Business person sitting at a laptop computer holding an illustrated illuminated letter with multiple other letters flying into the screen (to indicate that they're being sent)

Email Snafu – What to Do If You Send Personal Information to the Wrong Email

The OAIC’s latest reporting shows that 33% of human error data breaches in Australia are the result of someone emailing personal information to the wrong person. So, what should your team do if this email snafu arises?  

5 Steps to Follow Immediately If You Send Personal Information to the Wrong Email

  1. Recall the email, if possible.  
  2. Note the time and date of sending.  
  3. Email the recipient(s) and ask that they not read, save or forward the information in the email. You should also ask that they delete the email from their systems (including any backup system) and confirm that they have done so.  
  4. Require employees to notify a manager or supervisor, as soon as possible.  
  5. Implement your data breach response plan.  

Your data breach response plan should identify common causes of data breaches and lay out specific steps to take in that instance. Given the high instance of emails being sent to the wrong recipient, this event should have a specific plan laid out long before your first breach occurs.  

Read our tips to communicating better following a data breach. 

Sensitive Information Should Be Strongly Protected, Always 

There are many methods organisations can adopt to protect sensitive information shared via email.  

Implement Policies – And Ensure Your Team Knows Them. 

The first is to reduce the volume of sensitive information being shared by email to what is strictly necessary. You should have clear policies in place about what sensitive information can be shared by email and in which circumstances. Your team should be trained on these policies, as well as the key role they place in protecting the personal and sensitive information the organisation holds. Team members should be regularly reminded of these policies, too.  

Encrypt Your Emails During Transmission. 

This should be a standard procedure at every organisation.  

Implement Measures to Ensure Only the Intended Recipient Can Access Sensitive Information. 

There are countless measures you can implement to reduce the risk of an unintended recipient being able to access sensitive information. Some of the more common measures include:  

  • Sending the information via the cloud (with access control), instead of as an attachment.  
  • Requiring the recipient to enter a password to access the information.  
  • Removing a recipient’s ability to download, forward, or cut and paste the information.  
  • Implementing a customer portal that requires recipients to log in to view their documents instead of sharing them via email.  

Quick Tips to Reduce the Risk of Sending An Email with PI To The Wrong Recipient

Create a Culture of Double-Checking Emails.  

It pays to encourage your team to slow down when they send emails. Your organisation should create a culture of double-checking content before anyone hits send.  

At a minimum, your users should double-check:  

  • The recipient; 
  • The recipient’s email address; and 
  • Any attachment is the correct attachment (including by opening the attachment in case there has been a system or naming error). 

There are technologies that allow you to ‘prompt’ your team to check each of the above before hitting send. If you’re concerned about a data breach occurring this way, it’s worth implementing these technical measures.  

Delay your emails.  

We’ve found it is relatively common for users to hit send and then immediately realise there is an error in the email.  

You can set Outlook to send emails after a ‘delay’ of up to two hours. This delay feature helps to reduce the incidence of these email errors.  

 If you need help developing your data breach plan or implementing measures to reduce your organisation’s privacy risk, reach out. Our team of privacy consultants is here to help.  

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.