Reviewing your data protection strategy in 2018

Tough new data protection laws are coming. Are you prepared?

The rate at which businesses get their hands on our data has outrun governments’ ability to regulate it. Until now. 2018 brings with it huge changes to the way organizations are obliged to collect, manage, and protect personal data if they want to do so legally. Corporations like Yahoo! and Uber who have been victims of mass data leaks are proof that even the biggest players in the game will have to do things differently. So, what needs to change? This white paper looks at new data protection regulations in places like Europe, America, and Australia, and how to protect against the number one cause of data breaches.
Worried about data breaches in 2018? You should be.

Living in a world where information is at our fingertips allows us all kinds of opportunities to connect. But, it also makes it easy for data breaches to happen with just one click. Think about it this way: how often have you sent an email with an attachment to the wrong person? We have all done it (or, at least, heard of someone who has). Every time it happens you risk leaking sensitive information.

So, how confident are you that you won’t accidentally send an email to the wrong person? Or that you won’t attach the wrong document to an email?

Over 50% of reported data breach incidents in Q1 of 2017 were from data being “disclosed in error” according to the Information Commissioner’s Office (ICO). In other words, mistakes like sending an email to the wrong person or forgetting to remove hidden metadata were the number one cause of leaks.

A main focus of the General Data Protection Regulation (GDPR) is ‘Privacy by Design and Default’, which is the concept of implementing appropriate preventative measures rather than focussing on damage limitation and penalties following a data breach.

Preventing accidental data disclosure by email should be one of your top security concerns for 2018. Otherwise your company may end up in a serious financial crisis. Read on to learn about the new regulations and a simple solution to make sure your workplace is protected – the smart way.
Your organization will be affected by the new data protection laws.

Here’s another reason to worry: right now, data regulations around the world are being tightened and even harsher penalties enforced to protect consumers. In Europe and the UK, GDPR is set to completely change the way businesses store and manage personal data. The sweeping new National Data Breach (NDB) notification laws in Australia from February 2018 onwards require all businesses that experience a data breach to report it. Multiple US states have data regulations and a proposed federal data breach notification law (dubbed the Data Security and Breach Notification Act) is being considered right now.

Governments the world over understand cyber security is a huge threat to the safety and privacy of their citizens. They continue to tighten the law for businesses who hold valuable information and impose harsh penalties when it is not properly protected. How will legal regulations affect you?

Regulations covered in this paper:

- (GDPR) General Data Protection Regulation
- (NDB) National Data Breach
- Data Security and Breach Notification Act
EUROPE & UK

GDPR requires data holders to do everything in their power to protect the personal data of European citizens from being leaked or exposed. Even accidental leaks are viewed as the data holder not doing enough to keep personal information safe. Because of this, unintentional data breaches – like sending an email to the wrong person, or not redacting a person’s bank account number – have penalties just as if the business did not use passwords and security systems to protect against hackers. Therefore, it is essential you have the necessary safeguards in place before these regulations come into effect on 25 May 2018.

Who does it apply to? Any organization globally that holds or processes the personal data of European citizens.

Penalties: minor offences are to be punished by a fine of up to €10,000,000 (USD $12,000,000) or 2% of annual global turnover (whichever is greater). More serious offences could be fined up to €20,000,000 (USD $25,000,000) or 4% of annual global turnover (whichever is greater).

It should not be forgotten that the available penalties are more than just financial. The Data Protection authorities have far-reaching powers that include the ability to put a stop to a business’s data processing or naming and shaming them publicly – either of which could be far more damaging than a financial fine.

According to analysis, if GDPR was applied in 2016, UK business fines would have amounted to £69m (USD $95m) rather than £880,500 (USD $1,210,000).

Source: “Last year’s ICO fines would soar to £69 million post-GDPR.” NCC Group, April 28, 2017.
AUSTRALIA

Beginning 22 February 2018, the Notifiable Data Breaches scheme (NDB) requires organizations in Australia to report all eligible data breaches to the affected parties and the Office of the Australian Information Commissioner (OAIC). Under the law, data breaches are those that result in serious harm to any individual affected and include emails sent to the wrong recipient.

Who does it apply to? Australian Government agencies, businesses and not-for-profit organizations with an annual turnover of $3 million (USD $2,400,000) or more, credit reporting bodies, health service providers, and TFN recipients.

Penalties: regulatory action and court-ordered civil penalties.

What is considered a data breach under the NDB?

1. Unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information that an entity holds
2. If the above is likely to result in serious harm to one or more individuals, and
3. If the entity has not been able to prevent the likely risk of serious harm with remedial action

Source: Office of the Australian Information Commissioner (OAIC)
USA

Nearly all US states have their own data breach notification laws. California was the first with legislation introduced in 2003. Different industries have their own regulations – the Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers medical data and the Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, covers financial data.

PepsiCo’s sticky situation with the Wall Street Journal

A lawyer at PepsiCo’s firm Wilmer Cutler Pickering Hale and Dorr accidentally sent a Wall Street Journal reporter confidential documents full of past whistle-blower claims involving the company. The firm is “taking additional measures designed to ensure that emails are not misaddressed to unintended recipients”.

Source: “Wilmer ‘Inadvertently’ leaks Pepsi client secrets to Wall Street Journal.” Legaltech News, September 27, 2017.
How can I stop accidental data leaks happening over email?

The market is flooded with email security products but they will only protect you after you’ve sent the email – which is often too late. Email users need a solution that steps in before the email has a chance to leave their Outbox if they want to be fully protected against accidental data leaks.

Adding checks to your email sending process doesn’t have to mean it gets slower or less efficient. Taking a few moments to confirm that a) the email is going to the right person and b) it contains only the information you intend it to, can keep data secure and organizations compliant with laws and regulations whilst avoiding reputational damages or costly mandatory breach notifications.

The best tools to stop accidental data leaks happening over email are recipient checking, attachment checking, and metadata cleaning.

See page eight for how these solutions can help protect you against the three most common sources of accidental data leaks.
Potential Leak: Accidentally emailing the wrong person

How to Stop it: An email add-in to confirm recipients

The ICO found that 37% of all data breaches reported between April and June 2017 were due to information being sent to the wrong recipient. If it happens internally it can be embarrassing, but if an email is sent externally and gets in the wrong hands, it can be seriously damaging to a business’s reputation and have major financial consequences.

Email recipient checking technology assesses the domain names of recipient email addresses and assigns a risk level based on whether they are internal, external or public domains. The sender is then required to confirm the external and public recipients and their email addresses. Once this is complete the email can be sent.

Email recipient checking solutions commonly protect against other sources of inadvertent data disclosure such as Reply All or Reply All when blind copied on a thread (BCC). In these instances, users must confirm that is the intended action. A law firm partner recently shared with us that she had accidentally sent her tax return to the entire firm by Replying All on the wrong thread and in doing so revealed full details of her earnings.
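The recipient-classification and Reply All checks described above, written out as an added example. This is illustrative code, not DocsCorp's or the cleanDocs add-in's implementation. The internal domain (`example-law.com`), the set of public webmail domains, the `original_visible` field (the To and Cc list of the message being replied to, which a mail client would have to supply) and the sample drafts are all constructed assumptions.

```python
"""Send-time recipient checking: classify each recipient's domain as internal,
external or public, and flag a Reply All sent by someone who was only BCC'd.
Added example; not DocsCorp/cleanDocs code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: the sending organisation's own domain(s).
INTERNAL_DOMAINS = {"example-law.com"}
# Assumption: consumer webmail domains, where anyone can hold an address.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Ordered risk levels: internal < external (another organisation) < public (webmail).
RISK_LEVEL = {"internal": 0, "external": 1, "public": 2}


def classify_recipient(address: str) -> str:
    """Assign internal / external / public from the domain part of an address."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or "." not in domain:
        raise ValueError(f"not a usable email address: {address!r}")
    domain = domain.lower()
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in PUBLIC_DOMAINS:
        return "public"
    return "external"


@dataclass
class Draft:
    sender: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    reply_all: bool = False
    # To + Cc of the message being replied to (assumption: supplied by the mail
    # client). If the sender is absent from it, they were BCC'd on the thread.
    original_visible: List[str] = field(default_factory=list)


def replying_all_from_bcc(draft: Draft) -> bool:
    """True when the sender is replying to all on a thread where they were only BCC'd."""
    if not draft.reply_all:
        return False
    visible = {a.lower() for a in draft.original_visible}
    return draft.sender.lower() not in visible


def review_draft(draft: Draft) -> Dict[str, object]:
    """Decide what the sender must confirm before the message may leave the Outbox."""
    to_confirm: List[Tuple[str, str]] = []
    for addr in draft.to + draft.cc:
        level = classify_recipient(addr)
        if level != "internal":
            to_confirm.append((addr, level))
    prompts: List[str] = []
    if to_confirm:
        prompts.append("confirm_external_recipients")
    if replying_all_from_bcc(draft):
        prompts.append("confirm_reply_all_from_bcc")
    # Overall risk is the highest level among the recipients needing confirmation.
    risk = max((RISK_LEVEL[level] for _, level in to_confirm), default=0)
    return {
        "risk": risk,
        "confirm": to_confirm,
        "prompts": prompts,
        "send_without_prompt": not prompts,
    }


if __name__ == "__main__":
    # Constructed drafts: purely internal; a webmail address in Cc; and a Reply All
    # from a sender who was BCC'd on the original thread.
    internal = Draft("alice@example-law.com", to=["bob@example-law.com"])
    mixed = Draft("alice@example-law.com", to=["counsel@partnerfirm.co.uk"],
                  cc=["bob.smith@gmail.com"])
    bcc_reply = Draft("alice@example-law.com", to=["all-staff@example-law.com"],
                      reply_all=True, original_visible=["all-staff@example-law.com"])
    for d in (internal, mixed, bcc_reply):
        print(review_draft(d))
```

The add-in would raise the `confirm_external_recipients` prompt listing each non-internal address with its level, and a separate `confirm_reply_all_from_bcc` prompt for the tax-return scenario above, where the sender's own address never appeared in the original To or Cc.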
Potential Leak: Sending the wrong document or file

How to Stop it: An email add-in that confirms each attachment is the correct one to attach

With over 205 billion email sends on an average weekday it is no wonder there are so many opportunities for error. Employees making mistakes when sending emails is often the basis for organizations deploying additional security measures. Some are minor matters, but others are more serious – like sending customer lists to business partners with connections to competitors. Now, under new regulations, this could cost a business millions of dollars.

An email recipient checking solution should also offer an attachment checking function. On the same screen at the same time, users can confirm that both the email addresses and attachments are correct. Intervening before the email leaves the Draft folder stops information leaks in their tracks.

In January 2018 Leicester Council sent details of “hundreds, potentially thousands” of vulnerable people to taxi firms

The council accidentally sent a spreadsheet containing the details of people requiring care or with special needs to 27 taxi companies while soliciting tenders to transport such people. A recall email was sent over 24 hours later asking recipients to delete the email without trying to open or read it. Councillor Ross Grant, however, said that “There is no guarantee this has not been copied and spread, we cannot put the genie back in the bottle”.

Source: “Leicester Council sent care children list to taxi firms.” BBC News: UK, January 12, 2018.
Potential Leak: Hidden information in email attachments

How to Stop it: A document metadata cleaner add-in

Every document contains metadata. File metadata, for example, is embedded in the file and is different to the information that is typed on the page – such as Track Changes or comments. It can tell the reader who created the document, how long was spent editing it, and where the document is saved. Cleaning a document of metadata means that the recipient will only be sent what would be printed.

Removing potentially harmful forms of metadata from attached files is the third risk area that should be considered when investigating ways to prevent email related data leaks. Technology to remove metadata has been available for some time and, like recipient and attachment checking, should also be deployed at the point of sending so that problems are addressed before emails leave the organization.
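To make the metadata risk concrete, here is an added example that inspects and strips the hidden properties of a Word (.docx) file, which is a zip package of XML parts. It is illustrative code, not DocsCorp's or cleanDocs' implementation. The sample document it builds in memory (author `j.doe`, last editor `a.partner`, 95 minutes of editing time, a company name and one comment) is constructed, and the regex-based stripping is a simplification: a production cleaner would also update the package's content types and relationship parts so that Word does not report dangling references.

```python
"""Inspect and strip metadata from a .docx package (zip of XML parts).
Added example; not DocsCorp/cleanDocs code. The sample document is constructed."""
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Package parts that carry metadata rather than printed content.
METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
COMMENT_PARTS = ("word/comments.xml",)
# Fields a recipient could read from those parts (author, last editor, edit time, ...).
INTERESTING_TAGS = ("dc:creator", "cp:lastModifiedBy", "cp:revision", "TotalTime", "Company")


def build_sample_docx() -> bytes:
    """Constructed minimal .docx with an author, editing time, company and a comment."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>a.partner</cp:lastModifiedBy>'
            '<cp:revision>14</cp:revision></cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<TotalTime>95</TotalTime><Company>Example Law LLP</Company></Properties>')
    comments = ('<w:comments><w:comment w:id="0"><w:p><w:r><w:t>internal note: floor is $8,000'
                '</w:t></w:r></w:p></w:comment></w:comments>')
    document = ('<w:document><w:body><w:p><w:r><w:t>Offer letter</w:t></w:r>'
                '<w:commentRangeStart w:id="0"/><w:r><w:t>$10,000</w:t></w:r>'
                '<w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r>'
                '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


def inspect_metadata(docx: bytes) -> Dict[str, str]:
    """Report the hidden fields a recipient would be able to read from the package."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = set(z.namelist())
        for part in METADATA_PARTS:
            if part not in names:
                continue
            xml = z.read(part).decode("utf-8")
            for tag in INTERESTING_TAGS:
                m = re.search(rf"<{tag}>(.*?)</{tag}>", xml)
                if m:
                    found[tag] = m.group(1)
        found["has_comments"] = "yes" if any(p in names for p in COMMENT_PARTS) else "no"
    return found


def clean_docx(docx: bytes) -> Tuple[bytes, List[str]]:
    """Copy the package without metadata/comment parts; strip comment markers from the body."""
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename in METADATA_PARTS or item.filename in COMMENT_PARTS:
                removed.append(item.filename)
                continue
            data = src.read(item.filename)
            if item.filename == "word/document.xml":
                text = data.decode("utf-8")
                # Drop the anchors that tie body text to the (now removed) comments part.
                text = re.sub(r"<w:commentRange(?:Start|End)[^>]*/>", "", text)
                text = re.sub(r"<w:r><w:commentReference[^>]*/></w:r>", "", text)
                data = text.encode("utf-8")
            dst.writestr(item.filename, data)
    return out.getvalue(), removed


def body_xml(docx: bytes) -> str:
    """Return the main document part, i.e. roughly what would be printed."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return z.read("word/document.xml").decode("utf-8")


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", inspect_metadata(sample))
    cleaned, removed = clean_docx(sample)
    print("removed parts:", removed)
    print("after:", inspect_metadata(cleaned))
```

Run before sending, the inspection step is what a metadata cleaner would show the user (who authored the file, how long they spent, and that reviewer comments are present), and the cleaning step leaves only the printed text.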
Conclusion

Human error is an unavoidable part of everyday life. While some slip-ups might be harmless, the ones that aren’t can be disastrous for a professional reputation and a company’s bottom line. When it comes to the data your organization holds, it is incredibly important that all necessary steps have been taken to protect it from ending up in the wrong hands. Implementing an email security system alone isn’t enough – checks need to be in place before an email can leave the organization. Every email user should be in full control of what information they are sending and to whom. Take time to find the right solutions and implement them now, before the new global data protection regulations come into force.
Sponsored by:

Try the smart solution to stop information leaks over email

cleanDocs from DocsCorp is the only solution to offer recipient checking, attachment checking, and metadata cleaning in a single product, as protection against the most likely causes of accidental data breaches. Users won’t have to change the way they work since the cleanDocs Microsoft Outlook add-in only pops up when needed. Then, you can check and confirm each email recipient and attachment on one screen, and in just a few clicks. Plus, you can rapidly clean email attachments of hidden metadata to prevent leaks of often-unseen information.

Send the right information to the right person every time and remove the risk of accidental leaks. Learn more about cleanDocs as a solution at docscorp.com/cleanDocs

DocsCorp designs easy-to-use software and services for document professionals who use enterprise content management systems. We provide solutions for metadata removal, document processing, PDF manipulation, and document comparison.

The DocsCorp product suite is built to drive business efficiency and increase the value of existing technology investment. We help transform any organization’s slow and outdated processes using sophisticated solutions that integrate with most major document management systems.

DocsCorp is a global brand with customers located in the Americas, Europe, and Asia Pacific. More than 500,000 users in 67 countries rely on DocsCorp software every day.

SYDNEY
LONDON
PORTLAND (OR)
PITTSBURGH
MANILA

info@docscorp.com
www.docscorp.com