Egress Software Technologies, an encryption services provider, has released the figures from a Freedom of Information (FoI) request to the Information Commissioner’s Office (ICO), which show a worrying increase in data breaches as a result of human error. In a comparison of incidents reported between April and June 2013 with the same period in 2014, healthcare organisations top the list, with reported breaches increasing from 91 to 183, a staggering 101% increase. In other sectors the percentage increases are equally concerning: insurance 200%, financial advisers 44%, lenders 200%, education 56% and general business 143%. Accordingly, this continued upward trend has seen total fines issued by the ICO for violations of the Data Protection Act since 2010 reach in excess of £6.7m. With Public Sector organisations responsible for £4.5m of this, a large proportion has come from the taxpayers’ pockets.
An error in judgment: Mistakes lead to increased data breaches
During the first three months of 2014, one-quarter of reported data breaches were caused by the accidental loss or destruction of personal data. This is up from 15% for the second half of 2013. Of these, 43% involved confidential information being disclosed in error, primarily through emailing, faxing or posting data to an incorrect recipient.
It is therefore easy to conclude that convenience, not security, continues to be key when information is being shared with third parties, regardless of the risks.
In support of this, only 7% of breaches for the period occurred as a result of technical failings. The remaining 93% were down to human error, poor processes and systems in place, and lack of care when handling data. In fact, to date no fines have been levied due to technical failings exposing confidential data, whereas a total of £5.1m has been issued for mistakes made when handling sensitive information.
Of this total, £600,000 has the specified cause of information being emailed to the incorrect recipient, £320,000 is attributed to using the wrong fax number and £170,000 to postal address inaccuracies. Add to this the penalties for unspecified disclosure to the wrong recipient, loss of unencrypted endpoint devices and accidental uploads of sensitive information to publicly available websites, and the figure is in excess of £3.7m. The final £310,000 is accounted for by paperwork left in decommissioned buildings, on public transport or in the street.
Tony Pepper, CEO of encryption services provider Egress Software Technologies, comments: “It is concerning that such a high number of data breaches occur as a result of human error and poor processes, let alone the fact that this figure is actually rising. Of course, we will never be able to completely rule out people making mistakes but clearly safeguards are urgently needed. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt. Similarly, a continued reliance on fax and post demonstrates a disturbing lack of care and control taken to sensitive information.”
Source: Egress Software Technologies