For many of us, sending and receiving emails has become our primary way of communicating at work. An estimated 269 billion emails are sent globally every single day.1 It's therefore not surprising that occasionally some emails are sent to the wrong recipient by accident.
Veritau estimates that these kind of email errors make up 35% of data breaches reported to its information governance team. In this article we provide advice about what you should do if you discover an email has been sent to the wrong person.
If you discover that you’ve sent an email to the wrong person, especially when that email contains confidential and/or sensitive data, then naturally you are likely to panic.
Try to stay calm. If you panic, then you are likely to make further mistakes which could worsen the situation. If you remain calm, you are more likely to be able to handle and contain the situation with confidence.
Containing the incident
In the first instance, you should contact the recipient as soon as you notice the error, requesting they delete the email without reading it and to confirm that they have done this.
In some circumstances you may be able to recall the email. However this will only work if both email addresses are within the same organisation and use Office 365 or Microsoft Exchange account.
Email recall will not work when sending an email outside of your organisation, or if the email has already been opened. Therefore you should not rely on this method to guarantee the email has been contained.
If you do attempt an email recall, we advise you to always follow up and check it has worked by either separately emailing the person again or calling them. Never assume it has worked.
Reporting the incident
Once you have made an effort to contain the email disclosure you need to report the incident to your line manager and also to the person responsible for data protection in your organisation. For smaller organisations (such as schools) there is likely to be a single point of contact who manages data breaches.
For larger organisations (such as councils or housing associations) it is likely you need to report an incident through an intranet e-form or make contact with the information governance team.
It is crucial that you tell your organisation about these incidents within 24 hours so that the incident can be managed. For the most serious cases, the organisation will have to report the incident to the data protection regulator within 72 hours. Failure to do so could lead to regulatory action being taken against the organisation.
Veritau top tip: You should report incidents within your organisation even if the email has been contained or if the email didn’t contain personal data. Your organisation needs to know about all ‘near misses’ as well as actual incidents so that it can implement safeguards to mitigate against any future potential incidents.
1) Take your time. Quite often the primary reason for mistakes being made is because the sender is rushing when completing the task. We know how busy work can get, but remember you will be even busier if you have to manage a data breach too. Take your time when sending emails.
2) Check the recipient list for spelling mistakes and organisation names. This might seem like a given but quite often it is very easy to assume that the correct name has been input. This is especially the case if you have the autofill function turned on.
3) Configure your email settings. Many email providers have tools and settings which can be configured. You can turn off autofill (which is a major contributing factor to email breaches) and also automatically flag when an email is being sent outside your organisation.
4) Check the email trail and attachments. Are all the recipients in the distribution box authorised to see earlier emails in the trail and/or the attachments?
For more information about data breaches, contact your organisation’s data protection officer or look at your organisation’s data protection and information security policies.
Contact Veritau’s information governance team: email@example.com | 01609 532526
1 Email Statistics Report, 2017-2021 The Radicati Group Inc (February 2017)