The Information Commissioner’s Office (ICO) has recently released details of personal data breach trends linked to breaches reported during Q4 of 2019 – 2020. Here we will explore the highest reported categories of breach and what organisations (and their employees) can do to minimise risk for their organisation.
What is a personal data breach?
The legal definition is that it is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” The definition is wide-reaching and covers much more than many people think. Common practical examples where a personal data breach can occur include:
- Sending emails or attachments to the wrong person;
- Loss or theft of phones/laptops containing identifiable personal data;
- Loss or theft of paper records e.g. leaving a file on public transport;
- Oversharing personal data unnecessarily e.g. disclosing personal data via telephone calls on the train;
- Phishing or hacking;
- Viruses or other security attacks on IT equipment, systems or networks;
- Breaches of physical security e.g. filing cabinet containing confidential information is lost or accessed without authorisation;
- Insecure disposal of confidential paper waste;
- Publication of confidential data on the internet in error and accidental disclosure of passwords.
What was the most common personal data breach reported to the ICO in Q4 of Y19/20?
Phishing
In relation to cyber security breaches, the most common type of breach reported is falling foul of a phishing attack. Phishing attacks are on the rise; indeed a recent Barracuda survey of over 1000 businesses across the world found that 51% of those surveyed have noticed an increase in email phishing since the COVID-19 pandemic.
So what is a phishing attack? Phishing is the fraudulent attempt to obtain personal information, e.g. usernames, passwords or credit card details, by deceptive means, usually email or text message. Examples include an email notifying you that your online banking password is about to expire and that you need to click a link to change it. Or you may receive an email from a ‘client/customer/service user’ purporting to share documents saved on Google Drive or Dropbox, for example, and urging you to click a link to access the files, when in fact the ‘files’ may carry malicious software. Or you may even receive an email purporting to be from a colleague asking you to transfer funds to a certain bank account for business purposes.
Falling foul of a phishing attack can wreak havoc for your organisation. While the IT team/support can put in place spam email filters, those are unlikely to be 100% effective. Therefore it is really important that all staff are alert to the possibility of phishing and have at least a basic understanding of how to spot a phishing email.
5 things organisations can do to help them detect a phishing email.
- Is the email from a public domain e.g. gmail.com? If the sender is purporting to be from an organisation, it would be very odd not to have a domain linked to that organisation. Have a good look at the actual email address and not just the sender. Does it look odd?
- If the domain name appears to include the name of the organisation, has it been misspelt?
- Often phishing emails are poorly written and/or contain poor grammar. Have a good read. Does it sound not quite right?
- Does it include suspicious attachments or links? Were you expecting the email? Does it just feel off? You can hover over the link and sometimes the destination address will appear – if it doesn’t contain the name of the organisation, it is likely to be suspicious.
- Does the message create a sense of urgency? Are they asking you to respond immediately? Scammers know that the best way to scam people is when we are rushed and not taking the time to think things through.
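To show how the checks above translate into something a mail gateway or a triage script can apply, here is an added example (not part of the original article, and not a tool used by the authors or their firm). It automates checks 1, 2, 4 and 5 against a constructed suspicious message and a constructed genuine one; check 3 (writing quality) is a human judgement and is left to the reader. The public-domain list, the urgency phrases, the 0.8 similarity threshold and the domain `example-bank.com` are all assumptions chosen for the illustration.

```python
import difflib
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Free webmail domains a genuine organisational sender would not normally use (constructed list).
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Phrases that manufacture urgency (constructed list).
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will expire", "act now")

# Anchor tags in an HTML body: the real destination and the text the reader sees.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


@dataclass
class Assessment:
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def assess_email(sender: str, subject: str, html_body: str, claimed_org_domain: str) -> Assessment:
    """Apply checks 1, 2, 4 and 5 from the list above to one message.

    claimed_org_domain is the real domain of the organisation the email claims to come from.
    """
    a = Assessment()
    display, address = parseaddr(sender)
    if "@" not in address:
        a.reasons.append("sender address could not be parsed")
        return a
    domain = address.rpartition("@")[2].lower()
    org = claimed_org_domain.lower()
    org_name = org.split(".")[0]            # "example-bank"
    org_words = org_name.replace("-", " ")  # "example bank", as it would appear in a display name

    # Check 1: public webmail domain, or a display name that borrows the organisation's name
    if domain in PUBLIC_DOMAINS:
        a.reasons.append(f"sender uses public domain {domain}")
    if org_words in display.lower() and domain != org:
        a.reasons.append(f"display name mentions '{org_words}' but address domain is {domain}")

    # Check 2: misspelt or lookalike domain (assumed threshold: 0.8 similarity)
    if domain != org:
        ratio = difflib.SequenceMatcher(None, domain, org).ratio()
        if ratio >= 0.8 or org_name in domain:
            a.reasons.append(f"domain {domain} resembles {org} (similarity {ratio:.2f})")

    # Check 4: link destinations that do not contain the organisation's name,
    # or visible link text that shows a different host from the real destination
    for href, text in HREF_RE.findall(html_body):
        host = hostname(href)
        if org_name not in host:
            a.reasons.append(f"link points to {host}, which does not contain '{org_name}'")
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith("http") and hostname(shown) != host:
            a.reasons.append(f"link text shows {hostname(shown)} but points to {host}")

    # Check 5: urgency language in the subject or body
    lowered = f"{subject} {html_body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        a.reasons.append("urgency language: " + ", ".join(hits))
    return a


# Two constructed messages: one imitating a bank, one genuine.
SUSPICIOUS = dict(
    sender='"Example Bank Security" <security@examp1e-bank.com>',
    subject="Your online banking password will expire",
    html_body='Your password will expire within 24 hours. '
              '<a href="http://login.verify-account.net/reset">https://www.example-bank.com/reset</a>'
              ' Please act immediately.',
)
GENUINE = dict(
    sender='"Example Bank" <alerts@example-bank.com>',
    subject="Your monthly statement is ready",
    html_body='Your statement is available. <a href="https://www.example-bank.com/statements">View statement</a>',
)

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("genuine", GENUINE)):
        result = assess_email(claimed_org_domain="example-bank.com", **msg)
        print(f"{label}: score {result.score}")
        for r in result.reasons:
            print("  -", r)
```

Each reason maps back to one of the numbered checks, which is what makes the output useful as a training aid: a member of staff can see which of the habits described above would have caught the message. The score is deliberately a plain count of reasons rather than a weighted risk figure, since the point is to prompt a second look, not to replace the spam filter.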
Organisations ought to encourage staff members not to click on any link embedded in a suspicious email or text. Nor should they respond to or forward the message. Staff should be encouraged to contact their IT department/team/support immediately and, where appropriate, delete it from their inbox.
Sending communications to the wrong recipient
The most common type of non-cyber related data breach is sending communications (usually by email) to the wrong recipient. This is often quite easy to do if using the ‘Reply All’ function and staff members forget to take recipients out of their response that should not have access to the personal data. Or if staff members are forwarding a long chain of emails and the new recipients should not be privy to the information contained earlier on in the chain. Or perhaps one of the recipients has a similar email address to someone else and Outlook’s auto populate suggests the wrong recipient!
Usually personal data breaches falling under this category are due to genuine human error rather than any form of intent or malicious behaviour. However, it is still a personal data breach, which the organisation could be responsible for. It is really important that all staff are encouraged to consider whether it is appropriate for the recipients to receive the information in their communication. While there is the option to recall emails, the function is not 100% effective.
Basic suggestions to minimise risk in this area are to repeatedly encourage staff to: check and double check that their recipient email addresses are correct; be careful about using ‘Reply All’; and double check addresses suggested by auto-populate. If this is a continuous issue in your organisation, consider disabling auto-populate in Outlook and/or adopting sender verification services.
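The three habits described above (checking recipients, being careful with ‘Reply All’, and double checking auto-populate suggestions) can also be backed by a pre-send check in the mail client or gateway. The following is an added example, not code from the article or from the authors' firm: it assumes a hook that sees the recipient list and body before a message leaves, a constructed internal domain `example-org.co.uk`, a constructed address book, and a 0.85 text-similarity threshold as the measure of an address that auto-populate could easily confuse with another. It also flags recipients who were not on an earlier thread that is being forwarded, which is the "long chain of emails" case described above.

```python
import difflib
import re
from typing import List, Set

# Domains that belong to the organisation (constructed).
INTERNAL_DOMAINS = {"example-org.co.uk"}

# The address book that the mail client's auto-populate suggests from (constructed).
ADDRESS_BOOK = {
    "j.smith@example-org.co.uk",
    "j.smyth@example-org.co.uk",
    "finance@example-org.co.uk",
    "contact@partnerfirm.com",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# From:/To:/Cc: lines inside quoted or forwarded text, allowing leading '>' quote markers.
QUOTED_HEADER_RE = re.compile(r"^\s*(?:>\s*)*(?:From|To|Cc):\s*(.+)$", re.IGNORECASE | re.MULTILINE)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def confusable_with(addr: str, threshold: float = 0.85) -> List[str]:
    """Address-book entries that look like addr but belong to a different person."""
    return sorted(
        other for other in ADDRESS_BOOK
        if other != addr and difflib.SequenceMatcher(None, addr, other).ratio() >= threshold
    )


def earlier_participants(body: str) -> Set[str]:
    """Addresses named in quoted From:/To:/Cc: lines, i.e. who was already on the thread."""
    return {a.lower() for line in QUOTED_HEADER_RE.findall(body) for a in EMAIL_RE.findall(line)}


def check_outgoing(recipients: List[str], body: str, reply_all: bool = False) -> List[str]:
    """Warnings to show the sender before the message goes; an empty list means nothing looked wrong."""
    warnings: List[str] = []
    recips = [r.strip().lower() for r in recipients]

    # 'Reply All' that would reach addresses outside the organisation
    external = [r for r in recips if domain_of(r) not in INTERNAL_DOMAINS]
    if reply_all and external:
        warnings.append("Reply All includes external recipients: " + ", ".join(external))

    # Unknown addresses (possible typo) and addresses auto-populate could have mixed up
    for r in recips:
        if r not in ADDRESS_BOOK:
            warnings.append(f"{r} is not in the address book; check it is typed correctly")
        for other in confusable_with(r):
            warnings.append(f"{r} is easily confused with {other}; confirm auto-populate picked the right one")

    # Forwarded chain: anyone new to the thread will see everything quoted below
    earlier = earlier_participants(body)
    for r in recips:
        if earlier and r not in earlier:
            warnings.append(f"{r} was not on the earlier thread; check they should see everything below")
    return warnings


# Constructed forward of an internal HR thread to a colleague with a similar name.
FORWARDED_BODY = """Please see below.

From: j.smith@example-org.co.uk
To: finance@example-org.co.uk
Subject: Salary review for employee 4471

Details of the salary review are attached.
"""

if __name__ == "__main__":
    for w in check_outgoing(["j.smyth@example-org.co.uk"], FORWARDED_BODY):
        print("-", w)
```

The warnings are advisory: the sender can still send, which mirrors the article's point that the controls here are about prompting staff to pause and check rather than about blocking. Disabling auto-populate in the client, as suggested above, removes the mix-up risk entirely at the cost of convenience; a check like this one is the lighter-touch alternative.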
Handling Personal Data Breaches
It is imperative that employees report all personal data breaches to the appropriate person internally e.g. the Data Protection Officer. Failure to do so may prevent the organisation from taking action to minimise any impact to individuals that could occur. It could also put the organisation in breach of data protection legislation, exposing the organisation to enforcement action from the Information Commissioner’s Office, which could include a fine of up to the greater of 4% of annual turnover or £17M euros.
In order to support swift reporting of personal data breaches, organisations should ensure staff are made aware of the procedure; this should be revisited regularly and form part of the on-boarding procedure for new staff. If staff do not know the reporting procedure to be followed, they can’t report breaches, and this failing will inevitably expose the organisation to risk.
Morgan O’Neill is Director of Data Protection Services and Loretta Maxfield is a Partner in our specialist Data Protection team. If you have any further queries, please contact Loretta or Morgan on 03330 430350, or by emailing lmaxfield@thorntons-law.co.uk or moneill@thorntons-law.co.uk.