We undeniably should be doing everything we can to prevent data breaches. But to expect that we'll ever reach a day when any and all data breaches are eliminated is unrealistic. The fact is that humans are imperfect creatures capable of making all kinds of mistakes. As a case in point, consider a recent £60,000 fine levied by the Information Commissioner's Office (ICO) against a local council that allowed a used cabinet to be sent to a second-hand shop with client files still inside.
On 20th March (2017) the ICO released a bulletin explaining that it had fined Norfolk County Council after a customer purchased a cabinet from a local second-hand shop only to discover case files still inside. Those case files contained sensitive information relating to seven children, according to the bulletin.
ICO Head of Enforcement Steve Eckersley wrote in the statement:
“Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances. For no good reason, Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information.”
The ICO did not release a lot of details about the case, but these should be easy to deduce based on typical human behaviour. It is likely that council officials decided to dispose of the cabinet and assigned a low-level employee to clean it out in preparation for transfer. The employee failed to remove all the files from the
cabinet before it left the council's facility.
Once at the second-hand shop, its employees also failed to thoroughly inspect the unit before putting it on the sale floor. It was purchased, taken home, and only then opened to reveal the case files.
Multiple Failures Along the Line
The point of our blog post is not to assign blame or to ridicule the County Council mentioned in any way. Rather, it is to show that there were multiple failures along the line that led to the new owner of the cabinet ultimately finding sensitive data. It is not unlike network data breaches that are the result of multiple failures.
In the Norfolk County Council case, the employee who cleaned out the cabinet failed to do so thoroughly. That was followed by an inadequate inspection by a member of management and those responsible for transporting the cabinet to the second-hand shop. Shop staff also failed in that they did not thoroughly inspect the cabinet prior to offering it for sale.
In the arena of network security, there are many more layers and a lot more hands buried deep in the security pie. Therefore, the potential for failure is increased. We are doing a very good job of protecting personal data stored on networks and we must continue doing our best to improve the security, however we are never going to eliminate it fully. Unfortunately, failure is part of being human.