A large portion of the data breaches that occur each year involve human resource related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach.
This part discusses a specific type of data security breach that is, unfortunately, familiar to almost every organization – errant emails.
One of the easiest ways in which data can be lost, literally in the blink of an eye, is when an email is inadvertently sent to the wrong person. Anyone who has ever done this is familiar with the immediate sense of panic that follows when you realize that the private email meant for your colleague actually went to your boss. In the data security context, this is particularly problematic when the errant email contains personally identifiable information, because delivery to the wrong recipient exposes that information to someone who was never authorized to receive it.
Companies should encourage employees to self-report immediately upon realizing that an email was sent to the wrong person. The recipient usually should be contacted right away and asked not to read the email and to delete it. Depending on the sensitivity of the information and the identity of the recipient, the company may wish to ask the recipient to confirm in writing that the email was deleted, that any attachment was not opened, and that the email was not forwarded or shared with anyone else.

Legal counsel should be consulted to determine whether the applicable data breach statutes require notification of the affected individuals, or whether those laws permit the company to perform a risk of harm analysis and conclude that notification is not necessary. Where a risk of harm analysis is permitted, the specific facts usually determine whether individuals must be notified. For example, if an employee of your organization inadvertently sends a data file to client X instead of client Y, but the person who received the file at client X has confirmed in writing that they deleted the file before opening it, made no copies, and did not view its contents, there is a strong argument that the confidentiality and integrity of the file were not compromised. If a state data breach notification statute requires notification only where the data’s confidentiality or integrity has been compromised, notifying the affected individuals may not be required. Conversely, if an employee of your organization inadvertently sends a data file to a former colleague who was terminated for misusing company information, and that recipient is unwilling to verify that she has not opened the file, there may be reason to believe that the confidentiality and integrity of the file were compromised, which in turn may trigger some state breach notification statutes.
TIP: Many errantly sent emails are the result of the “auto-complete” feature available in most email programs, such as Outlook, which fills in a recipient’s address after the first few characters are typed and can silently substitute a similarly named contact. Although this feature is convenient and efficient, your company may want to disable auto-complete on company computers to reduce the chance of sending an email to the wrong recipient. Disabling it addresses only one cause of misdirected email, so where your email system supports it, consider pairing that change with a warning when a message is addressed to an outside recipient, or a short send delay that gives the sender a moment to recall a message.
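The following script is an added example, not part of the original article, showing how an administrator could apply the tip above to a Windows workstation by turning off Outlook’s Auto-Complete suggestions in the registry. It assumes Outlook 2016/2019/Microsoft 365 (registry path version “16.0”) and that the value name `ShowAutoSug` under the Preferences key is the setting behind “Use Auto-Complete List to suggest names when typing in the To, Cc, and Bcc lines”; verify both against your Outlook build before rolling it out. Outlook must be restarted for the change to take effect.

```powershell
# Added example (not from the original article): disable Outlook Auto-Complete
# suggestions for the current user by setting ShowAutoSug = 0.
# Assumptions: Outlook registry version "16.0"; value name ShowAutoSug under
# the Preferences key. Run with -Restore to re-enable the feature.

param(
    [switch]$Restore
)

$officeVersion = '16.0'   # assumption: Outlook 2016/2019/Microsoft 365
$prefKey = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook\Preferences"

# Create the Preferences key if this profile has never set an Outlook option.
if (-not (Test-Path $prefKey)) {
    New-Item -Path $prefKey -Force | Out-Null
}

# 0 disables the Auto-Complete list, 1 (the default) enables it.
$value = if ($Restore) { 1 } else { 0 }
Set-ItemProperty -Path $prefKey -Name 'ShowAutoSug' -Value $value -Type DWord

# Read the value back so the script reports what Outlook will actually see.
$current = (Get-ItemProperty -Path $prefKey -Name 'ShowAutoSug').ShowAutoSug
if ($current -eq 0) {
    Write-Output "Outlook Auto-Complete suggestions are disabled (ShowAutoSug=0). Restart Outlook."
} else {
    Write-Output "Outlook Auto-Complete suggestions are enabled (ShowAutoSug=$current). Restart Outlook."
}
```

For a whole organization, the same setting is better enforced centrally through the Outlook Group Policy templates rather than by running a per-user script, so that a user cannot simply switch the feature back on.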