While the technological details of securing data such as encryption, firewalls and ‘access control mechanisms’ might command the attention of data protection lawyers and industry specialists alike, many data breaches originate from simple human error. This is reflected in the case studies from the 2013 Annual Report of the Irish Data Protection Commissioner (“DPC”).
Set out below are three recurring themes in human-error-based breaches of data protection rules, which can be identified from the DPC’s 2013 Report and recent developments:
- No personal gain
Often, a breach of data protection rules through human error will not result in any gain for the individual responsible for the breach. In one instance, the DPC highlighted the case of a voluntary organisation working with young people where a volunteer accidentally lost photocopies of passports on the return journey from a trip abroad. Another case study concerned a doctor who sent a patient’s medical file to an incorrect e-mail address as the result of a spelling error. In a different case, another doctor inadvertently disclosed a wider range of medical records about a patient to an insurance company than the narrower set of records required for the insurer’s assessment of the patient’s knee injury.
- Junior staff mistakes
Human error is likely to occur where junior personnel have inadequate training, bad judgment or poor supervision. The DPC drew attention to a case where a data subject’s phone was stolen while the data subject was shopping at a major phone retailer. The two thieves involved subsequently convinced a trainee employee to give them the contact details of the owner so that they could ‘return’ the handset. They then appeared at the data subject’s isolated home looking for a reward for ‘finding’ the phone.
- High cost and global prevalence
A 2014 ‘Cost of Data Breach Study’ of 341 different organisations worldwide found that 30% of data breach incidents were caused by a negligent employee or contractor – i.e. human error – rather than criminal/malicious attacks or system glitches. Human error was also the leading cause of data breaches in the UK (40% of incidents in 40 organisations studied). Furthermore, the global ‘cost per compromised record’ for companies was on average $145, but where the breach was caused by lost or stolen devices this figure increased by $16.10.
How can the problem be tackled?
On the face of it, breaches from human error can be difficult to handle, because there is no personal gain or profit motive of the kind that might be found in an outsider’s attempt at hacking. However, there are simple strategies that companies can introduce to reduce these problems.
Staff at all levels should understand the general principles of data protection. In this regard, adequate and specific training should be provided to all employees who have any contact with personal data.
Once a data controller has decided which employees will have access to personal data, proper procedures should be put in place to supervise the release of any data to third parties. The DPC emphasises that these procedures must be enforced throughout each organisation.
One ‘go-to’ data protection officer
Even in smaller organisations, it is important to have a centralised point where data protection issues are dealt with. This is particularly important where junior staff are concerned - junior employees should know who to go to when confronted with a data protection issue.