Dark Reading has posted an interview with Ponemon regarding the latest Breach notification study. The study claims Costs Of Data Breaches Much Higher In U.S. Than In Other Countries

“A big reason for [the high cost of churn in the U.S.] is that U.S. companies are required to notify customers of their breaches, even if they only suspect that the customers’ records might be affected,” Ponemon says. “That sort of notification doesn’t happen anywhere else in the world.”

This is not accurate. There are at least twenty four countries in the world with breach notification requirements that involve suspected loss, as I explain in my presentations on breaches.

The UK, for example, requires public entities to disclose a breach after media is lost or missing. This is the reason you will find reports about them in the news. Commercial entities are less regulated, but it is not accurate to say notification doesn’t happen anywhere else in the world.

The Money Stop gives a good example from last month:

The HMRC office that has been involved in the latest breach is the same one that lost the details of 25 million people on discs back in 2007, raising a major alert over identity theft and security.

Why would they disclose this breach or the one three years ago when they only suspect records may be affected? They are required to do so by the Information Commissioner’s Office (ICO) under the Data Protection Act (DPA) of 1998. The Department of Work and Pensions, DVLA and other government bodies have also reported breaches, as documented in the list of DPA violations.

Ponemon’s study gives a few numbers for impact:

Notification accounts for $500,000 of the $6.75 million that the average U.S. company spends on a breach, according to the study; the average French company spends only $120,000 on notification.

I question whether they have found the right cause or they rely too much on a correlation.