From Incident to Discovery to Breach Notification: Average Time Frames
This article by Mahmood Sher-Jan is the fourth in a series of articles published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program. Find earlier installments of this series here.
Measuring the efficacy of your privacy program is one way to ensure you have a baseline for improvement, as well as a means to test and prove that your continuous efforts to improve security and privacy at your organization are having their intended impacts. Establishing benchmarking metrics is also important to lend continuity to a process that can sometimes resemble a fire drill. In the midst of an unauthorized disclosure of protected, private data, your team will be moving fast and engaged in a flurry of activity in order to properly document and risk assess an incident to determine regulatory and contractual notification obligations, if any, in order to meet notification deadlines and prove compliance.
In this surge of activity, it can be helpful to break the incident management process into smaller phases to analyze. This brings us to our next benchmarking metric in this series: measuring the average timeframes for specific phases of the incident response lifecycle.
Occurred, discovered, notified
As we’ve seen in large data breaches recently covered by the media, the issue of timing can have wide impacts on your internal process, whether you are compliant with applicable regulations and public perception. It’s no longer just regulators asking when the incident occurred, when it was discovered, how long it took the organization to determine if it’s a data breach, and how long it took to notify. We’re increasingly seeing these stats reported in the media and repeated by the public.
Timelines to notify are also becoming increasingly specific in data breach notification regulations. One prominent example is the EU General Data Protection Regulation (GDPR) notification time frame: “without undue delay and, where feasible, not later than 72 hours.” This is a stark departure from some of the regulations we are accustomed to complying with in the U.S., where the patchwork of state and federal laws can vary from “in the most expeditious manner possible, without unreasonable delay” or more commonly within 30 to 45 days from breach discovery.
Analyzing the data: average timeframes in incident response
Before we begin looking at some of the timelines and breaking down the averages, it’s important to note that the metadata available for analysis within RADAR reflects best practices in how incident-response management has been streamlined within privacy programs. When using automation via the RADAR platform to document, risk assess, and heatmap privacy incidents, the data tends to be skewed towards shorter average timeframes, thus representing a more accelerated lifecycle than privacy programs using manual solutions and spreadsheets for incident response.
The timeframes we analyzed are anchored to three points in an incident lifecycle:
- Occurrence: when the incident happened
- Discovery: when the organization became aware of the incident
- Notification: average date initial notification(s) were provided
Consider this lifecycle as a funnel. Despite the presumption of data breach and requirement for multi-factor risk assessment, we know that not every incident is a data breach (in fact fewer than 1 in 10 incidents are data breaches).
Therefore, there will be more data available to analyze in the occurrence-to-discovery phase, while the discovery-to-notification phase will only include the incidents that represent a high risk of harm or otherwise rise to the level of a breach.
Below are the average timeframes (in days) for 18 months of incidents, January 2016 to June 2017:
- Occurrence to discovery: 13.21 days
- Discovery to notification: 29.1 days
One of the first things that will stick out to privacy professionals preparing to comply with the GDPR is the amount of time it takes to provide notice. Because the GDPR requires a notification time of 72 hours, this data suggests that this is no easy feat.
- Surprising stats on third-party vendor risk and breach likelihood
- Data protection is a team sport, benchmark data tells the story
- Beyond data breach: why every incident matters