Human error causes alarming rise in the number of data breaches and resulting monetary penalties

Dec. 5, 2014 - PRLog -- Egress Software Technologies, an encryption services provider, has today released the figures from a Freedom of Information (FoI) request to the Information Commissioner’s Office (ICO) which show a worrying increase in data breaches as a result of human error. Examining reported incidents between April and June 2013, and the same period for 2014, healthcare organisations top this list with 91 reported breaches increasing to 183 – a staggering 101% increase. In other sectors the percentage increases are equally concerning: insurance 200%, financial advisers 44% and lenders 200%,- education 56% and general business 143%. Accordingly, this continued upward trend has seen total fines issues by the ICO for violations to the data protection act since 2010 in excess of £6.7m. With Public Sector organisations responsible for £4.5m of this, a large proportion has come from the taxpayers’ pockets.

During the first three months of 2014, one-quarter of reported data breaches were caused by the accidental loss or destruction of personal data. This is up from 15% for the second half of 2013. Of these, 43% involved confidential information being disclosed in error, primarily through emailing, faxing or posting data to an incorrect recipient.

It is therefore easy to conclude that convenience, not security, continues to be key when information is being shared with third parties, regardless of the risks.

In support of this, only 7% of breaches for the period occurred as a result of technical failings. The remaining 93% were down to human error, poor processes and systems in place, and lack of care when handling data. In fact, to date no fines have been levied due to technical failings exposing confidential data, whereas a total £5.1m has been issued for mistakes made when handling sensitive information.

£600,000 of this total has the specified cause of information being emailed to the incorrect recipient, £320,000 attributed to using the wrong fax number and £170,000 for postal address inaccuracies. Add to this the penalties for unspecified disclosure to the wrong recipient, loss of unencrypted endpoint devices and accidental uploads of sensitive information to publicly available websites, and the figure is in excess of £3.7m. The final £310,000 is accounted for by paperwork left in decommissioned buildings, on public transport or in the street.

CEO of encryption services provider Egress Software Technologies Tony Pepper comments: “It is concerning that such a high number of data breaches occur as a result of human error and poor processes, let alone the fact that this figure is actually rising. Of course, we will never be able to completely rule out people making mistakes but clearly safeguards are urgently needed. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt. Similarly, a continued reliance on fax and post demonstrates a disturbing lack of care and control taken to sensitive information.

“What these statistics demonstrate is that training alone is not the answer. Organisations have put huge emphasis on process driven training, but the fact that 93% of all incidents between January and March 2014 were caused by human error or failure to carry out effective process demonstrates that a change in approach is needed. Organisations need to make data protection a priority. Where possible, fax and post must be replaced by secure electronic communication that is procured in its own right. Solutions that are easy to use yet offer comprehensive protection and control have been developed to mitigate the risk of a data breach, so it is mystifying why organisations are not implementing them to reduce their liability.”

Public Sector and healthcare, primarily NHS, organisations have experienced the greatest number of data breaches between April to June 2013 and April to June 2014. With a 101% rise in breaches in the period from 91 to 183, healthcare organisations top the list for the number reported, followed by local government and education organisations. Central government also experienced a growth of over one-third (38%).

However, the Private Sector has also experienced an alarming rise in data breaches. The financial industry is one of the hardest hit, with an increase of 200% in insurance, 200% seen for lenders and 44% for financial advisors, and a 200% rise for pension providers. Concerning increases have also been seen by the housing sector (67%), telecoms (150%) and recruitment (300%), with ‘general business’ experiencing a 143% increase.

Pepper states: “The upward trend in the number of data breaches throughout key areas of the Public Sector should be a cause for continued concern. These organisations are handling particularly sensitive information, with local government providing services direct to and on behalf of citizens, many of whom are vulnerable or at-risk; education providers handling data about students and young people; and central government responsible for the wellbeing of the nation as a whole.”

The ICO’s data reveals that the cost of data breaches caused by information being disclosed to the wrong recipient via unencrypted email, fax and hand delivery amounting to over £1.8m, of which in excess of £1.7m has been from central and local government organisations, as well as healthcare organisations. An additional £815,000 worth of fines have also been handed out by the ICO as a result of loss of paperwork.

With the health sector experiencing a more than 100% increase in data breaches April to June 2013 and April to June 2014, it comes as little surprise that Brighton and Sussex University Hospitals NHS Trust has received the largest fine to date: £325,000. This contributes to the £1.3m total for the sector as a whole.

However it is in local government where the highest total can be found, with a 9% rise in the number of breaches and £470,000 worth of fines being levied for the same periods and charged for that time contributing to a total of more than £2.3m.

Pepper comments: “To date, the ICO has levied in access of £6.7m in fines. It is alarming to see that well over half of that, indeed £4.5m, is coming from the Public Sector alone. In particular, local government have contributed over one-third to this total. Not only are these organisations and bodies responsible for handling citizens data, their malpractice is being paid for by the public pocket.

“With the Information Commissioner currently seeking greater powers to issue penalties to the organisations and individuals responsible for data breaches and enhanced EU data protection legislation under review by the European Commission, it has never been more key to prioritise best practise when it comes to handling confidential information. As a first step that would bring immediate benefits, organisations need to start implementing encryption technology to improve protection and control.”