Trouble originating between chair and keyboard caused most UK breaches

UK data breaches caused by good old human error rose again early this year, accounting for 62 per cent of all data breaches reported to UK data protection watchdogs in the first quarter of 2016.

This far outstrips other causes of breaches, such as insecure webpages and hacking, which stands at nine per cent combined.

The figures are based on a Freedom of Information request to the Information Commissioner’s Office by Egress Software Technologies and cover the first three months of 2016. Egress put in similar requests in both 2014 and 2015, meaning it can make a comparison of data breach figures over recent years.

Mistakes including data posted or faxed to the wrong recipient, loss and theft of paperwork and data emailed to the wrong recipient account for a big chunk of data breach blunders reported to the ICO. Other causes included insecure disposal of hardware and paperwork, loss or theft of unencrypted devices, and failure to redact data.

The courts and justice sector has experienced a six-fold increase in reported data breaches over a three year period, a worrying statistic given that these institutions are responsible for handling all manner of particularly sensitive data. Other organisations that have experienced a growth in breach incidents are insurance firms (317 per cent) and charities (109 per cent).

Although not experiencing such a dramatic rise in breaches, with only a 13 per cent increase, healthcare organisations continue to top the list for total number of reported incidents at 184.

Data breaches in all sectors are on the rise: two-thirds (66 per cent) of business sectors had experienced a rise in breaches over the last three years.

EU GDPR

Although advised to disclose data breaches as soon as possible, corporate organisations are not currently legally mandated by law to act. This is set to change under the EU General Data Protection Regulation (GDPR), which will enforce mandatory notification within 72 hours for breaches in cases where sensitive personal information is put at risk.

The practical upshot is that reports of breaches in private sector organisations are likely to show a sharp rise once the legislation comes into effect in May 2018, irrespective of the severity of the underlying data breach problem.

The debut of the EU GDPR will increase the ability of data regulators across Europe to levy heavier penalties of up to four per cent of annual worldwide turnover for organisations found to have breached the regulation. UK private sector organisations have, to date, suffered only 18 per cent (£1,233,500) of financial sanctions handed out under the current Data Protection Act.

“Enforcement of the EU GDPR will begin in 2018 – and organisations need to be ready in advance so that they don’t fall foul of the new legislation,” said Egress chief exec Tony Pepper. “Corporate organisations are already increasingly coming under the spotlight following several high-profile breaches of consumer data over the last 12 months and the EU GDPR will only amplify this.” ®