Historically, data claims have involved information being left behind at third party premises or on a train, stolen from a vehicle or office, or being shared inadvertently with a third party by an employee. Invariably the release contained the data of one person, or maybe two or three.
These claims still occur. Most are due to the accidental electronic release of data, often through an e-mail that is either sent to the wrong person or carries an attachment containing information the recipient was not meant to see.
However, what is new in 2024 is the increase in the frequency of claims and their overall value. The value of the claim is very often driven by the number of people affected by the data release, with the use of spreadsheets a major factor.
In the last few years RMP have seen at least one data breach involving as many as 17,500 current and former employees, and on a more modest scale one involving 160 members of the public.
While individual DPA/GDPR claims which trigger policy cover are relatively modest, the cost of managing the event can be significant. What is fuelling the increase in data sharing errors is, in part, the electronic environment we all operate within and the increased pressure we all work under.
We all handle greater volumes of electronic data, processed faster than before, and it is the human element that is usually the weakest point in data protection. As we push through our daily working lives to keep pace with e-mail traffic and electronic document transfer, the potential for errors is bound to grow.
Data releases today fall into three categories:
- Accidental release
- Malicious release
- Hacking or cyber attack
Accidental releases are defined as data being shared when that was not the intention of the sender. They can include responses to Freedom of Information Act requests that include spreadsheets containing more information than intended, often in the supporting spreadsheets behind the main spreadsheet of data.
The key issue is that the data has only been hidden, not deleted. Data in such situations can be revealed by anyone with a basic working knowledge of spreadsheets. Indeed, in September 2023 the Information Commissioner called on public authorities to stop using spreadsheets in FOI responses.
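A pre-send check for exactly this failure mode, as an added example that is not part of the original article: it opens an .xlsx file with the standard library only and reports sheets, rows and columns that are hidden rather than deleted, including "veryHidden" sheets that Excel's Unhide dialog does not list. The sample workbook it builds is constructed for the demonstration and contains only the parts the checker reads; the "relative Target" handling in the relationships file is an assumption.

```python
import io, zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"

def find_hidden_content(xlsx_bytes: bytes) -> dict:
    """Report hidden sheets, rows and column ranges in an .xlsx by reading the
    OOXML parts directly; catches 'veryHidden' sheets Excel's Unhide dialog omits."""
    findings = {"sheets": [], "rows": {}, "cols": {}}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        # Resolve r:id -> worksheet part; sheet order need not match sheetN.xml numbering.
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        targets = {r.get("Id"): "xl/" + r.get("Target")  # assumption: relative targets
                   for r in rels.findall("p:Relationship", {"p": PKG})}
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", {"m": MAIN}):
            name = sheet.get("name")
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings["sheets"].append(name)
            ws = ET.fromstring(zf.read(targets[sheet.get(f"{{{REL}}}id")]))
            rows = [int(r.get("r")) for r in ws.iterfind("m:sheetData/m:row", {"m": MAIN})
                    if r.get("hidden") in ("1", "true")]
            cols = [(int(c.get("min")), int(c.get("max"))) for c in ws.iterfind("m:cols/m:col", {"m": MAIN})
                    if c.get("hidden") in ("1", "true")]
            if rows: findings["rows"][name] = rows
            if cols: findings["cols"][name] = cols
    return findings

def build_sample_xlsx() -> bytes:
    """Constructed sample (only the parts the checker reads): a visible 'Response'
    sheet with hidden column C and hidden row 2, plus a veryHidden 'Source' sheet."""
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{MAIN}" xmlns:r="{REL}"><sheets>'
            '<sheet name="Response" sheetId="1" r:id="rId1"/>'
            '<sheet name="Source" sheetId="2" state="veryHidden" r:id="rId2"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{PKG}">'
            '<Relationship Id="rId1" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Target="worksheets/sheet2.xml"/></Relationships>',
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{MAIN}"><cols><col min="3" max="3" hidden="1"/>'
            '</cols><sheetData><row r="1"/><row r="2" hidden="1"/></sheetData></worksheet>',
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{MAIN}"><sheetData/></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()
```

Any non-empty finding should block the send until the hidden material is removed (not merely unhidden and re-hidden) or the data is exported to a flat format such as CSV.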
Malicious releases can come from within an organisation, and a disgruntled employee would usually be the source. Organisations should maintain strict controls over employee access to sensitive data. Employees changing roles can be a source of weakness: if their data access from one role is not amended to reflect the new role, the organisation is left vulnerable to a data release by someone outside the department that owns the data.
Hacking and cyber attacks can be devastating and can involve many thousands of personal data records. Good IT defences that are kept updated and keep pace with developing technology are essential. The growth and sophistication of the use of artificial intelligence in malicious acts, and the role it may play in future attacks, must be monitored.
Of just as much concern is the unnecessary retention of data, a charge which can be levelled at most organisations. The rule is simple: if you have no legal right to retain the data, or no reason to retain it, then don't. This follows the principle of data minimisation.
If you become aware of a data breach, make sure your insurers are aware of it immediately, be they your liability or cyber insurers. Some cyber policies provide a package of support to help you manage the data breach, which is especially useful if the breach involves hundreds of affected people.
Your liability insurers can help manage the situation and sign off plans to address the breach, prior to you incurring costs which may or may not fall within the scope of your policy cover.
It is imperative that individuals and organisations remain vigilant to the ways unintended data releases arise, and work smartly to prevent loss.
Here are some risk management considerations:
Proactive – pre-event
- Have cyber security measures.
- Employ controls over employees’ ability to access data.
- Check all attachments to FOI requests, not just the response.
- Ask if you have a reason to hold data and if not, get rid of it.
- Check and recheck data sent to external parties, especially if it could be sensitive.
- Highlight emails being sent outside of the organisation and flag up new email addresses.
- Use the e-mail send delay option – two minutes is a good measure.
Reactive – post-event
- Respond swiftly and decisively to breaches.
- Employ specialists – they can help guide you through difficult situations.
- Seek legal advice – it may save you from doing something you may regret.
- Employ a proportionate response.
- Engage with your insurers or brokers early.
- Prevent similar future losses – use lessons learned.