Over the last couple of weeks, our Hosting and Tech Newsletter has covered two different stories about organisations that have got into hot water because of email data breaches. In this post, we’ll look at the potential security issues involved in sending emails and explain how you can prevent your organisation falling foul of regulatory compliance.
The two stories we covered both involved organisations that would have had compliance measures in place: one was a law firm and the other a city council. The law firm was fined for sending private information about an individual and their family via emails, while the council is still under investigation for sending out a mass email containing the names of hundreds of disabled children and their carers’ email addresses.
If these kinds of incident can happen in professional organisations like law firms and city councils, they can happen anywhere. It is important for all organisations, therefore, to understand the ways data can be lost and how to defend against it. Here are the main issues.
Using To or CC instead of BCC
While people may have shared their email address with your organisation, they may not have given you express permission to share that information with third-parties. If you do share it, even accidentally, it becomes a data breach. You can do this inadvertently if you send an email to multiple recipients and put all their addresses in the ‘To’ or ‘CC’ (carbon copy) field of your email. When that email arrives, everyone who gets it will see either the email address or, if you have them in your contact list, their name and the email address.
To avoid this form of data breach, it is advisable to put your own email address in the To field and put every other email address or contact in the BCC (blind carbon copy) field. Using the BCC field prevents any of the email addresses or names being disclosed to recipients. If you are using Outlook and the BCC field is missing, you can add it by clicking on ‘Options’.
One of the potential compliance issues with email comes from the time-saving practice of recycling an old email rather than creating a new one. It can be quicker to find an old email and click on reply than create a brand new one and have to search for the recipient or type in an email address.
The problem is that if the old content is undeleted it will be contained in the body of the new message. Indeed, some emails can contain copies of many old messages going back over long periods. If this older content contains sensitive information, it won’t be an issue if you and the original recipient have access rights to that information. However, if you decide to copy someone else into that email who doesn’t have access rights, then it becomes a data breach. This also applies if you or the recipient forward it to someone without access rights.
While it can be useful to keep old messages in the content to save time looking up old emails, if new recipients are added to the conversation, old content should be deleted as a precaution.
Attachments, too, can be included in replies and inadvertently sent or forwarded to people who are not meant to see the information they contain. However, another problem is that senders don’t always check the attachment before sending it. There’s the possibility that the attachment might contain personal information that the recipient is not meant to see or even contain links to documents and files which are data sensitive.
Sending to the wrong recipient
It can be very easy to click on the wrong recipient from a contact list and this is another common cause of data breach. The ICO website lists several examples of organisations fined for making such errors, including North Somerset Council which was fined after emails containing details of a child’s serious case review were sent to the wrong NHS employee, and Surrey County Council which was fined after an employee emailed a file containing sensitive data of 241 people to the wrong address.
Protecting your email
Organisations can drastically reduce the chance of an email data breach by drawing up an email use policy, training staff on best practice and issuing regular reminders. This won’t, however, guarantee the issues above won’t happen, nor will it prevent problems with cybercriminals hacking into mail servers or an employee’s email account.
The best way to protect email is to use S/Mime encryption. Email certificates are the simplest solution for this, verifying your identity to recipients and encrypting emails and attachments to keep contents secure in transit and rest. They stop email tampering, help prevent phishing scams and assist organisations with GDPR, ISO27001 and other regulatory compliance.
Emails are the most common form of internal and external communication used by organisations. While they provide a highly convenient way to send messages and attachments, users have to be mindful of the potential for data breaches. Hopefully, this post has highlighted the risks and helped you find ways to mitigate them.
For more information, visit our Email Certificates page.