Dear Participant,
Has your organization provided notification of a data breach? If you sent notification about the loss or theft of personal information entrusted to you, were you satisfied with the steps your organization took to complete the incident response process? The first two parts of this survey focus on how well you believe your organization responded to a recent data breach. Part three asks how important you believe certain attributes are in preventing and responding to a data breach.
We appreciate your frank responses to all survey questions. Please be assured that we will not collect any personally identifiable information. If you have any questions, contact Ponemon Institute at research@ponemon.org or call us at 1.800.887.3118.
Thank you in advance for your participation.
Dr. Larry Ponemon, Chairman
Data breach victim is defined as the individual or household receiving notification that their personal information was either lost or stolen.
Personal information is information about a natural person, household or family. This information includes name, address, telephone numbers, e-mail address, Social Security number, other personal identification numbers, access codes, age, gender, income and tax information, shopping information, account activity and any other sensitive pieces of data about an individual.
Please respond to all questions based on your most recent incident requiring data breach notification.
Q1 What type of personal information was lost or stolen in this breach incident?

Q2 What was the root cause of this data breach incident?

Q3 In your opinion, what grade would you assign to your organization's overall performance in responding to the data breach incident?
Privacy Breach Index Questions

Prevention: Please answer each question listed below with a Yes, No or Unsure response. For each "Yes" response, please rate the importance of the control activity from very important to irrelevant.
Q4 Does your organization have policies describing how personal information should be protected from being lost or stolen?

Q5 Does your organization have a training and awareness program available to customer service employees who might receive questions about privacy and data protection practices?

Q6 Does your organization promptly change physical and electronic access rights of employees when they change jobs or are terminated?

Q7 Does your organization practice strong authentication measures for granting employees and contractors access to its information systems?

Q8 Are employees' mobile devices (e.g., laptops, PDAs, cell phones) encrypted?

Q9 Is the transmission of sensitive personal information encrypted?

Q10 Does your organization regularly monitor its information systems for unusual traffic flow or other activity?

Q11 Does your organization secure physical locations where personal information is stored?

Q12 Are operating systems, applications and databases where data is stored and transmitted secured against intrusion?

Q13 Do your employees have the ability to report data protection risks that might result in a data breach to appropriate supervisors or management personnel (upward communication)?

Q14 Does your organization verify that its privacy and security procedures can prevent a data breach?

Q15 Does your organization conduct periodic risk assessments to determine where personal information is vulnerable to a data breach?

Q16 Does your organization conduct periodic risk assessments of third parties, vendors or business partners that have access to its personal information?

Q17 Are these risk assessments used to improve the security of sensitive or confidential information in your organization?

Q18 Are data-bearing devices containing personal information disposed of in a secure manner?
Detection & Escalation: Please answer each question listed below with a Yes, No or Unsure response. For each "Yes" response, please rate the importance of the control activity from very important to irrelevant.

Q19 Is there a process in place to determine the potential harms experienced by victims as a result of the breach?

Q20 Is there a function or leader responsible for managing the data breach incident?

Q21 Has your organization established a cross-functional incident response team?

Q22 Does your organization have enabling technology (such as DLP) to monitor potential data breaches?

Q23 Are employees informed about how to report a data breach within the organization (upward communication)?

Q24 Is there a process for restricting the release of information about the data breach incident (e.g., on a need-to-know basis only)?

Q25 Are third parties, including contractors and business partners, instructed on how to inform your organization when they have a data breach involving your company's sensitive personal information?

Q26 Does your organization have a special team assigned to investigate a data breach incident?

Q27 Does your organization have internal specialized forensic tools and techniques in place to investigate a data breach?

Q28 Is your organization's privacy leader involved in the detection and escalation process?

Q29 As part of the assessment or forensic investigation, are conclusions developed, reviewed and approved by management?

Q30 Are there standard operating procedures or protocols established for communicating relevant and appropriate information to law enforcement in the event of data theft or other criminal activity involving the breach incident?
Notification: Please answer each question listed below with a Yes, No or Unsure response. For each "Yes" response, please rate the importance of the control activity from very important to irrelevant.

Q31 Does your organization have a communications plan for notifying all appropriate regulatory authorities and law enforcement?

Q32 Does your organization have a communications plan for notifying the media?

Q33 Does your organization have a communications plan for employees who are responsible for responding to data breach victims?

Q34 Does your organization have internal customer service and call center employees who respond to data breach victims' questions?

Q35 Is there an existing contact channel (letter, email, phone call) to communicate with the data breach victim?

Q36 Is there a process for verifying that contact with each data breach victim has been completed?

Q37 Is there a process for managing incomplete or failed notifications and contact returns?

Q38 Is there a repository of standardized and approved communications available for use in advance of the incident?

Q39 Is there a mechanism for receiving and tracking feedback about the quality and responsiveness of the organization to data breach victims?

Q40 Is there a process for addressing special circumstances (e.g., disgruntled victims who require escalated management attention)?

Q41 Is there a process for differentiating victims based on their personal information and accompanying exposure to ID theft or criminal activity?

Q42 Is there a process for ensuring that all communications are done according to a pre-determined timeline?

Q43 Is there a process for ensuring that communication about the breach is kept confidential until the company notifies victims and other stakeholders?

Q44 Does your organization provide a website or link on your website for data breach victims to learn more about the data breach incident and remedies available to them?

Q45 Does your organization provide free or subsidized identity protection services, including credit monitoring, to minimize harm to data breach victims?

Q46 Does your organization offer more than one year of free credit monitoring to data breach victims?

Q47 Is there some outreach effort to communicate the benefits of identity protection services to data breach victims?

Q48 Does your organization purchase specialized insurance to reimburse for losses related to a data breach event?

Q49 Does your organization fully document the incident response from initial discovery to disclosure?

Q50 Is there subsequent communication or disclosure to data breach victims when new information about the breach event becomes available?
Ex-post Response: Please answer each question listed below with a Yes, No or Unsure response. For each "Yes" response, please rate the importance of the control activity from very important to irrelevant.

Q51 Is there an assessment, audit or post-mortem procedure required after the incident is closed?

Q52 Is there a final report to senior management or the board of directors?

Q53 Is there a performance review of the incident response team conducted by management?

Q54 Is there a process to make recommendations for improvement?

Q55 Is there a training program for those who were responsible for the breach?

Q56 Does your organization attempt to calculate the cost of the data breach?

Q57 Is there a process to implement recommendations for privacy and data protection risk assessment programs?

Q58 Is there a process to determine responsibility for the data breach incident?

Q59 Is there a process to determine appropriate actions and enforcement for non-compliance with policies?
Organization Characteristics

What organizational level best describes your current position?

Total years of business experience?

Total years in privacy or security?

Total years in current position?

Check the primary person you or your supervisor reports to within your organization.

Check the country or U.S. region where your company's primary headquarters is located.

If in the United States, what state?

Educational and career background:

What is the approximate size of your IT department in terms of full-time equivalent (FTE) headcount?

What industry best describes your organization's industry concentration or focus?

What best describes your role in managing privacy and data protection risks within your organization? Check all that apply.

What is the worldwide headcount of your organization?