Whether discussing data encryption, network security, or internal data privacy management practices and policies, the most sophisticated IT security protocols, the most learned team of specialists, and the most compliant of data management practices and policies cannot escape, prevent, or remedy what many businesses and organizations have rightly labeled as the root cause of data security failures: human error. While they tend to possess greater network security than smaller organizations, the risk of human error should be of particular a concern to medium and large size organizations whose internal controls over data and employees are inevitably diluted by their size and numbers.
Compounding this problem is an environment in which data is becoming easier and cheaper to store. Think for a moment of the difference between a manual filing system versus a USB Flash Drive. For only a few dollars, thousands of pages of data can be uploaded, downloaded, or stored on a single data storage device, which is easily removable, transferable, rewritable, and physically much smaller. As the trend in media storage devices is towards diversification as well as improvement in size and price per capacity, the duplication and multiplication of data is favored, and the risk of data mismanagement through human error is further increased.
The risk of exposure created by human error and our current technological landscape was recently illustrated in Ontario, Canada, when the names, birth dates, addresses and gender of 2.4 million Ontario voters was recently compromised after two memory sticks where mishandled by employees of an elections warehouse. Despite having internal policies in place to this effect, the data was neither encrypted nor password protected, and the sticks were not stored in their proper location. In addition to having their personal data misappropriated, a fact which of itself should be considered as an expensive and highly valuable loss, the 2.4 million voters now face the potential of identity theft.
As evidenced by the Canadian government's Bill C-12, the Canadian Privacy Commissioner's guidelines entitled "Getting Accountability Right with a Privacy Management Program", and the recent decision in Jones v. Tsige (2012) by the Ontario Court of Appeal, or even the recent hearing by the Supreme Court of Canada regarding Facebook bullying, Canadians are increasingly becoming sensitive to issues surrounding their privacy in the cyber world. Strong IT security measures, a learned team of IT specialists, and privacy compliant policies and practices undoubtedly form part of the solution against data breaches and other unwarranted forms of network intrusions. However, maintaining cyber-insurance to cover potential regulatory fines, post-loss remedial measures, business interruption, customer reimbursement, and expensive legal defence costs is the only solution in dealing with data security failures caused by human error.