The Call is Coming From Inside the House: Internal Privacy Breach Threats

This post is authored by Bridget Mead, a third-year student at Drexel University’s Thomas R. Kline School of Law. Ms. Mead is a legal intern with the XPAN Law Group.

While most may believe that the biggest threat to data privacy is dark web hackers who manage to break into the networks of major international organizations and access sensitive PII, a “GDPR in review” report recently released by the Data Commission of Ireland tells us otherwise. The report, an “overview of the trends observed by the Data Protection Commission (DPC) over the first year of the mandatory breach reporting regime introduced by the General Data Protection Regulation (GDPR)”, states that only 7% of data breaches handled by the DPC were caused by a cyber incident. 83% were caused by Unauthorized Disclosure, explained as email or correspondence sent to the wrong recipient, disclosure through an online portal, or a processing error (i.e., a lot of human error). These findings support the premise that the biggest threat to consumer data privacy is employees and internal policies and procedures around data privacy and security, not external bad guys. Another recently published report, the Data Exposure Report, compiled the responses of over 1000 international business information security and decision-makers. The surveyed individuals reported that only 25% of breaches in the last 18 months were caused by external actors.

Mainstream media coverage of major data breaches tends to bury facts related to employee mistakes and highlight stories of dark web hackers breaking into secure systems. This focus aligns with our Hollywood version of cyber warfare, but the practice misleads not only the general public but also corporate decision-makers. While CEOs search for the latest technology to build their cybersecurity fortress through the use of firewalls, MFA and VPNs, they are forgoing the maintenance, communication and enforcement of formal data privacy policies among their own employees. These policies, if communicated, monitored and updated properly, would significantly lessen the risk of internal misconduct leading to a breach. Shaping them requires an investment of time rather than money, as legal, compliance, and IT departments must work together to formulate strategic plans that address not only holes in current policies but also look forward as technology and business develop.

Because unauthorized access to or disclosure of sensitive data presents the biggest risk to privacy, having well-defined roles for employees and maintaining a detailed data categorization are key. Not only should employees understand their own roles and levels of data access, but they should also be aware of access levels across the enterprise. Detailed data categorization will allow IT to grant access to sensitive data only where it is necessary, and de-identification will ensure that sensitive data is neither viewed by nor accessible to the wrong employee.

To illustrate the non-cybersecurity-related risks of an inadequate data privacy program, we can look to both the GDPR and the forthcoming CCPA. Article 18 of the GDPR gives data subjects the right to restrict the processing of their data. If a controller or processor fails to meet a data subject’s request to restrict processing, that failure could be a breach of the data subject’s privacy and a violation of the GDPR. A lack of policies, or a lack of compliance with policies, can create a privacy breach without the involvement of dark web hackers. The CCPA expressly prohibits the selling of personal data of a consumer under age 16 without consent. Therefore, if an entity sells data, that data includes the personal data of a 14-year-old, and the 14-year-old didn’t consent to the sale, privacy has been breached. These are just two examples of regulatory provisions which, if violated, constitute a privacy breach. And these examples show that these types of privacy breaches have nothing to do with security OR any external threat actor.

Security and technology alone cannot solve security and privacy. In this new age of evolving threats and evolving legal obligations, security and privacy must become a cross-departmental concern. The most secure system, using the latest cutting-edge hacker monitoring technology, cannot make up for inadequate policies and procedures, or a lack of training on the policies and procedures related to data privacy. Defense against privacy breaches must account for internal and external threats. And in all of this, knowledge is key: you need to know your systems, your data, and your vulnerabilities (both internal and external) before you can make strategic decisions about how to create a robust and comprehensive approach to security and privacy. As we often say in security and privacy, luck favors the prepared!

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.