The significance of human error in notifiable data breaches

On 30 October 2018, the OAIC released its third Quarterly Statistics Report in relation to Notifiable Data Breaches (the report), covering the period 1 July 2018 – 30 September 2018. Malicious or criminal attacks consistently account for more than 50% of reported breaches, and organisations are increasingly aware of the need to protect confidential data from them; nevertheless, the past two reports show that human error consistently accounts for more than one-third of reported breaches. The OAIC defines human error as an unintended action by an individual that directly results in a data breach.

The report highlights that a single breach arising from human error can affect a significant number of people. As a key example, breaches resulting from failure to use the ‘blind carbon copy’ (BCC) function when sending group emails affected an average of 494 individuals per breach. In addition, unauthorised disclosure through failure to redact personal information affected an average of 633 individuals per breach.

We note that personal information sent to the wrong email recipient remains the most common human error breach, making up 31% of all human error breaches. However, on average this type of breach affected a smaller number of individuals, at 70 individuals per breach.

The report notes that in the Finance and Health sectors specifically, human error accounted for 48% and 56% of reported breaches, respectively.

It is evident that malicious or criminal attacks, while still prevalent, are not the only significant cause of notifiable data breaches. In a number of breaches we have helped clients respond to, we have seen an increase in the use of sophisticated attacks which are using brute force techniques to compromise systems. The report bears this out, with 12% of breaches identifying this as the attack vector.

Accordingly, organisations must focus on raising awareness of the impact of human error on their confidentiality obligations. In addition, organisations may consider internal controls to mitigate the risk of human error, such as alerts when the ‘carbon copy’ (CC) function is used to address generic mailboxes or a large number of individuals.
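One way such a control can be implemented is a check run on outbound mail before it leaves the organisation. The following is an added example, not code from the OAIC or the article's authors; the internal domain, the visible-recipient limit and the list of generic mailbox names are assumptions that a real deployment would take from policy.

```python
"""Flag outbound messages whose To/CC headers expose recipients that should
have been placed in BCC (added example; thresholds and names are assumed)."""
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com.au"                        # assumed sender organisation
VISIBLE_RECIPIENT_LIMIT = 10                              # assumed policy threshold
GENERIC_LOCAL_PARTS = {"all", "everyone", "staff", "info"}  # assumed generic mailboxes


def check_visible_recipients(raw_message: str) -> list[str]:
    """Return policy warnings for a raw RFC 5322 message.

    A warning is raised when (a) the visible To/CC headers carry more
    addresses than the policy limit, (b) recipients from more than one
    external domain can see each other's addresses, or (c) a generic
    mailbox appears in a visible header rather than in BCC.
    """
    msg = message_from_string(raw_message)
    # BCC is deliberately not inspected: addresses placed there are not disclosed.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    addrs = [addr.lower() for _, addr in visible if "@" in addr]
    warnings = []
    if len(addrs) > VISIBLE_RECIPIENT_LIMIT:
        warnings.append(
            f"{len(addrs)} visible recipients exceeds limit of "
            f"{VISIBLE_RECIPIENT_LIMIT}; use BCC for group mail")
    external = {a.split("@", 1)[1] for a in addrs
                if not a.endswith("@" + INTERNAL_DOMAIN)}
    if len(external) > 1:
        warnings.append(
            f"{len(external)} distinct external domains are visible to each "
            "other; move external recipients to BCC")
    for a in addrs:
        if a.split("@", 1)[0] in GENERIC_LOCAL_PARTS:
            warnings.append(f"generic mailbox {a} is in a visible header")
    return warnings


if __name__ == "__main__":
    # Constructed sample: two unrelated external parties plus a generic list in CC.
    sample = ("From: adviser@example.com.au\n"
              "To: client.a@one.test, client.b@two.test\n"
              "Cc: all@example.com.au\n"
              "Subject: Statement\n\nPlease find your statement attached.\n")
    for line in check_visible_recipients(sample):
        print("WARNING:", line)
```

Such a check fits naturally in an outgoing-mail gateway or an add-in that prompts the sender before the message is released.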

With the release of the most recent report there has been commentary indicating that many breaches are still not being reported. Some organisations are struggling to determine what constitutes serious harm and are not reporting an incident on the advice that it does not fall within the reporting guidelines. Some news outlets are also questioning why no penalties have been imposed to date.

View the OAIC’s October 2018 Quarterly Statistics Report…