5 'security excuses' that make each email a potential data breach

4 min read


It is important that you always send personal data securely. That awareness is increasingly present on the work floor. Nevertheless, ZIVVER directors Rick and Wouter still hear numerous irrational arguments for not applying this rule. Which of these 'security excuses' do they hear most frequently? Wouter discusses them one by one.


Security excuse 1: Such a small file does not need security

The size of the data is often decisive. The larger the requested file, the greater the chance that the data will be sent securely. In itself this is logical enough, based on a quick assessment of the consequences of a possible data breach. In the experience of the sender, the risk increases with the amount of data.

The law sees this differently, however: a data breach is a data breach, even if only one person is involved. Furthermore, the new General Data Protection Regulation introduces the possibility that interest groups can approach other concerned parties in order to bring a joint lawsuit. If things go wrong for one patient, the chances are that other patients - without knowing it - also risk becoming a victim.

In addition to a possible claim for damages, reputation damage is already inevitable. Conclusion: anyone who sends personal data insecurely because it only involves a small quantity of data is assuming a false argument with potentially significant consequences.


Security excuse 2: The recipient requested the information him or herself 

My mother asked her hospital for a copy of the treatment report from her ophthalmologist. This was promptly sent to her by email, including her name, full address, patient number, insurance number, BSN (citizen service number) and the full treatment report. There was a warning at the bottom of the referral letter: 'Please note, this report may contain a citizen service number.' Anyone who intercepts that email will suddenly know a lot about my mother. The question is also what the function of the warning was at the bottom of the referral letter. Can you ignore it if a recipient has herself requested data?

We also encounter similar situations with notaries and lawyers. At the request of the customer, they often send a copy of a will, a prenuptial contract or purchase deed by email. If the client or patient has asked for it, security is apparently not important. Or maybe we think that the risk of a data breach is borne by the customer if he or she has requested information him or herself? That sounds easy enough. Until the information falls into the wrong hands, of course.


Security excuse 3: You do not need security for colleagues

If you send a colleague an email, you often do not immediately think of security. After all, the risk that sensitive information will end up in the public domain is smaller when using internal email. Unfortunately, this is not a criterion for the law: an email with sensitive information must always be sent securely, even if it remains inside the organisation. As soon as personal data comes to the attention of someone who did not have permission or a need for this, a data breach has occurred.

Moreover, there are enough painful scenarios imaginable involving leaked internal information. No employer would like to see information about salaries, reorganisations, treatment plans or test results, for example, reach the wrong employee. Prevention is better than cure. We know of cases involving an internal leak about salary data. The managers involved had to sign several confidentiality declarations and prove that the data had not been stored anywhere. The first is annoying, but think how complicated it would be to prove that you did not do something ...


Security excuse 4: The recipient does ensure good security

Municipalities and other parties must regularly share information with the police. This takes place remarkably often by unsecured email. An important motivation is the conviction that 'the police have undoubtedly got their security in order'. The same idea applies to other parties with regard to which you as sender assume that their security is sound. This is misguided logic - even apart from the question of whether you are certain that everything is really in order. Even if you send an email to an extremely secure recipient, someone can intercept that information along the way. With all the undesirable consequences that entails. And if you accidentally send the email to the wrong recipient (who does not work for the police), then you are really looking at a data breach.


Security excuse 5: The recipient probably doesn't want all that extra hassle

Healthcare professionals, civil servants and lawyers often find it difficult to burden their clients with 'extra hassle'. You often see them making an estimate: how many clients or patients will be irritated by this, or will not open this email because they have to take an extra step? That estimate is irrational. If one out of one hundred recipients has complained in the past, many people wrongly project this experience on the 99 other recipients that did not make a fuss. In fact, you are then selling very short the many recipients who appreciate the secure handling of their sensitive data!

And as with the previous considerations, the law, journalists, customers and chain partners have little understanding for this. Anyone sending personal data must always know the risks and take measures him or herself. Excuses never help limit reputational damage, or help avoid a high fine.


GDPR Checklist

This blog gives you an idea of what is involved in secure emailing. It is an important part of the GDPR. Our checklist contains all the steps you need to take to achieve GDPR compliance. The document addresses in greater detail matters such as drafting a processor's agreement, obtaining permission for the processing of personal data, the security measures to be taken and the obligation to report data leaks.


Written by
Picture of Wouter Klinkhamer

Wouter Klinkhamer

Wouter was van de oprichting in 2005 tot 2016 een vaste waarde in het team van Gupta Strategists. In die tien jaar groeide Gupta van een nieuwe nichespeler met 5 consultants naar de marktleider in strategisch zorgadvies in Nederland met 25-30 consultants. Wouter begon zijn periode bij Gupta als strategist en nam afscheid als partner. Wouter is bij ZIVVER betrokken vanaf het eerste moment dat Rick (op dat moment collega bij Gupta) met het idee speelde een oplossing te maken voor alle problemen rondom veilige uitwisseling van gevoelige informatie. Hij geniet ervan om ZIVVER te ontwikkelen van een goed idee naar wereldwijd succes. Zijn studieachtergrond als Bedrijfskundige en Jurist is nu van grote waarde om het bedrijf achter het idee zo goed mogelijk te laten werken. Je kunt Wouter tegenkomen in het Concertgebouw, op de racefiets of wandelend op de hei.

Originally published on June 29, 2018

Last update on June 29, 2018