By Steven Orpwood, Business Analyst and DPO

 

A friend who’d had an accident and couldn’t leave the house for a month, asked Mallory to do some shopping and get some money out of the bank. He gave Mallory his debit card, and PIN, which he wrote down backwards (a very clever security measure), and out Mallory went. Unfortunately, Mallory was distracted by the police arresting a butterfly who was bullying a pigeon, and left the card and PIN on a park bench. My friend was understanding and cancelled the card immediately. Problem solved. Data breaches, what’s the issue…

 

A few days later Mallory was on the bus; He’d downloaded the company’s entire contact directory, including a number of public figures and members of the royal family, as he had some work to complete when he got home. He was staring at the USB device, wondering how the data got in, and how on earth it would get out, when the butterfly got on the bus and started picking on an okapi who was reading the Times. Distracted, Mallory handed the storage device to a man who had just sold him a credit card, and got off the bus. Once home he realised his error and considered his next steps. He decided that since his company let him see the data, it was probably fine for anyone to see it. Also, no one else had seen the data leave the building, so it was probably best to do nothing. Data breaches, what’s the issue…

 

Six months have passed and Mallory is now looking at job adverts. He is consoled by the fact that a number of his colleagues will be doing the same thing. Shortly after the USB device went missing, there were a number of instances of fraud against high profile individuals. An investigation pinpointed Mallory’s download as the source. Further investigation showed that the company had not trained its staff on the perils of data loss, nor secured the digital information. The ICO deemed that since the breach took place after the 25th May (I know, the dates don’t add up, but then you may have spotted a few other embellishments), it would be pursued under the GDPR. It seems that 4% of a multinational’s turnover for the previous year is a lot of money and the fine resulted in the closure of the UK office, 250 redundancies, and worst of all (for Mallory), Mallory being summarily dismissed for gross misconduct.

 

Evidently, data breaches are serious and are worth managing, because the potential impacts on companies, shareholders, employees and most importantly data subjects are great. I can back this up by referencing another mutual friend, who shall remain nameless, who spent his lunch hour changing the sex and middle names of everyone on his firm’s contact database. It seems that altering data is also classified as a breach, as are unlawful destruction, and unauthorised access. Who’d have guessed that. Anyway, my friend and Mallory do get to see each other much more now, so there are plusses I suppose…

 

Next time, we’ll discuss the measures needed to limit the potential for breaches and what to do if you have one.