Prior to the implementation of GDPR, the vast majority of UK organisations waited several weeks before reporting data breaches to the ICO, and 91% of them failed to include important information such as the impact of the breach, the recovery process and dates, a Freedom of Information request has revealed.
A Freedom of Information request made by Redscan, a firm specialising in threat detection and response, has revealed that organisations did not follow mandated data protection rules such as reporting data breaches within timelines, assessing how a breach occurred, or identifying the impact of a breach properly.
Information provided by the Information Commissioner's Office (ICO) to Redscan stated that, on average, it took UK businesses up to three weeks to report breaches to the ICO after they had been discovered, and that in 91% of breach reports, organisations failed to mention important information such as the impact of the breach, the recovery process and dates.
In the financial year ending April 2018, UK businesses took 60 days on average to identify that they had indeed suffered a breach; the longest any organisation took to identify a breach was 1320 days. At the same time, UK businesses took an average of 21 days to report identified data breaches to the ICO, significantly delaying the investigation of and response to such breaches.
A little over 20% of UK organisations failed to report a breach incident date to the ICO and 25% of them failed to report a breach discovery date. Given how long they took to identify and report incidents, less than a quarter of them would be compliant with current GDPR requirements, which demand that organisations report a breach within 72 hours of discovery.
"The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises.
"Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit," noted Mark Nicholls, Redscan director of cybersecurity.
Financial services and legal firms took less time to report data breaches
According to Redscan, in comparison to businesses in other sectors, financial services and legal firms took less time to identify data breaches and report them to the ICO, which could be due to higher awareness of data protection laws and the highly sensitive nature of the data such firms process. While financial services firms took 16 days on average to report breaches, legal firms took 20 days to do so.
At the same time, compared to other businesses, which took 138 days on average to identify a breach, financial services firms took just 37 days and legal firms took 25 days, although even these timelines may still give attackers enough time to get away without suffering any consequences for their actions.
"In general, firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened," Nicholls said.
"Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses. Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter," he added.