Are we too human for data protection?
21 November 2017
Staff are often the most vital asset any business has, but they also have an astounding ability to bypass data protection, whether out of revenge or by innocent mistake.
Where once the world’s most valuable firms were predominantly from the oil and energy sector, today the commercial landscape is dominated by tech companies such as Apple, Amazon and Facebook which are essentially built on data. But with ever increasing volumes of information – and thus a greater need for data protection – comes huge scope for human error.
According to statistics obtained from the UK’s Information Commissioner’s Office, human error is the main cause of data breaches. Another piece of research found that human error accounted for 62 per cent of the incidents reported to the Information Commissioner’s Office – a huge number when hacking and insecure web pages combined accounted for no more than nine per cent.
Could it be that the greatest limiting factor of digital and technological achievement is, quite simply, the human bit?
Whilst the majority of headline-grabbing data breaches come from some form of cyber fraud, where quite often the sheer scale of the data exposed is enough to warrant the headline (think of Yahoo! disclosing a 2013 data breach in which over 3bn e-mail accounts were compromised), data breaches rooted in human error are happening on a daily basis – and sometimes with devastating effect.
Of course, that’s the thing about being human. The chemical, psychological and sociological influences of our world can’t help but affect the way we act, however professional we intend to be. A bad night’s sleep or a pre-work row with a partner can, at least subliminally, affect how switched on we are when we get to the office. But how can we protect confidential information and create sufficient data protection?
If only you knew what it cost
Unless employees understand the legislative framework, the level of risk to their organisation (both reputational and financial) and how that affects what they do day to day, staff will never fully understand the impact of their actions whilst carrying out their day-to-day tasks.
The introduction of compulsory breach reporting, coupled with a significant rise in the maximum fines for data breaches (increasing from £500,000 to a maximum of €20m or, if higher, four per cent of global turnover) means that data could actually become a toxic asset – the equivalent of asbestos for the 21st century digital age.
We have seen significant fines issued where employees have not wiped hard drives in accordance with the correct policy and have subsequently sold those hard drives on eBay containing the medical data of several thousand patients, or where faxes containing details of child abuse proceedings have been sent to the wrong fax number. These fines will only increase under the new regime of compulsory breach reporting and heftier penalties.
Get the message out that careless mistakes cost a fortune and can affect the financial and reputational health of the company – and even employment security.
Identify the problem
Broadly speaking, human error tends to involve data posted, emailed or faxed to the wrong recipient or loss (theft?) of paperwork. Not encrypting data on portable devices and then losing those devices, and failure to redact data appropriately are also key areas where human error demolishes data protection.
An especially common form of human error happens when e-mail marketing is sent out with all the recipients identifiable to each other, rather than being sent in a way that hides the e-mail addresses via blind carbon copy (Bcc).
Whilst there is software now available to organisations to help detect and prevent this kind of incident, this type of breach is still all too frequent. One such example occurred back in 2015 when an HIV clinic sent out a mailshot to over 700 users who had previously opted to receive test results and book appointments by e-mail. This resulted in the NHS Foundation Trust concerned receiving a £180,000 fine.
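A simple version of the pre-send check that such software performs, as an added example that is not part of the original article: it parses an outbound message and flags one that would reveal recipient addresses to every other recipient instead of hiding them in Bcc. The sample messages, addresses and the one-address threshold are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a mailshot with every recipient visible in To/Cc,
# the failure mode described above. All addresses are made up.
MAILSHOT_VISIBLE = """\
From: clinic@example.org
To: alice@example.com, bob@example.net
Cc: carol@example.co.uk, dave@example.com, erin@example.io
Subject: Your test results are ready

Body.
"""

# Constructed sample: the same mailshot with the recipients moved to Bcc,
# so no recipient can see who else received it.
MAILSHOT_BCC = """\
From: clinic@example.org
To: undisclosed-recipients:;
Bcc: alice@example.com, bob@example.net, carol@example.co.uk
Subject: Your test results are ready

Body.
"""


def visible_recipients(raw_message):
    """Return the distinct addresses every recipient can see (To + Cc).

    Bcc is deliberately ignored: those addresses are stripped before delivery.
    """
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    # Drop group placeholders such as "undisclosed-recipients:;" (no '@').
    return sorted({addr.lower() for _, addr in pairs if "@" in addr})


def check_bulk_exposure(raw_message, max_visible=1):
    """Flag a message that exposes more than max_visible recipient addresses.

    Returns (is_risky, visible_addresses) so a mail gateway or send hook can
    block the message and show the sender exactly what would have leaked.
    """
    visible = visible_recipients(raw_message)
    return len(visible) > max_visible, visible
```

In practice the threshold would be tuned per organisation, and a gateway rule would treat any message from a marketing or clinical mailbox with more than one visible recipient as a stop-and-confirm event rather than a warning.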
Make your company understand the issues
There’s no substitute for education, instilling in staff culture a profound understanding of the need to be careful. Whether it’s regular training sessions, company pep talks or poster campaigns around the office reminding people to check and double-check what they are doing, staff training is perhaps the key to offsetting human error.
Publish a protocol
Many organisations have excellent written policies dealing with data protection matters, covering things such as encrypting data on portable storage devices, wiping hard drives after use and not taking physical hard-copy files out of the office. However, if staff are not trained on these policies, how are they expected to comply with them if they can’t relate the written policies to their physical actions whilst carrying out their job on a day-to-day basis?
Keep up to date with software
Whilst software is also available to help prevent the spread of computer viruses or malicious software used to access and steal data, prevention software is often one step behind the viruses themselves. As such, there is a window of opportunity in which an employee innocently opens an e-mail or clicks on a link that releases the virus and infects their system, possibly with devastating consequences for their employer’s systems and data integrity.
You need someone on the case, constantly monitoring this, and employees need to be trained on an ongoing basis on what to look out for in suspicious e-mails or links.
Smart approaches to matters such as e-mail encryption and online collaboration are only part of the way to ensure correct protection and control is applied to data. The rest is down to us human beings, who all need reminding that while we may be smart enough to build the future, we mustn’t be careless enough to throw it all away.
Christian Mancier is a partner in the corporate and commercial law department at Gorvins solicitors and a specialist in data protection law.