Law firms take the longest to report data breaches
May 20, 2025
- Around four months is the average time it takes for a company to report a data breachbut certain industries take even longer,an analysis of ransomware attacks since 2018 finds.
- Companies often take months toreport data breaches because they don’t learn about them until much later and then conduct lengthy investigations before reporting them.
- The reporting gap means that people needto regularly change passwords and check financial activity since they won’t learntheir information has been stolenuntil months after an attack.
Don’t expect to learn about a data breach untilmonths later.
The average time companies or organizations take to report data breaches is around four months following an attack, but the waiting period can often stretch months longer depending on the complexity of the breach and how prepared companies are, according to an analysisby research firm Comparitech, which reviewed more than 2,600 ransomware attacks in the U.S. since 2018.
Ransomware attacks, when criminals demand payment from companies for information they stole,are among the most common causes of data breaches.
The attacks offer a gauge of how long it takes companies to report a crime that makesconsumers vulnerable to identity theft and exposes sensitive information, such ascontact details, credit cards and Social Security numbers.
Companies can take months to report a data breach because they often aren’t aware of the problem until much later and then need to conduct a lengthy investigation to determine the scope of the breach.
For example, Comparitech said Ventura Orthopedics didn’t startnotifying patients of a July 2020 data breach until Sept. 2023.
At first, the company said it believed the breach was limited to one patient but later investigations revealed it was bigger.
The average reporting time may be around four months, but companies in some industries drag their feet even longer.
Legal companies, such as law firms, took the longest to report data breaches, with 6.4 months aftera ransomware attack, followed by companies in education (6.3 months), technology (4.4 months), services (4.3 months) and finance (4.3 months) in the rest of the top five.
On the other hand, utility companies were the fastest to report, with an average of 3.3 months after a ransomware attack, followed by health care (3.4 months), construction (3.6 months), food and beverage (3.6 months) and manufacturing (3.7 months).
Comparitech said health care companies may be faster at reporting data breaches because of the Health Insurance Portability and Accountability Act (HIPAA), which requires that notifications should be given no later than 60 days after a breach.
Still, Comparitech said that health care companies will often send a notification of a breach before they have an exact number of how many people are affected.
State laws on reporting data breaches
Seventeen states have laws that require companies to report data breaches within a certain amount of time, including as low asone monthin Florida and Colorado and as high as around three monthsin Connecticut.
But Comparitech said these state laws haven’t significantly lowered reporting times: In the 17 states with rules on data breach reporting timelines, the average reporting time is close to 3.9 months.
For instance, Montana had the shortest average reporting time of 1.9 months, but the state doesn’t have a rule requiring reporting within a certain amount of time.
Sign up below for The Daily Consumer, our newsletter on the latest consumer news, including recalls, scams, lawsuits and more.
.newsletter-form {
display: flex;
max-width: 400px;
margin: 20px auto;
background: #f8f9fa;
padding: 10px;
border-radius: 8px;
box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
}
.newsletter-input {
flex: 1;
padding: 10px;
border: 1px solid #ccc;
border-radius: 5px 0 0 5px;
font-size: 16px;
outline: none;
}
.newsletter-input:focus {
border-color: #007bff;
}
.newsletter-button {
background: #2976D1;
color: white;
border: none;
padding: 10px 15px;
font-size: 16px;
border-radius: 0 5px 5px 0;
cursor: pointer;
transition: background 0.3s ease;
}
.newsletter-button:hover {
background: #0056b3;
}
#Data #breaches #long #reported