Only one in ten UK businesses would be able to comply with the proposed European Commission ruling on reporting data losses within 24 hours.
As detailed by SC Magazine in January, businesses across the European Union (EU) will have to report "major" data breaches within 24 hours, according to the new Data Protection Directive for the EU.
However, in a survey of 200 IT decision-makers at UK businesses with more than 1,000 employees by LogRhythm, 87 per cent of respondents said they would be unable to identify individuals affected by a breach within that time frame.
Furthermore, 13 per cent claimed it would take them between one week and a month to pinpoint which customer data was affected, while six per cent did not believe they would ever be able to accurately obtain this information.
Ross Brewer, vice-president and managing director for international markets at LogRhythm, said: “The issuing of blanket breach notifications will inevitably have negative repercussions for the affected organisation.
“For example, the severity of an incident may be overstated, leading to a loss of confidence among potential and existing customers. In addition, the cost of informing an individual that their data may have been stolen is just as high as telling them it definitely has, and is often an unnecessary expense.”
When asked about their ability to produce accurate breach notifications, 72 per cent of respondents said the implementation of a 24-hour notice period would put their organisation at risk of "over-disclosure", where they are forced to reveal more information than is strictly necessary.
Also, just under half of the respondents (47 per cent) admitted that data is only analysed after a security event has occurred, rather than on a proactive basis; 28 per cent said it is doubtful that breaches can be prevented; and 18 per cent believed that breaches are now inevitable regardless of the security measures in place.