Most data breach reports are late and contain an inadequate level of detail, according to new statistics released by the Information Commissioner’s Office.
Under the General Data Protection Regulation, which came into effect in May 2018, businesses must report a breach to their local data protection regulator within 72 hours of detecting it. But the new data, covering the financial year ending April 2018, reveals that it took businesses an average of 21 days to submit their reports to the ICO.
The data, unearthed by security vendor Redscan, also shows that nine out of 10 businesses failed to specify the impact of the breach, or did not understand the scope of the incident at the time of reporting.
The average business takes 60 days to discover a breach, but financial services firms and legal firms did so more promptly, taking 37 and 25 days to identify incidents respectively.
“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses”, said Mark Nicholls, Redscan director of cybersecurity.
“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”
The data raises questions about British businesses’ ability to comply with GDPR, which last year introduced fines of up to four per cent of annual turnover.
Nicholls added: “The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises.
“Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.”
Even the most responsive sectors still took significantly longer to disclose breaches than the new legislation allows: financial services firms took 16 days, while legal firms took 20.
Nicholls said: “The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”