Cyber Risks: Unintended Data Disclosure
Unintended data disclosure is usually caused by human error, and it is a persistent risk that can be managed through good data governance and regular employee training.
Unintended data disclosures can occur in every type of work environment. Legal requirements to keep patient information confidential make the problem particularly challenging in healthcare. Organizations in many industries increasingly rely on third-party service providers, which means documents containing large amounts of sensitive data are exchanged and must be secured appropriately. We provide clients with the training and technology resources required to reduce their risk of unintended disclosure.
The most common forms of unintended data disclosure
Communications sent to the wrong recipient
Not all data losses result from a cyber attack. Emails, faxes, or mailings can be inadvertently sent to the wrong recipient, particularly when employees are busy.
For example, medical information such as patient discharge instructions or prescription information can be sent to the wrong patient or another individual.
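A mis-addressed message is the simplest failure mode on this list, and the cheapest control is a pre-send check that asks the sender to look again. The following is an added example written for this article, not tooling from the authors; it assumes a mail gateway or client plug-in can hand a function the message headers, body and sensitivity label before delivery, and all domain lists, label names and the messages themselves are constructed for illustration. It flags external domains one edit away from an internal one (a dropped letter in the address) and sensitive content addressed to unvetted external recipients.

```python
"""Pre-send check for outbound mail that may be going to the wrong recipient.

Added example (hypothetical policy, constructed domain lists); it is not the
article authors' product. A gateway would call check_outbound() before delivery
and show the returned reasons to the sender for confirmation.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example-health.org"}        # constructed: our own mail domains
TRUSTED_PARTNERS = {"payroll-provider.example"}  # constructed: vetted third parties
SENSITIVE_LABELS = {"confidential", "patient-data", "payroll"}

# Lightweight content markers for unlabelled mail (constructed patterns).
MARKER_PATTERNS = {
    "medical record number": re.compile(r"\bMRN[:\s]*\d{6,}\b", re.I),
    "national id": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    label: str = ""
    attachments: list = field(default_factory=list)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch a single dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typo(recipient: str) -> bool:
    """True when an external domain is one edit away from an internal domain."""
    d = domain_of(recipient)
    return any(d != internal and _edit_distance(d, internal) <= 1
               for internal in INTERNAL_DOMAINS)


def check_outbound(msg: OutboundMessage) -> list:
    """Return human-readable reasons to re-check the recipients (empty list = OK)."""
    reasons = []
    why_sensitive = []
    if msg.label.lower() in SENSITIVE_LABELS:
        why_sensitive.append(f"label '{msg.label}'")
    why_sensitive += [name for name, pat in MARKER_PATTERNS.items() if pat.search(msg.body)]

    external = [r for r in msg.recipients if domain_of(r) not in INTERNAL_DOMAINS]
    for r in external:
        if looks_like_typo(r):
            reasons.append(f"recipient domain looks like a typo of an internal domain: {r}")

    untrusted = [r for r in external if domain_of(r) not in TRUSTED_PARTNERS]
    if why_sensitive and untrusted:
        reasons.append("sensitive content (" + ", ".join(why_sensitive)
                       + ") addressed to unvetted external recipients: " + ", ".join(untrusted))
    return reasons


if __name__ == "__main__":
    # Constructed sample: discharge instructions addressed to a misspelt domain.
    sample = OutboundMessage(
        sender="nurse@example-health.org",
        recipients=["records@example-heath.org"],
        subject="Discharge instructions",
        body="MRN: 00123456 - take one tablet twice daily.",
    )
    for reason in check_outbound(sample):
        print("WARN:", reason)
```

The check is deliberately conservative: it never blocks, it only asks for confirmation, because a prompt the sender sees on every genuine external mail would be clicked through without reading.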
Exposure through social media
The widespread use of social media and smartphone cameras can result in an employee sharing sensitive data, such as information about a healthcare patient.
Failure to separate collections of sensitive information
Using third-party service providers for administrative purposes can result in files containing a collection of sensitive data, such as employee payroll or tax documents, being exported from the provider. An employee may then accidentally share the file with the wrong recipient.
Configuration errors
When access is not properly restricted, sensitive data on network file shares or stored in the cloud can be left accessible to unauthorised users.
This is a particular risk when a server is updated for maintenance: temporary configuration changes that are forgotten afterwards can leave the server exposed to unauthorised access.
How to protect against unintended data disclosure
Data governance
Assess and classify your data based on its level of sensitivity. Establish procedures that protect and secure the handling of your sensitive data, including assigning permissions based on the principle of least privilege (especially for roles giving access to all data, or roles allowing bulk downloads of data).
Limit social media access in the workplace
Establish a social media policy. Train your employees on the risks of social media posts that might reveal sensitive information, particularly employees in healthcare. As AI becomes more popular, establish rules to restrict what can be shared via tools like ChatGPT.
Train employees on their role in securing data
Employees should be trained on how to ensure that any sensitive data, including paper records, is stored securely when they finish work for the day. Workstations should be locked when the employee steps away, to prevent anyone nearby from gaining unauthorised access.
Manage employee workloads
Time-stretched employees are the most likely to make mistakes, for instance picking up several sheets of paper instead of one, sending an email to the wrong recipient, or failing to verify a patient’s information.
Secure cloud resources and manage network file shares
Use role-based access controls to manage access to your network file shares. Use group policies to manage the sharing of documents externally. Block access to unauthorised cloud storage platforms. Regularly audit configuration settings on your organization’s cloud-based resources.
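The least-privilege guidance under "Data governance" and the regular configuration audit recommended here can be turned into a repeatable check. The following is an added example written for this article, not the authors' tooling: it takes a list of permission entries, as exported from a file server or cloud storage console (the grants, share names, principal names and classification map below are all constructed), and reports grants to public or anonymous principals on non-public data, roles holding bulk-export rights on confidential data, and any grant that is not in the approved baseline, which is how a temporary change left behind after maintenance shows up.

```python
"""Audit of share and bucket permissions against a least-privilege baseline.

Added example for this article (constructed data, hypothetical principal and
right names); not the authors' product. Feed it the current export of grants
and the approved baseline and review the findings it returns.
"""
from dataclasses import dataclass

# Principals that mean "anyone" on the platforms this check was written for (assumed names).
PUBLIC_PRINCIPALS = {"everyone", "anonymous", "authenticated users", "allusers", "*"}
# Rights that let a holder read or export everything at once (assumed names).
BULK_RIGHTS = {"full_control", "list_all", "bulk_export"}


@dataclass(frozen=True)
class Grant:
    resource: str
    principal: str
    right: str


def audit(current, baseline, classification):
    """Return a list of (severity, resource, finding) tuples.

    classification maps a resource to 'public', 'internal' or 'confidential';
    anything unclassified is treated as confidential, so forgetting to classify
    a share never silences a finding.
    """
    findings = []
    approved = set(baseline)
    for g in current:
        level = classification.get(g.resource, "confidential")
        if g.principal.lower() in PUBLIC_PRINCIPALS and level != "public":
            findings.append(("high", g.resource, f"{g.right} granted to {g.principal}"))
        if g.right in BULK_RIGHTS and level == "confidential":
            findings.append(("medium", g.resource, f"{g.principal} holds bulk right {g.right}"))
        if g not in approved:
            findings.append(("medium", g.resource,
                             f"grant not in approved baseline: {g.principal}:{g.right}"))
    return findings


# Constructed baseline: what the owners signed off on.
BASELINE_GRANTS = [
    Grant(r"\\fs01\HR", "HR-Staff", "modify"),
    Grant(r"\\fs01\HR", "Payroll-Admins", "full_control"),
    Grant("s3://patient-docs", "clinical-app-role", "read"),
    Grant(r"\\fs01\Public", "Everyone", "read"),
]

# Constructed current state: two entries added during maintenance and never removed.
CURRENT_GRANTS = BASELINE_GRANTS + [
    Grant(r"\\fs01\HR", "Everyone", "read"),
    Grant("s3://patient-docs", "AllUsers", "list_all"),
]

CLASSIFICATION = {
    r"\\fs01\HR": "confidential",
    "s3://patient-docs": "confidential",
    r"\\fs01\Public": "public",
}


if __name__ == "__main__":
    for severity, resource, finding in audit(CURRENT_GRANTS, BASELINE_GRANTS, CLASSIFICATION):
        print(f"[{severity.upper()}] {resource}: {finding}")
```

Running the audit on the baseline alone still reports the Payroll-Admins full-control grant: a bulk right on confidential data is worth a periodic look even when it is approved, which is the point of the "roles allowing bulk downloads" caveat above.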
What to do if you suspect an unintended data disclosure
Data disclosures of any kind must be dealt with quickly and thoroughly. Depending on your region, there may be very specific regulatory requirements to address, as well as the potential impact any data leakage could have on the data subjects. In particular, we recommend engaging forensics experts such as ourselves to understand the full scope of the issue, as well as legal counsel experienced in cyber incidents and privacy matters. Our Cyber Services team can walk you through all the considerations.
Unintended data disclosures pose risks across all sectors, from healthcare to administrative services. Our comprehensive approach, integrating training and technology resources, empowers organizations to mitigate these risks effectively.
Protecting against unintended data disclosure demands proactive measures, from robust data governance to employee training. Our guidance equips organizations to navigate the complexities of data security and compliance, ensuring resilience in an evolving digital landscape.