Data breaches: Why humans are our weakest link
Ever felt the sense of impending doom after you realise you’ve left your laptop in the pub? Or, possibly worse, on the 16.43 from Waterloo?
Have you suffered the embarrassment of emailing an attachment to the wrong person? Have you ever absent-mindedly clicked on a link in a fake email?
If you have, you’re not alone. Welcome to a not even remotely exclusive club.
In our recent survey of DPN subscribers, 69% of respondents said they’d suffered a personal data breach in the past 12 months. Of these, a whopping 90% said those breaches were caused by human error.
We asked what types of mistake people had made which led to a data breach. The following clear themes emerged:
- Email containing personal data sent to the wrong recipients
- Incorrectly spelling email recipients and disclosing personal data in error to the wrong person
- Forwarding attachments with personal data in error
- Following links in a phishing email
- Sensitive mail going to the wrong postal address (yes, a properly old-fashioned dead wood data breach!)
It’s clear our email activities are the DPO’s biggest headache, and the area where people are most likely to act in haste and make a mistake.
Given the torrent of emails most of us handle on a weekly basis, maybe it’s not much of a surprise.
Is an email error a data breach?
An interesting question has been raised recently about whether incorrectly disclosing personal data via email is actually a personal data breach or not.
In a recent ruling, the Belgian Data Protection Authority concluded that mistakenly sending an email (which in the case in point meant personal data was disclosed to the wrong recipient) did NOT represent a data breach.
The Belgian DPA said a personal data breach could only occur as a result of a breach of security controls. In this case, security controls had not been breached.
Happy days! Do we no longer need to log (or in some cases notify) all those email errors?
Hmmm, I’m not so sure.
This got me thinking, why is human error cited in every breach report as one of the major causes of personal data breaches?
Data breaches: What does the ICO say?
The UK Information Commissioner’s Office has detailed data breach guidance in which it states:
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
The ICO goes on to provide some examples:
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
Clearly the UK Regulator does consider ‘sending personal data to an incorrect recipient’ as a personal data breach. After all, data has been provided to someone who shouldn’t have received it. Surely how it happened is, to a certain extent, academic?
I’m reminded of an embarrassing case from a couple of years ago, where a sexual health clinic mistakenly divulged sensitive personal details when recipients were cc’d rather than blind copied.
The clinic received some very unwelcome publicity and was fined by the ICO (albeit a small amount as they were ‘an unincorporated associate rather than a full, money-making charity’).
Data breaches: What does the EDPB say?
Earlier this year the European Data Protection Board helpfully published data breach notification examples. This includes a number of different scenarios including:
- Stolen material storing non-encrypted personal data
- Stolen paper files with sensitive data
- Snail mail mistake
- Personal data sent by mail by mistake
I’m therefore minded not to dwell on the Belgian DPA ruling, and will continue to consider disclosing personal data via email in error as a data breach (which may or may not be notifiable depending on the level of risk posed).
Although I’m not a lawyer, I do wonder if the Belgian DPA’s decision is perverse. Perhaps other cases passing through the same courts may end up revising the Belgian finding, and it’s certainly one to keep an eye on.
What keeps you awake at night?
In our DPN survey we also asked, ‘when thinking about data breaches, what worries you the most?’. The following common worries were most apparent:
- Reputational damage
- Staff not reporting mistakes quickly enough
- Staff not reporting their mistakes at all
- Legal action by affected data subjects
- Customer data being used for fraud / other harm caused to data subjects
- Timescale challenges
- Not being aware a serious incident has occurred
Clearly staff not reporting mistakes is a worry. Unfortunately, humans make errors and are tempted to cover them up. As my mother taught me as a child, this seldom ends well!
Quite often it’s not the mistakes that become the biggest problem, it’s attempts to conceal them. Politicians of all stripes, I’m looking at you!
To this point I favour stressing, in any awareness campaigns and in data incident policies: ‘We know people make mistakes, but you must report them.’ (It might help.)
A culture that treats mistakes as learning opportunities strikes me as more likely to pick up on errors.
How do we combat human error?
We’ve all rushed to meet a deadline (or finish stuff before we go on leave) and we’ve all had moments where our concentration lapses – we can’t prevent this.
The message just needs to be repeated over and over again: we need to take care.
Regular data protection training is important, but so is reinforcing this message with ongoing awareness efforts – intranet alerts, eye-catching posters in lifts, including data protection awareness in appraisals… whatever it takes.
I will also point out that the Regulators are humans too; they understand mistakes happen no matter how much you try to avoid them. What they want to see is clear evidence that you’ve made a concerted effort to make people aware and reduce the likelihood.
The ICO’s investigation into a data breach at Heathrow Airport in 2017 found the Airport had failed not only ‘to ensure that the personal data held on its network was properly secured’ but that it had also failed ‘to provide any, or any sufficient training in relation to data protection and information security.’
It is highly likely the fine would have been reduced if Heathrow Airport could have demonstrated that sufficient training had been conducted.
We have to accept that human error can’t be eradicated (unless I, Robot becomes reality), but there’s a whole raft of strategies we can use to mitigate the risk.
And showing we’ve tried to do the right thing in the first place is half the battle, as a cocktail of human error AND complacency makes for the worst sort of mistake.