February marks 12 months since the start of the notifiable data breach scheme here in Australia, and nine months since the European notification scheme started under the GDPR. American notification laws have been running for years now. All of which means overworked regulators, executives losing their jobs, and plenty of media attention on individual cases of data breaches.
But are any lessons being learned by organisations about how to prevent data breaches in the first place?
With the latest stats from the OAIC showing that yet again the private health sector topped the list of sectors reporting data breaches, and the latest news suggesting that 15,000 cardiology patients’ records were rendered inaccessible and held to ransom in a cyberattack, it seems that there is plenty of work yet to be done, by health service providers in particular, to get data protection right.
(But by the way if that’s you, there is some good news! We recently partnered with the AMA to produce a free eLearning module specifically for health service providers. Just released, Privacy Compliance for Medical Practices is even RACGP-accredited for continuing professional development, so Doc – you’ve got no excuse anymore.)
So in the interests of trying to prevent the next data disaster from happening, I thought a review of some of the causes of data breaches might be in order. This is not in any way scientific, more like my personal musings, but here goes … the Salinger Privacy List of the Top 10 Things Not To Do.
# 1 – Not redacting documents properly
Remember back in the good old days, when redaction was easy? When my latest crush turned sour I would simply slather Liquid Paper on my tartan pencil case to paint over the love heart featuring said boy’s initials. Evidence covered up, I could move on to the next unwitting subject of my fickle affection.
OK, I’ll admit, it wasn’t a perfect method. Anyone could have scratched the Liquid Paper off to reveal the original writing, thick texta having soaked through the fabric.
These days, the digital equivalent of scratching off the paint seems to happen with disturbing regularity, particularly in relation to documents released under FOI or published in court filings. Redaction software exists, so why do people keep getting this wrong?
Examples of personal information released by accident because redaction either didn’t happen at all, or was done so badly that it was trivial to reverse, have included the accidental publication of the private mobile phone numbers of hundreds of federal politicians, former prime ministers and senior political staffers; the publication by Comcare of the personal details of an injured worker; the publication of information contained in hundreds of confidential submissions from families of children who have self-harmed and been the victims of bullying; calculations of actor Geoffrey Rush’s historic income and predicted future earnings submitted in court documents; data released under FOI revealing both prison security details and personal information about hundreds of prisoners; and data mistakenly embedded in a Word document published online by the Department of Immigration revealing sensitive personal information about more than 9,000 asylum seekers.
# 2 – Leaving databases and backups on publicly facing servers
This was the cause of the Red Cross data breach affecting more than 1M people in Australia, the Capgemini leak of Michael Page recruitment data, as well as the leak of more than 43,000 pathology reports in India, and the personal information about more than 198 million American voters from the Republican National Committee. IT managers should know better.
# 3 – Leaving unsecured AWS ‘buckets’ of data in the cloud
This has happened to the ABC, as well as Accenture, Viacom and a recruitment company holding data on military veterans and others holding security clearances. It also happened to a contractor holding staff records from AMP, the Department of Finance, the Australian Electoral Commission and others.
And then, in a data breach affecting 123 million American households, to credit reporting bureau Experian and its partner analytics firm Alteryx. And then FedEx. Really, why does this keep happening?
# 4 – Storing passwords in plain text
Not hashing or encrypting user passwords was the cause of an app maker being fined for breaching the GDPR. Although it’s not clear, this might also be how a bank employee managed to disclose online banking passwords of customers to a third party.
# 5 – Allowing sensitive data to be stored on unencrypted mobile devices
A paediatric hospital in Texas, contrary to prior security advice, failed to deploy encryption or other measures on all of its mobile computing devices. So it was no surprise when a staff member left an unencrypted, non-password-protected BlackBerry containing the electronic health records of 3,800 patients behind at an international airport. Still not having learned the importance of information security, the same hospital a few years later suffered the theft of an unencrypted laptop from an unsecured work area; the laptop contained the electronic health records of 2,462 individuals. The hospital was fined US$3.2M, the two incidents providing evidence of its failure to comply with data security rules.
This also happened to a company providing mobile monitoring of patients with cardiovascular disease. When an employee’s laptop, containing health information about 1,391 patients, was stolen from their parked car, the company was fined US$2.5M.
# 6 – Mishandling the mail or other transmission of records
There have been examples from Victoria of posting confidential children’s court records to a violent family member; or in NSW where 2,693 photo ID cards, including driver licences and gun licences, were sent to the wrong people.
# 7 – Poor disposal of paper records
Examples include the medical letters about more than 1,400 public and private patients found in a public bin in Sydney after being dumped by a contracted transcription service provider; and private hospital medical records found lying in the street in Victoria.
And while last year’s data leak involving Cabinet documents may have revealed more about government affairs than personal information per se, news that decades’ worth of Cabinet documents were found inside locked filing cabinets sold off by the Government suggests that the Australian Government is also quite good at screwing up data disposal.
# 8 – Poor handling by a third party supplier or contractor
A study of data breaches by the Ponemon Institute and IBM found that third-party involvement was the top ranking factor that led to an increase in the cost of a data breach. Examples include customer data leaked from a supplier to Domino’s Pizza, and a data breach involving 8,500 current and former staff of the Department of Social Services which was blamed on a third party contractor.
# 9 – Failing to use audit logs to identify rogue behaviour
What is the point of all those audit logs, if no-one is using them to look for evidence of unusual activity that suggests staff are misusing their access to data? An investigation by the UK privacy regulator, the ICO, found that an employee of a health fund was able to deliberately extract (and illegally sell) personal information about more than half a million customers from its CRM system, because the audit log was not being monitored.
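The kind of monitoring that would have caught the bulk extraction above, as an added example that is not from the original post: the audit log format, the user names and the record ids are all constructed for illustration, and the rule (flag any user who touches more distinct customer records in one hour than a multiple of the peer median, with an absolute floor) is one simple heuristic, not the ICO’s or any CRM vendor’s own logic.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed CRM audit log sample (assumed format, not any real product's):
# <timestamp> user=<login> action=<verb> id=<customer record id>
SAMPLE_LOG = """\
2019-02-04T09:01:12 user=alice action=view_customer id=10452
2019-02-04T09:03:40 user=alice action=view_customer id=10460
2019-02-04T10:15:07 user=carol action=view_customer id=30001
2019-02-04T10:16:55 user=carol action=view_customer id=30002
2019-02-04T10:17:02 user=carol action=update_customer id=30002
2019-02-04T11:05:02 user=bob action=view_customer id=20011
2019-02-04T11:05:09 user=bob action=export_customer id=20011
2019-02-04T11:05:10 user=bob action=export_customer id=20012
2019-02-04T11:05:11 user=bob action=export_customer id=20013
2019-02-04T11:05:12 user=bob action=export_customer id=20014
2019-02-04T11:05:13 user=bob action=export_customer id=20015
2019-02-04T11:05:14 user=bob action=export_customer id=20016
2019-02-04T11:05:15 user=bob action=export_customer id=20017
2019-02-04T11:05:16 user=bob action=export_customer id=20018
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) id=(?P<rid>\d+)$")

def parse(text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def records_per_user_hour(text):
    """Map (user, hour) -> number of distinct customer records touched in that hour."""
    touched = defaultdict(set)
    for e in parse(text):
        touched[(e["user"], e["ts"][:13])].add(e["rid"])  # ts[:13] is YYYY-MM-DDTHH
    return {k: len(v) for k, v in touched.items()}

def flag_bulk_access(text, multiplier=3, floor=5):
    """Flag users whose distinct-record count in any one hour exceeds
    max(floor, multiplier * median over all user-hours). Returns {user: worst_hour_count}."""
    counts = records_per_user_hour(text)
    if not counts:
        return {}
    threshold = max(floor, multiplier * median(counts.values()))
    flagged = {}
    for (user, _hour), n in counts.items():
        if n > threshold:
            flagged[user] = max(n, flagged.get(user, 0))
    return flagged
```

On the sample, alice and carol each touch 2 records in their busiest hour while bob touches 8, so the peer median is 2, the threshold is 6 and only bob is flagged; in practice the baseline should be computed per role over a longer window than one day.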
# 10 – Not configuring tech to protect emails leaking data
A shipping company discovered that data was being ever-so-slowly exfiltrated from its finance and payroll departments over an 11 month period, with around 50,000 emails being auto-forwarded from three employee email accounts to two email addresses outside the company. Security commentators suggested the mail settings should typically be configured to prevent auto-forwarding of protected emails outside a company.
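A check for the auto-forwarding described above, as an added example that is not from the original post or from any mail vendor: it audits a constructed export of mailbox rules (the JSON shape, mailboxes and addresses are all assumed for illustration) and reports every enabled rule that forwards mail to a domain outside the organisation, treating subdomains of the company domain as internal and look-alike domains as external.

```python
import json

# Constructed export of mailbox forwarding rules (assumed JSON shape; not the
# real export format of any specific mail platform).
RULES_JSON = """
[
 {"mailbox": "payroll@example.com", "rule": "Archive invoices",
  "forward_to": ["archive@example.com"], "enabled": true},
 {"mailbox": "payroll@example.com", "rule": "Sync",
  "forward_to": ["collector1@mail-example.net"], "enabled": true},
 {"mailbox": "finance@example.com", "rule": "Backup copy",
  "forward_to": ["dropbox.acct@example.org", "ap@sub.example.com"], "enabled": true},
 {"mailbox": "hr@example.com", "rule": "Old rule",
  "forward_to": ["x@example.org"], "enabled": false}
]
"""

# Domains the organisation controls; subdomains of these count as internal.
INTERNAL_DOMAINS = {"example.com"}

def is_internal(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address's domain is an internal domain or a subdomain of one.
    The leading dot in the suffix test stops 'notexample.com' matching 'example.com'."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def external_forwarding_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return [(mailbox, rule name, [external targets])] for every enabled
    rule that forwards to at least one address outside the organisation."""
    findings = []
    for r in json.loads(rules_json):
        if not r.get("enabled", True):
            continue  # disabled rules cannot leak, but are worth cleaning up separately
        external = [a for a in r.get("forward_to", []) if not is_internal(a, internal_domains)]
        if external:
            findings.append((r["mailbox"], r["rule"], external))
    return findings
```

On the sample this reports the payroll rule forwarding to a look-alike domain and the finance rule’s external target, while ignoring the purely internal rule and the disabled one; the corresponding preventive control is a transport-level policy that blocks auto-forwarded mail to external recipients rather than relying on periodic audits alone.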
So what are the lessons to be learned from our Top 10 Things Not To Do? In other words, what should you do?
Make sure your information security settings are tight, and that controls like audit logs and email gateways are actually being used and monitored. Check your contractors are doing the same. And train all staff to get privacy and security right in absolutely everything they do, from sending out the mail to taking out the trash. Train, train, and train again.
Want to know more? Check out our 5 March webinar on Notifiable Data Breaches; our up-coming Privacy Management in Practice workshops, which include plenty of focus on identifying and mitigating privacy risks; and our template Data Breach Response Procedure.