Simple Email Mistakes That Can Cause Serious Data Security Breaches
Careless human error is one of the main causes of IT problems. Many companies know how disastrous these mistakes can be. As the Ponemon Institute's 2014 Cost of Data Breach Study pointed out, nearly one-third of all data breaches were caused by careless human error.
Email mistakes in particular stand out as significant causes of data breaches. While these mistakes are understandable in many cases, they are still very costly.
Major Examples of Email Mistakes
One notable example of an email mistake that caused a data breach involved the Goldman Sachs investment management firm. In June 2014, a Goldman Sachs contractor accidentally sent a message to a gmail.com email address instead of the corresponding gs.com email address. The latter email address is connected to the company's in-house email network.
The email contained a confidential document, and the mistake sent Goldman Sachs scrambling for a solution. To prevent the gmail.com recipient from opening the message, Goldman Sachs took Google to the New York State Supreme Court. In its petition, the investment management firm said that the message contained "highly confidential brokerage account information" and asked Google to help it prevent a "needless and massive" data breach.
The case was unprecedented, in that Goldman Sachs argued that email senders should have the right to "unsend" an email if it was sent by mistake. In the end, however, the court did not have to rule on the case, since Google voluntarily blocked the recipient's access to the email.
Another noteworthy email mistake occurred in April 2014. An employee at the risk advisor and insurance brokerage firm Willis North America accidentally sent a spreadsheet to a group of employees enrolled in the company medical plan's Healthy Rewards Program. The spreadsheet contained confidential information, including employees' names, email addresses, birthdates, Social Security numbers, employee ID numbers, office locations, and the details of their medical insurance plans.
Willis North America agreed to pay for 2 years of identity theft protection for the 4,830 people affected by the breach. Although the leaked information did not include details about the victims' health conditions or the health information of their dependents, Willis North America was still cited for violating the US Health Insurance Portability and Accountability Act (HIPAA).
A similar incident occurred in September 2013, when a Cisco employee accidentally sent an email to a "sept_training1" mailing list. The list included thousands of other Cisco workers. A large number of these workers replied to the email by asking to be removed from the list, and many of them accidentally clicked "Reply All" when responding to the message. This resulted in millions of unwanted email messages taking up space on Cisco's network. The mistake severely damaged the employees' productivity, and cost the company hundreds of thousands of dollars.
The Costs of Email Mistakes
According to the Ponemon Institute, data breaches caused by careless human error cost companies on average $117 per compromised record. If an email mistake affected thousands of people, as was the case for Willis North America, then it could result in sizable losses. Several issues can cause these high costs.
As the Cisco case showed, losses in productivity can cost a company a significant amount of time and money. Another cost stems from paying for identity theft protection for the victims. Additionally, if the email mistake led to a data breach, then the company could find itself facing lawsuits or punitive fines. Data breaches like these could also reveal sensitive company information to the general public.
Email mistakes, especially those that cause data breaches, can also tarnish a company's reputation, which can lead to lost business opportunities. As one example, Goldman Sachs faced substantial damage to its reputation after its email-related data breach in 2014.
Avoiding Careless Mistakes
To prevent any mistakes, create clear-cut policies and procedures about sending emails, especially those with sensitive information. You'll also need to educate your staff members about the problems caused by carelessly sending emails. Employees are more likely to think twice about sending a message when they know just how costly a mistake can be.
By the same token, you should develop a workplace environment in which employees feel comfortable talking about their IT concerns. By making your staff members feel comfortable about discussing these issues, you can improve the odds that one of them will ask a question that could avert a mistake.
Data loss prevention (DLP) software can also help in this regard. This software can stop employees from sending confidential information by accident. Look to your IT staff or service provider for help when searching for a DLP solution that matches your individual needs.
About the Author
Geoff Stewart is a highly experienced and skilled IT Challenger at Surety IT. His knowledge is based on years of industry experience having created customised, stable, well performing systems both for multi-national companies in the UK and Australia and Surety IT customers.
Surety IT’s mission is to address and overcome the 4 biggest problems businesses have with their IT systems and support, which are: Poorly performing systems, unreliable systems, unresponsive IT support and poor IT related advice.
We’ve developed a proprietary process that allows us to do that by: thoroughly understanding your business requirements, gaining an in-depth knowledge of your IT systems, identifying mission critical technology issues vital to your business performance and ensuring our ‘Solution Path’ process is specifically designed and tailored for you with value based solutions and support.