Before the arrival of the GDPR and its mandatory 72-hour reporting requirement, how well did organisations do when it came to reporting data breaches? The answer is: abysmally. On average, it took organisations three weeks to report a breach, with one company taking almost five months (142 days).
This analysis comes from threat detection and response specialist Redscan. It issued the Information Commissioner's Office (ICO) with a Freedom of Information (FOI) request asking about breaches reported by April 2018, a month before the GDPR went live. In addition to the time taken to report a breach, 91% of organisations failed to provide all, or even a reasonable amount, of the data required.
According to Mark Nicholls, Redscan director of cybersecurity: “Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses.
“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”
What did the FOI analysis show?
There are some damning statistics from this analysis. They raise an interesting question. If companies were so unprepared for breach notification in April 2018, are they likely to be GDPR compliant today?
Redscan has pulled seven key facts from the FOI data. They are:
- On average, it took companies 60 days to identify that they had been the victim of a data breach, with one business taking as long as 1320 days
- After identifying a breach, it took businesses an average of 21 days to report it to the ICO, while one took as long as 142 days
- More than 9 out of 10 companies (93%) did not specify the impact of the breach, or did not know the impact at the time it was reported
- Fewer than a quarter (45 out of 182) of businesses would be compliant with current GDPR requirements, which demand that organisations report a breach within 72 hours of discovery
- Nearly half of data breaches were reported to the ICO on a Thursday or Friday (87 of 181)
- Saturday is the most common day for businesses to fall victim to a data breach – over a quarter of incidents were reported on a Saturday
- Financial and legal firms identified and reported breaches more promptly than general businesses
A damning indictment of IT security and compliance teams
There is nothing good in any of these numbers. They show that IT security struggles to know when the organisation has been breached. Even when they do know, they are often unable or unwilling to identify the seriousness of that breach.
Of more concern is that over 75% of those reporting breaches would have been in breach of GDPR requirements. Pre-GDPR, there was no mandatory reporting across all organisations. The question is whether, post-GDPR, organisations have done a better job of reporting.
Reporting breaches just before the weekend could also be seen as an attempt to buy time. Companies may well have been hoping that the ICO would not come back with requests for more data until the following week. This would, at least, give them more time to establish how serious the breach was.
The delays in reporting may well have other causes, such as avoiding bad press and damage to reputation. Awareness of breaches, and of the damage they cause to organisations, has certainly increased over the last few years. It would have been interesting to compare the reporting times with those for April 2017 and April 2016. These would have shown whether there was a trend in delaying notification and in the time taken to identify a breach.
Which industry sector did best?
The data that Redscan obtained covered three groups – general business, financial services and legal firms. It discovered that the latter two were far better at identifying and reporting breaches. This is likely the result of greater legislation and scrutiny in those industry sectors.
The analysis shows:
- When it came to identifying a breach, legal firms were top of the class. They took, on average, 25 days. By comparison, financial services took 37 days and general business a whopping 138 days.
- Financial services were quicker to notify the ICO taking 16 days. Legal took 20 days and general business 27 days.
- 21% didn’t report the date when the breach occurred.
- 25% didn’t report when they discovered the breach.
With the GDPR, all of these organisations have to improve what they do and how they do it. The timescales above might seem reasonable to some organisations, but they fall far short of the mandatory reporting requirements of the GDPR.
What are the GDPR reporting requirements?
The timescale for reporting a breach and the information that companies must provide are detailed in Article 33 of the GDPR. In brief, these are:
Once the data controller is aware of a breach, it has 72 hours to report it to the supervisory authority. Any organisation that fails to meet the deadline must provide the reasons for the delay when it does report the breach.
If the breach occurs at a data processor, the processor must notify the data controller without undue delay once it is aware of the breach.
The breach notification must describe the nature of the breach. This includes how many people are affected and the number of records that have been lost. It should also provide the contact details of the data protection officer, or of whoever can provide more information if required. Importantly, the notification also needs to detail the consequences of the breach and the measures taken to address and mitigate those consequences.
The details of the breach and all actions taken need to be fully documented and provided to the supervisory authority. This documentation is used to verify compliance with Article 33.
There is no ambiguity about the timeline. It is not a “best effort.” If you are going to hold details on European citizens then you need to be able to meet the requirements above.
Enterprise Times: What does this mean?
While this is about pre-GDPR breach reporting, it shows just how badly organisations managed a data breach. It raises the question: is this about complacency, laziness or a complete failure of organisations to grasp what is required of them?
Irrespective of the cause, organisations now have to deal with the mandatory reporting of breaches. The GDPR also provides the ICO with options to increase the penalties for organisations that delay reporting or deliberately file incomplete reports. Whether the ICO will do that is another matter. In the past it has caveated some of its fines based on the impact they would have on the organisation. Whether that is right or wrong is a different debate.
What this analysis will do is give privacy advocates more ammunition to pressure the ICO to be more aggressive in how it deals with data breaches.