On Average, Announcing a Data Breach Takes 287 Days

October 6, 2022


According to IBM, it takes an average of 287 days for security teams to identify and contain a data breach. The timeline for notifying potentially affected customers can be even longer.

On August 25, 2022, Georgia-based CorrectHealth (CH) announced that it had experienced a data security incident. The breach affected 54,066 individuals. CH stated that on November 10, 2021, it discovered that an unauthorized user potentially had access to its employee email accounts. The company promptly engaged a specialized third-party forensic firm to determine the nature and scope of the incident. The investigation concluded on January 28, 2022. CH then engaged a third party to analyze the specific files that were compromised and to identify the individuals potentially impacted. This review lasted from March to July 2022.

It still took almost another month before CH announced the breach. From detection on November 10, 2021, to the announcement on August 25, 2022, the notification timeline was 289 days, two days more than the IBM average. This shows how long it takes organizations to figure out what happened and to report it. So if you experienced a data breach on January 1st of this year, you may not have fully identified and contained it until October 14th.
