Delivering Data Breaches by Email

   Words by Paul McQuillan

   on 09/03/2018 08:00:00

imageWhen we think of a Data Breach, we tend to think of malicious hackers tunnelling their way into systems to steal or access data.  However for many companies the most likely Data Breach is the simple tool we use every day, Email.

Email is obviously a great tool for fast communication that is instantly accessible and easy to use, essentially everyone gets it.  However Email also allows us to attach any document and click send, without checks on whether sensitive data is being sent along with the email.

We frequently see this with PDF or Word Documents that contain an individual’s details and address, or lists of contacts with individual data being collected in a Spreadsheet and sent via email internally or externally.

The risk here is that any attachment is duplicated when we send in an email – so a copy of the Document resides in our Sent Items + in the Inbox of anyone receiving the email, and we naturally have no control what happens to the data once it is outside our system.  This means that personal or sensitive data can easily be distributed by email, and this constitutes a data breach as we are no longer managing or auditing access to this data.

IT Experts have been warning about the risks of data leakage via email for some time – however the incoming GDPR legislation places stiff new tests on our ability to identify and respond to a Data Breach, to the point where we should consider whether email attachments should be used at all in the future.

A useful analogy of this is to think of the data existing in our systems as residing within our ‘security envelope’, where we manage the level of protection available to avoid data breaches.  Any data we send via Email is essentially being thrust outside of this security envelope, and so any protections we have in place are rendered null and void.

However if we store and distribute this data, then we are responsible under GDPR and so should take precautions to avoid this type of data breach.

How to avoid Email Data Breaches..

  • Stop using Email Attachments - The inherent copying of data in an email attachment moves data out of our well managed audited systems.  Instead we can use systems that allow us to send Documents via a Secure Link – such systems will typically audit each user’s access to the document or file, and so produce an audit trail of access to the potentially personal or sensitive data. 

Obviously we cannot stop someone downloading the file and then emailing out themselves, but if this happens then we can identify the data breach to who has misused their access to the information.

There are various ways to implement secure links – SharePoint and Office 365 providing excellent tools for sharing via link rather than attachment.  For CRM and Dynamics, we use our in-house DocMan App to track both incoming and outgoing Email Attachments securely in CRM to then only share via secure link to avoid accidental data breaches - 

  • Online Portal – We can also avoid accidentally distributing data outside of our security envelope by using an Online Portal that our Clients or Suppliers can log into to access data, documents or files we need to share with them.  This has a great advantage of logging access as Users log-in or log out of the Portal, and essentially invites them into our security envelope in controlled conditions rather than sending the information outside our envelope.  This effectively enforces the same level of protection as a secure link, as the data never leaves our security envelope.

Data Breaches in GDPR

GDPR has originated from several high profile data breaches where large companies were found to be storing data in a less than secure way that left them open to significant breaches.

As such the regulation takes Data Breaches by organisations holding personal or sensitive data very seriously.

You should have procedures in place to detect, report and investigate a potential data breach.

If the breach is the result of data sent via an email, this can be very difficult to comply, as we simply have no way of knowing what a recipient has done with that attachment – whereas any audited access to data can be reported back so the impact of the data breach is identified and minimised.

For more information on GDPR and it’s implications on CRM and Document Management, the following two articles may be useful:


Implementing GDPR with Dynamics CRM

Further Reading

ICO. Information Commissioner’s Office on Personal Data Breaches

Barracuda Explanation of DLP 

Everything you need to know about GDPR Compliance and Email Security

Share this Article

Search Articles

Filter Articles

CRM Tech DocMan

Recent Articles

Release Wave 2 New Feature: The Columns Button HOW TO: Search a date field in Microsoft Dynamics The Relevance Search COMING SOON to Power Apps Portals HOW TO: Manage Your Dynamics 365 Database Size (Video Included) Dynamics 365 Marketing vs ClickDimensions It’s time to pause, reflect and acknowledge a new era of inclusivity and collaboration. Part 2 - How to get the most from a Technology Expert – Asset Management Hub Property & Asset Management Hub Part 1 – Balancing CRM and Asset Management Scopes - Asset Management Hub Creating a Multi-Lingual PowerApps Portal How to Set Up a Microsoft Teams Site Using DocDrive365 Microsoft Teams - Adding a Microsoft Teams URL to a Dynamics Appointment Dynamics 365 Marketing – Customer Voice Survey Not Appearing In Emails? Using SQL Management Studio to connect to the Dynamics DB Calling a Power Platform AI Builder Model via oData How to use DocDrive365 to integrate permissions between Business Units in Dynamics with Sites in SharePoint Getting started with the Power Platform AI Builder. Power Apps Portal Information Hub DocDrive365 Security: Day One - Getting Started with Dynamics to SharePoint Permissions Part 5 - Power Apps Portals: How To Connect Azure B2C With Linked-In Part 4 – Power Apps Portals: Styling Azure B2C for Power Apps Portals The 3 Phases for Using Multi-Select Option Sets in Flow with Microsoft Forms Part 3 – PowerApps Portals: Azure B2C and Power Apps Portals – User Flow for Signup and Signin Part 2 - Power Apps Portals: New Application Registration in Azure B2C for our Power Apps Portal Part 1 – Power Apps Portals: Creating a New Azure AD B2C Tenant
Contact Us

Want expert advice or a demo?

Get in touch now and see how we can help your business grow.

  • Name
  • Email Address
  • Phone Number

Understanding Your Challenges

Our strong understanding of CRM and emerging technologies within the Microsoft environment means we deliver the right solutions for you.

Proven Real-World Solutions

As a leader in the field of Dynamics solutions, our pedigree developing and delivering real-world solutions is unsurpassed.

Long Term Support

We provide support beyond our design, implementation and 'go-live' delivery using Sprints and continual updates to our AppSource apps.

CRMCS | Design by Thinktank Marketing | Citrus-Lime Limited

To improve your experience today and in the future, this site uses cookies. Read our full Privacy Policy & Cookie information here I Understand