Survey results confirm increasing data-breach threat

August 3, 2015

Minimising the risk of compliance violations during periods of sustained growth is a key responsibility of many CLOs. And, during times of rapid change as organisations continue to grow and acquire or merge with other businesses, the CLO must quickly adapt and effectively communicate legal expertise and guidance to the company.

To gain a better understanding of the issues CLOs are dealing with, the ACC recently contacted 9489 CLOs or general counsels (GCs), receiving responses from 1289 CLOs in 46 countries.

While ethics and compliance remain at the top of the list of CLO concerns, more than a quarter of survey respondents said they were prioritising data breaches and the protection of corporate data.

The survey revealed that 27 percent of respondents’ organisations experienced data breaches in the past two years. Department size and revenue seem to play a large role in the likelihood of data breaches, with over 50 percent of respondents working for companies with more than US$4 billion in revenue reporting data breaches.

More CLOs in Canada reported that breaches had occurred (41 percent) compared with those in the Asia Pacific region (14 percent) and the United States (26 percent).

Although CLOs from the telecommunications, transportation, professional-services and educational-services industries all reported that their companies had experienced data breaches at higher than average rates, the healthcare sector had more data breaches than any other industry. According to the survey, 49 percent of healthcare industry CLOs stated that their companies had experienced breaches over the past two years.

The implications of suffering a data breach are expensive, both in terms of direct costs – the average data breach costs US$3.5 million, according to information-services group Experian – and indirect costs such as customer turnover. When commenting on budget and resource issues, surveyed CLOs expressed their concerns that breaches place a burden on their legal departments from a staffing and financial perspective.

According to Ponemon Institute’s 2015 Cost of Data Breach Study, the healthcare industry has the highest per capita data breach cost by industry. Meanwhile, according to Experian, breaches are expected to increase in the sector as technological advances are made in managing health, monitoring care and storing employee health records.

Considering the introduction of strict regulations to safeguard protected health information over the past two decades, the survey stated that CLOs in the healthcare industry face a substantial challenge as health systems continue to expand the implementation of electronic health records.

‘Thwarting and responding to breaches of corporate data is increasingly a reality for today’s GCs and CLOs,’ said ACC president and CEO Veta T Richardson. ‘As attempted data breaches become more sophisticated, the CLO will play a growing role in cybersecurity strategy, risk assessment and prevention.’

According to The Wall Street Journal, the number of cyber ‘incidents’ that were reported to the United States Department of Homeland Security more than doubled between 2009 and 2013, with 228,700 cyber incidents reported in 2013. Between the rise in online business transactions and big-data tracking, the ACC’s survey findings emphasised that organisations must ensure the secure and legal collection and storage of client and customer financial, demographic and transactional data.

However, according to the results of the survey, just one in three companies has data breach protection insurance. And, despite aggressive detection and awareness, the cost per stolen record rose by nine percent over the past year, according to Ponemon Institute.

Other interesting findings from the survey included the fact that compliance was the top practice area for hiring over the past year, especially for new positions created in Latin America (33 percent) and the Asia Pacific region (30 percent).

In the past two years, companies with fewer employees experienced fewer data breaches than large organisations. About 22 percent of CLOs at companies with fewer than ten employees reported experiencing a data breach, compared with 64 percent of CLOs at companies with 100 to 250 employees.

CLOs in Canada reported the highest percentage of data breaches (41 percent) compared with other regions around the world. Approximately 14 percent of CLOs in Asia Pacific reported data breaches, compared with 26 percent in the United States.

CLOs at companies with higher annual revenues experienced significantly more data breaches in the past two years. Sixteen percent of CLOs at companies with annual revenues below US$100 million reported data breaches, whereas more than half of the CLOs at companies with more than US$4 billion in revenue reported data breaches.

Data breaches were more likely to be reported by CLOs in the healthcare industry than in any other industry. The prevention of data breaches is a top concern for CLOs in the healthcare industry because of the strong emphasis on healthcare data security reinforced by the Health Insurance Portability and Accountability Act Privacy Rule and the significant expansion of electronic health record implementation over the past decade.


Extract reprinted with permission from the Association of Corporate Counsel 2015 All Rights Reserved

Hear from the specialists

A number of the recent data breaches involving United States retailers have involved the same infiltration tactics by hackers: the exploitation of third-party contractors. On 25 June, FireEye’s Washington DC-based manager of threat intelligence Jen Weedon and Tesco’s London-based senior ethics and compliance counsel James Walker joined Compliance Insider®’s managing editor Stephen Mulrenan to discuss cybersecurity and supply-chain due diligence, and provide compliance officers with suggestions on remediation steps and prevention controls.
