Managing Personal Information Shared By Email
Data breaches caused by human error in email are extremely common. The convenience, familiarity, and relative informality of email mean that your team isn't always as careful when handling personal information through email as they would be elsewhere.
Customer inquiries, complaints and support requests often involve the disclosure of personal information (you can’t usually ask a chatbot for help without entering a swathe of personal information). Then, there’s internal matter management and business operations ‘as usual’ and the high volumes of personal information sharing that can come with that.
But a haphazard approach to personal information management through email comes with risks and costs. Given that security of personal information is currently an OAIC regulatory priority, it also currently comes with an increased risk of enforcement. We've outlined technical measures, training, and policies that can help your organisation manage these risks.
A Common Scenario
In its July-December 2023 Data Breach Report, the Office of the Australian Information Commissioner (OAIC) noted the following scenario highlighting the dangers of lax privacy hygiene in email management:
A health service provider experienced a phishing attack that resulted in unauthorised access to the contents of multiple email accounts.
The health service provider collected a large volume of personal and sensitive information via its email accounts, meaning there was a significant number of records that required review after the breach. The health service provider did not have a data retention policy governing the storage and destruction of information collected via its email accounts. The email accounts contained historical personal information that the entity no longer required and personal information that was already captured in another record management system.
This led to a costly exercise of engaging a third-party service provider to analyse the unstructured data held within the compromised email accounts. It caused lengthy delays in conducting a data review to identify what personal information was compromised.
Had the health service provider established and operationalised a data retention policy, it would more likely have turned its mind to whether it needed or was required to retain the historical personal information in the compromised email accounts. Had the health service provider taken the further step of destroying any personal information it no longer needed or was required to retain, it would have reduced the scale and cost of the data breach.
This approach to email management is extremely common. And, at the same time, email is a common target for cyber criminals. So, better privacy hygiene for business email should be towards the top of the list of priorities for boards and managers in Australia.
Tips To Improve Privacy In Email Management
Given how widespread the practice of sharing personal information in organisational emails is, managing it requires a multi-pronged approach – through policies, training, and technical measures.
Organisational Policies
Data Retention Policies
The data you collect and store should usually be kept only for as long as it serves the business purposes for which it was collected, or for as long as you need it to meet your legal and compliance obligations. Beyond this, you should have data retention policies in place to ensure it's deleted, destroyed, or de-identified.
While every organisation’s needs are different, these are some general rules of thumb for emails that are usually safe to delete by default:
- Meeting reminders
- Room bookings
- Event bookings (tagging any that must be kept for longer periods)
- Multiple emails in the same email chain (keep only the last email)
- Duplicate copies of information (including email attachments that are stored elsewhere)
- General notices to staff
- Personal or social emails.
Email Use Policies
Avoiding personal information sharing in email wherever possible is a good practice. Here are some measures you should include in your email use policies:
- One email chain = one subject
- Do not mix personal email use with organisational emails
- Do not share personal information with employees via email, other than information required by human resources
- Avoid asking for unnecessary personal information in email communications.
- Regularly review and delete emails containing personal data that is no longer needed.
You should also create policies relating to how and when employees can share personal information when needed. Ideally, personal information would be shared only via links with a login required to access it.
Privacy Training
Since human error is such a significant risk when it comes to data breaches, training is a worthwhile investment. Here’s what your team should learn and receive regular updates on:
- Strong passwords and password hygiene
- What constitutes personal information
- When personal information can be shared, and how to share it
- What can and should be deleted, and when
- What to do if they accidentally share personal information by email
- How to avoid common mistakes (such as using CC instead of BCC).
They should also receive refresher training on your email management policies, including appropriate email use and data retention.
Finally, it’s helpful to make it clear how your team can ask questions and receive support. This can help to create a culture of privacy awareness and hygiene, as well as allowing your organisation to identify any blind spots, common questions, and areas for improvement.
Technical and Security Measures
There are a host of available technical security measures that can be deployed to make your email management more secure and to reduce your risk of a data breach. We think that every email account within your organisation should be protected by multifactor authentication, since it’s affordable and offers significant protections.
From there, you may also consider a combination of the following measures (amongst others):
Email Encryption
- Transport Layer Security (TLS): Ensure TLS is enabled and enforced for all incoming and outgoing emails to protect data in transit. Note that TLS only protects messages while they travel between mail servers; it does nothing for mail sitting in a mailbox that an attacker has gained access to, as in the scenario above.
- End-to-End Encryption (E2EE): Consider implementing E2EE solutions like PGP or S/MIME for highly sensitive communications, ensuring only the sender and intended recipient can decrypt the content.
Access Controls and Authentication
- Strong Passwords & Multi-Factor Authentication (MFA): Enforce complex passwords and implement MFA for all email accounts to prevent unauthorised access.
- Role-Based Access Control (RBAC): Restrict access to sensitive emails based on employee roles and responsibilities using RBAC.
- Regular Password Audits: Conduct periodic password audits to identify weak or compromised passwords and enforce updates.
Data Loss Prevention (DLP)
- Email Content Filtering: Deploy DLP solutions to scan outgoing emails for sensitive information (e.g., PII, financial data) and block or quarantine them if necessary.
- Keyword and Pattern Matching: Configure DLP to detect specific keywords, patterns, or regular expressions that may indicate sensitive data leakage.
- Policy-Based Controls: Implement DLP policies to enforce data handling rules and prevent unauthorised sharing of sensitive information.
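As an added illustration of the pattern-matching and policy checks described above (example code written for this post, not any vendor's DLP product), the following Python scans one outbound message for Australian Tax File Numbers and payment card numbers, validating each candidate with its checksum so that ordinary reference numbers are not flagged, and also flags a long list of visible external recipients, the CC-instead-of-BCC mistake mentioned under Privacy Training. The internal domain, the recipient limit and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com.au"  # assumed: the organisation's own domain
CC_LIMIT = 5                        # assumed policy: max external addresses visible in To/Cc
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
CANDIDATE = re.compile(r"\b(?:\d[ -]?){8,15}\d\b")  # runs of 9-16 digits, spaces/dashes allowed

def is_tfn(digits: str) -> bool:
    """Australian Tax File Number: 9 digits whose weighted sum is divisible by 11."""
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (13-19 digits)."""
    if not 13 <= len(digits) <= 19:
        return False
    # Double every second digit from the right; subtract 9 if the doubled value exceeds 9
    total = sum(int(c) if i % 2 == 0 else int(c) * 2 - 9 * (int(c) > 4)
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0

def scan_message(raw: str) -> list[str]:
    """Return DLP findings for one outbound RFC 5322 message (plain-text parts only)."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    findings = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if is_tfn(digits):
            findings.append("tfn:" + digits[-3:])      # record a suffix only, never the full value
        elif luhn_ok(digits):
            findings.append("card:" + digits[-4:])
    visible = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in visible if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if len(external) > CC_LIMIT:                        # looks like CC where BCC was intended
        findings.append(f"cc-exposure:{len(external)}")
    return findings

# Constructed sample message (not a real email); the TFN and card number are test values
SAMPLE = """\
From: clerk@example.com.au
To: patient1@mail.test, patient2@mail.test
Cc: p3@mail.test, p4@mail.test, p5@mail.test, p6@mail.test, p7@mail.test

Hi all, TFN is 123 456 782 and card 4111 1111 1111 1111.
Ref number 123456789 is just a ticket id.
"""
```

Calling scan_message(SAMPLE) returns ['tfn:782', 'card:1111', 'cc-exposure:7']; a real deployment would quarantine the message and notify the sender rather than just return the list.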
Email Security
- Anti-Phishing and Anti-Malware: Use robust email security solutions with advanced threat detection capabilities to identify and block phishing emails, malware, and other malicious attachments.
- Secure Email Gateways: Implement secure email gateways to filter inbound and outbound email traffic for spam, viruses, and other threats.
- Email Archiving: Use secure and compliant email archiving solutions to retain emails for legal and regulatory purposes while ensuring proper data retention and disposal.
Improved Privacy Hygiene With Privacy 108
If your organisation could benefit from improved privacy hygiene, reach out. Our team would love to work with you.