Twenty-nine personal data breaches were reported to Guernsey’s Office of the Data Protection Authority (ODPA) in the two months leading up to 28 February 2021; approximately half of these were due to emails being sent to incorrect recipients.
Overall, from the latest statistics, 16 breaches (55% of the total) related to data sent to the incorrect recipient by email. Six incidents (20% of the total) were due to data being sent to an incorrect recipient by post. The total reported remains broadly consistent with previous reporting periods in both the number and the type of breaches. The 29 breaches were reported by organisations from a range of sectors.
Understanding the reality of the risk is not an optional extra, it is critical
The ODPA wishes to highlight possible misconceptions about sending emails to an incorrect recipient: this is a very common occurrence and a universal issue. An email going to the wrong person(s) isn’t always a breach, and therefore these incidents do not necessarily have to be reported to the ODPA. It depends on the context in which the email was sent, the email’s contents, and whether the circumstances pose a risk to someone.
Many emails that go astray contain no personal data (‘any information about, or related to, an identified, or identifiable, living person’) and therefore pose no data protection/privacy risk to anyone. In those cases the data protection law would very likely not apply and you would not be legally obliged to report the incident to the ODPA.
If in doubt, speak to your Data Protection Officer (if you have one) or call the ODPA for advice.
Cyber incidents have been prominent in the news recently because of a security flaw affecting some Microsoft Exchange email servers. All Bailiwick organisations that run an ‘on-premise’ (as opposed to cloud-based) installation of Microsoft Exchange are encouraged to seek advice from their information security provider or a cyber security expert if they have not already done so.
It is important to remember that cyber incidents come in all shapes and sizes: global and indiscriminate incidents, like the Microsoft issue, grab headlines, but small-scale, targeted attacks can be just as damaging.
The ODPA has recently been made aware of a targeted phishing attack on a local company in which the company’s email account was compromised and a customer was sent a legitimate-looking message asking them to pay the company using different bank details.
The Bailiwick’s Data Protection Commissioner, Emma Martins, commented: “These high-profile attacks serve to remind us all of the importance of being informed, prepared and vigilant.
“Businesses in all sectors are increasingly reliant on data and once we start to better understand its value, we will more positively engage with the need to ensure appropriate protections. It is essential to build those protections into hardware and software systems as well as operational and administrative processes.
“Data security is a collaborative effort for the entire organisation, however large or small. Understanding the reality of the risk is not an optional extra; it is critical. The threat landscape is increasingly complex and highlights the importance of contracting with providers that can provide trusted and responsive advice and support.
“Investing in and maintaining high standards of data security has become a fundamental part of running any business. Taking data governance and security seriously will reap rewards for businesses; failing to do so has the potential to do irreparable damage to them.”