Unwanted Data Acquisition in Emails

Return to sender: the threat of unwanted sensitive data acquisition via email

Over 281 billion emails are sent every day. In today’s technology-driven world, email is undoubtedly the main tool for business communication, and it’s estimated that the average employee will receive 121 emails per day. However, email communication does pose a major threat to organizations because of the amount of sensitive data constantly being sent and received.

In a post-GDPR world, organizations should be more aware than ever of data loss and the risks that it can cause to a business. An important factor within this is understanding that receiving unwanted data via email could lead to a €20 million fine.

GDPR compliance means that unauthorized access to personal data must be reported to a data protection regulator, as it could have a detrimental impact on the individual concerned. Therefore, if employees receive emails that contain sensitive information and ignore the email, neither deleting nor reporting the incident, the entire company is held liable for irresponsible data handling.

There are a variety of ways that emails can cause unwanted data acquisition, and therefore a compliance issue:  

‘The Wrong Dave’ Scenario

Employees are often in a situation where they will need to send an email with sensitive information either included in the message or an attachment. Outlook ‘stores’ the history of email addresses that a person has sent emails to previously, so there will often be more than one person with the same first name – for example, David (‘Dave’).

In a rush, the email containing sensitive information could be sent to the wrong Dave. Only after it is sent – sometimes just a split second later – does the employee realize the mistake they have made. But it’s already too late; ‘the wrong Dave’ has now been sent sensitive information he should not have access to.

The company Dave works for is now responsible for protecting that sensitive data.

If this goes unaddressed, the company Dave works for could be fined under GDPR, or another data protection act, such as PCI DSS if the email contains financial details. If Dave just deletes the contents without notifying his IT department, which can properly ‘cleanse’ the email and archive systems, that sensitive information remains stored on his corporate network. This leaves his organization vulnerable to additional costly work, as well as compliance fines, should the matter surface later through an audit check or a ‘right to be forgotten’ (RTBF) request, or should a data breach occur.

Customer Service/Support

Customers will often email their service or supplier organizations, or employees of those organizations directly, with a query or request. In many cases, the customer will include sensitive information that the employee or help desk should not have access to. For example, an account number would suffice to find and action a request but the customer may also include their full name, telephone number and email address details too. Where a payment needs to be made, they may even include their personal credit card details in the email. These emails remain sitting in the company or employee Inbox.

While employees are unlikely to think twice about receiving this kind of information, there is actually a major compliance issue attached to it. The email holds personal details that only select employees should have authorized access to. This data is classed as unstructured data as it isn’t presented in the form of a database. Customer data like this should be processed and appropriately protected in compliance with GDPR.

‘Invisible’ (Hidden) Sensitive Data

Receiving sensitive data in the body of an email is just the beginning of the problem of acquiring unwanted data. A document or spreadsheet might have been sent to an employee with, unknown to the sender, hidden columns containing sensitive information that should have been removed. Or a Word file might include hidden metadata containing sensitive information, such as an Author Name, email addresses or Revision History. This kind of unwanted data acquisition makes it even more challenging for organizations to track, protect and/or delete the sensitive data to comply with RTBF requests and GDPR in general.
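As an added illustration (not code from the original article or from any vendor), the sketch below shows where this hidden data sits inside Office Open XML attachments: the author fields in `docProps/core.xml`, tracked-change authors in `word/document.xml`, and hidden column ranges in a worksheet part. The function names and the sample packages are assumptions constructed for the example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted mail use a hardened parser, e.g. defusedxml

NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
}

def find_hidden_data(blob: bytes) -> dict:
    """Report author metadata, tracked-change authors and hidden columns in a .docx/.xlsx."""
    report = {"author": None, "last_modified_by": None,
              "revision_authors": set(), "hidden_columns": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:  # document properties (Author, Last Modified By)
            core = ET.fromstring(z.read("docProps/core.xml"))
            report["author"] = core.findtext("dc:creator", namespaces=NS)
            report["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS)
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            for tag in ("w:ins", "w:del"):  # tracked insertions and deletions
                for el in doc.iterfind(f".//{tag}", NS):
                    report["revision_authors"].add(el.get(f"{{{NS['w']}}}author"))
        for name in sorted(n for n in names if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", n)):
            for col in ET.fromstring(z.read(name)).iterfind(".//s:cols/s:col", NS):
                if col.get("hidden") in ("1", "true"):  # min/max are 1-based column indexes
                    report["hidden_columns"].append((name, int(col.get("min")), int(col.get("max"))))
    return report

def make_package(parts: dict) -> bytes:
    """Build an in-memory zip from {part name: xml} (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

# Constructed samples: only the parts inspected above, not complete Office files.
SAMPLE_DOCX = make_package({
    "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        '<dc:creator>Jane Example</dc:creator><cp:lastModifiedBy>Dave Example</cp:lastModifiedBy></cp:coreProperties>',
    "word/document.xml": f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p><w:del w:author="Dave Example">'
        '<w:r><w:delText>draft figure</w:delText></w:r></w:del></w:p></w:body></w:document>',
})
SAMPLE_XLSX = make_package({"xl/worksheets/sheet1.xml": f'<worksheet xmlns="{NS["s"]}">'
    '<cols><col min="3" max="4" hidden="1"/></cols><sheetData/></worksheet>'})
```

Calling `find_hidden_data()` on the bytes of each inbound attachment gives a report that can drive a quarantine or clean-up decision.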

Mitigating Unwanted Data Acquisition Risks

To mitigate these risks, organizations should take a number of steps that both improve employee mindset around handling sensitive data and enforce rules that reduce unwanted sensitive data acquisition.

1. Educate your staff

The first step will always be around employee awareness. Make sure staff understand the risks and consequences around acquiring sensitive data that they shouldn’t have access to. This will help to create a culture of awareness and ensure employees are taking more care when handling sensitive data on a day-to-day basis.

2. Create and implement data handling policies and processes

To ensure staff handle and process sensitive data securely, official processes and policies should be implemented around data sharing, including receipt of sensitive information so employees – as well as new starters – don’t fall out of the habit after initial training. Making sure policies and procedures are updated as new compliance pieces come into effect will also help to mitigate the risk.

3. Deploy Redaction and Sanitization technology

Technology should be implemented to prevent any mistakes, acting as a safety net for businesses rather than a silver bullet. Clearswift’s Adaptive Redaction solution has the ability to detect and remove sensitive information from email messages and attachments before it enters the network.

Rather than taking a ‘stop and block’ approach, Clearswift’s solution will detect and redact only the sensitive information (e.g. PII, PCI) rather than blocking the entire email from being delivered. This will safeguard employees from unwanted sensitive data acquisition without stopping communications or operating efficiency altogether. Further to this, Clearswift's sanitization technology can automatically detect and remove ‘hidden’ sensitive information (e.g. Author Names, Revision History) contained within inbound documents and files via email.
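To make the redact-rather-than-block idea concrete, here is an added sketch (not Clearswift's implementation, and not code from the original article) that masks payment card numbers in the plain-text parts of an inbound message and leaves everything else deliverable. It uses a digit-run pattern plus a Luhn checksum so that order references and account numbers are not redacted; the function names and the sample email are constructed for the example.

```python
import re
from email import message_from_string, policy

# 13-19 digits, optionally separated by single spaces or hyphens
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact_pans(text):
    """Return (text with Luhn-valid card numbers masked, number of redactions)."""
    count = 0
    def _mask(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # e.g. an order reference: leave untouched
        count += 1
        return "[REDACTED CARD ending " + digits[-4:] + "]"
    return PAN_CANDIDATE.sub(_mask, text), count

def redact_message(raw):
    """Redact card numbers in every text/plain part; headers and other text survive."""
    msg = message_from_string(raw, policy=policy.default)
    total = 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            cleaned, n = redact_pans(part.get_content())
            if n:
                part.set_content(cleaned)
                total += n
    return msg, total

# Constructed sample: the card number is a well-known test value, not a real card.
SAMPLE_EMAIL = """\
From: customer@example.com
To: support@example.org
Subject: Refund request

Hi, my account is AC-20481537 and the order ref is 1234 5678 9012 3456.
Please refund card 4111 1111 1111 1111, expiry 12/27.
"""
```

A card number immediately followed by more digits (with only a space between) would be read as one longer run and fail the checksum, so a production filter would also test shorter prefixes of each candidate.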

The same Clearswift technology that prevents unauthorized inbound data acquisition can also be used to prevent outbound data loss, without compromising continuous collaboration.
