[Editor’s note: Sensitive information is sent via email every single day, and making a mistake can create serious issues. This guest post looks at the most common risks and shares recommendations on how you might react if and when an email containing sensitive information is sent to the wrong address.]
You may have noticed that the number of cases where confidential data is mistakenly emailed is on the rise. Recent examples include a lawyer communicating privileged information to the Wall Street Journal and customer service staff sending an attachment containing private details on multiple occasions.
As silly as these human errors may sound, they can and do take place in organizations of all sizes, due to a combination of factors such as negligence, extensive contact lists with confusingly similar names, and webmail autocomplete.
So what should you do when you or your staff inadvertently communicate sensitive info to the wrong person via email? This post explores some key considerations as well as best practices to manage an accidental emailing crisis and safeguard your reputation.
Is there actually a crisis?
Granted, it never looks good when you contact someone by mistake, but that doesn’t mean your corporate reputation is really at risk. If an email sent to the wrong recipient and its attachments didn’t contain personal or commercial information, you might just follow up with a quick note apologizing. Not very pretty, but probably enough.
But if the message or thread includes details belonging to one or more of the following categories, then you should start to worry and proactively plan your crisis response.
- Personally Identifiable Information (PII): Names, social security numbers, addresses, salary, bank accounts, credit card numbers, etc.
- Commercial details: Contracts, ongoing negotiations, request for proposals, rates, etc.
- IP assets: Patent applications, trade secrets, research and technological developments, etc.
What should you do next?
Though the chances of success are very thin, try recalling your message immediately, hoping that the unintended recipient(s) haven’t read it yet.
If that doesn’t work, you may need to report the incident, as data breach notification involving citizens’ details is mandatory in most US states and in countries around the world — with failure to comply leading to substantial fines.
Additionally, you need to define a strategy to mitigate the negative impact that the crisis could have on all relevant internal and external stakeholders. Points to consider at this stage include:
- What to communicate and to whom
- How to support affected parties
- Media response and perceptions over time
- Actions to stop further leakage
- Preparation of follow-up responses
How can you prevent and mitigate crises?
Often the best way to deal with a crisis is to take precautionary measures so it doesn’t happen in the first place. Having strong security policies is an excellent place to start.
Train new recruits and remind employees regularly about the importance of double checking recipients — especially when the TO and CC fields contain external addresses. Also, explicitly require your staff always to verify whether each attachment is correct before they send or forward it.
Another best practice is to encourage everyone to speak up when they make a mistake. The longer you or someone in your organization waits before reporting a potential breach, the worse the crisis is likely to get with each additional send, forward, and print of the sensitive message — a perfect illustration of the snowball effect.
Last but not least, you can use technology to help you better control how data is transmitted via email. Email data loss prevention (DLP) solutions, for example, can help detect risky sending behaviors and add a confirmation layer in the form of a popup window when replying to many recipients, attaching files containing PII, adding an external recipient to an email thread, and so on.
Accidental emailing may not be top of mind when you think of crisis management, but like any other data breach, it can cause tremendous damage to your reputation when not tackled adequately.
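To make the confirmation layer concrete, here is an added example (written for this post, not Safesend’s or any vendor’s code) of the kind of pre-send check such a DLP layer runs: it flags external recipients, large recipient lists, and attachments that look like they carry PII. The recipient threshold and the two PII patterns are assumptions chosen for illustration.

```python
import re

# Assumed thresholds/patterns for the example; real DLP products use far richer rules.
MANY_RECIPIENTS = 5
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # US social security number shape
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")         # candidate payment card number


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pii(text: str) -> bool:
    """True if the text contains an SSN-shaped value or a Luhn-valid card number."""
    if SSN_RE.search(text):
        return True
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


def presend_checks(sender: str, recipients: list, attachments: dict,
                   many: int = MANY_RECIPIENTS) -> list:
    """Return the confirmation prompts the sender should see before the mail goes out.

    The sender's own domain is treated as internal; everything else is external.
    attachments maps file name -> extracted text content.
    """
    org = sender.rsplit("@", 1)[-1].lower()
    prompts = []
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() != org]
    if external:
        prompts.append("external recipients: " + ", ".join(external))
    if len(recipients) >= many:
        prompts.append(f"message goes to {len(recipients)} recipients")
    for name, content in attachments.items():
        if contains_pii(content):
            prompts.append(f"attachment {name!r} appears to contain PII")
    return prompts


if __name__ == "__main__":
    # Constructed sample: an internal sender, one external CC, one payroll-like attachment.
    for p in presend_checks("alice@example.com",
                            ["bob@example.com", "carol@partner.org"],
                            {"payroll.csv": "Bob,123-45-6789,4111 1111 1111 1111"}):
        print("CONFIRM:", p)
```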
Alexandre François is Head of Content at Safesend Software, a solution specifically designed to prevent accidental emailing by intuitively prompting Outlook users to confirm email addresses and attachments before they click the send button.