Law Firms Amongst Quickest To Report Data Breaches Pre GDPR

A recent Freedom of Information (FoI) request has found that law firms were amongst the quickest organisations to react and report data breaches to the Information Commissioner’s Office (ICO).

However, in the period before the General Data Protection Regulation (GDPR) came into force, businesses took too long to report breaches to the UK’s official watchdog.

According to the FoI request, obtained by pen-testing firm Redscan, too many organisations continue to ignore the 72-hour limit to disclose a breach to the UK’s watchdog, the ICO. In fact, only 45 organisations would have been compliant under the current regulations.

Up to the end of the financial year of 5 April 2018, the ICO received 181 reports that a data breach had taken place. Law firms that reported breaches during this time took 20 days to contact the ICO, amongst the fastest of any business type and second only to financial services, where 16 days passed before the ICO was notified.

In comparison, the average business took three weeks (21 days) to report a data breach following a cyber attack. One firm was either unaware of the data breach that had occurred within its business or spent over three years fretting before eventually disclosing the breach after 1,320 days.

Whilst many were reluctant to admit the vulnerabilities to their digital presence, 93% of firms failed to disclose the severity of the breach to the ICO for fear of reputational damage.

Similarly, in a bid to avoid considerable media scandals, 44% (87) of the 181 reports were made at the end of the week, either on a Thursday or Friday, with a further 25% of reports being made on a Saturday. Additionally, with IT teams winding down on a Friday afternoon, cyber criminals preferred a Saturday to breach the majority of these organisations.

Mark Nicholls, Redscan director of cybersecurity, commented: “Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses.

“Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.

“Detecting and responding to breaches is now a 24/7 effort. Many organisations lack the technology and expertise they need, which is compounded by a global cybersecurity skills shortage. Resources are stretched even further at weekends, when many IT teams are off-duty – exactly why hackers chose to target businesses out of hours.

“It’s also interesting to note that nearly half of reports to the ICO were submitted on a Thursday or a Friday, good days to bury bad news. This might be overly cynical but I suspect that in many cases, breach disclosure on these days may have been a deliberate tactic to minimise negative publicity.

“The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises.

“Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit.

“In general, firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened.”

How has cyber security, monitoring and reporting improved since GDPR was brought into force? Are you aware of firms that continue to flout GDPR regulations?


