People send emails to the wrong recipients for any number of reasons. A common cause is Microsoft Outlook’s autocomplete functionality, with people accidentally selecting the wrong name without realising – for example, it is very easy to accidentally add ‘Emma’ instead of ‘Emily’ or ‘John Jones’ instead of ‘Jon Jones’ when using autocomplete. Similarly, factors like being tired, working in a pressurised environment, and using mobile devices all have their parts to play in this problem.
In recent years, the phrase ‘misdirected emails’ has been coined to cover instances where an email is sent to the wrong person or the wrong attachment has been added to an email that has the correct recipients in it. These are very common causes of email data breaches and when they occur, the best-case scenario is the email or attachment didn’t contain any sensitive data and ultimately the sender is left a little red-faced and must resend the email to the correct recipient(s). However, when an email or attachment does contain sensitive personal data or health information, the consequences are a lot more serious.
In the UK, a misdirected email that contains personally identifiable information (PII) that can be accessed by the unauthorised recipient is classed as a breach of GDPR. The practice involved will need to notify the Information Commissioner’s Office (ICO) and, depending on the severity of the breach, the data subjects as well. The firm can face punitive action and fines from the ICO, and any media coverage/reporting of the breach can damage their reputation.
What’s more, for many healthcare organisations, the causes of email data breaches can be broader than just making sure the right recipients and attachments are added to emails. The content of email newsletter updates can be so sensitive that exposing the recipient list in the To/Cc fields, rather than using the Bcc field, can have a negative impact on patients (for example, disclosing those living with long-term conditions by association with their email addresses).
On top of this, even when the right recipients and attachments are on an email, if it is not sent securely (using encryption or solutions such as TLS), the data can still be at risk of a breach.
How Egress prevents email data breaches
At Egress, we use technologies like contextual machine learning and advanced DLP to prevent email data breaches. We analyse a range of factors, including sender and recipient behaviour, and the sensitivity of the content being emailed, to do two things:
- Ensure emails are sent to the correct recipient(s). Egress matches each recipient with the types of content contained in emails and attachments, and notifies the sender if the wrong person has been added.
- Apply the correct level of protection. Egress determines the right level of security required relative to the risk of a data breach – whether that’s message-level encryption or being able to utilise TLS (when set up correctly).
Consequently, we’re helping people work more efficiently and more securely.
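As an added illustration (not Egress code and not the product described above), the following pre-send check implements the two failure modes the text names: a recipient whose name is near-identical to another address book entry (the Emma/Emily, Jon/John autocomplete slip) and a bulk list of external addresses left visible in To/Cc instead of Bcc. The address book, domain and threshold are constructed sample values.

```python
from difflib import SequenceMatcher

# Constructed sample data: the sender's address book and the organisation's own domain.
INTERNAL_DOMAIN = "clinic.example"
ADDRESS_BOOK = {
    "emily.smith@clinic.example": "Emily Smith",
    "emma.smith@clinic.example": "Emma Smith",
    "jon.jones@partner.example": "Jon Jones",
    "john.jones@other.example": "John Jones",
}
NAME_SIMILARITY = 0.75  # ratio above which two display names are treated as confusable
BULK_THRESHOLD = 5      # more visible external recipients than this looks like a newsletter


def lookalike_warnings(recipients, address_book=ADDRESS_BOOK):
    """Warn when a chosen recipient's name is easily confused with another contact."""
    warnings = []
    for addr in recipients:
        name = address_book.get(addr)
        if name is None:
            continue  # unknown address: nothing to compare against
        for other_addr, other_name in address_book.items():
            if other_addr == addr:
                continue
            ratio = SequenceMatcher(None, name.lower(), other_name.lower()).ratio()
            if ratio >= NAME_SIMILARITY:
                warnings.append(
                    f"{addr} ({name}) is easily confused with {other_addr} ({other_name})"
                )
    return warnings


def exposure_warnings(to, cc, internal_domain=INTERNAL_DOMAIN):
    """Warn when a bulk external recipient list is visible to every recipient."""
    external = [a for a in to + cc if not a.lower().endswith("@" + internal_domain)]
    if len(external) > BULK_THRESHOLD:
        return [f"{len(external)} external addresses visible in To/Cc; use Bcc for bulk mail"]
    return []


def precheck(to, cc=()):
    """Run both checks on the visible recipient fields and return the warnings to show the sender."""
    to, cc = list(to), list(cc)
    return lookalike_warnings(to + cc) + exposure_warnings(to, cc)


if __name__ == "__main__":
    for w in precheck(["emily.smith@clinic.example"], cc=["jon.jones@partner.example"]):
        print("WARNING:", w)
```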
Author: Neil Larkins, CTO, Egress