How To Reduce The Risk Of Your Team Sending Personal Information to The Wrong Person
We know that human error breaches are one of the largest causes of data breaches in Australia, and many of those result from team members sending personal information to the wrong person. Luckily, there are a host of technical and training measures you can take to reduce these risks for your organisation.
- If you’re new to this topic, we recommend reading our earlier post about what to do if you email personal information to the wrong person and what the penalties might be for a data breach from emailing sensitive information to an incorrect recipient. We walk through some of the basics in those articles, like having delayed email sending on within your organisation and creating a culture of double checking the recipients before sending.
Technical Measures to Reduce The Risk of Accidental Disclosures
Fortunately, there are a host of technical measures you can use to reduce the risk of accidental disclosures of personal information. Here are some of the most common and most effective:
‘Outside Your Organisation’ Notifications on Email
Highlighting when information is going to be sent outside of your organisation serves as a visual reminder to use additional caution when sending personal information – or confidential company information, for that matter.
This setting is easily configured by organisation admins within the Microsoft and Google email environments.
Share External Communications Through Stakeholder Portals or Access-Controlled Online Folders
We strongly encourage you to set up customer or stakeholder portals to better manage how your organisation communicates with those externally. Whether you’re a university sending out letters regarding scholarships, or a bank sharing information about a person’s account, sharing information through a secure portal can drastically reduce the risk of a data breach via email.
If your operation is a little less sophisticated, you can also simply set up folders within SharePoint or Google Drive (or any other document management platform) and restrict access to the specific customer. Once you’ve finalised the communication to a third-party, you can move it to the specific folder and alert the person that there’s a new document waiting for them.
While you still need to train your team on processes to ensure the right documents end up in the right folders, you maintain greater control over what customers can do with the documents they access (i.e. whether they can download them) and gain insight into what has happened to those documents.
Email Filtering & Data Loss Prevention Systems
You can use tools that automatically scan and quarantine emails containing complete sets of personal information, for example a full phone number, date of birth, licence number, or Tax File Number. These emails can be held before they leave your organisation and subjected to additional scrutiny, including whether they need to be sent at all.
As a general rule, it’s a poor practice to manage personal information like this directly in email communications.
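To show what that scanning step looks like in practice, here is an added example (it is not code from this post, nor from any vendor's DLP product) of a minimal outbound-mail check in Python. It matches complete Australian identifiers only (a full Tax File Number validated with the ATO's check-digit rule, a full Australian phone number, a full date of birth), treats the internal domain `example.org` and the sample messages as constructed assumptions, and returns a handling decision rather than sending anything. It flags a message carrying identifiers to an internal recipient too, reflecting the point above that personal information of this kind should not be managed directly in email at all.

```python
import re
from dataclasses import dataclass

# Weights for the ATO Tax File Number check digit: the weighted sum of the
# nine digits must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Patterns for *complete* identifiers. A bare year or a partial number is
# deliberately not matched, so ordinary business text is not quarantined.
TFN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
AU_PHONE_RE = re.compile(r"(?:\+61[ -]?|\b0)[2-478](?:[ -]?\d){8}\b")
DOB_RE = re.compile(r"\b(?:0?[1-9]|[12]\d|3[01])/(?:0?[1-9]|1[0-2])/(?:19|20)\d{2}\b")


def is_valid_tfn(digits: str) -> bool:
    """True if a 9-digit string passes the TFN check-digit test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_identifiers(text: str) -> dict[str, list[str]]:
    """Scan free text and return complete identifiers found, grouped by type."""
    found: dict[str, list[str]] = {"tfn": [], "phone": [], "dob": []}
    for m in TFN_RE.finditer(text):
        digits = "".join(m.groups())
        if is_valid_tfn(digits):  # a 9-digit run is only a TFN if the checksum holds
            found["tfn"].append(digits)
    found["phone"] = [m.group(0) for m in AU_PHONE_RE.finditer(text)]
    found["dob"] = [m.group(0) for m in DOB_RE.finditer(text)]
    return {kind: values for kind, values in found.items() if values}


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def is_external(address: str, internal_domain: str) -> bool:
    """Recipient is external unless it is on the organisation's own domain."""
    return not address.lower().endswith("@" + internal_domain.lower())


def assess(msg: Message, internal_domain: str) -> dict:
    """Decide how an outbound message should be handled before it is sent."""
    external = [r for r in msg.recipients if is_external(r, internal_domain)]
    hits = find_identifiers(msg.subject + "\n" + msg.body)
    if external and hits:
        action = "quarantine"        # personal information leaving the organisation
    elif hits:
        action = "flag-for-review"   # internal, but still personal data in email
    elif external:
        action = "warn-external"     # the 'outside your organisation' reminder
    else:
        action = "allow"
    return {"action": action, "external_recipients": external, "identifiers": hits}


# Constructed sample data for this example; the domain and all values are made up.
INTERNAL_DOMAIN = "example.org"
SAMPLES = [
    Message("alice@example.org", ["bob@example.org"], "Payroll query",
            "Bob, can you check the TFN 123 456 782 on file for this staff member?"),
    Message("alice@example.org", ["client@mail.example"], "Your application",
            "Hi, confirming your details: DOB 14/03/1988, mobile 0412 345 678."),
    Message("alice@example.org", ["client@mail.example"], "Meeting",
            "Are you free Tuesday at 2pm? Our reference is 123 456 789."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.subject, "->", assess(sample, INTERNAL_DOMAIN))
```

Running the block prints `flag-for-review` for the first message (a valid TFN sent internally), `quarantine` for the second (a date of birth and a mobile number going to an external address), and `warn-external` for the third, whose nine-digit reference number fails the TFN checksum and so is not treated as personal information. A production DLP system applies many more patterns and context rules than this, but the shape of the decision is the same.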
Secure Mail Handling Procedures
Finally, if your organisation sends physical mail containing personal and/or sensitive information, it’s worthwhile considering the use of secure mail services, including signature requirements through an in-person drop-off.
Empowering Your Human Resources To Reduce Data Breach Risks
While technical measures are important and should absolutely be in place in your organisation, training and empowering your team is vital. Here’s what the OAIC said on this topic in its January-June 2024 Data Breach Report:
“Mitigating the risk of the human factor as a root cause of data breaches involves not only reducing opportunity for errors with technical measures, but also educating staff. All staff should be aware of their privacy and security obligations.
Reasonable steps entities can take include:
- prioritising training staff on secure information handling practices
- holding regular training to keep staff up to date on the latest techniques used by threat actors and methods to detect phishing attempts
- minimising access to personal information to staff who require access to enable the entity to carry out its functions and activities
- proactive monitoring to identify possible unauthorised access by internal and external parties.”
In addition to regular, customised training, here are some good practices for keeping privacy and security top of mind for your team:
Improve Emotional Intelligence
We quite like this tip as it can improve your operations beyond privacy and security. It also really emphasises the ‘human’ aspect of your operations, which is really important – given that your human resources represent the biggest risk to your organisation’s data.
Offering emotional intelligence micro-learning opportunities for your team is a valuable way to help them upskill professionally and reduce the risk of privacy and security breaches. A critical aspect of emotional intelligence is being able to recognise when feelings of stress, fatigue, or being rushed crop up. When your team is aware that they are feeling a certain way, they are in a better position to manage those feelings.
- If they’re feeling stressed or rushed, they can take a breath, dig into what’s driving those feelings, and request support or delegate work, instead of trying to rush through it all (which is when mistakes are likely to happen).
- If they’re tired, they can take a brain break, go outside for a walk, or focus on work that only involves internal contact, which can reduce the risk of a data breach.
Plus, it can help your team to identify phishing emails and other security risks. Emotionally intelligent workers may be better equipped to identify cyber threats that rely on human psychology – including a sense of urgency or playing to a person’s fears.
Focus on “Why” Data Breaches Matter
Again, we love that this tip focuses on the human side of privacy and security. The penalties, organisational reputation and the hit to the bottom line are important considerations, but at the end of the day, if your team shares someone’s personal and/or sensitive data with someone they shouldn’t have, it can feel quite violating for that person.
People who are victims of data breaches, whether that’s through human error or ransomware, regularly report feelings of helplessness, lack of control, fear, and anger.
During our corporate trainings, we regularly encourage trainees to consider how they would feel if they found out their data had been handled a certain way as a guide for whether certain privacy practices are okay (or not). This takes the privacy and security considerations beyond just numbers and letters on a screen and really emphasises that there are real humans behind the data.
We’ve found that when your team is reminded of the humans behind the data breach, the preventative measures feel less burdensome or ‘over the top’. It also encourages team members to become advocates for data security and to think critically about what they’re doing day-to-day.
Regular Scenario-Based ‘Drills’
We encourage organisations to regularly run realistic, role-relevant scenarios so their teams can practise what to do if a data breach occurs.
We love this approach because it can be handled at the supervisor/employee level, with supervisors creating realistic scenarios and having their team walk through what they would do in that instance. And it’s a relatively low-cost, low-barrier way to keep privacy top of mind.
Plus, these scenarios can be used to identify gaps in training and opportunities for increased technical measures before a data breach occurs.
Need help managing your organisation’s data? Reach out. Our team of privacy consultants is ready and able to help with cost-effective, tailored privacy training and to improve your organisation’s privacy posture. Get in touch via our online form.
Keen to get twice monthly privacy updates from us? Subscribe to our newsletter!
We share a monthly roundup of privacy news from Australia and around the globe, plus a monthly mailout sharing our blog posts and information about upcoming trainings, so you’re always in the know.