Avoiding Email Data Security Breaches

Pause for a second and take advantage of another pair of eyes!

5 Oct

Table of Contents

For all of us, email can be both a blessing and a curse.  On one hand you have the speed and convenience of communication and an audit trail, and on the other hand you have a significant information security risk.  In recent years, a number of large Information Commissioner’s Office (ICO) fines have arisen due to simple human error in relation to email communication.

What are Some of the Email Risks?

There are a range of risks attached to email communication, one of the biggest involving emails containing personal data being sent to the wrong email address.  This could be the result of a number of factors including:

  • A typo in the address held for the person on the organisation’s CRM database
  • Transcription error by the sender
  • The sender incorrectly selecting another addressee suggested by the email system’s autofill predictive text feature
  • Accidentally including other recipients of the email in the ‘cc’ line (i.e., visible to all) rather than ‘bcc’ (‘blind copy’).

There is also the risk of an individual forwarding an email which contains sensitive information within the email trail.

Such errors are greatly amplified when the contents of the email contain highly sensitive personal data, for example, ‘delicate’ medical information.  The results of such apparently ‘simple’ oversights can be catastrophic, both for the individuals concerned and the sender organisation.

How Can We Reduce the Risks?

There are, of course, technological solutions which organisations can deploy to minimise the risk of staff members causing ‘email’ data breaches.  For example, where the email system identifies an unfamiliar email address in the ‘To’ field, before the email is sent.  However, while these tools may pick up a database typo or an incorrectly addressed email, they do not address the other types of misdirected email risks, e.g., the mistakenly clicked-on autofill or the use of ‘cc’ instead of ‘bcc’.  In other words, the addresses in themselves are perfectly valid, but the sender has inadvertently entered them in the wrong email, or in the wrong line on the right email.

Need for ‘People’ and ‘Process’ Controls

Where technology cannot eliminate a risk, organisations must concentrate their risk reduction measures on the other two elements of organisational risk management, i.e., ‘people’ and ‘process’.  This can be achieved through the delivery of training sessions where the goal is to instil the importance of users getting into the habit of pausing for a few seconds before pressing the ‘Send’ button.  Users should be encouraged to pause and double check that the recipient email addresses on their emails are correct (sometimes called the ‘check twice, send once’ approach).  They need to check that typos don’t result in messages being delivered to an unintended recipient, potentially leading to an unauthorised disclosure of personal data.  Users also need to be reminded to check full email trails to ensure there is no inadvertent disclosure of sensitive information or personal data within the trail.

Second Pair of Eyes

Some organisations, which regularly send emails containing sensitive personal information outside the organisation, have found it beneficial to institute a procedure (‘process’) for mitigating the risk of incorrect addressing, and which is often referred to as a ‘second pair of eyes’.  This involves an ‘appropriate’ colleague, perhaps the email writer’s line manager, checking the intended sender’s email, prior to sending, to ensure that all recipients are correctly specified and the appropriate ‘cc’ or ‘bcc’ line has been used.  Whether adopting such a ‘second pair of eyes’ protocol is feasible in your organisation will depend on such factors as the volume and frequency of emails containing sensitive personal being sent, the number of appropriate reviewers available and any other technical solutions used, for example, some automated email software packages allow bulk emails to be sent to individual addressees, removing the need to use the ‘cc’ or ‘bcc’ fields.

Satisfy GDPR Requirements

Principle 6 and Article 32 of the UK GDPR require organisations to implement appropriate technical and organisational security measures proportionate to the risk involved in their processing of personal data.  Taken together, these two simple but effective data risk reduction organisational measures, which could be summarised as ‘Take a second, or use a second pair of eyes’, could help your organisation meet the requirements for email security controls, sitting alongside your organisation’s email acceptable use policy.

Gain a sound grounding and practical interpretation of the GDPR and the DPA 2018!

By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
Thumbnail of the Blog Illustration
Data Protection
Published on
Data Protection Considerations for Artificial Intelligence (AI)

URM’s blog discusses the data protection considerations for utilising AI technologies, and how organisations can stay GDPR compliant in their use of AI.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
Conducting Data Protection Impact Assessments (DPIAs)

URM answers key questions around data protection impact assessments (DPIAs), providing detailed guidance on the best practice approach to conducting them.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
Chatbots and Personal Data: Benefits and Risks

This blog considers at high-level various possible legal ramifications of using Chatbots, especially ChatGPT, concerned with data protection risks.

Read more
Informative webinar. Thank you!
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.