ODPA highlights incorrect email myths

Published: 22 March 2021

Twenty-nine personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 28 February 2021, roughly half of these were due to emails being sent to incorrect recipients. 

Overall, from the latest statistics, 16 breaches (55% of the total) related to data sent to the incorrect recipient by email. Six incidents (20% of the total) were due to data being sent to an incorrect recipient by post. The total reported remains broadly consistent with previous reporting periods in terms of number and type of breaches. The 29 breaches were reported in by organisations from a range of sectors.

The ODPA wishes to highlight possible misconceptions about sending emails to an incorrect recipient: this is a very common occurrence, and is a universal issue. An email going to the wrong person(s) isn’t always a breach and therefore these incidents do not necessarily have to be reported in to the ODPA. It depends on the context the email was sent in, the email’s contents, and whether the circumstances pose someone a risk. Many emails that go astray contain no personal data (‘any information about, or related to, an identified, or identifiable, living person’) and therefore pose no data protection/privacy risk to anyone, in those cases the data protection law would very likely not apply and you would not be legally obliged to report it to the ODPA. If in doubt speak to your Data Protection Officer, if you have one, or call the ODPA for advice. 

Cyber incidents have been prominent in the news recently due to issues with some Microsoft Exchange email servers being vulnerable due to a security flaw. All Bailiwick organisations who have an ‘on-premise’ (as opposed to cloud-based) installation of Microsoft Exchange are encouraged to seek advice from their information security provider or a cyber security expert if they have not already done so. 

It is important to remember that cyber incidents come in all shapes and sizes: global and indiscriminate incidents, like the Microsoft issue, grab headlines, but small-scale, targeted attacks can be just as damaging. The ODPA has recently been made aware of a targeted phishing attack on a local company where their email was hacked and a customer was sent a message that appeared to be legitimate asking them to pay the company via different bank details. 

The Bailiwick’s Data Protection Commissioner, Emma Martins, commented

‘These high-profile attacks serve to remind us all of the importance of being informed, prepared and vigilant. Businesses in all sectors are increasingly reliant on data and once we start to better understand its value, we will more positively engage with the need to ensure appropriate protections. It is essential to build those protections in to hardware and software systems as well as operational and administrative processes. Data security is a collaborative effort for the entire organisation, however large or small. Understanding the reality of the risk is not an optional extra, it is critical. The threat landscape is increasingly complex and highlights the importance of contracting with providers that can provide trusted and responsive advice and support. Investing in and maintaining high standards of data security has become a fundamental part of running any business. Taking data governance and security seriously will reap rewards for businesses; failing to do so has the potential to do irreparable damage to them.’

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Breach categories explained 
The ODPA individually assesses each breach reported to them and assigns them to one of the nine categories listed below. The categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. 
  1. Loss of data/paperwork/device (accidental)
  2. Data sent to incorrect recipient – email (accidental)
  3. Data sent to incorrect recipient – post (accidental)
  4. Data sent to incorrect recipient – fax (accidental)
  5. Inappropriate/Unauthorised Access (accidental or deliberate)
  6. Inappropriate/Unauthorised Disclosure (accidental or deliberate)
  7. System error (accidental)
  8. Cyber incidents (accidental or deliberate)
  9. Other (accidental or deliberate)
Number of personal data breaches reported to the ODPA
View statistics for every two month period from October 2018 - present

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. 

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported. 

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.