T 3.1 Loss of data confidentiality or integrity as a result of user error
Human errors of all kinds can lead to or enable the loss of confidentiality or integrity of data or information. The extent of the consequential damage depends on the sensitivity of the data involved. The following are examples of such human errors:
- Employees inadvertently forget to pick up their printouts containing personal data from the network printer.
- Confidential information is discussed within earshot of outsiders, for example during a break in a meeting or while talking on a mobile telephone in public environments.
- Data media are sent out without deleting the data previously stored on them using a suitable deletion method.
- Documents are published on a web server without checking whether or not they are actually intended and released for publication.
- Due to incorrect administration of access rights, an employee is able to modify data without realising the possible critical impact of such a violation of integrity.
- New software is tested using data that has not been anonymised. Unauthorised employees may then be able to read protected files or confidential information. Third parties could also gain access to this information when there are no corresponding rules regulating the disposal of "test printouts".
- Data stored on still partially intact file systems may fall into the hands of unauthorised persons when hard disks are removed, loaned, sent in for repair, or taken out of service if the hard disks were not irreversibly erased in advance.
- If an outsourcing service provider works for several clients, data from one outsourcing organisation could become accessible to another client of the outsourcing service provider due to human error. Possible causes include, for example:
  - Selecting the wrong e-mail address from the address book.
  - Careless use of the copy/paste function (e.g. configuration files from the systems of different customers).
  - Sending post to the wrong address (e.g. back-up media, contracts).