Data breaches and human error

by Mark Rowe

After a Freedom of Information (FoI) request to the Information Commissioner’s Office (ICO), an encryption services company points to what it calls a worrying increase in data breaches caused by human error. Egress Software Technologies says that, comparing reported incidents between April and June 2013 with the same period in 2014, healthcare bodies top the list, with reported breaches rising from 91 to 183. Other sectors also saw percentage increases. This continued upward trend means that total fines issued by the ICO for breaches of the Data Protection Act since 2010 now exceed £6.7m. With public sector bodies responsible for £4.5m of this, a large proportion has come from the taxpayers’ pockets.

During the first three months of 2014, one-quarter of reported data breaches were caused by the accidental loss or destruction of personal data. This is up from 15pc for the second half of 2013. Of these, 43pc involved confidential information being disclosed in error, primarily through emailing, faxing or posting data to an incorrect recipient.

Egress Software suggests that convenience, not security, continues to be key when information is being shared with third parties, regardless of the risks. Only 7pc of breaches for the period occurred as a result of technical failings. The other 93pc were down to human error, poor processes and systems in place, and lack of care when handling data. In fact, to date no fines have been levied due to technical failings exposing confidential data, whereas a total £5.1m has been issued for mistakes made when handling sensitive information.

Some £600,000 of this total has the specified cause of information being emailed to the incorrect recipient, £320,000 attributed to using the wrong fax number and £170,000 for postal address inaccuracies. Add to this the penalties for unspecified disclosure to the wrong recipient, loss of unencrypted endpoint devices and accidental uploads of sensitive information to publicly available websites, and the figure is in excess of £3.7m. The final £310,000 is accounted for by paperwork left in decommissioned buildings, on public transport or in the street.

CEO of encryption services firm Egress Software Tony Pepper says: “It is concerning that such a high number of data breaches occur as a result of human error and poor processes, let alone the fact that this figure is actually rising. Of course, we will never be able to completely rule out people making mistakes but clearly safeguards are urgently needed. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt. Similarly, a continued reliance on fax and post demonstrates a disturbing lack of care and control taken to sensitive information.

“What these statistics demonstrate is that training alone is not the answer. Organisations have put huge emphasis on process driven training, but the fact that 93pc of all incidents between January and March 2014 were caused by human error or failure to carry out effective process demonstrates that a change in approach is needed. Organisations need to make data protection a priority. Where possible, fax and post must be replaced by secure electronic communication that is procured in its own right. Solutions that are easy to use yet offer comprehensive protection and control have been developed to mitigate the risk of a data breach, so it is mystifying why organisations are not implementing them to reduce their liability.”

Pepper adds: “The upward trend in the number of data breaches throughout key areas of the public sector should be a cause for continued concern. These organisations are handling particularly sensitive information, with local government providing services direct to and on behalf of citizens, many of whom are vulnerable or at-risk; education providers handling data about students and young people; and central government responsible for the well-being of the nation as a whole.

“It is also interesting to note the increase in breaches within the private sector as well. While the data they hold is often of a commercially sensitive nature, it will still include personal information about their clients. There should be a subsequent call to action within the private sector to address areas of concern and gaps in data protection, enhancing the services they provide to clients and their reputation within their markets.”

The ICO’s data shows that fines for data breaches caused by information being disclosed to the wrong recipient via unencrypted email, fax and hand delivery amount to over £1.8m, of which more than £1.7m has been levied on central and local government organisations and healthcare organisations. A further £815,000 in fines has been handed out by the ICO as a result of lost paperwork. Brighton and Sussex University Hospitals NHS Trust has received the largest single fine to date, £325,000, which contributes to the £1.3m total for the sector as a whole.

However, it is local government where the highest total is found: a 9pc rise in the number of breaches between the same two periods, with £470,000 of fines levied for that time, contributing to a total of more than £2.3m.

Pepper says: “To date, the ICO has levied in excess of £6.7m in fines. It is alarming to see that well over half of that, indeed £4.5m, is coming from the public sector alone. In particular, local government have contributed over one-third to this total. Not only are these organisations and bodies responsible for handling citizens’ data, their malpractice is being paid for by the public pocket.

“With the Information Commissioner currently seeking greater powers to issue penalties to the organisations and individuals responsible for data breaches, and enhanced EU data protection legislation under review by the European Commission, it has never been more key to prioritise best practice when it comes to handling confidential information. As a first step that would bring immediate benefits, organisations need to start implementing encryption technology to improve protection and control.”

© 2024 Professional Security Magazine. All rights reserved.