Personal Data Breaches – how do they happen?

We hear about the large scale personal data breaches, companies hacked and data stolen. These make the news due to the size of company and the number of people affected. However, this only accounts for around 5% of all data breaches.

The remaining 95% of personal data breaches occur in different ways, with varying volumes of data involved. They are the result of deliberate or accidental action.

Deliberate action includes the hacked company network but can also occur due to the malicious action of an employee, or ex-employee.

Accidental action is usually due to a lack of awareness, or carelessness. This can include:

  • Sending emails with all recipients in a ‘cc’ list, instead of using ‘bcc’.
  • Attaching sensitive documents to an email, where one or more recipient is outside the company.
  • Keeping passwords on ‘post-it notes’, stuck to a computer screen.
  • Accessing sensitive data whilst in a public place. Using a laptop on a bus, train or plane, for example.
  • Leaving documents in plain sight or in a public place.

Only just this morning I picked up a piece of paper from my front garden, it was some paperwork for a delivery company listing all their driver names and mobile phone numbers.

Preventing Personal Data Breaches

There are many tools available to help prevent the hacking of company networks, but these will only prevent against known methods of attack. It is essential to keep all software up to date and apply the latest security patches, ensuring defence against all known methods of attack.

Deliberate and accidental personal data breaches are harder to prevent than a hacking attack. If an existing employee is determined to deliberately make personal data available to an unauthorised party, there’s probably very little that can be done to prevent it. Staff trust is important and a business can’t operate effectively without it.

Personal data accidentally sent to an incorrect recipient, or devices containing personal data being lost or stolen, is also hard to prevent. Employees aren’t deliberately taking these actions, but they do need to be aware of the potential impact of their actions.

Training is essential, for existing employees, to raise awareness and help prevent the accidental data breaches.

A strong ‘off boarding’ policy is essential for ex-employees, to ensure all network access is removed and any sensitive data retrieved. Removing access to the many cloud based applications, in use by companies, is as important as denying login to the company network.

What should be done – in the case of a Personal Data Breach?

It is the responsibility of all organisations, who handle personal data, to ensure personal data is secure. These organisations are obliged to be registered with the Information Commissioner’s Office (ICO) and report any data breaches as soon as they occur. The ICO has plenty of guidance and self-assessment tests to help business determine whether they need to be registered and if a data breach needs to be reported (www.ico.org.uk/for-organisations/guide-to-data-protection/).

In the case of hacked data, the need to notify the ICO is clear. It is likely that unauthorised data access will be of risk to individuals, with the potential to affect their rights and freedom.

In the case of an accidental data breach, the ICO can help determine what action should be taken.

In all cases a record must always be kept of any personal data breaches, whether the ICO needs to be notified or not.