Member News

Human Error and Data Breaches

By  Martin P.J. Kratz QC

With Canada implementing mandatory private sector breach reporting under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on November 1, 2018, it is worth noting that many breaches are due to human error. These breaches can be minimized with proper policies, practices and employee education, as well as regular monitoring and review of an organization’s privacy policies.

Data Commissioners or Information Commissioners often report details around the number, type and sources of breaches that are reported to them.

The UK’s Information Commissioner’s Office is the public body responsible for monitoring data breaches. This office monitors breaches the personal information of personal employment, financial and health information, as well as criminal record information.

A freedom of information request revealed the UK’s Information Commissioner’s Office’s research, reported by the Verdict, September 3, 2018, showed that 88 percent of data breaches were said to be the result of human error. This is a useful data point and may be contrasted with the quarterly report of the Office of the Australian Information Commissioner on the breaches reported to it, second quarter, 2018. While the UK report reported only 12 percent of breaches were due to malicious or criminal conduct, the Australian report indicated that 59 percent of data breaches were due to malicious or criminal attacks and only 36 percent due to human error. This contrasted with the first Australian Quarterly report, in 2018, from the Australian agency, which found a majority of the then reported breaches were due to human error.

In both cases, the most common sources of breaches due to human error were sending personal or sensitive information to the wrong recipient, by email or fax.

Whatever the reasons for the variation among these reports, it is clear that a key lesson is that there are likely to be a substantial number of breaches due to human error—these are preventable. 

This suggests organizations review, maintain and expand training, policies and procedures to heighten awareness of this preventable risk. With Canada’s federal law on reporting data breaches coming into force on November 1, 2018, this should serve as a call to action for Canadian organizations to review their privacy policies, practices and procedures in an effort to minimize the breaches due to human error.  As Canada’s new law will have mandatory reporting requirements as well as a requirement to maintain internal records of data breaches Canadian organizations should review their preparedness of these new national requirements.

Equally important, Canadian organizations should maintain an ongoing awareness of the substantial number of malicious or criminal attacks and implement technologies, policies and practices to defend against such attacks, detect them when they occur and minimize the damage caused by such an incident.

Compliments of Bennett Jones, a member of the EACCNY