With email being one of the most common forms of communication, it is not surprising that inboxes accumulate thousands of messages that are not always filed or deleted (not ours, of course).
As the Office of the Australian Information Commissioner (OAIC) notes in its most recent report on notifications received under the Notifiable Data Breaches (NDB) scheme, email accounts are frequently used as a storage system, and that carries inherent risk. It is convenient, but using email to send personal information such as copies of passports, bank account details and credit card numbers quickly loses its appeal once the account is compromised. If a mailbox is accessed by a malicious actor through a phishing attack, or by a rogue employee, everything stored in it is exposed, and the end result can be exploitation of that information for criminal gain.
If your organisation insists on receiving or sending information by email, there are ways to reduce the risks, such as:
- regularly deleting emails that contain personal or sensitive information once it is no longer needed;
- automatically archiving older emails to a store that a compromised mailbox login cannot reach;
- automatically purging the Deleted Items folder, so that "deleted" emails do not linger; and
- password protecting or encrypting documents that contain sensitive information before sending them by email, with the password or key shared through a separate channel (for example by phone or SMS) rather than in the same email thread.
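The first of those measures only works if someone can find the emails that are past their retention period and actually contain sensitive data. The script below is an added example, not code from the original article or from the OAIC; it is a stdlib-only Python retention scan that parses raw messages (or an mbox file), keeps only those older than a configurable retention period, and flags the ones whose body carries a Luhn-valid card number or a passport-style identifier. The sample messages, the 90-day retention period, the `NOW` timestamp and the passport pattern (one or two capital letters followed by seven digits) are constructed assumptions for the demonstration; real deployments would tune the patterns to the identifiers the organisation actually handles.

```python
"""Flag emails past their retention period that appear to contain card or passport numbers."""
import mailbox
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# 13-19 digits, optionally separated by spaces or dashes; confirmed by the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed passport-style identifier: 1-2 capital letters + 7 digits (illustrative pattern only).
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{7}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and other long digit runs that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (attachments are ignored here)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def sensitive_hits(text: str):
    """Return (kind, masked_value) pairs; only a suffix is kept so the report itself is not sensitive."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits[-4:]))
    for m in PASSPORT_RE.finditer(text):
        hits.append(("passport", "***" + m.group()[-3:]))
    return hits


def flag_for_deletion(raw_messages, retention_days: int, now: datetime):
    """Messages older than the retention cutoff whose body contains sensitive identifiers."""
    cutoff = now - timedelta(days=retention_days)
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            sent = parsedate_to_datetime(msg.get("Date"))
        except (TypeError, ValueError):
            continue  # undated or malformed Date header: leave it for a human to review
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        if sent > cutoff:
            continue  # still inside the retention period
        hits = sensitive_hits(body_text(msg))
        if hits:
            flagged.append((msg.get("Message-ID"), hits))
    return flagged


def flag_mbox(path: str, retention_days: int, now: datetime):
    """Same scan over a real mbox file (e.g. an export from a mail client)."""
    return flag_for_deletion((m.as_string() for m in mailbox.mbox(path)), retention_days, now)


# Constructed sample messages (not real traffic). 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_MESSAGES = [
    "\n".join([
        "From: alice@example.com", "To: bob@example.com",
        "Date: Mon, 01 Jul 2019 09:00:00 +1000", "Message-ID: <old-card@example.com>",
        "Subject: card details", "",
        "Please charge 4111 1111 1111 1111, exp 12/22.",
    ]),
    "\n".join([  # old, but the 16-digit order number fails Luhn, so it is not flagged
        "From: shop@example.com", "To: bob@example.com",
        "Date: Tue, 02 Jul 2019 10:00:00 +1000", "Message-ID: <old-order@example.com>",
        "Subject: your order", "",
        "Your order number is 1234 5678 9012 3456.",
    ]),
    "\n".join([  # sensitive, but still inside the retention period, so it is kept
        "From: carol@example.com", "To: bob@example.com",
        "Date: Wed, 15 Jan 2020 11:00:00 +1000", "Message-ID: <recent-passport@example.com>",
        "Subject: passport copy", "",
        "Passport PA1234567 attached as requested.",
    ]),
]
NOW = datetime(2020, 2, 1, tzinfo=timezone.utc)  # assumed "today" for the demo


def demo():
    return flag_for_deletion(SAMPLE_MESSAGES, retention_days=90, now=NOW)


if __name__ == "__main__":
    for message_id, hits in demo():
        print(message_id, hits)
```

The Luhn check is what keeps the scan from flagging every invoice number; the passport pattern has no such checksum, so in practice it would be restricted to messages from known intake addresses or paired with a keyword such as "passport" to keep false positives manageable. Output is deliberately masked so that the deletion report does not itself become another copy of the data.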
In addition to the above, other important takeaways from the report include:
- the 537 breach notifications received from July to December 2019 represent a 19% increase on the number reported in the first half of 2019;
- the OAIC is prepared to require organisations to reissue notifications where it is not satisfied that affected individuals were given enough information or practical advice;
- malicious and criminal attacks remain the majority of NDBs reported, at 64%; and
- the number of NDBs attributed to human error remains very high, at 32%. These are avoidable mistakes such as sending an email to the wrong recipient.
These statistics match the trends we see among the clients who come to us for help. They are a reminder to give staff privacy awareness training and to put an NDB response plan in place, so that you are prepared when a data breach occurs.