At Onno's administrative office, an incorrectly addressed email caused a data breach
I am the owner of a small administrative office. Currently, we are very busy filling in tax returns for our customers. We do this partly from home and partly at the office. At the office, we work with a secured file system that cannot be accessed from home.
Since the crisis, my employees – when they are at the office – increasingly take files from the system and mail them to their work email, so they can continue working on them from home. Yesterday, this went all wrong due to a stupid accident.
One of my employees accidentally mailed 5 personal financial files from the office to a customer instead of to the work email address of his colleague who was working from home. He discovered this because the lady who received the email contacted us. Fortunately, she indicated that she had removed all the data – including BSNs and financial annual statements.
I chose to inform the persons concerned immediately about this data breach, even though the data had been removed. In fact, I did this purely because I would want to know myself if such personal information ended up with someone else.
As an administrative office, I am very much aware that we work with highly sensitive information. Before the crisis, my policy was therefore that working from home was not allowed. At the start of the crisis, though, I quickly made sure that my employees could access their work email from home. By doing this, I wanted to prevent them from sending files to their unprotected private email.
I thought this was enough, but I had not sufficiently realised that mailing files is far too risky in the first place.
Did you know that...
- As the owner of a business, you are responsible for taking appropriate security measures for your specific situation, including in view of human mistakes?
- Securing personal data is a continuous process? Changing circumstances – such as working from home – may call for other measures.
- When you have a data breach, you may be obliged to report it to the Autoriteit Persoonsgegevens (AP)? This must be done within 72 hours after becoming aware of the data breach. Whether you have to report a data breach to the AP and to the victims depends on the risk of damage. You have to make this estimate for yourself.
- In this story, the recipient seems to mean no harm. But how can you be sure that the personal data have really been destroyed?
- When in doubt, it is best to report the breach to the AP? In doing so, you also demonstrate that you take responsibility for limiting the damage as much as possible.
* The privacy stories on this website are based on actual reports to the Autoriteit Persoonsgegevens. Due to the privacy of those involved, the personal data and some circumstances have been changed. We use models (stock photography) for the images in these stories.