Murphy’s Law in the Internet of Things

“Anything that can go wrong, will go wrong” is the famous saying that is uttered when there is a notable data breach. If an organisation loses data, either via hacking or negligence, then data protection becomes a topical issue where we empathise with the unfortunates whose personal information has been compromised. 

Today's news, however, is usually forgotten by tomorrow and only those affected by a data breach - the relevant data controllers, data processors and data subjects - are left to suffer the consequences. Unfortunately, these repercussions are now being felt by more and more people as data breaches become ever more commonplace.

The latest incident concerns a London sexual health clinic which accidentally published the personal details of patients who have attended HIV clinics. The mistake, caused by human error rather than technology failure, occurred at the 56 Dean Street clinic in Soho. The clinic accidentally sent a newsletter to 780 patients who were copied into the “To” section of the email, rather than the “bcc” bar. This meant that the recipient list included full names and email addresses. Worse still, upon noticing their mistake the clinic attempted to retrieve the inflammatory email and accidentally sent it again!

According to The Guardian, the lawyer investigating claims on behalf of a number of those affected has said that the clinic could now face hundreds of legal claims. 

This embarrassing breach comes on the heels of two recent high-profile data protection cases involving sensitive personal data in the UK:

In March this year, North Tees and Hartlepool NHS Foundation Trust was publicly reprimanded after a file containing sensitive patient information was found at a bus stop. The Information Commissioner’s Office, which uncovered the failures during an investigation, said the Trust was “careless” in its handling of “highly sensitive” personal information. 

Also in March, the Serious Fraud Office was fined £180,000 after a witness in a 2013 investigation was accidentally sent evidence relating to 64 other people involved in the case. The Office lost 32,000 pages of data and 81 audio tapes linked to a bribery probe when it returned more material than intended to a source in the investigation.

Sensitive personal data is defined in Article 8 of Directive 95/46 as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.” The Irish Data Protection Acts list these definitions while also extending sensitive personal data to include “the commission or alleged commission of any offence by the data subject, or any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings”.

Essentially, the examples above illustrate that human error can, and does, happen and that there are always consequences for everyone involved. Murphy’s Law doesn’t always apply but when sensitive personal data is involved it may be a handy proverb to keep in mind.