Around the world, tough new laws have raised data protection to a matter of critical operational risk.
Data breach notification laws from the United States to Australia, as well as the General Data Protection Regulation (GDPR) in Europe, have the objective of protecting consumers, and forcing companies to implement more secure practices.
The GDPR, for example, requires organisations to notify the supervisory authority of a personal data breach (a breach of security leading to personal data being accidentally or unlawfully destroyed, lost, altered, disclosed or accessed without authority), generally within 72 hours of becoming aware of it. In the first nine months after the GDPR commenced, more than 64,000 data breaches were notified to European data protection authorities, and more than €55 million had been levied in fines.
While detailed statistics from the European regulators are not yet available, evidence emerging from the Australian Notifiable Data Breaches scheme suggests that avoidable human error features in a large share of data breaches. Given that organisations worldwide use much the same information systems, and deploy the same types of security controls to comply with privacy legislation, this pattern can reasonably be extrapolated to other jurisdictions.
Of the Notifiable Data Breaches (i) reported since the commencement of the scheme in Australia, 35% have been the result of human error. Of those, the single most common cause of a data breach has been personal information sent to the wrong recipient by email (28%). Failure to use BCC when sending an email to multiple people accounted for another 8% of human error breaches.
...more than a third of all data breaches caused by human error involve sending emails.
It comes as no surprise to most IT security personnel and risk managers that human error is a significant factor. Human error also features in malicious breaches, which often start with a phishing attack. Even with the best training to reduce the likelihood of incidents, mistakes will still happen.
There are several ways these types of errors could be prevented with Janusnet technology:
- Janusseal users can be prompted when a message contains sensitive information, before it is transmitted to another party;
- Recipient counts prior to transmission help reduce the likelihood or extent of the information handling error;
- When data handling mistakes occur, our products can automatically move the TO and CC recipients into the BCC field; and
- It is possible to prevent certain types of Personal Data from being delivered to mobile devices from corporate networks.
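The first three controls in the list above amount to a pre-send check on the draft: classify the content, look at who it is addressed to, and rewrite the recipient fields when too many addresses are visible. The following is an added illustration of that logic written for this page; it is not Janusnet's code and does not describe how Janusseal implements these features. The internal domain list, the recipient threshold, the `X-Classification` header name and the fallback nine-digit identifier pattern are all assumptions, and the draft message is constructed for the example.

```python
"""Pre-send checks for an outbound email draft (illustrative, not Janusnet code).

Assumptions: the domain list, the visible-recipient threshold, the
classification header name and the fallback detector are all made up here.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}           # assumed: the organisation's own domains
BCC_THRESHOLD = 5                            # assumed: more visible recipients than this -> use BCC
CLASSIFICATION_HEADER = "X-Classification"   # assumed: header written by a classification tool
SENSITIVE_LABELS = {"personal", "confidential"}
# Assumed fallback for unlabelled drafts: a nine-digit identifier written in
# groups of three, the way an Australian TFN is usually formatted.
NINE_DIGIT_ID_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def recipients(msg: EmailMessage, field: str) -> list[str]:
    """Lower-cased addresses from one header field (To, Cc or Bcc)."""
    values = [str(h) for h in msg.get_all(field, [])]
    return [addr.lower() for _name, addr in getaddresses(values) if addr]


def all_recipients(msg: EmailMessage) -> list[str]:
    return recipients(msg, "To") + recipients(msg, "Cc") + recipients(msg, "Bcc")


def external_recipients(msg: EmailMessage) -> list[str]:
    """Recipients whose domain is not one of ours."""
    return [a for a in all_recipients(msg)
            if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]


def is_sensitive(msg: EmailMessage) -> bool:
    """True if the draft carries a sensitive label or looks like it holds personal data."""
    label = str(msg.get(CLASSIFICATION_HEADER, "")).strip().lower()
    if label in SENSITIVE_LABELS:
        return True
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return NINE_DIGIT_ID_RE.search(text) is not None


def check_draft(msg: EmailMessage) -> list[str]:
    """Findings a mail client would show the sender before allowing 'Send'."""
    findings = []
    external = external_recipients(msg)
    if is_sensitive(msg) and external:
        findings.append(
            f"sensitive content addressed to {len(external)} external recipient(s): "
            + ", ".join(external))
    visible = recipients(msg, "To") + recipients(msg, "Cc")
    if len(visible) > BCC_THRESHOLD:
        findings.append(
            f"{len(visible)} visible recipients (limit {BCC_THRESHOLD}); "
            "each recipient would see every other address")
    return findings


def move_to_bcc(msg: EmailMessage) -> EmailMessage:
    """Collapse To and Cc into Bcc in place so recipients cannot see each other."""
    hidden = recipients(msg, "To") + recipients(msg, "Cc") + recipients(msg, "Bcc")
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = "Undisclosed recipients:;"   # empty RFC 5322 group: valid, shows no addresses
    msg["Bcc"] = ", ".join(hidden)
    return msg


def build_sample() -> EmailMessage:
    """Constructed draft: six visible recipients, two of them external, labelled Personal."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "alice@example.com, bob@partner.invalid"
    msg["Cc"] = ("carol@example.com, dave@example.com, "
                 "erin@example.com, frank@customer.invalid")
    msg[CLASSIFICATION_HEADER] = "Personal"
    msg.set_content("Hi all, Alice's TFN is 123 456 789. Please update the records.")
    return msg


if __name__ == "__main__":
    draft = build_sample()
    for finding in check_draft(draft):
        print("WARN:", finding)
    move_to_bcc(draft)
    print("after BCC fix:", check_draft(draft))
```

Note what the BCC rewrite does and does not fix: after `move_to_bcc` the recipient-count warning disappears, but the sensitive-content warning remains, because the external addresses are still on the message. Hiding the recipient list from each other addresses the disclosure-of-addresses error; it does nothing about personal data going to the wrong party, which is the larger category in the Australian figures, so the sender prompt has to stay in place regardless.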
(i) Reference: The Australian Government, Office of the Australian Information Commissioner Notifiable Breaches Reports.