ICO data raises doubts over UK firms’ ability to manage breaches

UK businesses routinely delayed data breach disclosure to the Information Commissioner’s Office (ICO) in the year ahead of the full implementation of the EU’s General Data Protection Regulation (GDPR) on 25 May 2018.

This was the main finding of a freedom of information (FoI) request to the Information Commissioner’s Office about 182 data breach reports triaged by the ICO in the financial year to April 2018 by threat detection and response firm Redscan.

Analysis of the data shows that, on average, it took companies 60 days (two months) to identify they’d been a victim of a data breach, with one business taking as long as 1,320 days (44 months).

Businesses waited three weeks on average after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days. The data showed that less than a quarter of businesses would be compliant with current GDPR requirements, which demand that organisations report a breach within 72 hours of discovery.

However, the data revealed that financial services and legal firms were far better at identifying and reporting breaches than general businesses, which is likely due to increased regulatory awareness and the highly sensitive nature of data processed in these industries.

On average, financial services firms took 37 days to identify a breach, legal firms took 25 days, while companies classified as “general business” took 138 days. Financial services (16 days) and legal firms (20 days) were also quicker to disclose breaches to the ICO than general businesses (27 days).

“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses,” said Mark Nicholls, director of cyber security at Redscan. “Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now reporting requirements are stricter.”

The data showed the 91% of reports to the ICO failed to include important information such as the impact of the breach, recovery process and dates. More than nine out of 10 companies (93%) did not specify the impact of the breach, or did not know the impact at the time it was reported, while 21% did not report a breach incident date to the ICO, suggesting they either lacked awareness of or knowingly withheld this important information. A further 25% also failed to report a breach discovery date.

“The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises,” said Nicholls.

“Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.”

“In general, firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”