The majority of data breaches in the first quarter of 2013 were due to carelessness in the way the information was handled.
That’s according to the UK Information Commissioner’s Office (ICO) which says 175 out of 335 incidents it examined between April 1 and June 30 were due to personal data being “disclosed in error”.
Speaking on the ICO blog Sally-Anne Poole, the agency’s enforcement group manager for civil investigations, said there were many reasons for such errors:
"Everything from emails being sent to the wrong people to information erroneously included in freedom of information responses."
Other areas of note that led to data breaches include lost, stolen or poorly disposed of paperwork (54 cases) and lost, stolen or poorly disposed of hardware (31 cases).
So by the time you factor in errors in uploading data to websites (7 cases), I would argue that carelessness may actually account for closer to 80% of the investigated breaches.
Its not just staff at the customer-facing end of the business who are to blame though. Twenty-seven incidents were directly attributed to technical security failings covering a range of issues, with the most common being out of date security software and the failure of installed security systems, as the ICO press office informed me when I gave them a call earlier.
In other words, human error appears to be the problem again.
The largest number of the 335 reported incidents by sector were from health (91 cases) and local government (57 cases), though the ICO does note that “the NHS has their own rules that oblige any potential data breaches to be self-reported, while local government has similar guidelines. That means the two are always likely to be near the top of this table.”
The next two sectors on the list are therefore far more interesting because of the information they hold under their care. Schools and other educational establishments (25 cases) and solicitors and barristers (20 cases) are both sectors that I’m sure we would hope, and expect, to keep our own personal data secure.
Looking ahead, the reporting for the second quarter may well show a different spread of incidents by sector as the European Union looks to implement new regulations for the reporting of data breaches.
Coming into effect on 25 August, the new rules dictate that telecommunications companies and internet service providers will be compelled to report all personal data breaches to their relevant authority within 24 hours “where feasible.”
This is a change to the previous requirement of reporting breaches “without undue delay” which appears to have led to some rather lax interpretation of what that actually meant.
The ICO is not, of course, merely tasked with the collating of data and reporting of incidents. The agency also has the power to impose civil monetary penalties on organisations where necessary.
Notable penalties issued by the ICO this year include £70,000 for disclosing personal data in error (local government), £100,000 for leaving personal data in a decommissioned building (health sector) and £175,000 for publishing personal data on a Council website (health sector).