Sunday 29 November 2015

What is your process for checking outgoing email attachments?
This case really showcases the importance of keeping track of all of the information that comes from your business!

On 2 August 2011 a member of the public reported that they had received an email from HMP Cardiff with a file accidentally attached that contained the details of 1,182 inmates. As if that wasn’t bad enough, it wasn’t the first time the mistake had been made - on 4th and 5th July 2011 the prisoner details had been sent to two other unintended recipients who hadn’t yet contacted the data controller or the prison. 

In total, three emails carrying the attachment had gone to three different individuals while a new prison booking clerk was arranging prison visits. The clerk had only meant to email a family member about a visit, but had accidentally attached the text file. All three mistakes were made by the same clerk, doing the same thing by accident. The file had to be manually cut and pasted onto a disk every day and then saved into a database, so the paste action picked up the last file left on the clipboard instead of the correct one and sent the sensitive data out - three times.

Once the mistake had been discovered, the police became involved and each recipient was asked to confirm in writing that the message had been deleted and not shared. The police even accessed their email accounts to make sure that it had been fully deleted. 

HMP Cardiff has since put in place measures to stop this ever happening again: existing training and on-going support is now topped up with monthly checks, and the data transfer procedure has been changed so that an encrypted memory stick is used for data transfer rather than a disk. Instead of copying and pasting the file to the stick, staff are told to locate the text file and use the ‘send to’ function, which stops it being left on the clipboard to be pasted where it ought not to be.

Most of us would cringe, just thinking about a mistake like this - how many times have you attached the wrong document to an email or not attached it at all? When you’re dealing with sensitive data though, the repercussions can be extremely serious. The National Offender Management Service was fined £140,000 for the breach.

This error, made by an inexperienced member of staff, would not even have come to light if the third person who had received it hadn’t realised the seriousness of the mistake and reported it. Is it possible that this sort of thing could happen to you? What measures do you have in place to prevent sensitive data being accidentally shared with the wrong people?

Do you have a contingency plan in place for emails, and for protecting sensitive information? If you need advice on procedures and policies that keep your information safe, contact me and I will be delighted to provide you with guidance and advice.

Sunday 22 November 2015

Email - the equivalent of an electronic postcard - really it is

I have had a couple of conversations with organisations recently about email security.

Sending an email is like sending an electronic postcard: anyone who handles it along the way can read the content. We all know when we write a postcard that the postman reads it before he delivers it. That's why so many postcards go along the "wish you were here" line.

Email is no different; it can be intercepted and read. Having talked with a range of organisations recently, I can say you would be surprised what they will put, or expect to be put, in an unencrypted email.

A common request is credit card details. One charity I worked with used to relay credit card details across the organisation via email. Not only is this a breach of PCI DSS (the credit card security standard), but it also means that those credit card details are insecure. And it's not just small organisations that have this misconception. A large hotel chain recently asked me to confirm a booking by sending my credit card details back by email.

Next is the transmission of personal information across an organisation. How often does an organisation send a spreadsheet of personal information internally without protecting it? If you send personal information, take steps to protect it.

A common misconception is that sending an email internally means it is secure, because the perception is that it doesn't go outside the organisation. Most emails go outside the organisation and then come back in again; sending it within the organisation does not make it any more difficult to read.

Finally, there is the scope to send the email to the wrong person. With the ability to store numerous email addresses in an email programme, it can be very easy to select the wrong name from the list, especially if you have a lot of one name. How many Richards are there on your list? (There are four on mine.) Do you always get the right one? Always check before sending that you have the correct addressee.

So here are a couple of basics:
- Email is like a postcard; treat it as such and think of it in this way. Would you put that information on a postcard?
- If you send an email with personal information in it, password protect it (and don't send the password in the same email as the information!).
- DO NOT PUT CREDIT CARD DETAILS IN AN EMAIL. It leaves the information vulnerable to theft.
- Always make sure that you are sending the information to the correct person.
- Have an email policy which outlines the organisation's expectations, so that all staff understand the rules of email.
Sunday 8 November 2015

New EU Data Breach deadline - are you prepared?
New EU regulations are coming into force that may compel organisations becoming aware of a data breach to report it within 72 hours of the breach being discovered. Do you have a policy in place for this if the worst should happen to your data?

Under the new proposals, which form part of the EU Cybersecurity Directive, any organisation that holds data about EU residents will have to inform data protection regulators and also any customers affected by a breach of security within the deadline or face hefty fines. The fine could be as much as two per cent of a company’s global revenue (to a maximum of €1 million) depending on how severe the breach is.

The rules, which are still being negotiated, are expected to take effect by 2018.

It’s also worth noting that the legislation also suggests that data processors can be found directly liable for any fines and claims made by data subjects; if the data controller proves that it was not responsible for the event giving rise to the breach, the processor of the data may find themselves with a large fine instead. A data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller. So if a utilities company employs a smaller, independent call centre to call its customers, and the call centre is responsible for a breach of security, the call centre would be likely to be the organisation getting penalised if the owner of the data (the larger company) can prove it had policies in place to inform the authorities within the deadline, and had made the processor aware of them.

Some company executives feel that the deadline is harsh; US rules require data breaches to be reported within a month and the regulations will affect companies all over the world if they operate in an EU country. Other privacy experts believe that the move may be counter-productive because if the breach/hacking hasn’t been rectified before the 72 hours is up, revealing it to the public and the authorities before a solution is found could expose the company involved to attacks from more hackers, eager to find and exploit a vulnerability.

Meanwhile, others believe that the regulations will actually make it easier for companies to inform privacy authorities, as they only have to inform one of the 28 authorities and not all of them, and force affected organisations to deal with data breaches immediately. Advocates agree that having a mandatory notification process in place also stops companies from hiding serious data breaches and putting their customers at further risk.

Is your company ready to deal with the new regulations when they come in? How will you ensure that your staff are up to speed on what they must do in case of a data breach? If you’re unsure of how the new regulations will affect your business, contact me and I will be delighted to provide you with guidance and advice.