5 'security excuses' that make each email a potential data breach

It is important that you always send personal data securely. That awareness is increasingly present on the work floor. Nevertheless, ZIVVER directors Rick and Wouter still hear numerous irrational arguments for not applying this rule. Which of these 'security excuses' do they hear most frequently? Wouter discusses them one by one.

Security excuse 1: Such a small file does not need security

The size of the data is often decisive. The larger the requested file, the greater the chance that the data will be sent securely. In itself this is logical enough, based on a quick assessment of the consequences of a possible data breach. In the experience of the sender, the risk increases with the amount of data.

The law sees this differently, however: a data breach is a data breach, even if only one person is involved. Furthermore, the new General Data Protection Regulation introduces the possibility that interest groups can approach other concerned parties in order to bring a joint lawsuit. If things go wrong for one patient, the chances are that other patients - without knowing it - also risk becoming a victim.

In addition to a possible claim for damages, reputation damage is already inevitable. Conclusion: anyone who sends personal data insecurely because it only involves a small quantity of data is relying on a false argument with potentially significant consequences.

Security excuse 2: The recipient requested the information him or herself
My mother asked her hospital for a copy of the treatment report from her ophthalmologist. This was promptly sent to her by email, including her name, full address, patient number, insurance number, BSN (citizen service number) and the full treatment report. There was a warning at the bottom of the referral letter: 'Please note, this report may contain a citizen service number.' Anyone who intercepts that email will suddenly know a lot about my mother. The question is also what the function of the warning was at the bottom of the referral letter. Can you ignore it if a recipient has herself requested data?

We also encounter similar situations with notaries and lawyers. At the request of the customer, they often send a copy of a will, a prenuptial contract or a purchase deed by email. If the client or patient has asked for it, security is apparently not important. Or maybe we think that the risk of a data breach is borne by the customer if he or she has requested the information him or herself? That sounds easy enough. Until the information falls into the wrong hands, of course.

Security excuse 3: You do not need security for colleagues
If you send a colleague an email, you often do not immediately think of security. After all, the risk that sensitive information will end up in the public domain is smaller when using internal email. Unfortunately, this is not a criterion for the law: an email with sensitive information must always be sent securely, even if it remains inside the organisation. As soon as personal data comes to the attention of someone who did not have permission or a need for this, a data breach has occurred.

Moreover, there are enough painful scenarios imaginable involving leaked internal information. No employer would like to see information about salaries, reorganisations, treatment plans or test results, for example, reach the wrong employee. Prevention is better than cure. We know of cases involving an internal leak of salary data. The managers involved had to sign several confidentiality declarations and prove that the data had not been stored anywhere. The first is annoying, but think how complicated it would be to prove that you did not do something ...

Security excuse 4: The recipient surely has good security
Municipalities and other parties must regularly share information with the police. This takes place remarkably often by unsecured email. An important motivation is the conviction that 'the police have undoubtedly got their security in order'. The same idea applies to other parties whose security you, as sender, assume to be sound. This is misguided logic - even apart from the question of whether you are certain that everything is really in order. Even if you send an email to an extremely secure recipient, someone can intercept that information along the way, with all the undesirable consequences that entails. And if you accidentally send the email to the wrong recipient (who does not work for the police), then you are certainly looking at a data breach.

Security excuse 5: The recipient probably doesn't want all that extra hassle
Healthcare professionals, civil servants and lawyers often find it difficult to burden their clients with 'extra hassle'. You often see them making an estimate: how many clients or patients will be irritated by this, or will not open this email because they have to take an extra step? That estimate is irrational. If one out of one hundred recipients has complained in the past, many people wrongly project this experience onto the 99 other recipients who did not make a fuss. In fact, you are then selling short the many recipients who appreciate the secure handling of their sensitive data!

And as with the previous considerations, the law, journalists, customers and chain partners have little understanding for this. Anyone sending personal data must always know the risks and take measures him or herself. Excuses never help to limit reputational damage, or to avoid a high fine.

GDPR Checklist

This blog gives you an idea of what is involved in secure emailing. It is an important part of the GDPR. Our checklist contains all the steps you need to take to achieve GDPR compliance. The document addresses in greater detail matters such as drafting a processor's agreement, obtaining permission for the processing of personal data, the security measures to be taken and the obligation to report data leaks.
