Avoiding Email Data Security Breaches

Table of Contents

For all of us, email can be both a blessing and a curse. On one hand you have the speed and convenience of communication and an audit trail, and on the other hand you have a significant information security risk. In recent years, a number of large Information Commissioner’s Office (ICO) fines have arisen due to simple human error in relation to email communication.

What are Some of the Email Risks?

There are a range of risks attached to email communication, one of the biggest involving emails containing personal data being sent to the wrong email address. This could be the result of a number of factors including:

A typo in the address held for the person on the organisation’s CRM database
Transcription error by the sender
The sender incorrectly selecting another addressee suggested by the email system’s autofill predictive text feature
Accidentally including other recipients of the email in the ‘cc’ line (i.e., visible to all) rather than ‘bcc’ (‘blind copy’).

There is also the risk of an individual forwarding an email which contains sensitive information within the email trail.

Such errors are greatly amplified when the contents of the email contain highly sensitive personal data, for example, ‘delicate’ medical information. The results of such apparently ‘simple’ oversights can be catastrophic, both for the individuals concerned and the sender organisation.

How Can We Reduce the Risks?

There are, of course, technological solutions which organisations can deploy to minimise the risk of staff members causing ‘email’ data breaches. For example, where the email system identifies an unfamiliar email address in the ‘To’ field, before the email is sent. However, while these tools may pick up a database typo or an incorrectly addressed email, they do not address the other types of misdirected email risks, e.g., the mistakenly clicked-on autofill or the use of ‘cc’ instead of ‘bcc’. In other words, the addresses in themselves are perfectly valid, but the sender has inadvertently entered them in the wrong email, or in the wrong line on the right email.

Need for ‘People’ and ‘Process’ Controls

Where technology cannot eliminate a risk, organisations must concentrate their risk reduction measures on the other two elements of organisational risk management, i.e., ‘people’ and ‘process’. This can be achieved through the delivery of training sessions where the goal is to instil the importance of users getting into the habit of pausing for a few seconds before pressing the ‘Send’ button. Users should be encouraged to pause and double check that the recipient email addresses on their emails are correct (sometimes called the ‘check twice, send once’ approach). They need to check that typos don’t result in messages being delivered to an unintended recipient, potentially leading to an unauthorised disclosure of personal data. Users also need to be reminded to check full email trails to ensure there is no inadvertent disclosure of sensitive information or personal data within the trail.

Second Pair of Eyes

Some organisations, which regularly send emails containing sensitive personal information outside the organisation, have found it beneficial to institute a procedure (‘process’) for mitigating the risk of incorrect addressing, and which is often referred to as a ‘second pair of eyes’. This involves an ‘appropriate’ colleague, perhaps the email writer’s line manager, checking the intended sender’s email, prior to sending, to ensure that all recipients are correctly specified and the appropriate ‘cc’ or ‘bcc’ line has been used. Whether adopting such a ‘second pair of eyes’ protocol is feasible in your organisation will depend on such factors as the volume and frequency of emails containing sensitive personal being sent, the number of appropriate reviewers available and any other technical solutions used, for example, some automated email software packages allow bulk emails to be sent to individual addressees, removing the need to use the ‘cc’ or ‘bcc’ fields.

Satisfy GDPR Requirements

Principle 6 and Article 32 of the UK GDPR require organisations to implement appropriate technical and organisational security measures proportionate to the risk involved in their processing of personal data. Taken together, these two simple but effective data risk reduction organisational measures, which could be summarised as ‘Take a second, or use a second pair of eyes’, could help your organisation meet the requirements for email security controls, sitting alongside your organisation’s email acceptable use policy.

find OUT more on:

Information Commissioner’s Office

ICO

Fines

Sensitive Information

GDPR Principles

Recent blogs

Planning Your ISO 27001 Audit Programme

Data Protection Considerations for Artificial Intelligence (AI)

The Finer Details of PCI DSS v4.0

How to Develop a Robust Business Continuity Plan

I’ve Got my Cyber Essentials - Now What?

How URM can help?

Consultancy

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.

Training

Gain a sound grounding and practical interpretation of the GDPR and the DPA 2018!

By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.

Consultancy

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.