How using a simple thing like email can lead to an ICO fine – even in the legal sector

• by Ellie Hurst
• Advent IM Blog

From Derek Willins, Advent IM BDM with helpful tips from Ian Warren, Advent IM Security Consultant

In June a headline caught my eye, it was about a police constabulary that was fined £80,000 by the Information Commissioner’s Office (ICO) after sending a bulk email that identified victims. It went on to say, they had used the To. function and not the Bcc. function. This got my attention.

Before I joined Advent IM in July, whenever I thought about data security, large scale servers and firewalls came to mind. But I quickly discovered that data security incidents and the law, cover a wide range of issues.

Since April 2015, the Information Commissioners Office (ICO) has shared quarterly data on reported data security incidents. In Q1 2018, the single most  reported data security incident was ‘Data sent by e-mail to the wrong recipient’. This issue alone accounted for 15% of all data security incidents in the quarter. Incidentally, a failure to use Bcc on mass mails, was a further 3% of incidents. This was the reason why the police constabulary was fined £80k. By using To. instead of Bcc, all recipients of the mass e-mail saw each other’s address.

One important and sensitive industry sector which heavily over-indexes (139 in Q1) for e-mail data security incidents is the legal profession. The data gives no clues on why this is so. Maybe they are more honest at reporting incidents than other sectors? Maybe they send more data by e-mail than others? Maybe they know the law but not the practical implementation of it? The list goes on. I asked a lawyer friend, and as expected, he said all of the above.

Anyway, a secure e-mail policy is part of a wider Information Security Management System – which all businesses should have in place by now. But clearly this is not the case. So, I share some tips to help reduce e-mail incidents;

• Create an e -mail policy, teach it, and check that people follow it.
• Encourage early reporting of errors.
• Switch off the autofill function for To. and Cc. (and Bcc. of course).
• Switch off ‘Reply all’ function.
• Introduce an outbox delay of a few minutes for external mail – to allow mistakes to be rectified.
• Put nothing sensitive in the body of e mail, put it in an attachment.
• Have filters to identify key words or phrases – which creates a pop-up alert for user to check before sending.
• Have a pop-up alert for all external mail – so the user pauses to check the recipient is correct.
• All attachments to be encrypted and passworded.
• All mass e-mails to be double checked with another pair of eyes.

There are many things that can be done to help reduce mistakes by busy human beings. We all make mistakes, but strong procedures will minimise them without impacting productivity.