Share files carefully!
When we think about a data breach, the most likely scenario that comes to mind is of a hacker gaining unlawful access to an organisation’s network. However, as most Data Protection Officers (DPOs) are aware, the weakest link in data security is usually the mere mortal - people in the organisation.
While we may intuitively believe a disgruntled employee to be the culprit behind a data breach, a study by Data Protection Excellence Network (DPEX) shows that malicious hacks constituted only 13% of all enforcement cases announced by PDPC in 2018. Instead, the most common cause is sheer carelessness.
The most recent case was against a preschool provider, where a teacher sent a consolidated attendance list to a group of parents without realising that the list contained contact numbers and NRIC numbers of five of the members of the group. Although the teacher belatedly deleted the file, the breach had already happened - personal data, once leaked, will be at risk forever.
Then there is the case of a sports federation where the NRIC numbers of students were accidentally disclosed in a PDF document on the federation’s website. The author of the document did not know that content copied from a PDF document and pasted into a new Word or Excel document would reveal content that had been “hidden” in the source Excel document prior to converting it to a PDF file. The irony is that the source Excel file was encrypted to protect the personal information, and this could have been easily prevented with a simple check.
There are many other cases, but these just go to show how fallible we can be. So what should organisations do to protect the personal data in their care?
A good place to start is to have an information security policy. Staff need to know whether their actions are permitted by the organisation. They should also know the requirements of the data protection law, as well as applicable sectoral regulations such as the Employment Act.
Staff should be aware that confidential information should be encrypted before hitting the “send” button. Before sending an unencrypted email, delete any confidential documents or files from it. Just imagine what can happen if the files are accidentally forwarded to unauthorised individuals!
If you use cloud storage for your files, add more layers of protection with security functions like two-factor authentication (2FA) which will require both a login password, and a security code sent to your phone or email address each time you log in or add a new device to your account.
Also make use of the password-protect function in Microsoft and PDF documents to further protect the personal data in your care. In addition, when you send a protected document to someone, remember to give them the password separately - not in the same message that it is attached to!
Here’s another piece of advice that you can do immediately - check that the email address or phone number that you are sending the personal data to is correct! You can even send an initial message to the person to ask them to reply to confirm the accuracy before you send the actual file.
If you have to include several people in the same email thread, consider who really needs to receive the file, and whether the recipients need to know the other recipients' identities. Consider using the BCC function and when you do so, be sure that you have not mistakenly put the email addresses in the "CC" field. You may also wish to delete the previous email trail if the same email has to be forwarded to others.
As we often say, carelessness is our greatest enemy which we can never eliminate. Remember these tips and put them into practice, and start sending files more safely from today.