[BreachExchange] How to Survive an Accidental Emailing Crisis

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 22 18:53:18 EDT 2018


https://www.4hoteliers.com/features/article/11124

Sensitive information is sent via email every single day, and making a
mistake can create serious issues. This post looks at the most common risks
and shares recommendations on how you might react if and when an email
containing sensitive information is sent to the wrong address.

You may have noticed that the number of cases where confidential data is
mistakenly emailed is on the rise. Recent examples include a lawyer
communicating privileged information to the Wall Street Journal and
customer service staff sending an attachment containing private details on
multiple occasions.

As silly as these human errors may sound, they can and do take place in
organizations of all sizes due to a combination of factors such as
negligence, extensive contact lists with confusingly similar names, and
webmail autocomplete.

So what should you do when you or your staff inadvertently communicate
sensitive info to the wrong person via email? This post explores some key
considerations as well as best practices to manage an accidental emailing
crisis and safeguard your reputation.

Is there actually a crisis?

For sure it never looks good when you contact someone by mistake, but that
doesn’t mean your corporate reputation is really at risk. If an email sent
to the wrong recipient and its attachments didn’t contain personal or
commercial information, you might just follow up with a quick note
apologizing. Not very pretty, but probably enough.

But if the message or thread includes details belonging to one or more of
the following categories, then you should start to worry and proactively
plan your crisis response.

- Personally Identifiable Information (PII): Names, social security
numbers, addresses, salary, bank accounts, credit card numbers, etc.
- Commercial details: Contracts, ongoing negotiations, request for
proposals, rates, etc.
- IP assets: Patent applications, trade secrets, research and technological
developments, etc.

What should you do next?

Though chances of success are very thin, try recalling your message
immediately, hoping that the unintended recipient(s) didn’t read it yet.

If that doesn’t work, you may need to report the incident, as data breach
notification involving citizens’ details is mandatory in most US states and
in countries around the world, with failures to comply leading to
substantial fines.

Additionally, you need to define a strategy to mitigate the negative impact
that the crisis could have on all relevant internal and external
stakeholders. Points to consider at this stage include:

- What to communicate and to whom
- How to support affected parties
- Media response and perceptions over time
- Actions to stop further leakage
- Preparation of follow-up responses

How can you prevent and mitigate crises?

Often the best way to deal with a crisis is to take precautionary measures
so it doesn’t happen in the first place. Having strong security policies is
an excellent place to start.

Train new recruits and remind employees regularly about the importance of
double checking recipients — especially when the TO and CC fields contain
external addresses. Also, explicitly require your staff always to verify
whether each attachment is correct before they send or forward it.

Another best practice is to encourage everyone to speak up when they make a
mistake. The longer you or someone in your organization wait before
reporting a potential breach, the worse a crisis is likely to get with each
additional send, forward, and print of the sensitive message — a perfect
illustration of the snowball effect.

Last but not least, you can use technologies to help you better control how
data is being transmitted via email. Email data loss prevention (DLP)
solutions, for example, can help to detect risky email sending behaviors
and add a confirmation layer in the form of a popup window when responding
to many recipients, attaching files containing PII, adding an external
recipient to an email thread, or taking other risky actions.
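The recipient double-check and the DLP confirmation layer described above can be reduced to a small pre-send check. The following Python is an added example written for this post; it is not code from the article, from the list, or from any DLP product. It assumes a hypothetical set of internal mail domains and a recipient threshold, and the sample message it inspects is constructed here (the SSN and the Luhn-valid test card number are placeholders). It flags external To/Cc recipients, oversized recipient lists, and text attachments that carry SSN or card-number patterns, which is exactly the kind of finding a DLP popup would ask the sender to confirm.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumptions (hypothetical, not from the article): the organisation's own
# mail domains, and the recipient count above which a confirmation is wanted.
INTERNAL_DOMAINS = {"example.com"}
MAX_RECIPIENTS = 10

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens; Luhn-checked below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text_for_pii(text: str) -> list:
    """Return the kinds of PII found in a piece of text ('ssn', 'card')."""
    kinds = []
    if SSN_RE.search(text):
        kinds.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            kinds.append("card")
            break
    return kinds


def recipients(msg) -> list:
    """All To/Cc addresses as lower-cased addr-specs."""
    addrs = []
    for field in ("to", "cc"):
        for header in msg.get_all(field, []):
            addrs.extend(a.addr_spec.lower() for a in header.addresses)
    return addrs


def check_outgoing(raw: str) -> list:
    """Pre-send checks on a raw RFC 822 message; returns (code, detail) findings."""
    msg = message_from_string(raw, policy=policy.default)
    rcpts = recipients(msg)
    findings = []
    for addr in rcpts:
        if addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
            findings.append(("external_recipient", addr))
    if len(rcpts) > MAX_RECIPIENTS:
        findings.append(("many_recipients", str(len(rcpts))))
    for part in msg.iter_attachments():
        content = part.get_content()
        if isinstance(content, bytes):  # binary attachment: best-effort text scan
            content = content.decode("utf-8", errors="replace")
        kinds = scan_text_for_pii(content)
        if kinds:
            findings.append(("pii_in_attachment",
                             f"{part.get_filename()}: {', '.join(kinds)}"))
    return findings


def requires_confirmation(raw: str) -> bool:
    """True when the sender should see a confirmation popup before sending."""
    return bool(check_outgoing(raw))


def sample_message() -> str:
    """Constructed test message: one external recipient and a CSV holding PII."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com, Bob Smyth <bob.smyth@partner-corp.example>"
    msg["Cc"] = "carol@example.com"
    msg["Subject"] = "Q1 payroll"
    msg.set_content("Attached as discussed.")
    msg.add_attachment("name,ssn,card\nJane Doe,123-45-6789,4111 1111 1111 1111\n",
                       subtype="csv", filename="payroll.csv")
    return msg.as_string()


if __name__ == "__main__":
    for code, detail in check_outgoing(sample_message()):
        print(f"{code}: {detail}")
```

The check runs on the message the client is about to hand to the MTA, so it sees the final recipient list (including anything autocomplete added) and the attachments actually selected. The Luhn test matters in practice: without it, invoice numbers and phone numbers in a CSV would trigger the popup often enough that staff learn to click through it.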

Summing up

Accidental emailing may not be top of mind when you think of crisis
management, but like any other data breach, it can cause tremendous damage
to your reputation when not tackled adequately.