Tips to Reduce Data Breaches when Sending Emails
Email provides a fast and efficient way of communicating information. However, errors when sending an email which result in the inadvertent disclosure of information are one of the leading causes behind data breach incidents reported to OVIC.
This resource sets out what you can do to reduce the chances of information being inadvertently disclosed when sending emails. These tips are general in nature and you should check whether your organisation has its own email policies. The tips in this guidance refer to features in Microsoft Outlook, but other email programs often have similar features.
Disabling Outlook’s AutoResolve function
If you use Outlook, one function that is turned on by default is the AutoResolve function. It recommends recipients based on the letters you type into the ‘to’, ‘CC’ and ‘BCC’ fields by searching through a list of recipients you have previously emailed.
Whilst AutoResolve can save time by allowing you to type in the name and not the entire email address of a recipient, it can also result in an email being sent to the wrong recipient.
This can occur where two or more recipients you have recently emailed share the same first and/or last name, or where you start to type a recipient’s initials and inadvertently select the wrong recipient from the drop-down list.
To reduce the chances of these errors occurring, consider disabling the AutoResolve function. If disabling AutoResolve is not an option, consider double checking email recipients (as set out below) and typing in the recipient’s first and last name.
Double checking email recipients
The main reason for emails being sent in error is simple human error. So, while it may sound simple, the main way to prevent data breaches when using email is to be careful and pay attention.
For example, when checking the recipients of an email, double click on a recipient’s name as displayed in the ‘to’, ‘CC’ or ‘BCC’ fields so that their full email address is visible. Then confirm if this is the address that you are intending to use.
This reduces the chances of you sending an email to a recipient with the same first and/or last name at a different organisation or sending emails outside your organisation where the email is intended for internal distribution only.
Setting a delay rule
Have you ever realised that you have made an error when sending an email mere moments after you have clicked ‘send’? This is a common occurrence, so you are not alone.
If you are using Outlook, you might want to consider creating a rule which delays Outlook from sending an email for between two to five minutes after you have clicked ‘send’. This would allow you to go into your Outbox and change or delete the email if you do find an error after you have clicked ‘send’.
This is a much better strategy than trying to use the ‘recall’ feature whenever you have already sent an email to the wrong recipient. In practice, this is usually ineffective at removing the email from the recipient’s inbox.
Be careful when forwarding emails with multiple conversations, also known as ‘email threads’. There is a risk that more information than is necessary will be disclosed to a recipient where you forward the entire email thread. If an email thread is too long or contains information that the sender doesn’t need to know, consider alternatives, such as drafting a new email.
Sending group emails
If you are sending an email to several recipients and you do not want each recipient’s email address to be visible to all other recipients, you should insert the recipients’ email addresses into the ‘BCC’ rather than the ‘to’ or ‘CC’ fields.
If you frequently send group emails, it is also a good idea to have processes in place. Consider using distribution list management programs, checklists and even asking a colleague to review your email to confirm that everything is in order before clicking ‘send’. If you do use a distribution list, make sure to review it regularly for accuracy and that it only contains recipients who require the information.
If you are using Outlook, a useful in-built function that you should consider using is MailTips. MailTips are informative messages, also known as ‘prompts’, which appear whilst you are composing an email and Outlook detects a potential error.
When the prompt appears, it will tell you what the potential error is and provide you with an opportunity to fix it before sending the email.
Some prompts you can setup MailTips to perform include:
- if an email is being sent to an external recipient outside your organisation, a prompt that it is an external recipient;
- if an email contains an attachment, a prompt to check that the correct attachment is attached; and
- if emailing multiple external recipients which are included in the ‘to’ or ‘CC’ field, a prompt reminding you to use the ‘BCC’ field instead.