Personal Email + Work Activity = High Risk Situation

Almost everyone has a personal email address, to the point where you are probably more shocked to discover someone who doesnt rather than a person who has several. In recent years, as the internet has become more embedded in our daily life this has exploded and people now access their email on their phone, tablets, laptop computers, home PCs, MP3 players – pretty much anything electronic.

Most employers now allow staff to access their personal email using work equipment and the generally increased staff satisfaction, coupled with improved productivity when employees dont need to go “away” to do personal admin tasks, has shown this to be a good thing for business.

However, as Cheshire East Council discovered, there is a huge risk attached to this: (from Guardian Government Computing)

Cheshire East council has been fined £80,000 by the Information Commissioner’s Office (ICO) for failing to have adequate security measures in place when emailing personal information.

The ICO said the serious breach of the Data Protection Act occurred in May 2011, when a council employee was asked to contact the local voluntary sector co-ordinator to alert local voluntary workers to a police force’s concerns about an individual who was working the area.

Instead of sending the email via the council’s secure system, the employee sent it via her personal email account. The email contained the name and an alleged alias for the individual, as well as information about concerns the police had about him. The correspondence was then forwarded by the co-ordinator to 100 intended recipients.

From the reporting available, it seems the Council employee sent it in this manner because the sector co-ordinator didn’t have “an appropriate email address and that using the secure email system would have prevented the information from being further disseminated.”

The situation escalated as a result of the sector co-ordinator not realising the information was sensitive and forwarding to others, and in the end nearly 200 people received copies. It is almost impossible to know if this is where the spread of information ended and the council have reported only approximately 100 recipients have deleted the information from their systems.

The ICO’s finding highlights two problem areas which are, sadly for Cheshire East Council, fairly predictable and can easily be mitigated against for a lot less than the £80,000 they were fined: (from the ICO website)

[A] robust system must be put in place to ensure that information is appropriately managed and carefully disclosed.


Cheshire East Council also failed to provide this particular employee with adequate data protection training.

These two simple failings point to three useful lessons that every organisation should take on board – and any business dealing with personal data who ignores this is risking heavy ICO fines:

Ensure that your working practices are supported by technology, not impeded by it. In this example, the council worker had a business need to send out the email but was prevented from doing so in a proper manner. When you do this to your employees, the pressures of your business will guarantee that they circumvent controls.

  • Lesson: Your technology must make it easier to be security compliant than to circumvent.

Make sure your staff are fully aware of the nature of the data they handle, how important it is and what should be done with it. Good employee education is frequently the most cost effective security control possible and it is likely that a single training session would have saved this council £80,000. It is important to ensure that your training also covers every level of management otherwise you risk zealous managers putting pressure on employees which invariably leads to security breaches.

While it is true the even the best trained staff will still make mistakes, the reality is that if you have a robust and well planned security training plan, there is a good chance this alone will mitigate against any fine the ICO might consider. It can show the difference between a genuine mistake and organisational negligence.

  • Lesson: Employee security awareness training is never a waste of resources.

Take action to identify, manage and control your risks before they happen. Prevention is certainly better than curing when it comes to security controls and nowhere is this more obvious than when personal data is involved. All too often businesses try to cut corners or reduce budgets – frequently on the ground that no breach has happened yet – but this is a false economy. By neglecting to implement solid, efficient security processes and training, Cheshire East Council has cost the public purse £80,000 plus around £60,000 to implement suitable controls and provide effective staff training. Good planning could have implemented suitable control processes, training and technology prior to the breach for around £40,000.

In this instance, rather than save the taxpayer through good budgeting, the lack of proper investment in security has cost the taxpayer £100,000. When your organisation looks at its budgets never allow yourself to be fooled into thinking that cutting back on security controls is a good way to save money.

  • Lesson: Always ensure that security is properly funded because it costs much more if you fail.

Hopefully Cheshire East Council will learn from this incident, but it is just as important for organisations who have not suffered a loss to sit up and take notice.

Use this opportunity to review your own systems, your own processes and your own organisational practices.

Ask yourself if you are taking the correct steps and have you properly implemented technical controls along with employee awareness training. Are you able to get the required level of assurance that everything is in place? If not, what do you need to do to get it?

Preventing a loss is almost always much more cost effective (in terms of time, money, reputation, customer confidence etc) then trying to patch up the holes after something has gone wrong.

If you would like to discuss this further, or find out what you need to consider as part of your organisational risk assessment, then get in touch with our expert security consultants. At Halkyn Consulting we have nearly 20 years experience in delivering cost effective security risk management, asset protection and loss prevention advice to private businesses and public sector organisations. We have worked with clients including truly global multinationals and small local enterprises. Any security related discussion we have – even informal ones – are treated in confidence and we never share details with other organisations.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.

This Post Has One Comment

  1. Dave Mathin

    Excellent advice. Sadly this is often only learned as the result of very painful experiences.

Comments are closed.