Human errors (introduction)
The first thing that comes to mind when thinking about the causes of data breaches is a malicious attack by a hacker. Since a privacy incident may itself be a crime, it is natural to associate it automatically with a criminal. Nonetheless, the origins of such incidents are too varied to be limited to criminal attacks; that reasoning is simply too black and white for a field as diverse as privacy. Moreover, it is common for data breaches to be caused by internal actors.
As an IBM study showed, human error accounts for 23% of the causes of data breaches. Malicious activity undoubtedly still causes a fair share of breaches: a 2007 University of Maryland study counted an attack attempt on its test computers every 39 seconds on average, and such activity has only become more common since. However, the root cause of an incident is usually something as mundane as a weak password or the sharing of unencrypted data, and in as many as 95% of cases attackers get into a company through its weakest link: its employees.
Lack of awareness
It is widely acknowledged that people do not know enough about privacy law and data breaches; the field still seems distant and complicated. Customers or clients may get by with some basic knowledge of consent to processing and their general rights. Employees, however, must be trained to protect the company and its clients. For instance, phishing (involved in 32% of breaches, according to the Verizon 2019 Data Breach Investigations Report) cannot be avoided without awareness.
Additionally, only one in four employees admits to having caused a data breach. All of these factors add up to an unsafe, unprotected environment. A company can implement the most sophisticated security measures, but without staff who recognise the potential threats, incidents will continue to happen.
It must be highlighted that a lack of awareness affects not only individual employees but companies themselves. Entities often do not recognise their obligations or the prohibitions that apply to them under the General Data Protection Regulation (GDPR). These issues fall within the human error category too: if an entity fails to follow the obligations arising from the law, it alone is to blame. The case of H&M in Germany is an instructive example of a privacy incident that occurred because the processing lacked a sufficient legal basis.
The company was fined almost €35.3 million for the excessive monitoring of several hundred employees. The employer unlawfully kept detailed records of conversations with employees and stored data about their private lives, health conditions and holiday plans. Here, a human error rooted in a lack of awareness not only cost the company an enormous fine but, more importantly, significantly breached the employees' privacy without their knowledge.
A simple mistake is enough
It is true that individuals themselves often unwittingly help attackers carry out malicious attacks. However, human errors can be much simpler than that, and unintentional personal data breaches happen more often than it might seem. A courier losing a package, an email sent to the wrong recipient, recipient addresses left visible in a mass message: these simple mistakes are enough to constitute a data breach.
In April 2021, the Polish company Cyfrowy Polsat S.A. suffered a breach due to human error. While the entity was fined mostly for not implementing sufficient privacy measures, the incident itself was caused by a courier company losing several packages containing the personal data of numerous clients. Again, as with H&M, it was a simple human error that allowed unauthorised access to personal data. Such incidents happen regularly; it is almost impossible never to have a package lost by a courier. While the loss itself is an unintentional accident that could happen to anyone, we must recognise that even such incidents amount to a data breach. Only once they are recognised as such can they be avoided.
Like many others, the University of Liverpool is just another example of an institution that suffered a data breach due to human error. Here, the consequences were significant because the data concerned was sensitive health data. The university mistakenly sent an email about one individual's wellbeing appointment, with all the details of the session, to all undergraduate students.
Arguably, such an incident might have serious consequences not only for the person whose data was disclosed but also for other individuals who were considering reaching out for professional help. Due to a simple mistake, private information about someone's mental state was revealed. There is little doubt that such incidents discourage people from seeking professional help. No one wants their health records to become public, especially when the topic is as sensitive as mental health.
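The mass-mail mistake described above (recipient addresses left in To:, or a message about one person sent to a whole list) is easy to guard against in the tool that actually sends the mail. The following is an added example written for this page, not code from the university or from the author; it uses only the Python standard library, and every address and message body is constructed. It builds a mailing the wrong way and the right way (Bcc), produces one message per person for content that concerns a single individual, and adds a pre-send check that refuses any draft exposing more than one address to its recipients.

```python
"""Mass-mail hygiene: the recipient-disclosure mistake and a safe alternative.

Standard-library only. All addresses are constructed for this example.
"""
from email.message import EmailMessage


def draft_bulk_notice(sender, recipients, subject, body, hide_recipients=True):
    """Build one message that goes to many people.

    hide_recipients=False reproduces the common mistake: every address is
    placed in To:, so each recipient learns who else was contacted.
    hide_recipients=True lists them in Bcc: instead. smtplib.send_message()
    uses Bcc: as envelope recipients and strips the header before
    transmission, so recipients see only the sender's own address in To:.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if hide_recipients:
        msg["To"] = sender                  # a visible To: that discloses nobody
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)   # the mistake: everyone sees everyone
    return msg


def draft_personal_notices(sender, subject, body_by_recipient):
    """One message per data subject for content that is about that person.

    A wellbeing appointment, a diagnosis or a salary figure should never be
    in a message addressed to more than the person concerned, hidden
    recipients or not.
    """
    messages = []
    for recipient, body in body_by_recipient.items():
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = recipient
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages


def exposed_recipients(msg):
    """Addresses every recipient of msg can read: everything in To: and Cc:."""
    visible = []
    for header in ("To", "Cc"):
        for value in msg.get_all(header, []):
            visible.extend(addr.addr_spec for addr in value.addresses)
    return visible


def check_before_send(msg, max_visible=1):
    """Pre-send gate for a mailing tool.

    One visible address (a single addressee, or the sender's own box on a
    Bcc mailing) is normal. More than that is the disclosure mistake, so
    refuse rather than send.
    """
    visible = exposed_recipients(msg)
    if len(visible) > max_visible:
        raise ValueError(
            f"refusing to send: {len(visible)} recipient addresses would be "
            f"visible to everyone: {visible}"
        )
    return True


if __name__ == "__main__":
    sender = "wellbeing@example.ac.uk"
    students = ["alice@student.example.ac.uk", "bob@student.example.ac.uk"]

    bad = draft_bulk_notice(sender, students, "Term dates", "Term starts Monday.",
                            hide_recipients=False)
    print("visible in the mistaken draft:", exposed_recipients(bad))

    good = draft_bulk_notice(sender, students, "Term dates", "Term starts Monday.")
    check_before_send(good)
    print("visible in the Bcc draft:", exposed_recipients(good))
```

The check deliberately sits in front of the sending step rather than relying on the person drafting the mail to remember Bcc; the whole point of the section is that the person will, sooner or later, forget.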
Change of approach
Educating employees and spreading awareness is vital to protecting privacy properly. Individuals cannot report a data breach if they do not know what falls within the definition, and employers cannot fulfil their obligations if they do not know what those obligations are. While human errors will probably still happen, they can be significantly reduced.
Acknowledging the need to act rather than conceal one's mistake is a much needed change of approach. It is a common belief that reporting a mistake, and later the resulting incident, will automatically bring a fine down on the whole company. That belief is mistaken: a promptly reported incident is far easier to contain, and failing to notify a breach is itself a violation of the GDPR's notification obligations. Once a problem is recognised and known, it becomes easier to avoid. Security measures help against cyberattacks; education helps against human error. Both must be treated with equal weight to successfully improve privacy protection.
1. Michel Cukier, "Study: Hackers Attack Every 39 Seconds", University of Maryland, 2007, https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds.
2. Devon Milkovich, "15 alarming cybersecurity stats and facts", Cybint, https://www.cybintsolutions.com/cyber-security-facts-stats/.
3. "Awareness to prevent cybersecurity breaches", Cybervadis, https://cybervadis.com/articles/awareness-to-prevent-cybersecurity-breaches/.