In the lead-up to the General Data Protection Regulation (GDPR) coming into force, many organizations are scrambling to strengthen their defenses against cyberattacks and hackers. In most cases, however, it’s far more likely that information will leak unintentionally.
The Information Commissioner’s Office (ICO) found that, of all data breaches reported between January and March of this year, 37% were a result of information being sent to the wrong recipient. This can be a staff member sending an email to the wrong person, or attaching the wrong document and exposing sensitive information. To be compliant with GDPR, it is just as crucial that organizations ensure data is managed and protected against accidental disclosure as it is that they shield it from cybersecurity threats.
What is Accidental Information Disclosure?
Accidental Information Disclosure (AID) is the unintentional release of sensitive information outside an organization, usually because of human error. Sending an email to the wrong person—particularly when that email contains confidential or sensitive information—can put an organization’s reputation on the line. In order to be compliant with GDPR, businesses need to have security measures in place to protect personal data from being leaked unintentionally.
How AID Can Impact an Organization under GDPR
Under GDPR, organizations face fines of up to 4% of global revenue or €20 million, whichever is larger, if they fail to adequately manage and protect the personal data of EU citizens. For example, if a staff member were to send an email containing a spreadsheet of client details to the wrong person, this is considered inadequate data management and protection. Someone other than the client or the organization that lawfully captured their personal data for a business purpose now has access to sensitive information like addresses, bank account details, and National Insurance Numbers. That organization will then be subject to the same fines as if it were a victim of a cyberattack.
Metadata and Accidental Information Disclosure
It’s not just the information on the surface of an email attachment that can result in accidental disclosure. Each document created in a Microsoft® Office® program contains metadata, showing everything from total editing hours to tracked changes, author name, and date created. Though seemingly innocent, this metadata can be damaging—not to mention embarrassing—if it reaches the wrong person.
DocsCorp conducted a survey of small and medium-sized enterprise (SME) owners in the U.K. to learn how prepared they were for GDPR. 30% of the business owners surveyed said they didn’t know about metadata, putting them at risk of breaching GDPR unintentionally, since they are unaware of what information they are sending outside the business.
Remote Working Can Increase the Chances of Data Leaks
Our SME survey also found that 58% of businesses polled allow their staff to work remotely occasionally or, in some cases, permanently. This means that the stringent security measures organizations use must go beyond the desktop and cover data handled both inside and outside the company’s network. Large organizations usually have remote staff work through Citrix or other thin-client technology, so security is as strong as it is inside the network. Others will be working from employer-provided laptops, which will also most likely be adequately secured. Small firms are at the greatest risk of having loose security measures in place and must take the necessary steps to close any gaps in their security.
How To Protect against Accidental Information Disclosure
Using a metadata cleaning tool is the simplest way to minimize the chance of accidental leaks happening. A solution that integrates directly with your email is the best form of defense, since it can scrub attachments of metadata before they leave the organization. A metadata scrubber can remove any hidden cells or embedded objects, as well as tracked changes and comments. The metadata cleaning step also helps users slow down and take the time to double-check email recipients and attachments.
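As an added illustration of what a scrubber has to find and remove, written for this article and not code from DocsCorp or from the original piece: a Python script builds a constructed .docx package in memory, reports the author, tracked changes, deleted text and comments a recipient could recover from it, then strips them while keeping the visible text. The part and element names are those of the Office Open XML format; the sample content is invented, and the package is reduced to the parts the demo needs.

```python
import io
import re
import zipfile

# Constructed minimal .docx parts for this demo (assumption: a real package also carries
# [Content_Types].xml and relationship parts, which a production scrubber must update as well).
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PARTS = {
    "docProps/core.xml": '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/'
        'core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>Jane Example</dc:creator></cp:coreProperties>',
    "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Offer price: </w:t></w:r>'
        '<w:del w:id="1" w:author="Jane Example"><w:r><w:delText>15000</w:delText></w:r></w:del>'
        '<w:ins w:id="2" w:author="Jane Example"><w:r><w:t>12000</w:t></w:r></w:ins></w:p></w:body></w:document>',
    "word/comments.xml": f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Jane Example">'
        '<w:p><w:r><w:t>Client will go as low as 10000</w:t></w:r></w:p></w:comment></w:comments>',
}

def build_sample_docx() -> bytes:  # zip the constructed parts into an in-memory .docx package
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in PARTS.items():
            z.writestr(name, xml)
    return buf.getvalue()

def inspect_docx(data: bytes) -> dict:
    """Report what a recipient could recover from the package beyond the visible text."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = {n: z.read(n).decode() for n in z.namelist()}
    doc = parts.get("word/document.xml", "")
    author = re.search(r"<dc:creator>([^<]*)</dc:creator>", parts.get("docProps/core.xml", ""))
    return {
        "author": author.group(1) if author else "",
        "visible_text": "".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", doc)),
        "tracked_changes": len(re.findall(r"<w:(?:ins|del)\b", doc)),
        "deleted_text": "".join(re.findall(r"<w:delText[^>]*>([^<]*)</w:delText>", doc)),
        "has_comments": "word/comments.xml" in parts,
    }

def scrub_docx(data: bytes) -> bytes:
    """Copy the package with the author blanked, revisions accepted and the comments part dropped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name == "word/comments.xml":
                continue  # a real scrubber also removes comment references, the relationship and the content type
            xml = src.read(name).decode()
            if name == "docProps/core.xml":
                xml = re.sub(r"<dc:creator>[^<]*</dc:creator>", "<dc:creator/>", xml)
            elif name == "word/document.xml":
                xml = re.sub(r"<w:del\b.*?</w:del>", "", xml, flags=re.S)  # deleted text must not survive
                xml = re.sub(r"</?w:ins\b[^>]*>", "", xml)  # keep the inserted runs, drop the revision marker
            dst.writestr(name, xml)
    return out.getvalue()
```

Run `inspect_docx` on the output of `scrub_docx` to confirm that only the visible text remains; the earlier offer price, the author and the comment are gone.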
Email recipient checking is an incredibly important security measure to have in place. The ICO found that 37% of all reported data breaches between January and March of 2017 were due to information being sent to the wrong recipient. Don’t run the risk of being fined millions. Ensure you have the right software before the May 2018 compliance deadline and protect your business from breaching GDPR.
This article was originally published in the November 2017 edition of PortrAIT Magazine.