Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Data Breach Notification Laws Influence Storage Location Decisions

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches

Many companies that look to process and store sensitive data -- including intellectual property -- abroad as a cost-cutting measure are seeking countries with minimal data breach notification requirements, according to a survey of 1,000 senior IT decision makers by market research firm Vanson Bourne. The survey was sponsored by Intel's McAfee and Science Applications International Corporation (SAIC).

The economic downturn has been driving companies to process and store more types of sensitive information abroad, according to the survey. Today, about 50% of organizations said they would do this as a cost-cutting measure. Meanwhile, about 33% of organizations said they want to store more sensitive information outside their home borders, which is an increase from 20% in 2008.

Interestingly, about 80% of organizations said that their choice of data storage locale is influenced in part by a country's data breach laws. About 70% of organizations that do store information abroad select countries with more lenient notification rules.

Geographically speaking, which countries are the safest for storing data? "While attacks are hard to trace back to a specific country, China, Russia, Pakistan are perceived to be the least safe for data storage," according to a related report from McAfee and SAIC. Those rankings remain unchanged from 2008, as do the countries perceived to be the safest places for storing data: the United Kingdom, Germany, and the United States.

When it comes to companies that have experienced data breaches, 30% of organizations said they report all breaches, 60% pick and choose, and 10% admit that they only report a data breach when legally obligated to do so. The average cost of a breach, according to the report, exceeds $1.2 million, which is up significantly from 2008, when it was $700,000.

After a breach, many organizations fail to establish who was involved and what exactly was stolen. According to the report, "only a quarter of organizations conduct forensic analysis of a breach or loss, and only half take steps to remediate and protect systems for the future after a breach or attempted breach." Half of organizations said they've stopped investigations, at least once, because of the projected cost.

According to the report, the biggest threat to intellectual property remains insiders who leak information, whether unintentionally or otherwise. "Employees' adherence -- or lack thereof -- to security procedures is considered to be the greatest challenge to organizations' information security," said the report. "This ranked higher than other challenges, including multiple systems within the organization or the insecurity of supply chain partner systems."