It’s 6 o’clock on Friday evening and you’ve just finished a financial forecast ready for an investor meeting next week. You press send and reach for your coat, but then that sinking feeling hits. In the rush you’ve selected the wrong recipient, and sensitive information is in the wrong hands within seconds.
In the UK, 88% of data breaches reported to the Information Commissioner’s Office (ICO) are caused by human error. The most common mistake is sending information to the wrong person. The number one culprit? Email. So what do you do? Peter Matthews, CEO of Metro Communications, knows what to do.
CFOs should not ignore the potential impact of such breaches on a company’s finances and reputation. Research for IBM suggests that the average cost of a data breach in the UK rose to £2.7m in 2018, with health, financial and service sectors most likely to experience breaches.
Few FDs would claim to be immune to accidental data transfer via email. So, what can you do if you inadvertently send a confidential message to the wrong person?
Recall or ‘unsend’ it
Email services offer different ways to cancel sent messages. In Outlook it is possible to recall and then delete an email providing it hasn’t been opened by the recipient. Gmail allows you to delay messages from leaving your outbox. If a sensitive email has been sent to a fellow employee then your IT department should be able to delete it, if they are informed fast enough.
Contact the recipient
Get in touch with the recipient as soon as you notice the mistake and ask them to delete the email without reading or sharing it. Request that they email you to confirm they’ve done so. Log the incident in a ‘cyber accident book’.
Report and act quickly
Report the incident internally and ensure it’s followed through to its conclusion. An employee of SSE Energy who sent a sensitive email in error promptly reported it in accordance with the company’s policies and procedures. However, SSE’s failure to notify the commissioner in a timely manner led to a £1,000 fine and negative publicity. The regulations have since been amended so that directors, managers and company secretaries can be fined up to £500,000.
Inform and advise customers
Good customer service goes a long way. Boeing was mocked for failing to use its own data protection software to prevent an accidental breach which compromised the personal data of 36,000 customers. But it was applauded for informing customers about the nature of the incident, taking action to ensure files were deleted, and giving detailed advice about how customers could check their personal data wasn’t being misused.
Notify the regulator, if necessary
Inform the regulator within 72 hours if you believe there’s a risk to customers. Even where you don’t feel an incident is notifiable, it is still worth recording, internally. This will help you review incidents as part of a health check and if you ever have to demonstrate regulatory compliance it could prove invaluable.
Once you’ve contained the incident, revisit your strategy and consider the need for other forms of action such as staff training, policy reviews, access rights, restrictive covenants and encryption. Data classification that ‘weights’ the sensitivity of each file and document on your company’s drive and then links highly confidential information to a closed group of authorised recipients, with blocks on copying such information onto memory sticks, can be helpful. Preventative tools like this make it difficult to email the wrong data to the wrong person and they also log user behaviour, flagging up employees who try to reclassify data so they can send it out of the business.
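The kind of classification-based send check described above, sketched as an added example (not the article’s or any vendor’s code): each document carries a sensitivity label, the highest label is tied to a closed group of authorised recipients, and attempts to downgrade a label are refused and flagged for review. All labels, addresses, domains and the example policy are constructed assumptions.

```python
"""Send-time data-classification check with audit logging (constructed example)."""
from dataclasses import dataclass

# Sensitivity 'weights': higher number means more restricted (constructed labels).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "highly_confidential": 3}

# Constructed policy: exact addresses, or '@domain' for any address in that domain.
ALLOWED_RECIPIENTS = {
    "highly_confidential": {"cfo@example.com", "board@example.com"},  # closed group
    "confidential": {"@example.com"},                                  # company domain only
}

audit_log: list[str] = []  # in a real deployment this feeds the 'cyber accident book'


@dataclass
class Document:
    name: str
    label: str


def recipient_permitted(addr: str, label: str) -> bool:
    """True if `addr` may receive a document carrying `label`."""
    if SENSITIVITY[label] <= SENSITIVITY["internal"]:
        return True  # assumption: low labels carry no recipient restriction
    allowed = ALLOWED_RECIPIENTS[label]
    domain = "@" + addr.lower().split("@", 1)[1]
    return addr.lower() in allowed or domain in allowed


def check_send(sender: str, doc: Document, recipients: list[str]) -> tuple[bool, list[str]]:
    """Return (permitted, blocked_recipients); one unauthorised recipient blocks the whole message."""
    blocked = [r for r in recipients if not recipient_permitted(r, doc.label)]
    if blocked:
        audit_log.append(f"BLOCKED sender={sender} doc={doc.name} label={doc.label} to={blocked}")
    return (not blocked, blocked)


def reclassify(user: str, doc: Document, new_label: str) -> bool:
    """Apply an upgrade; refuse a downgrade and flag the user so the attempt can be reviewed."""
    if SENSITIVITY[new_label] < SENSITIVITY[doc.label]:
        audit_log.append(f"FLAG downgrade attempt user={user} doc={doc.name} {doc.label}->{new_label}")
        return False
    doc.label = new_label
    return True


if __name__ == "__main__":
    forecast = Document("forecast.xlsx", "highly_confidential")
    print(check_send("fd@example.com", forecast, ["cfo@example.com", "investor@partner.example"]))
    print(reclassify("fd@example.com", forecast, "internal"), audit_log)
```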
The law doesn’t distinguish between deliberate and accidental breaches, so don’t expect a discount on fines for damaging disclosures caused by an honest mistake, and don’t be surprised to find lawyers queuing up to help those whose financial, personal or health data has been incorrectly transferred.
But let’s look at it positively. Employee error is a significant contributor to data loss, but it is easier to prevent and generally takes less time to control than a malicious hack. Indeed, many accidental incidents can be contained or even prevented by steps so simple that everyone should be taking them. However, if you’ve decided you want to take a ‘belt and breaches’ approach then it’s time to trust yourself less. Preventative measures such as data classification will ensure you send that sinking feeling to your deleted folder once and for all.