Data Protection

Data Breaches – It’s Not Just Hackers

In the General Data Protection Regulation and other data protection regulations around the world, data breaches are a topic of concern. In all cases, the regulators do not want data breaches to happen (because it goes against the data protection mandate), and generally speaking, there is a requirement to notify a given authority when a data breach is detected. But despite the general expectation that data breaches are caused by nefarious external agents acting with malicious intent, there are many other types.

Here are some:

  • An employee who accesses personal data records on customers or patients that are outside their task domain, or otherwise beyond what they need to access for their job. The ICO in the UK prosecutes people when this happens, such as a hospital worker, a housing worker, and a council worker, among many others profiled on the ICO blog.
  • An organisation that should know better didn’t scrub the metadata on its published research, legal advice and reports, thereby disclosing details of employee names when its policy is to not disclose employee names.
  • An employee leaves a firm and takes details on customers to a competitor or to their own new firm in the same market space. Again, the ICO prosecutes people for breaches of this nature, such as a recruitment consultant who stole the details of 272 individuals.
  • A county council didn’t put appropriate access security on a database containing personal and sensitive information, which meant that members of the public could access the data with a search engine.