Delayed breach notifications open door to regulatory fines

As more data breaches occur everyday and more data privacy regulations come into force, such as EU GDPR, organizations are beginning to make data governance and data protection more of a priority.

Delayed breach notifications and threat detection could intensify the regulatory challenges of data protection. In particular, 16 percent of businesses take between one and six months to detect a security threat and 5 percent only detect a threat when notified by external parties, according to the Blancco Technology Group.

While threat detection plays a vital role in helping organizations prevent data loss/theft, it’s equally important for organizations to notify regulatory authorities and customers of a data breach in a timely and efficient manner.

Despite the EU GDPR’s requirement to notify regulatory authorities of a data breach within 72 hours, 13 percent of the surveyed IT professionals admitted it takes between one month and one year to do so. In such instances, these organizations would be in violation of the EU GDPR’s breach notification requirement and could face regulatory fines of up to €20 million, or 4 percent of their global turnover, whichever is greater.

Key findings

• Information is beautiful, but data breaches are not. 28 percent of organizations have been hit by a data breach in the last 12 months.
• Although C-suite interest in data governance is increasing, visibility proves challenging. While it’s good news that 76 percent of C-suite and board-level executives review and assess regulatory compliance with state, federal and international data protection laws, 12 percent do so infrequently (between one and three years).
• ISO and NIST data protection guidelines are rising in importance. 88 percent of the surveyed IT professionals consider ISO and NIST guidelines to be either ‘very important’ or ‘important.’
• Regulatory fines have become too normalized. 29 percent of businesses have been cited by a regulatory/governing body for failure to comply with security regulations in the last 24 months.
• Regulatory fines are considered more damaging than customer lawsuits, negative publicity and reduced sales. 28 percent of organizations said regulatory fines are the most damaging consequence of being cited for a regulatory violation, followed by customer lawsuits (22 percent), negative publicity (20 percent) and reduced sales (8 percent).

“The findings of our study reiterate just how important it is for organizations to manage data properly and have a sound data governance program in place,” said Richard Stiennon, Chief Strategy Officer of Blancco Technology Group.

“This will require organizations to be fully aware of and regularly assess every type of user data that is stored, how long that data is kept, as well as when and where data needs to be removed when users end their service or when legal requirements demand it. As so many data breaches have shown, taking too long to detect a security threat and notify both regulatory authorities and customers could not only lead to regulatory fines, but could also put organizations at the center of customer lawsuits, diminished sales and negative publicity.”