ICO FOI reveals data breach detection and reporting woes, pre-GDPR

Businesses waited, on average, three weeks after detecting a data leak to report it to the Information Commissioner’s Office (ICO) in the year prior to the GDPR’s enactment; many waited until the end of the week to admit fault — possibly to minimise press coverage.

That’s according to data from a Freedom of Information (FOI) request by Redscan, the cyber security provider, who then analysed 182 data breach reports triaged by the ICO in the financial year ending April 2018

Redscan’s analysis found that it took organisations 60 days to even realise a data breach had occurred — the worst offender took 1,320 days. Furthermore, 93% of companies did not specify the impact of the breach, or did not know the impact at the time it was reported.

The GDPR and Brexit

James Castro-Edwards, Partner and Head of Data Protection at Wedlake Bell, discusses the three possible outcomes for GDPR post-Brexit, dependent on whether we get a deal or not

“The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises,” said Mark Nicholls, director of cyber security at Redscan. “Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.”

Financial services and legal services tended to be quicker, averaging 16 and 20 days, respectively

“The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened,” added Nicholls. “Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”

Google’s GDPR fine, why was it so low?

Under GDPR, companies can be fined up to four per cent of turnover for regulatory violations. In the case of Google, that would be roughly $3.6 billion. Yet, Google’s GDPR fine announced on January 21st was barely one-hundredth of that level, why so low?

Avatar photo

Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders; helping them manage business critical issues both for today and in the future

Related Topics

Data Breach
FOI
GDPR
ICO