Technology is a great enabler that can multiply the efficiency of any organisation many times over. But that same power can also multiply the opportunity for mistakes to happen and the impact of those mistakes when they do take place.
Last week a London sexual health centre admitted that it had mistakenly leaked the details of nearly 800 patients who have attended HIV clinics. The 56 Dean Street Clinic in Soho broadcast the names and email addresses of 780 people when a newsletter was issued to clinic patients. Patients were supposed to be blind-copied (Bcc) into the email, but instead their addresses were placed in the visible recipient field, so the message went out as a group email in which every recipient could see every other.
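The mistake above is a well-understood one, and the fix is structural rather than a matter of staff remembering to use the right field. As an added example (not code from the clinic or from the original post), the snippet below shows the group-email pattern beside a hardened sender that keeps recipient addresses off the headers entirely, plus an outbound check that refuses to send a bulk message which discloses recipients to each other. The addresses, sender and threshold are constructed for illustration.

```python
"""Added example (editor's, not the clinic's system): recipient-exposure
mistake beside a hardened sender and an outbound guard. All addresses and
the threshold below are constructed for illustration."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list; no real patients.
PATIENTS = ["p1@example.org", "p2@example.org", "p3@example.org"]
SENDER = "newsletter@clinic.example"  # assumed sender address


def build_group_email(recipients):
    """The failure mode: every recipient lands in To, so each patient
    receives a header listing all the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Clinic newsletter"
    msg.set_content("Newsletter body")
    return msg


def build_blind_email(recipients):
    """Hardened form: addresses travel only on the SMTP envelope (which is
    what Bcc really means), never in any header. Returns the message and the
    envelope recipient list; the caller sends with
    smtplib.SMTP.sendmail(SENDER, envelope, msg.as_bytes()).
    Never set a Bcc header and pass the bytes to sendmail(): sendmail()
    transmits headers verbatim, so a Bcc header would leak in the same way."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER  # visible To is the sender's own address only
    msg["Subject"] = "Clinic newsletter"
    msg.set_content("Newsletter body")
    return msg, list(recipients)


def visible_recipients(msg):
    """Every address a recipient can read from the delivered To/Cc headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def exposed_recipients(msg, sender=SENDER):
    """Visible addresses other than the sender's own."""
    return [a for a in visible_recipients(msg) if a.lower() != sender.lower()]


def check_before_send(msg, max_visible=1):
    """Outbound guard for a bulk mailer: refuse any message that shows more
    than max_visible third-party addresses in To/Cc. Returns True if safe."""
    exposed = exposed_recipients(msg)
    if len(exposed) > max_visible:
        raise ValueError(
            f"refusing to send: {len(exposed)} recipient addresses visible in To/Cc"
        )
    return True


if __name__ == "__main__":
    try:
        check_before_send(build_group_email(PATIENTS))
    except ValueError as err:
        print(err)
    safe_msg, envelope = build_blind_email(PATIENTS)
    check_before_send(safe_msg)
    print("safe message headers:\n", safe_msg.as_string())
    print("envelope recipients:", envelope)
```

The guard belongs at the point where the newsletter tool hands mail to the relay, not in a policy document: a threshold check on visible addresses costs nothing and would have stopped this particular message before it left the building.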
The impact of a data leak for this particular group of individuals is potentially enormous. One patient, James, was quoted as saying “I couldn’t believe it when I got it and I’ve been full of worry since. I am not ready to disclose my HIV status to my wider friends or family. I fear now that I have no choice.”
When an incident like this happens, time is of the essence in the response. The news is going to leak out on social media within a few hours at most, and there are many people who need to be consulted and informed, not least the victims of the data breach themselves.
In this case the clinic seems to have reacted with commendable speed. The director of the clinic at Dean Street reportedly sent an apology within an hour of the leak and admitted that a member of staff's human error had led to the breach. The Information Commissioner's Office was also informed of the incident and will be holding an investigation. Fines for breaches of data protection can reach £500,000.
In this business disruption incident the technology that led to the error (a group e-mail) was also able to help correct it quickly. But imagine that this mistake had not come to light for a couple of hours, by which time the office had closed. The people who need to be consulted about how to respond were all on their way home and the clinic’s e-mail system was unavailable until someone could get back into the office.
Then you have a real problem: contacting your response team to agree a course of action quickly enough, and following that through with a communication to your stakeholders and the victims of the data breach. If the social or news media get to them first, your reputational and liability issues start to multiply very rapidly.
To cover yourself against such an eventuality, make sure you have:
- An IT alerting system that is available out of hours and out of the office, i.e. cloud-based.
- An incident management platform that you can access from your mobile device.
- A series of incident specific action plans that address each of your main risks, including a data breach.
- A facility to hold back and release confidential data (such as patient details) when, and only when, it is needed in a real life incident.
Human error is inevitable when humans are involved. You can’t prevent it, but you can plan for it and in doing so give your business the best opportunity of recovering when it happens. Don’t leave the fate of your business to chance.