A freedom of information (FOI) request to the Information Commissioner's Office (ICO) has revealed that businesses are waiting too long to report breaches and are failing to include vital information in their reports, says security firm Redscan.
The pan-European General Data Protection Regulation (GDRP) came into force last year, in the UK as an update to the Data Protection Act, and brings with it considerably heightened financial penalties for companies found to have maliciously or incompetently leaked or abused users' personally identifiable information (PII) and other private data. It also introduces a new deadline for breach notification: Where a breach has been discovered by a company, it has a duty to inform the Information Commissioner's Office (ICO) within 72 hours 'where feasible' and further inform any individuals with risk to their rights or freedoms 'without undue delay'.
According to documentation obtained by security firm Redscan via a freedom of information (FOI) request to ICO, however, companies have been lax in preparing for these new deadlines. Analysing 182 data breaches reported to ICO in the 2017-2018 financial year - which means they were made under the earlier Data Protection Act 1998, and thus not judged under the harsher terms of the GDPR - the company found that businesses waited an average of three weeks between discovering a breach and reporting it, with the worst having waited a full 142 days before making the report.
Even once the reports were made, Redscan claims, the overwhelming majority - 91 percent - failed to include key information including the expected impact of the breach, the company's recovery process, and dates relating to the breach itself and the discovery, making it harder for ICO to investigate the issue.
'Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses,' claims Mark Nicholls, Redscan's director of cybersecurity. 'Most companies don't have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.
'The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises. Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.'
Redscan's analysis has also identified that the bulk of breaches occur on the weekend, when companies are less likely to have staff on-hand, while reports are typically made on a Thursday or Friday - described by Nicholls as 'good days to buy bad news'.
'It’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR. Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance.'
The ICO has not commented on Redscan's analysis.
September 16 2019 | 14:00