Data breach reports delayed as organizations struggle to achieve GDPR compliance

Businesses routinely delayed data breach disclosure and failed to provide important details to the ICO in the year prior to the GDPR’s enactment.


On average, businesses waited three weeks after discovery to report a breach to the ICO, while the worst offending organization waited 142 days. The vast majority (91%) of reports to the ICO failed to include important information such as the impact of the breach, the recovery process and dates, according to Redscan’s analysis of new Freedom of Information (FOI) request data obtained from the Information Commissioner’s Office (ICO).

The FOI data also revealed that hackers disproportionately targeted businesses at the weekend, while many reports were issued to the ICO on a Thursday or Friday – possibly in an attempt to minimise potential media coverage.

Redscan analysed 182 data breach reports triaged by the ICO in the financial year ending April 2018 (relating to ‘general businesses’ as well as financial services and legal firms).

Key findings

  • On average, it took companies 60 days to identify they’d been a victim of a data breach, with one business taking as long as 1320 days
  • After identifying a breach, it took businesses an average of 21 days to report it to the ICO, while one took as long as 142 days
  • More than 9 out of 10 companies (93%) did not specify the impact of the breach, or did not know the impact at the time it was reported
  • Less than a quarter (45 out of 182) of businesses would be compliant with current GDPR requirements, which demand organizations report a breach within 72 hours of discovery
  • Nearly half of data breaches were reported to the ICO on a Thursday or Friday (87 of 181)
  • Saturday is the most common day for businesses to fall victim to a data breach – over a quarter of incidents were reported on a Saturday
  • Financial and legal firms identified and reported breaches more promptly than general businesses.

“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses”, said Mark Nicholls, Redscan director of cybersecurity.

“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”
