Whether discussing data encryption, network security, or internal data privacy management practices and policies, the most sophisticated IT security protocols, the most learned team of specialists, and the most compliant of data management practices and policies cannot escape, prevent, or remedy what many businesses and organizations have rightly labeled as the root cause of data security failures: human error. While medium and large organizations tend to possess greater network security than smaller ones, the risk of human error should be of particular concern to them, because their internal controls over data and employees are inevitably diluted by their size and numbers.
Compounding this problem is an environment in which data is becoming easier and cheaper to store. Think for a moment of the difference between a manual filing system and a USB flash drive. For only a few dollars, thousands of pages of data can be uploaded, downloaded, or stored on a single data storage device, which is easily removable, transferable, rewritable, and physically much smaller. As the trend in media storage devices is towards diversification as well as improvement in size and price per capacity, the duplication and multiplication of data is favored, and the risk of data mismanagement through human error is further increased.
The risk of exposure created by human error and our current technological landscape was recently illustrated in Ontario, Canada, when the names, birth dates, addresses and gender of 2.4 million Ontario voters were compromised after two memory sticks were mishandled by employees of an elections warehouse. Despite internal policies requiring otherwise, the data was neither encrypted nor password protected, and the sticks were not stored in their proper location. In addition to having their personal data misappropriated, which is in itself a costly and significant loss, the 2.4 million voters now face the potential of identity theft.
As evidenced by the Canadian government's Bill C-12, the Canadian Privacy Commissioner's guidelines entitled "Getting Accountability Right with a Privacy Management Program", the recent decision in Jones v. Tsige (2012) by the Ontario Court of Appeal, and even the recent hearing by the Supreme Court of Canada regarding Facebook bullying, Canadians are becoming increasingly sensitive to issues surrounding their privacy in the cyber world. Strong IT security measures, a learned team of IT specialists, and privacy-compliant policies and practices undoubtedly form part of the solution against data breaches and other unwarranted forms of network intrusion. However, maintaining cyber-insurance to cover potential regulatory fines, post-loss remedial measures, business interruption, customer reimbursement, and expensive legal defence costs is the only solution in dealing with data security failures caused by human error.
The 2010 theft of an unencrypted laptop containing confidential health care information made front-page news in 2013, not because a huge number of patients were affected, but for the exact opposite reason.
Any company that collects personal data from consumers should take proactive steps to have appropriate legal counsel review its data security practices, as well as its terms of service or privacy practices, to identify any potential problem areas.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.