Into the ‘data’ breach — the shocking survey results on pharma data breaches
A recent survey has revealed the extent to which pharma businesses are failing to report data breaches. Here, Dominic Johnstone, head of Information Management Services at Crown Records Management, discusses the shocking results.
Data breaches have been hitting news headlines worldwide this year including high profile stories, such as that of the mobile phone company Three — where an employee’s password was stolen in March and the data of 200,000 customers compromised. Then in April, cybercriminals seized 250,000 customer records at Wonga — this data breach included bank account details. Probably the biggest story for pharma was that of Merck, which fell victim to a ‘NotPetya’ cyber-attack in June, leading to a shutdown of its manufacturing operations.1,2
However, it seems these stories may be only the tip of the iceberg! The real extent of the pharma sector’s problem with data breaches has been revealed by a survey which suggests a quarter of IT workers in the industry are keeping them quiet.
The Crown Records Management Survey, undertaken by Censuswide, polled 408 IT decision makers in companies of between 100 and 1,000 employees across the country. It provided some shocking results, which suggest many of the UK’s data breaches are going unreported.
Some of the statistics for the pharmaceutical sector are highlighted below, with mixed results:
- 23% have chosen not to report a breach to more senior management or the appropriate authorities.
- 15% don’t know who to report a breach to — only the retail sector polled worse.
- 23% know somebody in their company who hasn’t reported a data breach.
- However, nobody polled was unaware of what constituted a data breach — better than the national average of 8%.
A long way to go…
Whilst the pharmaceutical sector is doing better than most when it comes to understanding what entails a data breach, there is still a long way to go. The frequency of data breaches that go unreported is especially worrying in a sector such as pharma, which handles large quantities of sensitive data.
Some of these statistics really are shocking and suggest that data breaches may be far more common and more widespread than many people realise. These results also indicate a culture inside many companies that the best response to a breach is to ignore it or keep it quiet.
Perhaps this comes from a fear of the loss of reputation which can be experienced when breaches are publicised. Or perhaps it is simply down to lack of a clear procedures and information management in the business. Either way, the implications are serious, and the fact still remains that data breaches must legally be reported within 72 hours.
New legislation, such as the UK data bill and the forthcoming EU general data protection regulation, due to come into force in May 2018, include measures to tackle data breaches.
The latter will bring in huge fines for businesses that suffer breaches as a result of poor compliance. It also sets a strict timeframe for the reporting of breaches — with fines for those who do not meet them.
It is, therefore, absolutely vital that businesses tackle this culture of secrecy because in future unprotected data loss will simply not be acceptable. In fact, it shouldn’t be acceptable now.
Having a clear data protection and information management programme in place is vital for businesses to avoid these kind of problems. It should be very clear who is responsible for reporting breaches and who they should be reported to.
Until businesses grasp how much a breach can cost them — both financially and in terms of reputation — this problem is not going to go away.
References: