The human factors of notifiable DP breaches
Human factors are not studied in any great depth – yet over half of notifiable data protection breaches in the last two years have been the result of human error.
Human error represents the lion's share of data protection breaches notified to the UK Information Commissioner’s Office (ICO) in the last two years, yet there is little ongoing research into the human factors involved.
47% of notifications – a figure which excludes both cyber attacks and loss/theft incidents – were directly attributable to human error, such as putting information in the post to the incorrect recipient or failing to redact information. Although monitored by the ICO, these kinds of mistakes do not grab the headlines the way cyber events do – partly because the potential damage is normally limited to a single record – but the impact can still be devastating.
In 2015, a seven-year-old girl was murdered by her father after her “safe house” address was accidentally disclosed. In 2017, Basildon Borough Council received a £150,000 fine after failing to redact sensitive information from a statement received in support of a planning application.
Ponemon Institute published a study in 2012, sponsored by Trend Micro, but this focused on the human factors behind cyber breaches – without considering the issues around non-cyber events.
Breaking down the Human Factors behind data breaches
Almost three quarters (74%) of the human factors are down to the failure to redact information or simply sending the right information to the wrong recipients. In January 2018, Leicester City Council sent personal information relating to potentially thousands of vulnerable people including children to 27 taxi firms in the city. Posting or e-mailing data to the wrong recipient has the potential to bring a high degree of inconvenience, embarrassment or distress – not to mention potential financial loss as a direct result of the disclosure – which is why bulk records like this are normally treated with the greatest of care.
Is it loss or theft?
For loss / theft examples, there is also the potential for human error to come into play. Whilst an unattended device such as a laptop might attract genuine unwanted attention, the fact that 75% of loss / theft incidents involve paperwork suggests a potential for human carelessness.
From our experience, the exact nature of loss / theft incidents is usually hard to pin down – people rarely admit to forgetting and leaving equipment or files unattended unless there is some other proof.
The impact of GDPR
With GDPR going live on 25th May 2018, breach reporting becomes mandatory. Currently, health is the only sector (out of 22) with mandatory reporting – reflecting the sensitivity of patient health records – and it accounts for 237 of the 687 incidents (34%) reported to the ICO in the three months to September 2017.
It seems likely that, come May 25th, the ICO could well be swamped by an order-of-magnitude increase in data breach notifications.
GDPR also makes items previously considered best practice, such as Privacy Impact Assessments, mandatory. In the light of the above statistics, taking time to review and reduce the volume of personal information a business holds no longer seems to be unnecessary red tape. Rather, if your business takes the trouble to weed out sensitive information, it significantly lowers the risk that this information will ever end up in the hands of someone it shouldn’t.
Furthermore, if the ICO ever does come knocking, it will demonstrate that you’ve spent the time to put the correct systems and processes in place.