection), post-mortem response, reputation management, and response to regulatory or legal action.

Five key findings from the Privacy Breach Index Survey are:

1. Only 9 percent of respondents gave an “A” or excellent to their organization’s overall performance in responding to their organization’s most recent data breach incident. Thirty-one percent said their performance rated a “B” or good and 26 percent said it rated a “C” or fair grade, while 29 percent gave a “D” or poor and 5 percent gave their organization an “F” for failure.

2. An overwhelming 80 percent of respondents believe that their organizations experienced some loss of customers or other data breach victims after the incident.

3. The number one root cause of data breach incidents reported by participants is employee negligence (50 percent of participants) followed by third party negligence (29 percent). External penetration (hackers) was low at 3 percent and other criminal activity was only 1 percent.

4. Most respondents say their companies have had multiple data breaches. More than 36 percent of respondents have between one and four data breach incidents involving 100 or more records each year, 32 percent have between five and eight and 31 percent have nine or more incidents.

5. Respondents believe that the ex-post response to a data breach (such as conducting an audit or assessment after the incident is closed) and detection and escalation of the incident (such as ensuring that third parties are instructed to inform the organization if they have a data breach involving the organization’s sensitive and confidential data) are very important or important to a successful privacy incident response plan.

The PBI survey will be available for download from

Source: Hilb Rogal & Hobbs,
