The UK's data protection authority revealed details of how businesses that voluntarily reported data breaches handled those incidents in its 2017/18 financial year in data provided to cybersecurity company Redscan under freedom of information laws.
According to Redscan, there were 181 data breaches reported to the ICO by organisations across the general business, financial and legal sectors over the 12 month period. Across those cases, the average time taken to identify a breach was 60 days and it took businesses 21 days on average to then report those breaches to the ICO.
Redscan also said that in more than 90% of the cases, businesses did not "specify the impact of the breach or did not know the impact at the time it was reported".
The data disclosed to Redscan pre-dates the application of the General Data Protection Regulation (GDPR). Prior to 25 May 2018, many businesses were under no legal obligation to report personal data breaches to data protection authorities or affected individuals, although it was considered best practice.
"Given that the data relates to breaches that would fall under the Data Protection Act 1998 it is perhaps unsurprising that the average reporting time was 21 days," said cyber risk expert Seaton Gordon of Pinsent Masons, the law firm behind Out-Law.com. "In the absence of a mandatory requirement to notify the ICO of a breach, it is arguably reasonable for an organisation to take adequate time to determine its position prior to notifying a ‘serious breach’ – this being the relevant threshold when the ICO expected to be notified."
"The GDPR doesn’t afford organisations the same luxury of time – expecting businesses to have assessed the scope of their data processing and their associated obligations, regulatory or contractual, such that a prompt notification is possible," he said.
Under the GDPR, organisations must now notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.
Since the GDPR took effect, a number of major data breaches have been announced, including incidents reported by airlines British Airways and Cathay Pacific and the Marriott hotel group, although, in EU terms, it remains unclear whether those incidents are being considered under the GDPR or earlier legislation.
Elizabeth Denham, information commissioner, said: "The ICO has seen a significant increase in the number of breaches reported to us since GDPR came in, and organisations seem – in the main – to have understood the need to have a process in place to self-report breaches. But it’s important to realise breach reporting is not a mere administrative responsibility. It requires organisations to take responsibility for what they do with personal data, and have processes and systems in place to demonstrate compliance."
"If, within the 72 hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability in place – which is a requirement of the law. That’s why mandatory breach reporting is one of the most significant upgrades in the new law. It drives companies to invest in better data security and better data governance," she said.