Data breaches, what’s the issue… part 2


By Steven Orpwood, Senior Consultant and DPO

In my last blog I looked at some hypothetical data breach situations. Whilst the descriptions may have been far-fetched, the scenarios were perfectly feasible. In fact, it is often the wrapping the press puts around such events that blinds us to the significance of what has occurred and the potential harm caused.

A data breach is often thought of as the loss of data to someone who will use it maliciously, but this is just the tip of the iceberg. Data breaches come in all shapes and sizes. A quick review of the internet brings up the usual suspects, e.g. Yahoo UK Services Limited, fined £250k for putting the personal data of approximately 500m international users at risk by failing to put adequate measures in place to prevent a cyber-attack, and the Bible Society, whose network was compromised and the personal data of 417,000 of its supporters put at risk because an easy-to-guess password was used for remote access. However, there are other examples: a Devon-based recruitment consultant was fined for unlawfully taking personal data from his employer when leaving to set up his own business; the Independent Inquiry into Child Sexual Abuse was fined for sending an email to 90 participants in a non-recent child sexual abuse inquiry that identified possible victims of sexual abuse simply by using ‘To’ rather than ‘Bcc’; Blackpool Teaching Hospitals NHS Foundation Trust was fined for not noticing that tables of data published on its website to display annual equality and diversity metrics were double-clickable and revealed the underlying data, including National Insurance numbers, dates of birth, religious beliefs and sexual orientation; and an NHS healthcare assistant was fined for unlawfully obtaining and disclosing the medical records of 29 people.

What is clear is the variation in incidents that are labelled breaches: loss, but also unauthorised disclosure or access, and accidental or unlawful destruction or alteration of personal data. When you look at the root causes, however, they generally fall into two categories: human error and malicious intent. You can mitigate both, but it is almost impossible to eradicate either, because no matter how good your security, someone will be trying to circumvent it, and regardless of the quality of your processes and training, people will always make errors. What is key is how you manage these two scenarios.

As an example, when I was working in IT many years ago, one of our team’s activities was to complete the month-end process. This involved a number of backups followed by accounting ledger closures and data purges ready for the month ahead. During one month end a colleague, a seasoned Unix pro, used the command rm -rf inappropriately and deleted all the files in a directory rather than the intended subset. As the list of deleted files scrolled past, he realised his error, and that there was no immediate recourse. He waited for the process to end and then restored the data from the backup he had just taken.

So was this a breach? Yes, it was (accidental destruction). If this happened now, would there be a reprimand or fine from the ICO? No, and here is why. My IT Director was a stickler for process; ours were exemplary and reduced the risk resulting from the deletion to near zero. In our case the data had just been backed up, the system was unavailable to users, and the process ran outside office hours. Although it took my colleague eight hours to restore everything and complete the month-end processing, the breach was managed: mitigating actions were taken immediately, and there was no risk to the rights and freedoms of data subjects, so it would not need to be reported to the ICO or communicated to the data subjects affected.
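The process that limited the damage in that story (back up, verify the backup, then delete only the intended subset) can be made the default shape of a purge script rather than something that depends on the operator typing carefully. The following is an added example, not code from the original post or from the author’s former employer; the ledger directory, file names and the `*.tmp` pattern are constructed for illustration. It shows the guards a practitioner would put around a destructive month-end step: fail on unset variables, refuse unsafe targets, verify the backup before anything is deleted, and delete by explicit name pattern instead of running rm -rf on a glob.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a guarded month-end purge.
# Guards against the "rm -rf removed everything" failure described in the text:
#  - set -u turns an unset or empty variable into an error instead of "",
#    so rm -rf "$DIR"/* can never silently become rm -rf /*.
#  - the target must be an existing directory and never / or $HOME.
#  - the backup archive is listed back before any deletion happens.
#  - deletion uses find -maxdepth 1 -type f -name PATTERN -delete, so only
#    matching files directly in the named directory are removed.
set -u

# refuse_unsafe_target DIR: non-zero if DIR is empty, /, $HOME, or not a directory.
refuse_unsafe_target() {
  local dir="${1:-}"
  if [ -z "$dir" ] || [ "$dir" = "/" ] || [ "$dir" = "${HOME:-}" ] || [ ! -d "$dir" ]; then
    echo "refusing to operate on '$dir'" >&2
    return 1
  fi
}

# backup_dir DIR ARCHIVE: tar DIR into ARCHIVE, then verify the archive lists back.
backup_dir() {
  local dir="$1" archive="$2"
  refuse_unsafe_target "$dir" || return 1
  tar -czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
  # A backup that cannot be read back is not a backup: verify before trusting it.
  tar -tzf "$archive" >/dev/null || return 1
}

# safe_purge DIR PATTERN: delete only regular files directly in DIR matching PATTERN.
safe_purge() {
  local dir="$1" pattern="$2"
  refuse_unsafe_target "$dir" || return 1
  [ -n "$pattern" ] || { echo "empty pattern: refusing to delete" >&2; return 1; }
  # -maxdepth 1 -type f: never recurses, never removes directories or other files.
  find "$dir" -maxdepth 1 -type f -name "$pattern" -delete
}

# restore_dir ARCHIVE PARENT: unpack ARCHIVE into PARENT (the recovery step in the text).
restore_dir() {
  tar -xzf "$1" -C "$2"
}

# count_files DIR: number of regular files directly in DIR, used to check the outcome.
count_files() {
  find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# month_end WORK ARCHIVE PATTERN: backup and verify, then purge.
# The purge never runs if the backup step failed.
month_end() {
  local work="$1" archive="$2" pattern="$3"
  backup_dir "$work" "$archive" || { echo "backup failed; nothing deleted" >&2; return 1; }
  safe_purge "$work" "$pattern"
}

# demo: constructed sample data (not real month-end files) in a temporary directory.
demo() {
  local root; root="$(mktemp -d)"
  mkdir -p "$root/ledger"
  printf 'a\n' > "$root/ledger/jan.ledger"
  printf 'b\n' > "$root/ledger/jan.tmp"
  printf 'c\n' > "$root/ledger/feb.tmp"
  month_end "$root/ledger" "$root/ledger.tgz" '*.tmp'
  echo "files left after purge: $(count_files "$root/ledger")"   # jan.ledger survives
  safe_purge "" '*.tmp' || echo "guard caught an empty directory argument"
  refuse_unsafe_target "$root" && rm -rf -- "$root"
}

demo
```

Run as a script and it prints the surviving file count and the refused call; source it and the functions are available for a real month-end job. The point of the structure is that the destructive step is unreachable without a verified backup, which is the "mitigating action already in place" that made the incident in the text manageable rather than reportable.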

So, what I’m saying is this: breaches can, and will, happen, but there are three key steps in breach management. (i) Prevention: think about, document and assess the risks to your data across all risk categories. (ii) Ensure every process has an associated procedure and that employees are trained in it. (iii) When you do have a breach, react immediately: investigate, document, and report to the ICO, and potentially to the data subjects, if it is not possible to put an effective mitigation in place or if there is a risk to the rights and freedoms of the data subjects affected. To push the point home, it is worth remembering that there are two tiers of fine under the GDPR: up to 4% of annual worldwide turnover or €20m, and up to 2% or €10m (whichever is the higher in either case). If you have documented how you manage personal data (obtaining, processing, retaining, training etc.) and can show the measures you had in place both before and after a breach, the GDPR recognises that both human error and malicious intent are always possible. Any fine would then fall in the lower tier and, even then, well below the maximum.

The new European Data Protection Board (EDPB) and the ICO want to work with organisations to promote good personal data practices, and to reserve the big fines for those who knowingly and consistently flout the rules. Proactivity is the greatest weapon in managing your GDPR responsibilities, preventing breaches and, as mentioned in an earlier blog, gaining a competitive edge.

To find out about AiM’s GDPR services, including training, discovery reviews, interim DPOs and GDPR compliance technology solutions, click here.