It’s only to be expected that there has been a significant increase in the number of data security incidents reported by the Information Commissioner’s Office in its recent quarterly stats. The publicity around GDPR, which came into force in May 2018, has of course raised everyone’s awareness and increased understanding of the importance of reporting a data breach.
The stats released for Quarter 1 and Quarter 2 of the financial year 2018/19 show a steady increase with 3146 incidents reported in Q1, rising to 4056 reported in Q2.
Interestingly, 63% of incidents reported in Q2 are attributed to disclosure of data, with 35% of incidents relating to security of data.
Source: ICO
Figures released for Q1 and Q2 of 2018/19 are already showing a 57% increase in data breaches reported on the previous year.
The ICO’s annual stats for the year 2017/18 provide a comprehensive breakdown of the type of incidents reported across the various business sectors. Again, it’s no real surprise that the majority of causes behind the data breaches recorded related to either human or process error and could have been avoided.
Sending personal data either by post, fax or email to the incorrect recipient accounts for 30% of the 2,934 data incidents reported. Loss or theft of paperwork accounts for 14% of the incidents reported. The fact that anyone is still sending personal data via fax in 2018 is nothing short of shocking. Other incident types not highlighted in the chart below included data left in an insecure location, failure to redact data, insecure disposal of paperwork and hardware, loss or theft of an unencrypted device and loss of the only copy of encrypted data.
Source: ICO
It’s uncertain whether the ICO will continue to provide the same level of granular breakdown of types of security incidents for the year 2018/19, but it may be safe to assume that the same trends will continue.
The stats released are a great indicator of the most common causes of data breaches and highlight some very simple, basic measures to help prevent accidental data loss.
Given the volumes of emails sent and received on a daily basis, emailing personal data is always going to pose a significant risk. Whilst there are some system and process changes that can be introduced to try and mitigate the risk of selecting the wrong recipient, human error will always be the weak spot.
We are all human and mistakes will happen. When assessing what enforcement action to take following a reported data security incident, the ICO will take into account what steps a business has taken to meet its obligations of accountability and what level of security measures have been implemented, including staff awareness training.
Ensuring that all staff are aware of their responsibilities to protect personal data is of course vital. Depending on the nature of your business, it makes sense to focus an element of your training on the areas which pose the biggest risk of human error in your organisation and follow up with regular reminders.
Whether it’s posting or emailing personal data to the wrong person, not using BCC and disclosing details of all recipients to the mailing list, or leaving personal data in an insecure location, understanding what can go wrong and what simple measures can be put in place to prevent it helps mitigate the risk and helps to promote a culture of commitment to good data security.