Prior to the implementation of the General Data Protection Regulation (GDPR), UK businesses routinely had a sloppy breach response time, taking an average of three weeks to report a data breach to the UK’s data watchdog.
A Freedom of Information (FOI) request submitted to the Information Commissioner’s Office (ICO) by threat detection and response company Redscan revealed routine shortcomings in organisations’ responses to data breaches.
In the financial year ending April 2018, breach response time – the time companies took to report each incident to the ICO – averaged 21 days. The longest took 142 days.
Key details, such as the breach’s impact, were missing from 93% of companies’ reports.
The report also shows that many organisations remained unaware for long periods that a data breach had even occurred: identifying a breach took an average of 60 days, and the longest took 1,320 days.
Slow breach response time post-GDPR is costly
Under the UK’s previous data protection laws, reporting a breach was advisable but not mandatory. Those organisations in the FOI request will not face any punitive action for their reporting failures.
However, should they take longer than 72 hours to report a breach under GDPR, they could be liable for a maximum fine of up to €20m or 4% of annual turnover.
Organisations must also inform individuals “without undue delay” if the breach is “likely to result in a high risk of adversely affecting” their rights and freedoms, according to ICO guidelines.
According to Redscan, just 45 of the 182 businesses anonymously analysed in the FOI would meet the requirements of GDPR compliance.
“It’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR,” said Redscan’s director of cybersecurity Mark Nicholls.
“Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance.”
GDPR came into effect on the 25 May 2018, over a month after the conclusion of the FOI report’s scope.
Financial and legal firms best of a bad bunch
The picture was slightly better for financial services and legal firms, which took an average of 16 and 20 days respectively to report a breach to the ICO. Although these response times are shorter than those of general businesses, which took an average of 27 days, they are still some way off GDPR’s stipulated 72-hour time frame.
Commenting on this, Nicholls said:
“In general, firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”
Almost half of the breaches were reported to the ICO on a Thursday or Friday, possibly following public relations techniques to lessen media coverage.
“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses”, added Nicholls.
“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”