How to Mitigate Data Breaches resulting from Human Error


Author: Shantanu Kulkarni | Data Protection Advisor

Date: 24 February 2022

The most recent European Data Protection Board (EDPB) Guidelines aim to help data controllers decide how to handle data breaches and which factors to consider during risk assessment. The guidelines were updated after public consultation and adopt a case-study-based approach, so they serve as a practical tool to be read alongside the existing Guidelines WP250. They cover various causes of breaches, such as ransomware attacks, data exfiltration attacks, social engineering and different scenarios involving human error.

An IBM report in 2021 on data breaches concluded that 95% of data breaches are caused by human error. This article considers the guidelines issued by the EDPB on human error as a cause of breaches: it first looks at the data breaches potentially related to human error, then at the case studies discussed in the EDPB guidelines, and finally suggests recommendations to mitigate the risks arising from human error.

Human error is usually an unintentional action or inaction on the part of an employee that triggers, spreads or permits a data breach. A few examples of breaches caused by human error could be something as simple as an employee:

  1. Clicking on a suspicious link in an email, leading to malware being downloaded onto the system;
  2. Sending an email/letter with personal data to an unintended recipient;
  3. Sharing the screen during a meeting call with unrelated personal data visible on the screen;
  4. Leaving files and documents with confidential and personal data unattended at a workstation or near a photocopier;
  5. Responding to a call without verification and disclosing personal data;
  6. Using the same password for multiple accounts;
  7. Forgetting/losing an unencrypted work-related device.

It is apparent from the above examples that the very simplicity of these breaches adds to the difficulty data controllers face in identifying vulnerabilities and adopting measures to avoid them. The following section therefore gathers some example scenarios that organisations can consider in order to adopt a proactive approach to mitigating breaches that result from human error.

Case Studies:

Case 1:

Facts:

An employee copies data from the organisation’s database to a personal device. After resigning, the employee uses the data to contact the clients to entice them to his new business.

Risk Assessment and Mitigating Actions:

Risks:

  • Assess the involvement of sensitive personal data and its quantity, along with the impact.
  • Consider that while the consequences of the breach might be limited to the ex-employee’s self-marketing, more serious abuse of the stolen data cannot be ruled out.

Mitigation:

  • Consider ordering the ex-employee to stop using the data or, in the worst-case scenario, even initiating legal action against him/her.
  • Adopt technical measures that make copying/downloading data to removable devices impossible.
  • Include clauses that prohibit such actions in the contract signed with employees.

Notification Obligations:

  • A notification to the Supervisory Authority will be needed.
  • It is necessary to document the incident in a breach register per Article 33(5) of the GDPR.
  • As the impact on the data subjects is minimal in the first instance, a notification to individual data subjects may not be necessary.

Case 2:

Facts:

An employee/agent/processor accidentally sends data to a trusted but unintended recipient.

Risk Assessment and Mitigating Actions:

Risks:

  • Assess the type of personal data involved in the event, along with the impact.
  • Consider whether the breach is intentional or may have been caused by the agent’s or employee’s inattentiveness.

Mitigation:

  • Initiate a training regime to reinforce awareness.
  • Contact the unintended recipient at the earliest opportunity to seek deletion of the personal data involved, and request confirmation.
  • Check for legally binding agreements with the unintended recipient to maintain professional secrecy.

Notification Obligations:

  • If the unintended recipient is trusted, immediately deletes the data and provides confirmation, neither a notification to the Supervisory Authority nor to the data subjects may be needed.
  • It is necessary to document the incident in a breach register per Article 33(5) of the GDPR.

Case 3:

Facts:

Two letters were mixed up, resulting in both letters being sent to the wrong person. This means that the two data subjects got access to each other’s information.

Risk Assessment and Mitigating Actions:

Risks:

  • Assess the type of personal data involved in the event and whether abuse of the data could lead to substantial negative effects.
  • Consider whether the breach is intentional or may have been caused by the agent’s or employee’s inattentiveness.

Mitigation:

  • Assess whether the number of data subjects affected is low, and the kind of data affected.
  • Initiate a training regime to raise awareness.
  • Contact each unintended recipient at the earliest opportunity to request from both of them the destruction of the personal data involved, and request confirmation as well.

Notification Obligations:

  • If no sensitive data is involved and the content may not cause substantial negative impact, then internal documentation of the incident in the breach register will suffice per Article 33(5) of the GDPR.
  • If sensitive data is involved, data subjects will have to be formally contacted per Article 34 of the GDPR, and the Supervisory Authority will have to be notified.

Organisational and technical measures for preventing/mitigating the impacts of breaches resulting from human error: 

As stated earlier, it is challenging to draft static recommendations to counter data breaches resulting from human error. Therefore, we recommend a combination of measures to be adopted and adapted accordingly, based on the unique features of each case. Examples of such potential measures include the following: 

Training and Awareness: 

  1. Provide adequate training for employees on how to send letters and emails and the data protection risks related to these actions. 
  2. Develop a privacy culture by organising regular awareness sessions focused on avoiding the most common mistakes leading to personal data breaches.  
  3. Draft and circulate manuals on handling incidents and data breaches with up-to-date information on who to inform if an incident/data breach occurs.  

Emails: 

  1. Instruct employees sending emails with multiple recipients to use the bcc (blind carbon copy) function by default.
  2. Implement a send-delay function (e.g. the message can be deleted/edited within a specific time period after clicking send).
  3. Disable the autocomplete function when typing in email addresses.
  4. Implement policies forbidding and preventing access to known open (public webmail) mail services.
  5. Avoid sharing sensitive data through emails; instead, use a secure file-sharing mechanism. When attachments containing personal data must be sent, password-protect the files.
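As an added example (not code from the article or from Trilateral), the following Python pre-send hook implements measure 1 above: when a draft addressed to more than one external recipient reaches the hook, every external address is moved from To/Cc to Bcc so recipients cannot see each other's addresses, while internal colleagues stay visible. The hook name `enforce_bcc`, the internal domain `example.org` and every address in the sample draft are assumptions.

```python
"""Pre-send hook enforcing "bcc by default" for mail with several external recipients.

Added example, not the article's own code. The hook name, the internal domain
and every address below are assumptions; the draft message is constructed inline.
"""
from email.message import EmailMessage
from email.headerregistry import Address

INTERNAL_DOMAIN = "example.org"  # assumed organisation domain
SENDER = Address("Customer Service", "service", INTERNAL_DOMAIN)  # assumed shared mailbox


def _addresses(msg, header):
    """Return the Address objects in a header, or [] if the header is absent."""
    h = msg[header]
    return list(h.addresses) if h is not None else []


def is_external(addr):
    """An address is external when its domain is not the organisation's own."""
    return addr.domain.lower() != INTERNAL_DOMAIN


def enforce_bcc(msg, sender=SENDER):
    """Move every external To/Cc recipient to Bcc when there is more than one.

    Internal colleagues stay visible in To/Cc. If nothing visible remains in To,
    the sending mailbox is placed there so the header is not empty.
    Returns (message, changed).
    """
    to = _addresses(msg, "To")
    cc = _addresses(msg, "Cc")
    externals = [a for a in to + cc if is_external(a)]
    if len(externals) <= 1:
        return msg, False  # a single external recipient cannot see anyone else
    keep_to = [a for a in to if not is_external(a)]
    keep_cc = [a for a in cc if not is_external(a)]
    existing_bcc = _addresses(msg, "Bcc")
    for header in ("To", "Cc", "Bcc"):
        del msg[header]  # no error is raised if the header is absent
    msg["To"] = keep_to or [sender]
    if keep_cc:
        msg["Cc"] = keep_cc
    msg["Bcc"] = existing_bcc + externals
    return msg, True


def build_sample():
    """Constructed draft: two customers and one colleague in To, no Cc."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = [
        Address("Alice", "alice", "customer-a.example"),
        Address("Bob", "bob", "customer-b.example"),
        Address("DPO", "dpo", INTERNAL_DOMAIN),
    ]
    msg["Subject"] = "Service notice"
    msg.set_content("Dear customer, ...")
    return msg


def addr_specs(msg, header):
    """Plain addresses present in a header, for inspection or tests."""
    return [a.addr_spec for a in _addresses(msg, header)]


if __name__ == "__main__":
    draft, changed = enforce_bcc(build_sample())
    print("changed:", changed)
    print("To:", addr_specs(draft, "To"))
    print("Bcc:", addr_specs(draft, "Bcc"))
```

If the corrected draft is then handed to `smtplib.SMTP.send_message`, the standard library strips the Bcc header before transmission and uses its addresses only as envelope recipients, so the hidden recipients are never written into the delivered message.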

Access Management:

  1. Adopt access control policies and implement them strictly.
  2. Make multifactor user authentication mandatory when accessing sensitive personal data.
  3. Curb the malicious use of data by disabling the employee’s company accounts as soon as the person leaves the company.
  4. Track unusual data flows between the file server and employee workstations.
  5. Apply technical measures to block external storage devices on company-owned devices.
  6. Disable the print screen function on the operating system.
  7. Implement a clean desk policy to mitigate any unintentional risks from an unattended workstation.
  8. Use the automatic screen-locking function available on all computers.
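As an added example of measure 4 (tracking unusual data flows between the file server and workstations), here is Python detection logic run over a constructed file-server access log. It is not code from the article or from any product: the log format (ISO timestamp, user, workstation, bytes read), the user names, the 5× factor, the 1 GB floor and the three-day minimum history are all assumptions. The baseline for each day is the median of the user's other days, so a single large spike cannot raise its own baseline.

```python
"""Flag users whose daily file-server read volume is far above their own baseline.

Added example, not the article's own code. The log format (ISO timestamp, user,
workstation, bytes read), the user names and the thresholds are assumptions;
the records below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records: one line per file-server read session.
SAMPLE_LOG = """\
2022-02-14T09:12:00 jdoe   WS-101 52428800
2022-02-15T10:01:00 jdoe   WS-101 61440000
2022-02-16T11:30:00 jdoe   WS-101 48000000
2022-02-17T09:45:00 jdoe   WS-101 55000000
2022-02-18T22:15:00 jdoe   WS-101 3000000000
2022-02-18T22:40:00 jdoe   WS-101 1300000000
2022-02-14T09:00:00 asmith WS-202 12000000
2022-02-15T09:05:00 asmith WS-202 15000000
2022-02-16T09:10:00 asmith WS-202 9000000
2022-02-17T09:00:00 asmith WS-202 14000000
2022-02-18T09:02:00 asmith WS-202 13000000
2022-02-17T14:00:00 pnew   WS-303 2000000000
2022-02-18T14:05:00 pnew   WS-303 500000
"""


def parse_log(text):
    """Parse lines into (timestamp, user, workstation, bytes) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), user, host, int(nbytes)))
    return records


def daily_volume(records):
    """Sum bytes per user per calendar day: {user: {date: bytes}}."""
    vol = defaultdict(lambda: defaultdict(int))
    for ts, user, _host, nbytes in records:
        vol[user][ts.date()] += nbytes
    return vol


def find_anomalies(records, factor=5.0, floor_bytes=1_000_000_000, min_days=3):
    """Return (anomalies, skipped).

    A day is anomalous when its volume exceeds both `factor` times the median of
    the user's *other* days (leave-one-out, so the spike does not inflate its own
    baseline) and an absolute floor, so that low-volume users are not flagged for
    ordinary variance. Users with fewer than `min_days` of history have no usable
    baseline and are returned in `skipped` for separate review.
    """
    anomalies, skipped = [], []
    for user, per_day in daily_volume(records).items():
        days = sorted(per_day)
        if len(days) < min_days:
            skipped.append(user)
            continue
        for day in days:
            baseline = median([per_day[other] for other in days if other != day])
            if per_day[day] > max(floor_bytes, factor * baseline):
                anomalies.append((user, day.isoformat(), per_day[day], baseline))
    return anomalies, skipped


if __name__ == "__main__":
    found, no_baseline = find_anomalies(parse_log(SAMPLE_LOG))
    for user, day, total, baseline in found:
        print(f"ALERT {user} on {day}: {total} bytes read, baseline {baseline:.0f}")
    print("no baseline yet:", no_baseline)
```

On the constructed log only the after-hours read on 18 February by `jdoe` is flagged; `asmith` stays well under the floor, and `pnew` is listed as having too little history rather than being silently ignored, which is the case a reviewer would otherwise miss.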

Data breaches are complex problems in themselves, but they may also be symptoms of a vulnerable, possibly outdated, security regime. Therefore, it is necessary to keep policies up to date, report data breaches and develop a privacy culture through regular training and awareness activities. Lastly, if anything goes wrong when processing personal data, don’t panic! Follow the data breach reporting procedure or get in touch with your line manager and the data protection officer as quickly as possible: it is important to remember that data breaches have to be managed and, where required, reported to the Supervisory Authority within 72 hours.

 

Trilateral’s Data Governance and Cyber Risk Team have data protection specialists with extensive expertise and experience in implementing appropriate security measures in respect of personal data across both public and private sector organisations. Our support services will help your organisation protect patient records and maintain trust. Please feel free to contact our advisors, who would be more than happy to help.  
