134 days. According to a recent report issued by the Baker Hostetler Privacy and Data Protection Team, that’s how long detection and notification take in the average data breach incident. Even given the ever-more-sophisticated techniques being employed by today’s hackers and cybercriminals, companies and organizations need to find ways to react more quickly when confidential information is compromised.
A more rapid response ensures that vulnerabilities are addressed as quickly as possible, that forensic evidence is preserved, and that the company or organization can share an adequate response narrative with affected stakeholders in the timely manner expected. Simply put, the faster and more complete the response, the smaller the liabilities in terms of litigation, reputation, and lost confidence in the brand.
Perhaps the most troubling aspect of this large detection and notification window is that it forces companies and organizations to accelerate their public statements about the breach. “We were slow on the front end, so we better make up time on the back end.” This is the foremost reason that companies and organizations commit the mortal sin of issuing a public statement, only to revise it in negative terms at a later date. “Turns out it wasn’t 100,000 records that were compromised; it was 1,000,000.”
When that happens, the company or organization looks like it doesn’t have the situation under control – and inflames the ire of shareholders, customers, and other stakeholders who understand that data breaches happen but expect them to be resolved responsibly and with minimal damage and inconvenience to affected parties.
Another troubling finding from the Baker Hostetler team compounds the challenge. The report also states that an overwhelming 36 percent of data breaches can be attributed to human error on the part of the company or organization charged with keeping personally identifiable information (PII) safe. Add that level of culpability to a slow, cumbersome public response and the stage is set for litigation and trust deficits that can have a significant impact on the bottom line.
Jason Maloni is a Senior Vice President at LEVICK and Chair of the firm’s Litigation and Data Privacy Practices.