I’ve recently commented a few times on delays to notification in the healthcare sector. Out-Law.com has a piece on data breach response times in the U.K. that provides some useful comparisons.
Businesses in the UK took an average of 21 days to report personal data breaches they had identified to the Information Commissioner’s Office (ICO) during the year up to 31 March 2018, according to information disclosed by the watchdog.
[…]
According to Redscan, there were 181 data breaches reported to the ICO by organisations across the general business, financial and legal sectors over the 12 month period. Across those cases, the average time taken to identify a breach was 60 days and it took businesses 21 days on average to then report those breaches to the ICO.
Of course, that was before GDPR went into effect, and GDPR requires notification with 72 hours. According to the Information Commissioner’s Office:
“If, within the 72 hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability in place – which is a requirement of the law. That’s why mandatory breach reporting is one of the most significant upgrades in the new law. It drives companies to invest in better data security and better data governance,” she said.
Imagine if we had that requirement here….
Read more on Out-Law.com.