For all of us, email can be both a blessing and a curse. On one hand you have the speed and convenience of communication and an audit trail, and on the other hand you have a significant information security risk. In recent years, a number of large Information Commissioner’s Office (ICO) fines have arisen due to simple human error in relation to email communication.
What are Some of the Email Risks?
There are a range of risks attached to email communication, one of the biggest involving emails containing personal data being sent to the wrong email address. This could be the result of a number of factors including:
- A typo in the address held for the person on the organisation’s CRM database
- Transcription error by the sender
- The sender incorrectly selecting another addressee suggested by the email system’s autofill predictive text feature
- Accidentally including other recipients of the email in the ‘cc’ line (i.e., visible to all) rather than ‘bcc’ (‘blind copy’).
There is also the risk of an individual forwarding an email which contains sensitive information within the email trail.
Such errors are greatly amplified when the contents of the email contain highly sensitive personal data, for example, ‘delicate’ medical information. The results of such apparently ‘simple’ oversights can be catastrophic, both for the individuals concerned and the sender organisation.
How Can We Reduce the Risks?
There are, of course, technological solutions which organisations can deploy to minimise the risk of staff members causing ‘email’ data breaches. For example, where the email system identifies an unfamiliar email address in the ‘To’ field, before the email is sent. However, while these tools may pick up a database typo or an incorrectly addressed email, they do not address the other types of misdirected email risks, e.g., the mistakenly clicked-on autofill or the use of ‘cc’ instead of ‘bcc’. In other words, the addresses in themselves are perfectly valid, but the sender has inadvertently entered them in the wrong email, or in the wrong line on the right email.
Need for ‘People’ and ‘Process’ Controls
Where technology cannot eliminate a risk, organisations must concentrate their risk reduction measures on the other two elements of organisational risk management, i.e., ‘people’ and ‘process’. This can be achieved through the delivery of training sessions where the goal is to instil the importance of users getting into the habit of pausing for a few seconds before pressing the ‘Send’ button. Users should be encouraged to pause and double check that the recipient email addresses on their emails are correct (sometimes called the ‘check twice, send once’ approach). They need to check that typos don’t result in messages being delivered to an unintended recipient, potentially leading to an unauthorised disclosure of personal data. Users also need to be reminded to check full email trails to ensure there is no inadvertent disclosure of sensitive information or personal data within the trail.
Second Pair of Eyes
Some organisations, which regularly send emails containing sensitive personal information outside the organisation, have found it beneficial to institute a procedure (‘process’) for mitigating the risk of incorrect addressing, and which is often referred to as a ‘second pair of eyes’. This involves an ‘appropriate’ colleague, perhaps the email writer’s line manager, checking the intended sender’s email, prior to sending, to ensure that all recipients are correctly specified and the appropriate ‘cc’ or ‘bcc’ line has been used. Whether adopting such a ‘second pair of eyes’ protocol is feasible in your organisation will depend on such factors as the volume and frequency of emails containing sensitive personal being sent, the number of appropriate reviewers available and any other technical solutions used, for example, some automated email software packages allow bulk emails to be sent to individual addressees, removing the need to use the ‘cc’ or ‘bcc’ fields.
Satisfy GDPR Requirements
Principle 6 and Article 32 of the UK GDPR require organisations to implement appropriate technical and organisational security measures proportionate to the risk involved in their processing of personal data. Taken together, these two simple but effective data risk reduction organisational measures, which could be summarised as ‘Take a second, or use a second pair of eyes’, could help your organisation meet the requirements for email security controls, sitting alongside your organisation’s email acceptable use policy.
The results of apparently ‘simple’ oversights can be catastrophic
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs ROPAs, privacy notices, data retention schedules and training programmes etc.
We provide some questions which should help you in determining your level of compliance with the GDPR
The adoption of the General Data Protection Regulation (GDPR) in April 2016 had wide-ranging impacts. These affect all organisations.
We look at the requirement within both the DPA and the GDPR to verify the identity of an individual making a request before acting or releasing information