Businesses waited, on average, three weeks after detecting a data leak to report it to the Information Commissioner’s Office (ICO) in the year prior to the GDPR’s enactment; many waited until the end of the week to admit fault — possibly to minimise press coverage.
That’s according to data from a Freedom of Information (FOI) request by Redscan, the cyber security provider, who then analysed 182 data breach reports triaged by the ICO in the financial year ending April 2018
Redscan’s analysis found that it took organisations 60 days to even realise a data breach had occurred — the worst offender took 1,320 days. Furthermore, 93% of companies did not specify the impact of the breach, or did not know the impact at the time it was reported.
The GDPR and Brexit
“The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises,” said Mark Nicholls, director of cyber security at Redscan. “Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.”
Financial services and legal services tended to be quicker, averaging 16 and 20 days, respectively
“The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened,” added Nicholls. “Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”