Guernsey’s Office of the Data Protection Authority (ODPA) has published its latest breach statistics, with 26 personal data breaches reported during March and April 2022.
Of these, 11 breaches occurred via email, which is an ongoing trend and remains the most common type of breach reported.
The chart below helps illustrate the complexity of circumstances surrounding the incidents where personal data is compromised.
One of the more unusual breaches reported related to confidential and sensitive information being discussed in a telephone conversation and overheard by a third party. The incident caused significant distress and could have had far-reaching consequences for the person who was being discussed.
This example is particularly relevant because people are often working from home, and it serves as a timely reminder to us all that safeguards need to be in place to ensure the confidentiality of personal data, whatever the setting.
Another interesting reported incident involved a warehouse burglary in the UK. The products stolen contained personal information that indicated the clients’ lifestyle and could be classed as ‘special category data’ (information relating to things such as a person’s racial or ethnic origin, political opinion, religious belief, and health data, amongst others). Special category data is given a higher degree of protection because significant harm can be caused if it is mishandled or compromised.
Template documents can also be a weak spot. Two of the reported breaches in this period involved completed templates which had been saved in error, overwriting the original template. The filled-out templates contained confidential personal information, which was then made available to other people.
One of these breaches occurred via an office intranet; in the other, the completed template was sent outside the organisation.
The Bailiwick’s Data Protection Commissioner Emma Martins explains why data breach reporting is so important:
“Understanding and responding effectively to personal data breaches is a fundamental part of data governance for all organisations but the current heightened risks, especially around cyber-attacks, mean that we must be extra vigilant.
“The challenges we face, regardless of size or nature of organisation, are shared and encouraging an informed and open conversation across the community is so important. The more we engage, the more likely we are to take meaningful steps to reduce risk and learn from the past. Data breach management does not exist in isolation, it must exist within a framework of compliance across the whole organisation and involving every member of staff.”
On 1st January 2022, the ODPA introduced an improvement to its breach reporting system so that any organisations reporting a breach can now specify both how it happened (i.e. the circumstances that led to the breach occurring) and what the outcome was (e.g. accidental disclosure of personal data).
This change addresses the complexity of circumstances surrounding incidents where personal data is compromised and allows the person reporting the breach to provide greater clarity as to the reasons why a breach occurred and the impact of the breach.
The ODPA will continue publishing anonymised statistics of the breach reports it receives from the regulated community, every two months, so that everyone can apply any lessons learned.