- Around four months is the average time it takes for a company to report a data breach but certain industries take even longer, an analysis of ransomware attacks since 2018 finds.
- Companies often take months to report data breaches because they don't learn about them until much later and then conduct lengthy investigations before reporting them.
- The reporting gap means that people need to regularly change passwords and check financial activity since they won't learn their information has been stolen until months after an attack.
Don't expect to learn about a data breach until months later.
The average time companies or organizations take to report data breaches is around four months following an attack, but the waiting period can often stretch months longer depending on the complexity of the breach and how prepared companies are, according to an analysis by research firm Comparitech, which reviewed more than 2,600 ransomware attacks in the U.S. since 2018.
Ransomware attacks, in which criminals demand payment from companies for information they stole, are among the most common causes of data breaches.
The attacks offer a gauge of how long it takes companies to report a crime that makes consumers vulnerable to identity theft and exposes sensitive information, such as contact details, credit cards and Social Security numbers.
Companies can take months to report a data breach because they often aren't aware of the problem until much later and then need to conduct a lengthy investigation to determine the scope of the breach.
For example, Comparitech said Ventura Orthopedics didn't start notifying patients of a July 2020 data breach until Sept. 2023.
At first, the company said it believed the breach was limited to one patient but later investigations revealed it was bigger.
The average reporting time may be around four months, but companies in some industries drag their feet even longer.
Legal companies, such as law firms, took the longest to report data breaches, at 6.4 months after a ransomware attack, followed by companies in education (6.3 months), technology (4.4 months), services (4.3 months) and finance (4.3 months) to round out the top five.
On the other hand, utility companies were the fastest to report, with an average of 3.3 months after a ransomware attack, followed by health care (3.4 months), construction (3.6 months), food and beverage (3.6 months) and manufacturing (3.7 months).
Comparitech said health care companies may be faster at reporting data breaches because of the Health Insurance Portability and Accountability Act (HIPAA), which requires that notifications be given no later than 60 days after a breach.
Still, Comparitech said that health care companies will often send a notification of a breach before they have an exact number of how many people are affected.
State laws on reporting data breaches
Seventeen states have laws that require companies to report data breaches within a certain amount of time, including as low as one month in Florida and Colorado and as high as around three months in Connecticut.
But Comparitech said these state laws haven't significantly lowered reporting times: In the 17 states with rules on data breach reporting timelines, the average reporting time is close to 3.9 months.
For instance, Montana had the shortest average reporting time of 1.9 months, but the state doesn't have a rule requiring reporting within a certain amount of time.