A Real Legal Risk
Sooner or later, we all make the error of hitting the send button too quickly, only to discover that we sent an email to the wrong person or copied someone by mistake. Sometimes, you are saved by the message recall feature, but this does not always work. Then you scramble to send an email to the mistaken recipient, humbly asking them to delete the email. That is, if they have not already replied in confusion. Or worse, one of the other recipients might notice the mistake first and contact you in alarm. Sometimes, the dust settles and life carries on, but in many cases this type of accidental data disclosure has serious ramifications, and you may end up in legal hot water.
When you send an email to the incorrect recipient, there is a real risk that you may be improperly disclosing personal data and committing a reportable data breach. This data could be contained in the body of the email or in the attachments. But sometimes, even the mere inclusion of email addresses in the wrong field can lead to a data breach. The UK’s Information Commissioner’s Office (the ICO) reprimanded NHS North Highland about such a situation recently. In that instance, the NHS sent an email about HIV services to 37 recipients, but their email addresses were inserted in the “CC” (copy) field instead of the “BCC” (blind copy) field. This potentially disclosed the recipients’ HIV status to others—a serious data breach. The ICO has also reported two other similar incidents, which might have disclosed individuals’ personal data about institutional abuse or gender dysphoria.
Misdirected Emails Can Lead to Legal Claims
Frequently, a misdirected email can give rise to a duty to report a data breach to the relevant data protection authority, particularly if the breach can lead to risks to the rights and freedoms of individuals. This could be the case, for example, if the disclosure might lead to discrimination against them or if they might suffer financial losses.
However, a misdirected email can also lead to a damages claim. An example of such a situation has been heard by the England and Wales High Court, when a couple sued a law firm for sending an account to the wrong recipients. In their case, they were unsuccessful because they could not prove actual loss or distress, but it is not difficult to think of situations where it will be possible to prove this, for example, if sensitive banking details or information about a celebrity’s health condition is leaked. Recently, the European Court of Justice also confirmed that a data subject will have a claim for damages if they can prove that a provision of the GDPR was infringed and that this led to actual material or non-material damages.
What Must You Do?
Article 32(1) of the European Union’s General Data Protection Regulation (GDPR) requires companies to take appropriate organizational and technical measures to ensure a level of security appropriate to the risks involved in their processing of personal data. This duty also applies to the way in which companies manage their email systems to avoid misdirected emails.
The Danish Data Protection Authority (Datatilsynet) has issued detailed guidance regarding outbound email security and requires organizations to comply with this by March 1, 2024. It has emphasized that all data controllers who use the auto-complete function in email programs are required to implement appropriate security measures to mitigate the risk of accidentally sending confidential or sensitive information to incorrect recipients. Here are some key points from the guidance:
- Data controllers must conduct and document a risk assessment to evaluate the potential for unauthorized disclosure of personal data through emails, especially when using the auto-complete function.
- Data controllers are obligated to implement both organizational and technical measures to reduce the risk of such breaches.
- Organizations that frequently use email to send sensitive data cannot rely solely on organizational measures (e.g., policies, guidelines, and awareness raising). Datatilsynet has stressed that technical measures are also mandatory and in some cases requires that organizations implement one or more specific technical measures that will alert a sender if an email is being sent to an incorrect recipient.
- In case of a data breach, a renewed risk assessment is required to reassess and potentially update the security measures. Even if an organization has procedures against sending confidential data via email externally, risks still exist for internal email communication.
Datatilsynet has also provided these examples of technical and organizational measures that an organization can implement to reduce the risk of misdirected emails caused by auto-complete:
- Create guidelines for internal and external communications;
- Raise awareness of the guidelines amongst employees and keep on reminding them about the risks associated with misdirected emails;
- Consider requiring that email addresses must be copied from a client relationship management system (CRM) instead of inserted manually or by way of auto-complete;
- If someone will send a large volume of data by email, consider requiring that another individual double-checks the email addresses before the email is sent;
- Delete email addresses that have not been used recently;
- Activate a sending delay to allow the sender to delete or edit an email before it is dispatched;
- Switch off the auto-complete function.
In the UK, the ICO has also published detailed guidance relating to the sending of bulk emails, recommending that companies switch off the auto-complete function in email software and enable delays to give senders an opportunity to correct an error if they spot an incorrect email address. Ireland’s Data Protection Commission has provided practical advice too. With the adoption of the new NIS2 Directive, which aims to ensure a higher level of cybersecurity in the EU, it is expected that more legal guidelines and requirements will soon be rolled out in Europe.
When determining the appropriate organizational and technical measures to guard against misdirected emails, you must take into account various factors, such as the current state of the art. This means that you should consider the tools and technology that are currently available and used in the industry. This includes, as the ICO points out, setting up rules to alert and warn email senders when they use the CC field, but dedicated tools have the potential to be much more effective.
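As an added illustration (not code from the article or from any vendor it names), here is a small pre-send check in Python that implements the kind of sender-alert rules the ICO and Datatilsynet describe: it flags bulk mail with external addresses visible in To/Cc rather than Bcc, a lone recipient at a domain shared by nobody else on the mail (the typical auto-complete slip), and attachments leaving the organization. The internal domain list, the threshold and the sample messages are assumed, constructed values.

```python
import email
from email import policy
from email.utils import getaddresses

# Assumed organisational policy values (not from the article): the sender's own
# domain(s) and how many external addresses may be visible in To/Cc at once.
INTERNAL_DOMAINS = {"example.org"}
MAX_VISIBLE_EXTERNAL = 1

def _addrs(msg, header):
    """Lower-cased addresses from one header (To, Cc or Bcc); empty if absent."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]

def check_outbound(raw):
    """Return a list of warnings for a raw RFC 5322 message; empty means no rule fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    visible = _addrs(msg, "To") + _addrs(msg, "Cc")
    external = [a for a in visible if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    # Rule 1: bulk mail with external recipients visible to each other (CC where BCC was meant).
    if len(external) > MAX_VISIBLE_EXTERNAL:
        warnings.append(f"{len(external)} external recipients visible in To/Cc; use Bcc")
    # Rule 2: a lone recipient at a domain shared by nobody else on the mail is the
    # classic auto-complete slip (right name, wrong organisation); ask for confirmation.
    by_domain = {}
    for a in visible + _addrs(msg, "Bcc"):
        by_domain.setdefault(a.rsplit("@", 1)[-1], []).append(a)
    for domain, addrs in by_domain.items():
        if len(by_domain) > 1 and len(addrs) == 1 and domain not in INTERNAL_DOMAINS:
            warnings.append(f"{addrs[0]} is the only recipient at {domain}; confirm")
    # Rule 3: attachments leaving the organisation get an explicit prompt.
    if external and any(p.get_filename() for p in msg.iter_attachments()):
        warnings.append("attachment addressed to external recipients; confirm")
    return warnings

# Constructed sample messages for a stand-alone run.
SAMPLE_BULK = (
    "From: clinic@example.org\nTo: clinic@example.org\n"
    "Cc: a@mail.test, b@mail.test, c@other.test\nSubject: Service update\n\nHello\n"
)
SAMPLE_OK = "From: clinic@example.org\nTo: patient@mail.test\nSubject: Hi\n\nHello\n"

if __name__ == "__main__":
    for name, raw in (("bulk", SAMPLE_BULK), ("ok", SAMPLE_OK)):
        print(name, check_outbound(raw) or ["no warnings"])
```

In practice such a check runs as a mail-client plugin or an outbound gateway hook, and the warning is shown to the sender before the message is released, which pairs naturally with the sending delay the guidance recommends.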
Practical Solutions
A small number of dedicated solutions are available on the market to help companies prevent dangerous misdirected emails. For example, Preava (a VeraSafe venture) has developed an email security plugin aimed at stopping misdirected emails and malicious data exfiltration.
With such outbound email security tools readily available on the market, they are becoming part of the state of the art. Since this is the threshold for adequate data security, an organization might very well be found lacking if it suffers a data breach due to a misdirected email and has failed to employ such a solution. Accordingly, all organizations should review their email security measures and evaluate the available solutions on the market to ensure that they appropriately safeguard personal data and mitigate against potential regulatory enforcement action and legal claims.