SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

OPC finds leading cause of privacy breaches is human error

Wed, 1st Dec 2021
FYI, this story is more than a year old

Human error is the leading cause of serious privacy breaches, according to a new report released today by the Office of the Privacy Commissioner (OPC).

Privacy Commissioner John Edwards says, "We are seeing clear patterns emerging since mandatory reporting of serious privacy breaches came into effect with the Privacy Act 2020 on 1 December last year.

Since reporting of serious privacy breaches became a legal requirement, OPC has seen a nearly 300% increase in privacy breach reporting compared to the same 11-month period the year before.

Human error has been the leading cause of serious privacy breaches during this period (61%), with email error accounting for over a quarter of those breaches.

Other types of privacy breaches in the human error reporting were accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, postal and courier errors, OPC states.

Edwards says, "Organisations can easily prevent email and other human errors with the right training and procedures."

OPC's new report 'Privacy Breach Reporting' analyses the types of privacy breaches being reported, and is driving the Office's new compliance and enforcement activities.

Edwards says, "My Office has already issued a warning to an agency for having multiple privacy breaches caused by email error, and we are prepared to take further enforcement action if agencies repeatedly experience privacy breaches caused by email error."

Edwards emphasises that timely privacy breach notification is a mandatory obligation.

He says, "In June this year, I made my expectations around the timeliness of privacy breach notification clear. A notifiable breach should be reported to my Office no later than 72 hours after an agency has become aware of it.

"Currently, less than half of all serious privacy breach notifications are being made within the expected timeframe."

Edwards continues, "Under the Privacy Act 2020, organisations or businesses which experience a privacy breach that has caused, or has the potential to cause serious harm, must report it to the Privacy Commissioner."

Breaches should be reported using OPCs online NotifyUs reporting tool. NotifyUs also contains an anonymous self-assessment module to help agencies to decide whether their breach meets the threshold for notifying the Commissioner.

Failure to report a serious privacy breach is a criminal offence which may result in a fine of up to $10,000.

OPC also noted that human error privacy breaches cause serious harm.

For example, an agency served court information sheets that were produced in both redacted and unredacted form, with the unredacted version intended only for the court.

However, both versions were accidentally included in the information pack sent out to the relevant parties and the ex-partner was therefore able to see the home address of the victim.

The ex-partner has a history of violence and had threatened to kill the victim, also claiming they had access to a gun.

An email containing detailed health information about a group of patients was intended to be sent internally to the staff of a medical provider.

A typing error in the TO field resulted in a member of the public receiving these patients medical records.

Having their sensitive personal information exposed in this way caused considerable emotional harm to a number of these patients.

An agency staff member intended to send an email to three internal recipients containing sensitive personal information about external people. Regretfully, they selected someone external from their contact list.

Although an IT warning alerted the staff member that they had selected an external recipient, they ignored the warning and sent the email. The recipient contacted the agency and agreed to delete the message.

However, they subsequently used Facebook Messenger to contact the mother of two girls who were mentioned in the email.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X