Data leak claims – increasing frequency and value

29 Aug 2024

by Phil Farrar

Historically, data claims have involved information being left behind at third party premises or on a train, stolen from a vehicle or office, or being shared inadvertently with a third party by an employee. Invariably the release contained the data of one person, or maybe two or three.

These claims still occur. Most are due to the electronic accidental release of data, often through an e-mail. This is either sent to the wrong person, or an attachment contains information the recipient was no meant to see.

However, what is new in 2024 is the increase in the frequency of claims and their overall value. The value of the claim is very often driven by the number of people affected by the data release, with the use of spreadsheets a major factor.

In the last few years RMP have seen at least one data breach involving as many as 17,500 current and former employees, and on a more modest scale one involving 160 members of the public

While individual DPA/GDPR claims which trigger policy cover are relatively modest, the cost of managing the event can be significant. What is fuelling the increase in data sharing errors in part, is the electronic environment we all operate within, and the increased pressure we all work under.

We are all involved in more volumes of, and faster processing of electronic data, and it’s the human element that is usually the weakest point in data protection. As we push through our daily working lives to keep pace with e-mail traffic and electronic document transfer, the potential for errors is bound to grow.

Data releases today fall into three categories:

Accidental release
Malicious release
Hacking or cyber attack

Accidental releases are defined as data being shared that was not the intention of the sender. It can include responses to Freedom of Information Act requests with the inclusion of spreadsheets which contain more information than intended. This is often in the supporting spreadsheets to the main spreadsheet of data.

The key issue is that data has only been hidden and not deleted. Data in such situations can be revealed by someone with a basic working knowledge of spreadsheets. Indeed, the Information Commissioner in September 2023 called on public authorities to stop using spreadsheets in FOI responses.

Malicious releases can come from within an organisation and a disgruntled employee would usually be the source. Organisations should maintain strict controls over employee access to sensitive data. Employees’ changing roles can be a source of weakness if their data access in one role is not amended to reflect their new role, leaving an organisation vulnerable to a data release from someone outside of a department.

Hacking and cyber attacks can be devastating and can involve many thousands of personal data records. Good IT defences that are updated, as well as keep pace of developing technology are essential. The growth and sophistication of the use of artificial intelligence in malicious acts and what role that may play in future attacks must be monitored.

Just as much concern is the keeping of data unnecessarily: a charge which can be levelled at most organisations. The rule is simple, if you have no legal right to retain the data, or don’t have any reason to retain, then don’t. This follows the principle of minimisation of data.

If you become aware of a data breach, make sure your insurers are aware of it immediately, be they your liability or cyber insurers. Some cyber policies provide a package of support to help you manage the data breach, which is especially useful if the breach involves hundreds of affected people.

Your liability insurers can help manage the situation and sign off plans to address the breach, prior to you incurring costs which may or may not fall within the scope of your policy cover.

It is imperative that individuals and organisations remain vigilant to the ways unintended data releases arise, and work smartly to prevent loss.

Here are some risk management considerations:

Proactive – pre-event

Have cyber security measures.
Employ controls over employees’ ability to access data.
Check all attachments to FOI requests, not just the response.
Ask if you have a reason to hold data and if not, get rid of it.
Check and recheck data sent to external parties, especially if it could be sensitive.
Highlight emails being sent outside of the organisation and flag up new email addresses.
Use the e-mail send delay option – two mins is a good measure.

Reactive – post-event

Respond swiftly and decisively to breaches.
Employ specialists - they can help manage you through difficult of situations.
Seek legal advice – it may save you from doing something you may regret.
Employ a proportionate response.
Engage with your insurers or brokers early.
Prevent similar future losses – use lessons learned.

Author

Phil Farrar

National Development Director, Risk Management Partners

Phil began his career in 1986 with Municipal Mutual and worked at two of their branches before joining the broking world (Aon) in 1992 where he stayed for 12 years working as part of their National Public Sector Team. He joined RMP in 2004, where he was responsible for service delivery in the North of England and Scotland as well as managing his own accounts. Since 2012, Phil has been RMP’s National Development Director.

Email:: [email protected]
Website:: rmpartners.co.uk/

RMP Disclaimer

This article and related document links do not purport to be comprehensive or to give legal advice. While every effort has been made to ensure accuracy, Risk Management Partners cannot be held liable for any errors, omissions or inaccuracies contained within the article and related document links.

Readers should not act upon (or refrain from acting upon) information in this article and related document links without first taking further specialist or professional advice.

RMP Disclosure

Risk Management Partners Limited is authorised and regulated by the Financial Conduct Authority. Registered office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company no. 2989025

Data leak claims – increasing frequency and value

Related topics

You may also be interested in

Ransomware data breach claims

Data breaches, compensation and costs

Data! Data! Data!

Data protection and the dissemination of personal information

Add food waste to the risk menu

Leading from the front