Sending an email to the wrong person is one of the most common data breaches.
It’s also usually down to human error: someone is under time pressure, trying to do more than one thing at once, or not familiar with the software.
This happened to one of my clients the other day: they rang me to say they had sent a report about one of their clients to another of their clients by mistake. What did they need to do next?
They had tried to recall it through the email system, but recall is never very reliable: it generally only works if the recipient is on the same mail system and has not yet opened the message, it cannot reach a recipient outside your own organisation at all, and the recipient may still receive the original email along with a notice that a recall was attempted.
So here’s what I told them to do:
1. Email the individual who received the wrong report, explain that it was sent in error, and ask them not to read, forward or copy it but to delete it (including any copy in their deleted items). Ask them to confirm in writing that it has been deleted.
2. Email the company whose report was sent to the wrong recipient and explain what has happened: that you have asked the unintended recipient to delete it and that they have confirmed they have done so. Explain that you are following your normal data breach procedures, and tell them who to contact if they have any questions.
3. Complete the data breach form, recording what was sent, to whom, when it was sent and what has been done so far, and pass it to the responsible officer to review and consider what further action may be necessary.
4. Review how the incident occurred and establish whether there is a way to prevent it happening again, for example by checking the recipient address before sending.
I should say that the report that was sent incorrectly doesn’t contain any personal information, but it is obviously about a different company’s interactions with my client, so it needs to be dealt with in the proper way.
We find that people often mismanage data breaches and make them worse by doing the wrong thing, so it was lucky they were able to call me when they needed to.
Here’s the link to our free Data Breach Policy Workbook – Give me the Workbook
So how would you handle this type of data breach?