Pre-GDPR UK Breach Reporting Was a Mess


In the year before the GDPR took effect, many UK firms struggled to identify breach incidents, were slow to report them to the regulator and left key details out of their reports, and many could still be non-compliant today, according to new data obtained by Redscan.

The managed security services provider obtained its findings from Freedom of Information (FOI) data relating to 181 anonymized incidents reported to the Information Commissioner’s Office (ICO) in the financial year ending April 2018.

On average it took firms 60 days to identify that they had been the victim of a breach, and then a further 21 days to report the incident. The longest any business took to identify a breach was 1,320 days, and the longest to report one was 142 days.

The vast majority (93%) also left out key details in their reporting, such as the impact of the incident and their recovery processes.

On that basis, Redscan estimated, fewer than a quarter of the reporting organizations would have been compliant had the GDPR been in force at the time. The new law requires notification to the supervisory authority within 72 hours of the organization becoming aware of a breach, where feasible, so the clock starts at discovery rather than at the intrusion itself: the 60-day average detection time would not count against the deadline, but a 21-day reporting lag would.

Although the figures in many ways highlight exactly why the new legislation was brought in, Redscan argued that the GDPR is unlikely to have changed behaviors.

“Anyone who thinks that businesses are better geared to detect and respond to breaches since May 2018 is kidding themselves,” the firm’s director of cybersecurity, Mark Nicholls, told Infosecurity. “Despite greater time pressures and larger fines, most organizations still lack the security expertise and resources they need.”

Before the GDPR, firms were asked only to estimate the impact of an incident and the time needed to recover from it; the reporting requirements are now more onerous still, and firms are struggling with them, he added.

“The information sought by the ICO goes way beyond the basics of recovery time and impact; businesses are now asked to provide estimates for the number of records affected and explain all measures being taken to mitigate possible adverse effects,” said Nicholls. “Businesses must also inform all individuals at risk, and to do that they need a full understanding of the scope of the breach.”

A report from DLA Piper in early February claimed there had been 59,000 breach reports to regulators since the GDPR was introduced, including 10,600 in the UK, although it gave no information on whether these were filed late or with incomplete details.
