Human Error Accounts for 34% of Notifiable Data Breaches: 3 Key Take Outs from the Latest OAIC Report
The Office of the Australian Information Commissioner has released its Q2 statistics on notifications received under the Notifiable Data Breach (NDB) scheme. The 245 breach notifications in Q2 are on par with each other quarter since the scheme was introduced in July 2018 and while the majority of NDBs (62%) are attributed to malicious or criminal attacks, we noted with interest that a staggering 34% are due to human error – that is, mostly avoidable errors made by staff. A consistent theme of our blogs is reinforcing the message that employees are the front line of defence for organisations.
There are 3 key statistics we took away from these human error NDBs.
First, nearly half of the 84 human error NDBs are attributed to personal information being sent to the wrong recipient by email, mail, fax or other means (e.g. hand delivery). This includes things like having an incorrect mail address on file or mistyping an email address.
Second, unauthorised disclosure overshadows all other human error NDBs in the number of individuals affected, affecting a whopping 9,485 individuals per NDB on average. These are the kinds of data breaches we often hear about in the media, and include disclosures in written format (including online) and a failure to redact or de-identify personal information before disclosure.
Our third take away is that failure to use the ‘BCC’ field punches above its weight when it comes to the number of individuals affected. This kind of breach involves not using the ‘BCC’ field and disclosing all recipient email addresses to all other recipients by including them in the ‘To’ or ‘CC’ fields, and accounts for a modest 5 NDBs received, but affected a healthy 601 individuals on average for each NDB.
There are a staggering number of individuals affected because of data breaches caused by human error. The harm caused to each of the affected individuals along with an organisations’ reputational damage and their resources being tied up investigating and curing the breach is rightly putting businesses on alert. These statistics are a reminder to ensure staff undertake privacy awareness training and to implement a NDB plan so that in the event of a data breach, the business is prepared for it.