A data breach is the intentional or unintentional release of sensitive or private/confidential information to an untrusted environment. ISO/IEC 27040 defines a data breach as: compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed (Wikipedia).
While eBay, JP Morgan Chase, Yahoo and many others suffered attacks directly on servers holding millions of personal data records, data breaches also happen daily through unprotected and insecure email correspondence. An example: according to the Financial Times, London-based online investment management firm Nutmeg experienced an email system glitch on September 1, 2015. The company told the paper that a flaw in code resulted in an email containing the investment and financial information of over 30 accounts being sent to the wrong recipient. While banking data was not included in the message, names, personal addresses, investment details, asset information and "risk appetite" data were, and as a result 32 customers had their personal information released to the public.
The Massachusetts Department of Public Health is facing criticism after potentially exposing the information of thousands of patients, Health IT Security reported. The claims state that the department violated patient privacy protection regulations by sending emails containing personal identifying information for those in the state's medical marijuana program. The email data breach compromised patient personal information, including full names and registration numbers for the program. The patients were sent emails whose subject lines stated that they had been approved for the medical marijuana program. After discovering the data breach, the state health department removed the patient information and revised the subject line of the email. The agency also said it will try to follow best practices when sending emails for the state's medical marijuana program.
Emails, on the other hand, are commonly sent via the Simple Mail Transfer Protocol (SMTP). SMTP does not encrypt the text of emails, so intercepted mail can be read easily unless encryption is used.
Although companies may secure their internal networks, vulnerabilities can also arise through email correspondence. An email disclaimer may be used to warn unauthorized readers, but disclaimers are generally thought to be ineffective, and once confidential data has become public it cannot be taken back. Other ways to secure personal email traffic include enabling TLS in the mail client or server settings and using an encrypted email service such as RMail. The Automatic TLS Mode feature of RMail detects whether a TLS-secured connection is possible for the entire transmission path and, if so, delivers the message to the receiver encrypted over that secure connection. If TLS is not available, the original email is converted and sent as a secure, AES 256-bit encrypted PDF.
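The paragraph above describes a sender-side decision: check whether the next SMTP hop offers TLS, deliver over TLS if it does, and fall back to an encrypted attachment if it does not. The following Python script, an added example and not RMail's code or any code from the original page, shows the two halves of that decision. `ehlo_extensions` parses an SMTP EHLO reply for the `STARTTLS` extension (the sample replies are constructed, not captured from a real server), `choose_delivery_mode` maps the result to a delivery mode, and `send_with_enforced_tls` shows how a Python client refuses to send in plaintext and verifies the server certificate when it does use TLS. The host name `mail.example.test`, the fallback mode name `encrypted-attachment` and the function names are my assumptions.

```python
import smtplib
import ssl

# Constructed sample EHLO replies (not captured from any real server).
# smtplib stores the raw reply in SMTP.ehlo_resp in exactly this shape:
# the greeting line first, then one extension keyword per line.
EHLO_WITH_STARTTLS = b"mail.example.test\nSIZE 52428800\nSTARTTLS\nAUTH PLAIN LOGIN\n8BITMIME\n"
EHLO_WITHOUT_STARTTLS = b"mail.example.test\nSIZE 52428800\nAUTH PLAIN LOGIN\n8BITMIME\n"


def ehlo_extensions(ehlo_reply):
    """Return the set of upper-cased extension keywords advertised in an EHLO reply.

    The first line is the server's greeting and is skipped; every later line
    starts with an extension keyword, optionally followed by parameters.
    """
    lines = ehlo_reply.decode("ascii", errors="replace").splitlines()
    extensions = set()
    for line in lines[1:]:
        keyword = line.strip().split(" ", 1)[0]
        if keyword:
            extensions.add(keyword.upper())
    return extensions


def choose_delivery_mode(extensions):
    """Pick 'tls' when the hop offers STARTTLS, else fall back to an encrypted attachment.

    The fallback mode name is an assumption for this example; the page describes
    RMail's fallback as an AES 256-bit encrypted PDF, whose construction is
    outside the scope of this script.
    """
    return "tls" if "STARTTLS" in extensions else "encrypted-attachment"


def probe_delivery_mode(host, port=587, timeout=10):
    """Connect to a real SMTP server and decide the delivery mode from its EHLO reply.

    Not exercised offline; provided to show how the parser above plugs into smtplib.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        server.ehlo()
        return choose_delivery_mode(ehlo_extensions(server.ehlo_resp))


def send_with_enforced_tls(host, port, sender, recipient, message, timeout=10):
    """Send only if the hop offers STARTTLS, and only after certificate verification.

    Without an explicit SSLContext, clients often upgrade to TLS but never verify
    who is on the other end; create_default_context() enables hostname and
    certificate checks so that an interposed server cannot read the message.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        server.ehlo()
        if not server.has_extn("starttls"):
            # Refusing here is the point: never silently fall through to plaintext.
            raise RuntimeError("server does not advertise STARTTLS; refusing plaintext delivery")
        server.starttls(context=context)
        server.ehlo()  # re-identify over the encrypted channel before sending
        server.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    for reply in (EHLO_WITH_STARTTLS, EHLO_WITHOUT_STARTTLS):
        exts = ehlo_extensions(reply)
        print(sorted(exts), "->", choose_delivery_mode(exts))
```

One caveat the example makes visible: STARTTLS protects only the hop it is negotiated on. The receiving server decides for itself how it relays the message onward, which is why the paragraph stresses checking TLS availability for the entire transmission path rather than for the first connection alone.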
To document compliance with regulations, it is your responsibility to take the necessary measures, which means companies need to minimize exposure as much as possible, especially when sending private, personal or confidential information.
RMail offers a solution package that includes Automatic TLS Mode for encryption, provides auditable proof of delivery with time stamps, and can transfer large data files (up to 1 GB).
There is a lot at stake: the GDPR (General Data Protection Regulation), in force since April 2016, must be fully implemented by 25 May 2018, otherwise fines of up to € 20 million or 4% of global business revenue may be imposed. It is high time to take action.
1. General Data Protection Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=uk