As fans of The Smiths will be aware, some data breaches are bigger than others. (I'm pretty sure that's the lyric, anyway.) Clearly, a nation state attack on your servers is orders of magnitude more serious — and, arguably, forgivable — than leaving a company presentation on the train.
But some data breaches are entirely avoidable and, frankly, close to unforgivable. I’m talking of course about the email that copies a large number of recipients rather than putting them in blind copy. This happens all the time — and to be fair, there is sometimes little or no harm to the recipients as a result.
Today is not one of those times. The BBC is reporting that the UK Ministry of Defence recently sent an email mistakenly copying the addresses and profile pictures of more than 250 individuals seeking relocation to the UK from Afghanistan. “This mistake could cost the life of interpreters, especially for those who are still in Afghanistan”, the BBC was told.
Thankfully, life and death isn’t a factor that most of us need to consider when giving legal or compliance advice. And the MoD’s breach — like most of these cases — was that result of an unintentional human error. (“To err is human, to forgive divine”, etc.)
But these errors can, and should, be eradicated. Regular employee training is key, supported by additional prompts where appropriate (for example, sending today’s BBC story to employees to remind them of the perils of the cc-ing without thinking).
The fact that this type of thing hasn’t happened to your organisation before, or hasn’t been sufficiently serious to meet the regulatory notification requirements, shouldn’t change things. Given that one email can do serious commercial and reputational damage, and the steps to reduce the risk of it happening are easy to put in place, it's worth taking this aspect of your compliance seriously.
The MoD then sent another email 30 minutes later with the title "Urgent - Arap case contact" asking the recipients to delete the previous email and warning "your email address may have been compromised".