That unpleasant rush of adrenaline you get when you realize you’ve sent an email to the wrong address–we’ve all felt it. Sometimes these mistakes can be worse than embarrassing. They can be dangerous.
This article by Workshare and Kraft Kennedy first appeared in the New York State Bar Association Journal, September 2018, published by the New York State Bar Association, One Elk Street, Albany, NY 12207.
After employees of the Australian Commonwealth Bank repeatedly sent confidential information to “cba.com” addresses instead of “cba.com.au,” the bank bought the “.com” domain in 2018 to staunch the data leakage. It was too late – 651 internal emails had been sent to the wrong domain, releasing the privileged data of 10,000 customers.
Following a similar mishap, Goldman Sachs sought an order from the New York State Supreme Court to force Google to delete a confidential email sent by a contractor to a “gmail.com” address instead of “gs.com.”
In April, the British Information Commissioner fined the Royal Borough of Kensington and Chelsea for breaching the Data Protection Act after its council inadvertently sent a spreadsheet to journalists identifying the owners of 943 vacant property lots.
In all three cases, email combined with human error to result in disastrous, embarrassing, and dangerous data loss.
Email: The Leading Cause of Data Leaks
Email is the number one source of data loss for businesses, according to statistics collated by the Information Commissioner’s Office. Usually it happens as in the cases illustrated above, through unintentional sharing of information by employees, rather than malicious intervention by hackers. The cases above were made public, but many more stay under the radar to preserve reputations.
Such high-profile cases of data loss, along with new regulations, more stringent client audits, and increasingly crafty hackers have put legal teams under more pressure than ever to protect their clients’ sensitive data.
Firms are going to great lengths to make sure data loss does not happen to them. At some firms, IT and security administrators are manually investigating all email attachments sent to non-corporate domains. Many fruitless hours are then spent checking personal photos and recipes.
Adopting a different strategy, some security administrators are relying on the tags applied to a document when it is filed into their document management system (DMS) to flag an issue for review. But this tactic relies on attorneys filing documents before sending them. In fact, according to data collected by Workshare, only one out of three email attachments are ever tagged, which means around two-thirds of attachments move out of a firm’s email system unmonitored.
While there is certainly a space in the legal IT marketplace for an effective method to stop people from emailing confidential data, not many vendors have created dependable solutions. Kraft Kennedy has tested various formal solutions for our clients. Workshare Secure is one that can clean attachments of sensitive metadata that may be hidden within a file and cause embarrassing data loss. This might include stripping track changes, authorship information, embedded objects, or white text.
Administrators can also use the tool to apply specific security policies at a mail server level, which can check recipients against blacklists and whitelists. These policies can either deliver warnings or automatically block attachments from being sent. These two simple checks and measures can help ensure that confidential data is never inadvertently (or deliberately) sent to the wrong people or unauthorized domains, including Gmail, Yahoo, and Hotmail addresses.
Workshare Secure also provides risk analytics, which track the emails leaving a firm to build a picture of what’s “normal” email activity for the users in that firm and what’s not “acceptable.” Risk analytics can be configured specifically to predict which users and sharing behaviors may be putting a law firm at risk.
Our goal is to help security teams detect risk in three minutes or less using a suite of reports. The intelligent algorithms in Workshare Secure have been developed in conjunction with an advisory group of leaders in the legal industry and include dozens of factors to assess threats, such as whether users are sending files to personal email addresses and whether users are attaching files from multiple matters and different clients to a single email. With these reports, it’s possible to drill down to identify specific behaviors demonstrated by high-risk users. For example, it’s possible to see how many attachments a high-risk user has touched over a week. If it’s a higher than usual number, then they are a threat worth investigating. And, in any report, it’s possible to follow the trail right down to an individual email to quickly understand what’s happened.
Shoring Up Defenses
Data loss can result in both hefty fines and serious embarrassment, making it crucial to both detect where risk lies and to protect the firm against the most obvious areas of risk and weakness. Which attachments can and can’t legitimately be shared over email, however, can be a thorny issue for legal teams that deal frequently in confidential data. Before any technology is implemented, firms should discuss policy first.
Kraft Kennedy often works with law firms to help them draft appropriate policies and solidify them with the proper technology. With goals and guidelines in mind, the right security tools can help firms clean files, prevent sensitive metadata from being emailed to the wrong parties, and track the sending of data to comply with regulations and client audits.