Technology can do wonders to strengthen the security and privacy activities of an organization, but it can only go so far. Sometimes employees are clumsy when handling personal information and the result can be painful.
The latest example is the roughly $345,000 fine levied Wednesday by the U.K. information commissioner against the country’s Independent Inquiry into Child Sexual Abuse for an email mistake.
On Feb. 27, 2017, an inquiry staff member sent a blind carbon copy (bcc) email to 90 inquiry participants — some of whom might have been victims of abuse being investigated — telling them about a public hearing. A “bcc” wouldn’t have allowed recipients to see the names of other people. So far so good.
However, after an error was noticed in the email, a correction was sent, but this time the email addresses were entered into the ‘to’ field instead of the ‘bcc’ field. This allowed all of the recipients to see each other’s email addresses, identifying them as possible victims of child sexual abuse.
Fifty-two of the email addresses contained the full names of the participants or had a full name label attached.
The inquiry was alerted to the breach by a recipient of the email who entered two further email addresses into the ‘to’ field before clicking on ‘Reply All’.
Things got worse.
Now knowing there was a problem, the inquiry told its email service provider to create a mailing list for participants. It relied on advice from the provider that the list would prevent individuals from replying to the entire list. However, five months after the incident, a recipient clicked on ‘Reply All’ in response to an email from the inquiry, sent via the mailing list, and revealed their email address to the entire list.
“This incident placed vulnerable people at risk, which is concerning,” wrote the privacy commission investigator. The inquiry “should and could have done more to ensure this did not happen. People’s email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant.”
The inquiry has apologized to the affected people.
The investigation found:
- The inquiry failed to use an email account that could send a separate email to each participant;
- The inquiry failed to provide staff with any (or any adequate) guidance or training on the importance of double checking that the participants’ email addresses were entered into the ‘bcc’ field;
- The inquiry breached its own privacy policy by sharing participants’ email addresses with the IT company without their consent.
This mistake isn’t uncommon, said Halifax privacy lawyer David Fraser of the McInnes Cooper law firm. “It’s the sort of thing where people are too casual when dealing with email. When you’re dealing with sensitive information you really need to make sure you’re exercising an appropriate level of care and attention. And if you’re an organization that handles sensitive information you probably need to put additional measures in place in order to make sure these sorts of things don’t happen.”
One solution is an email filter that won’t send a message with more than a certain number of recipients. Another is a system that will only send a message to one recipient at a time from a specified list of addressees.
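The two safeguards just described can be sketched as follows. This is an added example, not code from the inquiry, its provider or any product mentioned in the article; the function names, the limit of one visible recipient and the example.org addresses are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # assumed policy limit for sensitive lists

class TooManyVisibleRecipients(Exception):
    """Raised when a message would expose recipients to each other."""

def visible_recipients(msg):
    """Return every address a recipient could read in the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]

def enforce_recipient_limit(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Outbound filter: refuse a message whose To/Cc list exceeds the limit."""
    seen = set(visible_recipients(msg))
    if len(seen) > limit:
        raise TooManyVisibleRecipients(f"{len(seen)} visible, limit {limit}")
    return msg

def build_individual_messages(sender, recipients, subject, body):
    """Mail merge: one message per addressee, so no header lists anyone else."""
    messages = []
    for rcpt in dict.fromkeys(r.strip().lower() for r in recipients):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        # Replies go to the sender only; there is no list to "Reply All" to.
        msg["Reply-To"] = sender
        msg.set_content(body)
        messages.append(enforce_recipient_limit(msg))
    return messages

# Constructed sample data (example.org addresses are placeholders).
SAMPLE_LIST = ["a@example.org", "b@example.org", "c@example.org"]

def demo():
    mistaken = EmailMessage()
    mistaken["From"] = "office@example.org"
    mistaken["To"] = ", ".join(SAMPLE_LIST)  # the "to instead of bcc" error
    try:
        enforce_recipient_limit(mistaken)
        blocked = False
    except TooManyVisibleRecipients:
        blocked = True
    safe = build_individual_messages(
        "office@example.org", SAMPLE_LIST, "Correction", "Hearing details")
    return blocked, [visible_recipients(m) for m in safe]
```

The filter rejects the mistaken message outright, while the per-recipient builder produces three messages that each show a single address.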
“It’s increasingly common to see customized [email] solutions that are intended to offer protections for a number of reasons,” Fraser said, “and obviously privacy is a significant and compelling interest.”
Regulators here don’t have the power to levy a fine as hefty as the one issued in the U.K., he added, but he hopes “it will re-calibrate people’s understanding of what is at stake …. It stands as a lesson that ‘We need to be extra-careful with this sort of stuff.’”
Fraser is involved in a privacy suit against Health Canada over a somewhat similar incident, although it involved physical mail. In 2013, 40,000 letters were mailed to people interested in upcoming changes to the federal Marihuana Medical Access Program. Unfortunately, the envelopes’ see-through window with the recipients’ addresses also showed the name of the program, so anyone seeing the envelope might have thought the recipient was using medical marihuana.
The federal privacy commissioner concluded this was a violation of PIPEDA.