October 28, 2021

Volume XI, Number 301


The To: Field and the Unintended Data Breach

On November 7, 2014, the Australian Department of Immigration and Border Protection gave notice of a data breach that morning affecting the leaders of the G20.  As described:

The personal information which has been breached is the name, date of birth, title, position, nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (ie prime ministers, presidents and their equivalents) attending the G20 leaders summit.

Affected by this data breach were, among others, President Barack Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, and UK Prime Minister David Cameron.  The cause of the data breach was the autocomplete feature of the "To:" field in Microsoft Outlook.

The autocomplete feature is a useful way to send an e-mail without having to look up an email address.  Unfortunately, without careful attention, it is easy for any person within a government agency, nonprofit organization, or commercial enterprise to accidentally send a message to the wrong person.  

As with the unfortunate Australian government employee, it is all too common for emails to contain personally identifying information and for such emails to be unencrypted.  It is easy to imagine the same occurring with trade secrets, protected health information, or attorney-client privileged material.

Massachusetts businesses are required to protect personal information pursuant to G.L. c. 93H and the implementing regulations at 201 CMR 17.00.  Business owners and managers should take care to review their e-mail policies regarding the transmission of unencrypted personal information and the use of the autocomplete feature as part of their written information security program.  Employers should take care, further, to ensure that such a program does not conflict with the NLRB's December 2014 decision in Purple Communications.  

© 2021 by Raymond Law Group LLC. National Law Review, Volume V, Number 91

About this Author

Massachusetts has the most comprehensive data protection rules regarding businesses in the country. Your business must comply with these rules and have a written information security program (WISP). Failure to do so can result in prosecution and civil liability.

At Raymond Law Group LLC, we offer compliance counseling for businesses to safeguard them from future data loss and privacy issues. We can assist you in developing your WISP or security and privacy plan. Our attorneys also represent businesses and individuals who have violated privacy laws. Regardless of your company's...

617-314-6462