17 September, 2020
The Information Commissioner's Office (ICO) has published its recent data security incident trends for the first quarter of 2020/2021. The figures published are compiled by the ICO and are based upon the number of personal data breaches reported to them. The figures show how many incidents have been reported rather than detailing the number of actual incidents.
The latest trend figures show that the vast majority of reported breaches did not relate to cyber security issues, but were the result of human error or failures in organisational security measures. Of the 1,446 breaches reported, only 412 related to cyber security incidents. The remaining 1,034 breaches were non-cyber related, such as information being sent to the wrong e-mail recipient, information posted to the wrong recipient, failure to use the 'bcc' function in e-mails and a failure to redact information correctly.
These latest trend figures show that there is still work to do to address human error and looking at measures that can be put in place to reduce the risk of information being sent to the wrong recipient. Training and awareness raising will play a key part in an organisation's data protection compliance to ensure staff are aware of the importance of keeping personal information safe and secure, and the consequences of a failure to do so. Technical security measures can also be introduced to reduce the risk of human error - e.g. e-mail filters which flag potential failures to use the 'bcc' rather than 'cc', time delays on outgoing e-mail messages and the disabling of autofill when entering e-mail addresses.
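As an added illustration, which is not part of the original article or of any ICO guidance, the Python below shows one way the 'bcc' check described above could work at an outbound e-mail gateway: it counts the recipients every other recipient can see (those in To and Cc, never Bcc) and holds the message when too many external addresses across several domains are visible, which is the typical signature of a mailshot that should have used 'bcc'. The sample messages, the domain names and the threshold are constructed for the example.

```python
import email
from email.utils import getaddresses

# Constructed sample messages for the check below (not taken from the page).
# A mailshot where every recipient is visible in To/Cc: the classic 'bcc' mistake.
MAILSHOT_CC = """From: comms@council.example
To: alice@gmail.com, bob@outlook.com
Cc: carol@yahoo.co.uk, dave@protonmail.com, erin@icloud.com
Subject: Service user newsletter

Dear all,
"""

# The same mailshot sent correctly: recipients in Bcc, only the sender's own address visible.
MAILSHOT_BCC = """From: comms@council.example
To: comms@council.example
Bcc: alice@gmail.com, bob@outlook.com, carol@yahoo.co.uk, dave@protonmail.com, erin@icloud.com
Subject: Service user newsletter

Dear all,
"""

# Domains treated as the sending organisation's own (hypothetical).
INTERNAL_DOMAINS = {"council.example"}
# More than this many external addresses visible to every other recipient gets the message held.
MAX_VISIBLE_EXTERNAL = 3


def visible_recipients(msg):
    """Addresses in To and Cc, which every recipient can see. Bcc is deliberately excluded."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if "@" in addr]


def check_outbound(raw_message, internal_domains=INTERNAL_DOMAINS,
                   max_visible_external=MAX_VISIBLE_EXTERNAL):
    """Return a dict saying whether the message should be held for the sender to confirm."""
    msg = email.message_from_string(raw_message)
    visible = visible_recipients(msg)
    external = [a for a in visible if a.rsplit("@", 1)[1] not in internal_domains]
    domains = {a.rsplit("@", 1)[1] for a in external}
    # Many external addresses spread over many domains look like individual members of the
    # public rather than one partner organisation, so only that combination is held.
    flagged = len(external) > max_visible_external and len(domains) > 1
    return {
        "visible_external": external,
        "distinct_external_domains": len(domains),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for label, raw in (("cc", MAILSHOT_CC), ("bcc", MAILSHOT_BCC)):
        result = check_outbound(raw)
        print(label, "HOLD" if result["flagged"] else "OK", result)
```

A check like this has to run at the point of submission, before the mail server strips the Bcc header, and it is a heuristic rather than a guarantee: a single large partner domain in Cc would pass, and a legitimate group discussion among a few external contacts may be held for confirmation, which is the intended trade-off.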
The latest trend figures also show that there has been a reduction in the number of breaches being reported to the ICO. Compared to the first quarter of 2019/2020, 1,645 fewer breaches were reported to the ICO. There are a number of possible reasons for this fall - from organisations generally improving their data protection compliance to fewer breaches being reported where organisations are unsure whether or not the breach is reportable (following guidance published by the ICO which indicated that there had been some over-reporting by organisations after the GDPR came into force). The impact of Covid-19 will also undoubtedly have affected the reporting figures, as resources have been diverted to other areas of business need during the pandemic.
As discussed above, training and awareness raising play a key part in the organisational security measures that prevent personal data breaches. An effective data breach reporting procedure will assist an organisation in identifying actual, suspected and 'near miss' breaches, ensuring breaches can be reported to the ICO where this is legally required and enabling the organisation to capture lessons learned from a breach or a near miss in order to reduce the risk of such an incident recurring. As data breaches can result in severe consequences for organisations, such as regulatory action from the ICO and/or claims for compensation from affected individuals, it is vital that organisations act on those lessons learned to mitigate the risk of enforcement action and compensation claims.
A copy of the most recent data security incident trends published by the ICO can be found here - https://ico.org.uk/action-weve-taken/data-security-incident-trends/
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.