Reassuringly dull cyber security

Return to sender


Email is an essential communication tool for organisations. Unfortunately, it is commonly the source of a number of data protection errors which can cause personal data breaches.

Common errors that create risk

Below are some examples of common email errors:

  • Email sent to incorrect recipient due to human error.
  • Email sent to an incorrect recipient because the mail client auto-completed the recipient's email address from the first few characters typed.
  • Attaching an incorrect document to an email.
  • Forwarding an email chain to an unintended/unauthorised recipient.
  • Email sent to multiple recipients using the ‘To’ or ‘Cc’ fields* instead of the ‘Bcc’ field**.

*Cc – Allows everyone who receives the email to see the email addresses of all other recipients.
**Bcc – Enables you to send an email to multiple recipients without revealing the email addresses of the others on the recipient list.

In addition, using ‘To’ or ‘Cc’ allows recipients to ‘Reply all’, which creates a further risk: the recipients themselves may disclose additional personal information to the whole list. That risk would not exist if the ‘Bcc’ field had been used.

Errors are not always harmless

It is often wrongly assumed that these email errors are harmless and that nothing can or should be done about them. However, even where no financial loss is suffered, these errors can leave people concerned or even distressed that their personal information has been inadvertently disclosed. That is why it is prudent to take action when these errors occur, as recommended below.

Recommendations that avoid risks

  1. If you need to send an email to multiple recipients, use the ‘Bcc’ field.
  2. Ensure the appropriate recipient has been selected before sending an email.
  3. Ensure the appropriate attachments, etc., have been selected before sending an email.
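The Cc/Bcc distinction above and recommendation 1 can be enforced before a message leaves the mailbox. The following pre-send check is an added example, not code from norm or from this article: it flags any message that has more than one recipient visible in To/Cc, and rewrites it into the recommended form (everyone in Bcc, the sender's own address in To). The sample message is constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def recipient_lists(raw_message):
    """Return (to, cc, bcc) address lists from an RFC 5322 message."""
    msg = message_from_string(raw_message)
    return tuple(
        [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]
        for header in ("To", "Cc", "Bcc")
    )


def check_recipient_disclosure(raw_message):
    """Return findings for a message about to be sent; an empty list means it passes.
    To and Cc are visible to every recipient and enable 'Reply all', so more than
    one address there discloses the list and invites further disclosure."""
    to, cc, _bcc = recipient_lists(raw_message)
    visible = to + cc
    findings = []
    if len(visible) > 1:
        findings.append(f"{len(visible)} recipients visible in To/Cc; move them to Bcc")
    return findings


def move_to_bcc(raw_message):
    """Rewrite the message in the recommended form: every recipient in Bcc and the
    sender's own address in To, so the message still has a visible addressee.
    (The submitting mail client or server strips the Bcc header before delivery.)"""
    msg = message_from_string(raw_message)
    to, cc, bcc = recipient_lists(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    for header in ("To", "Cc", "Bcc"):
        del msg[header]  # Message.__setitem__ appends rather than replaces, so clear first
    msg["To"] = sender
    msg["Bcc"] = ", ".join(dict.fromkeys(to + cc + bcc))  # de-duplicate, keep order
    return msg.as_string()


# Constructed sample message, not a real one.
SAMPLE = """\
From: Clinic Admin <admin@example.org>
To: alice@example.com, bob@example.net
Cc: carol@example.co.uk
Subject: Appointment reminder

Please confirm your appointment.
"""

if __name__ == "__main__":
    print(check_recipient_disclosure(SAMPLE))               # → ['3 recipients visible in To/Cc; move them to Bcc']
    print(check_recipient_disclosure(move_to_bcc(SAMPLE)))  # → []
```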

Actions to take

  1. You should send a follow-up email to the incorrect/unauthorised recipient(s) that:
    • Asks them to delete the email (and any attachment(s)); and
    • Advises them that they do not have the right to use the email address(es) (or access any attachments) sent to them; and
    • Asks them to confirm to you that they have deleted the email (and any attachment(s)).
  2. You should send an email to the affected individual(s) (i.e. those whose email address and any attachment(s) have been sent to an incorrect/unauthorised recipient) that:
    • Explains what has happened;
    • Informs them what you have done/will do; and
    • Offers an apology.
  3. If you think that there will be any risk – regardless of severity (e.g. low/medium/high/severe) – to someone (anyone) as the result of an email sent to an incorrect/unauthorised recipient, you must notify the ICO.
