If your data is affected in a cybersecurity breach of a government entity, you probably won’t find out for four months. Comparitech has analyzed data on breaches caused by ransomware attacks between 2018 and 2023 to identify trends in reporting times.
Government doesn’t have the longest average reporting time, though — that honor goes to the legal sector, at 6.4 months. Businesses overall averaged about the same as government, at 4.2 months. The health-care sector has the lowest average report time, at 3.7 months, while education was one of the highest at 4.8 months.
The Comparitech team also found that states with specified reporting time frames typically have shorter response times, at 3.9 months, than those without, at 4.2 months. And the longest-known delay in reporting was 38 months, from a company in the health-care sector. Ventura Orthopedics suffered a ransomware attack in July 2020, but didn’t begin notifying patients whose data was affected until September 2023. They had initially believed that only one patient’s data had been compromised, until further investigations revealed that wasn’t the case.
