A quarter of reported data breaches were caused by accidental loss or destruction of personal data.
According to a Freedom of Information Act request, an examination of incidents in the first three months of 2014 found one-quarter of reported data breaches were caused by the accidental loss or destruction of personal data, up 15 per cent for the second half of 2013.
Of these, between April and June 2013 and the same period for 2014, 43 per cent involved confidential information being disclosed in error, primarily through emailing, faxing or posting data to an incorrect recipient. Only seven per cent of breaches for the period occurred as a result of technical failings; the remaining 93 per cent were down to human error, poor processes and systems in place, and lack of care when handling data.
The FOIA request found that, to date, no fines have been levied due to technical failings exposing confidential data, whereas a total £5.1m has been issued for mistakes made when handling sensitive information.
Since the possibility to fine for significant data loss was given to the Information Commissioner in 2010, the total number of fines issued is in excess of £6.7 million.
£600,000 of this total has the specified cause of information being emailed to the incorrect recipient, £320,000 attributed to using the wrong fax number and £170,000 for postal address inaccuracies. Add to this the penalties for unspecified disclosure to the wrong recipient, loss of unencrypted endpoint devices and accidental uploads of sensitive information to publicly available websites, and the figure is in excess of £3.7m. The final £310,000 is accounted for by paperwork left in decommissioned buildings, on public transport or in the street.
Tony Pepper, CEO of Egress Software Technologies, who made the request, said that people making mistakes will never be completely prevented, but it was clear that safeguards were urgently needed.
“Confusion can often put confidential data at risk, with users unsure of when and how to encrypt,” he said. “Similarly, a continued reliance on fax and post demonstrates a disturbing lack of care and control taken to sensitive information.
“What these statistics demonstrate is that training alone is not the answer. Solutions that are easy to use yet offer comprehensive protection and control have been developed to mitigate the risk of a data breach, so it is mystifying why organisations are not implementing them to reduce their liability.”
He also claimed that of the £6.7 million in fines, it was alarming to see that well over half (£4.5 million) is coming from the public sector alone. “Not only are these organisations and bodies responsible for handling citizens’ data, their malpractice is being paid for by the public pocket,” he said.
