Nearly half of all data breach reports submitted to the Information Commissioner's Office (ICO) were made on a Thursday or Friday, in what looks like a "deliberate tactic" to bury bad news, a Freedom of Information (FOI) request reveals.
That's according to a new report by London-based cybersecurity company Redscan, which requested figures from the ICO on average data breach response times and found that, pre-GDPR, it typically took firms 21 days to report a breach.
Since GDPR came into force in May 2018, over 59,000 data breaches have been reported to European regulators, according to a survey by law firm DLA Piper. The regulation requires notifiable breaches to be reported within 72 hours.
(The Netherlands, Germany and the UK topped the table in the report with approximately 15,400, 12,600, and 10,600 reported breaches respectively.)
Mark Nicholls, Redscan Director of Cybersecurity commented: “Firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”
He added: “[But] it’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR… Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance.”
Redscan's analysis of the FOI data also revealed that more than nine out of 10 companies, when reporting a breach to the ICO, either did not specify its impact or did not know the impact at the time of reporting. The company also found that the longest time taken to report a breach to British data regulators was 142 days.
Law firms were the quickest to report, taking 16 days on average. Financial firms were not far behind, reporting within 20 days. Redscan found that breach detection was achieved within 60 days on average; however, it noted that one company that suffered a breach was unaware of it for more than three years.
Reporting Breaches: A Job for Thursdays and Fridays…
€50 million is the largest fine to date; it was handed down by the French data protection authority CNIL to Google in relation to how it processed its users' personal data.
In its research, Redscan identified a trend of threat actors targeting organisations' security systems at weekends; over a quarter of the breaches reported had occurred on a Saturday.
Nicholls added: "Detecting and responding to breaches is now a 24/7 effort. Many organisations lack the technology and expertise they need, which is compounded by a global cybersecurity skills shortage. Resources are stretched even further at weekends, when many IT teams are off-duty – exactly why hackers choose to target businesses out of hours."
This is a tactic that makes sense for attackers: companies will not have a full cyber security team in place at the weekend, so their ability to respond to incidents will be greatly diminished.
He concluded: "It's also interesting to note that nearly half of reports to the ICO were submitted on a Thursday or a Friday, good days to bury bad news. This might be overly cynical, but I suspect that in many cases breach disclosure on these days may have been a deliberate tactic to minimise negative publicity."
According to Ross McKean, a partner at DLA Piper specializing in cyber and data protection: “The GDPR completely changes the compliance risk for organizations which suffer a personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation.”