C-suite execs cocky about data breach law compliance: survey

Senior executives at companies with more than 500 employees in 11 countries appear to be somewhat casual in their approach to complying with the EU's General Data Protection Regulation (GDPR), which takes effect on 25 May 2018.

Security firm Trend Micro reached this finding after conducting 1132 online interviews with IT decision-makers in the US, the UK, France, Italy, Spain, the Netherlands, Germany, Poland, Sweden, Austria and Switzerland.

A similar survey, conducted at Trend Micro's CLOUDSEC conference in August, covered 292 Australian C-suite executives, who were asked about Australia's mandatory data breach notification laws that take effect on 22 February 2018.

The company said it had seen the following broad trends:

  • senior executives shun GDPR responsibility in 57% of businesses;
  • about 42% of businesses don’t know email marketing databases contain personally identifiable information; and
  • about 22% of businesses claim a fine "wouldn’t bother them" if they were found in violation of the GDPR requirements.

While more than half (56%) of the Australians surveyed agreed they would be affected by the mandatory data breach laws, and either had a compliance process in place or were working on one, 16% did not believe they would be affected by the scheme.

Additionally, 28% admitted they had only an informal process, or no process at all, for risk management and cloud security within their organisation.

Indi Siriniwasa, managing director for Enterprise and Government at Trend Micro ANZ, said it was concerning that so many Australian organisations were unprepared or believed they would not be affected.

“It has never been more important for organisations to make cyber security a key priority, and protect the interests of their customers against cyber attacks. Not only is this a security and prevention issue, but it can also have a disastrous impact on both brand and reputation,” he said.

The GDPR provides for fines of up to €20 million or 4% of annual global turnover, whichever is greater, for failing to protect personal data. Australia's scheme applies to organisations with an annual turnover of more than A$3 million, which can be fined for non-compliance.

Outside Australia, Trend Micro found that those surveyed had a strong awareness of the principles behind the GDPR, with 95% knowing they needed to comply and 85% having reviewed the requirements. Also, 79% of businesses were confident their data was as secure as it could be.

But when it came to defining personally identifiable information (PII), things were not so clear-cut. Sixty-four percent were unaware that a customer's date of birth was PII.

Additionally, 42% said they would not classify email marketing databases as PII, 32% did not consider physical addresses to fall into this category, and 21% did not think a customer's email address was in this class.

Trend Micro pointed out that such data is sufficient for identity theft, and that any business failing to protect it properly could be penalised.

Another area of concern identified in the survey was that businesses were unsure who would be held accountable for the loss of EU data by a US service provider. Only 14% were aware that both parties were equally responsible; 51% believed the EU data owner would be fined, while 24% were sure the US service provider was at fault.

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
