So, you just caused a data breach, by CCing the wrong person in an email…

I had two encounters today both of which I thought I’d share.

The first thing that happened

A received a call from a friend who had made a mistake at work, due to the area I work within they decided I could save them ?

Yes, it happened THEY COPIED THE WRONG PERSON IN AN EMAIL.

Happily working away and an email drops in from a client, they click it open and there it is… the line we should all dread:

“I assume this wasn’t meant for me?”

Now this used to be something comical, but its an issue that has become more serious over time, and errors like this can simply not happen.

With all the Data Protection rules, the E-privacy Regs, yes – and sorry, GDPR, my friend was in panic mode as they still didn’t really understand their situation. Both the affected parties were amazing clients who prided themselves on solid security practices. To say my friend was mortified would be an understatement.

Thankfully this occurred 72hrs ahead of formal GDPR impact. Not that it should matter, rules have been in place for years, we hold certifications, “but I’ve never made this mistake at work before and now you have to tell people if you screw up!” was the panicked cry.

This is where I truly considered how such an easy mistake, that many people have made, could impact a wider business.

I advised my friend to notify their IT team immediately and ask them to confirm their current process. That’s another email response he dreaded. Could it be career suicide?

In the interim I suggested that he draft an apology to the recipient, asking them to permanently delete the email, then provide written confirmation of this by return.

Then draft an email to the company whose email message he had shared, disclosing the information shared AND details of the company (NOT the individual) with whom he shared the information, with a huge apology.

The following day his IT team confirmed he should contact both parties and ensure he provided the written responses to the incident, so they could be attached to the logged incident on file.

How the hell can this happen?

My friend was rushing, autocorrect put in an email address, it obviously wasn’t checked 100% – it was as simple as that. My friend is still only human… most of the time ?

In light of all the regulations, requirements, and potential fines it really made me take note of how a simple, simple mistake could potentially cost dearly.

Thankfully the email contained nothing that anyone would consider sensitive, but it did contain email addresses and direct line phone numbers.

IMAGINE… think of the last Really important email you sent out with sensitive information in it… maybe an email to HR with employee information on – whatever it was… the repercussions and potential ramifications now are HUGE!

A slip of the autofill on Outlook and them not paying full attention could have been much worse.

We may all be getting a bit fed up with GDPR, we may all feel a little more stressed and little more annoyed with information security, but:

DO

• Confess immediately and the teams around you will support you. Mistakes happen, the main thing now is reacting responsibly
• Lost your phone, laptop, tablet? (and yes that note pad you scribble in counts too) bite the bullet and report it immediately
• Assess the measures available within your technology stack to prevent “human error” e.g. disabling autofill in outlook etc.
• Provide appropriate and ongoing Security Awareness Training
• Ensure ALL colleagues know what to do in the event of an issue like the above. The are variations but now we have to be extra vigilant

DON’T

• EVER try to hide it
• Get complacent, relying on technology – personally double check where you are sending your information/emails/documents/links
• Worry too much, people make mistakes – its how you address and learn from it that counts

The second thing that happened…

I had to attend a conference and was handed an attendee list.

I took it as though it was on fire, looked at the girl and asked if it was GDPR compliant. The look of horror on the girl’s face, apparently I’d been the first person to ask her!

I had to smile. The Data Protection journey ahead is unlikely to by easy but I’m sure we will have fun along the way!! Stay safe people, don’t click on links and check where you send your stuff.