Column

Human Error and Data Breaches

With Canada implementing mandatory private sector breach reporting under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on November 1, 2018, it is worth noting that many breaches are due to human error. These breaches can be minimized with proper policies, practices and employee education as well as regular monitoring and review of an organization’s privacy policies.

Data Commissioners or Information Commissioners often report details around the number, type and sources of breaches that are reported to them.

The UK’s Information Commissioner’s Office is the public body responsible for monitoring data breaches. This office monitors breaches of personal information, including employment, financial and health information as well as criminal record information.

A freedom of information request revealed research by the UK’s Information Commissioner’s Office, reported by the Verdict on September 3, 2018, showing that 88% of data breaches were said to be the result of human error. This is a useful data point and may be contrasted with the quarterly report of the Office of the Australian Information Commissioner on the breaches reported to it for the 2nd quarter of 2018. While the UK figures attributed only 12% of breaches to malicious or criminal conduct, the Australian report indicated that 59% of data breaches were due to malicious or criminal attacks and only 36% due to human error. [https://www.bennettjones.com/Blogs-Section/What-Can-Canada-Expect-with-Mandatory-Breach-Notification] This contrasted with the first Australian quarterly report of 2018, which found that a majority of the breaches reported up to that point were due to human error.

In both cases, the most common sources of breaches due to human error were sending personal or sensitive information to the wrong recipient, by email or fax.

Whatever the reasons for the variation among these reports, the key lesson is clear: a substantial number of breaches are likely to be due to human error, and these are preventable.

This suggests that organizations should review, maintain and expand training, policies and procedures to heighten awareness of this preventable risk. With Canada’s federal law on reporting data breaches coming into force on November 1, 2018, this should serve as a call to action for Canadian organizations to review their privacy policies, practices and procedures in an effort to minimize breaches due to human error. As Canada’s new law will impose mandatory reporting requirements as well as a requirement to maintain internal records of data breaches, Canadian organizations should review their preparedness for these new national requirements.

Equally important, Canadian organizations should maintain an ongoing awareness of the substantial number of malicious or criminal attacks and implement technologies, policies and practices to defend against such attacks, detect them when they occur and minimize the damage caused by such an incident.

Comments

  1. In terms of the statistical variation, human error can mean a lot of different things. For example, the human error of sending out a single fax to the wrong number would theoretically cause less harm as compared to the human error of leaving a production database containing personal information of thousands of customers in an open AWS instance.

    If a nefarious actor comes along, finds the cache of data in the AWS database, downloads it and then steals identities, then should this be categorized as a human error occurrence or a criminal conduct occurrence?

    Is inadequate security human error? Are hackers as unpreventable as a force majeure?

  2. I wonder if there is a legal definition of “human error”, because logically the case of a user sending out the information to the wrong recipient is clearly human error, whereas the negligence or inaction of an open AWS instance isn’t defined as human error; it’s just that ultimately it was someone’s fault.

    Those are two fundamentally different concepts and I would think the law would have that covered. Admittedly I just started working in the legal profession after years of IT/education work.