5 'security excuses' that make each email a potential data breach

It is important that you always send personal data securely. That awareness is increasingly present on the work floor. Nevertheless, ZIVVER directors Rick and Wouter still hear numerous irrational arguments for not applying this rule. Which of these 'security excuses' do they hear most frequently? Wouter discusses them one by one.

 

Security excuse 1: Such a small file does not need security

The size of the data is often decisive. The larger the requested file, the greater the chance that the data will be sent securely. In itself this is logical enough, based on a quick assessment of the consequences of a possible data breach. In the experience of the sender, the risk increases with the amount of data.

The law sees this differently, however: a data breach is a data breach, even if only one person is involved. Furthermore, the new General Data Protection Regulation introduces the possibility that interest groups can approach other concerned parties in order to bring a joint lawsuit. If things go wrong for one patient, the chances are that other patients - without knowing it - also risk becoming a victim.

In addition to a possible claim for damages, reputational damage is inevitable. Conclusion: anyone who sends personal data insecurely because it only involves a small quantity of data is relying on a false argument, with potentially significant consequences.

 

Security excuse 2: The recipient requested the information him or herself 


My mother asked her hospital for a copy of the treatment report from her ophthalmologist. This was promptly sent to her by email, including her name, full address, patient number, insurance number, BSN (citizen service number) and the full treatment report. There was a warning at the bottom of the referral letter: 'Please note, this report may contain a citizen service number.' Anyone who intercepts that email will suddenly know a lot about my mother. The question is also what the function of the warning was at the bottom of the referral letter. Can you ignore it if a recipient has herself requested data?

We also encounter similar situations with notaries and lawyers. At the request of the customer, they often send a copy of a will, a prenuptial contract or purchase deed by email. If the client or patient has asked for it, security is apparently not important. Or maybe we think that the risk of a data breach is borne by the customer if he or she has requested information him or herself? That sounds easy enough. Until the information falls into the wrong hands, of course.

 

Security excuse 3: You do not need security for colleagues


If you send a colleague an email, you often do not immediately think of security. After all, the risk that sensitive information will end up in the public domain is smaller when using internal email. Unfortunately, this is not a criterion for the law: an email with sensitive information must always be sent securely, even if it remains inside the organisation. As soon as personal data comes to the attention of someone who did not have permission or a need for this, a data breach has occurred.

Moreover, plenty of painful scenarios involving leaked internal information are imaginable. No employer would like to see information about salaries, reorganisations, treatment plans or test results, for example, reach the wrong employee. Prevention is better than cure. We know of cases involving an internal leak about salary data. The managers involved had to sign several confidentiality declarations and prove that the data had not been stored anywhere. The first is annoying, but think how complicated it would be to prove that you did not do something ...

 

Security excuse 4: The recipient ensures good security


Municipalities and other parties must regularly share information with the police. This takes place remarkably often by unsecured email. An important motivation is the conviction that 'the police have undoubtedly got their security in order'. The same idea applies to any other party whose security you, as sender, assume to be sound. This is misguided logic, even apart from the question of whether you are certain that everything is really in order. Even if you send an email to an extremely secure recipient, someone can intercept that information along the way, with all the undesirable consequences that entails. And if you accidentally send the email to the wrong recipient (who does not work for the police), then you are really looking at a data breach.

 

Security excuse 5: The recipient probably doesn't want all that extra hassle


Healthcare professionals, civil servants and lawyers often find it difficult to burden their clients with 'extra hassle'. You often see them making an estimate: how many clients or patients will be irritated by this, or will not open this email because they have to take an extra step? That estimate is irrational. If one out of one hundred recipients has complained in the past, many people wrongly project this experience onto the 99 other recipients who did not make a fuss. In fact, you are then selling short the many recipients who appreciate the secure handling of their sensitive data!

And as with the previous considerations, the law, journalists, customers and chain partners have little sympathy for this. Anyone sending personal data must always know the risks and take measures him or herself. Excuses never help limit reputational damage, or help avoid a high fine.

 

GDPR Checklist

This blog gives you an idea of what is involved in secure emailing. It is an important part of the GDPR. Our checklist contains all the steps you need to take to achieve GDPR compliance. The document addresses in greater detail matters such as drafting a processor's agreement, obtaining permission for the processing of personal data, the security measures to be taken and the obligation to report data leaks.
