A staffer at Wilmer Hale, one of the world’s largest and most prestigious law firms, sent client confidential SEC-Whistleblower strategies of PepsiCo, their client, to the Wall Street Journal by accident. How could this happen? Human error, they claim.
In this situation, the staffer was sending the internal client secret memo to other staffers and accidentally added a person at the Wall Street Journal (WSJ) as one of the recipients. It appears the “auto-complete” feature in their email program — the one that pops up names/email addresses as you start to type them in the “To” field — populated the WSJ journalist’s address and the sender did not notice.
Have you ever received an email sent to you in error – a business email?
This caused a serious data breach, only to be made worse when the WSJ elected to publish the information in an article even after being advised the information was confidential and privileged client correspondence sent to them in error.
Let’s look at this issue from two perspectives:
- That disclaimer you see at the bottom of lawyers’ and others’ email that asks you to destroy the email if you received it in error really is meaningless.
Here is a sample that most have seen: “The information in this communication is strictly confidential and may be privileged. It is intended solely for the individual or entity to whom it is intended to be sent. If the reader of this communication is not the intended recipient, or the employee or agent of the intended recipient, any dissemination, copying, or use of this communication is strictly prohibited. If you have received this communication in error, please do not read the message or any attachments. Please notify the sender immediately and then delete this communication from all data storage devices and destroy all hard copies. Thank you.”
In this case, not only was there a disclaimer, the law firm contacted the WSJ pointing out the error and asking for the WSJ to destroy the electronic message. Well, the WSJ destroyed the electronic message, they claim, but not before printing it out and saving the hard copy!
- Encryption may be the answer. If the message had been sent encrypted — using for example common TLS transmission security — Internet eavesdroppers would not have been able to see the message, but certainly the WSJ (the addressed recipient) would have received and seen the message.
Those dealing in sensitive information — what Tech Essentials calls “strategic secrets” — should consider different email encryption options depending on the type of content one is sending.
For example, if you are sending information that you want to protect from Internet eavesdroppers for business privacy compliance, you should have options to make it as simple as possible for the recipient, yet secure enough to protect from these threats.
If you are sending information that has high stakes if disclosed (strategic secrets), you should consider encryption settings that wrap the message in an encrypted casing and ensure that the message remains encrypted through the recipients’ IT department, mail service provider, and remains encrypted while sitting in the recipient’s inbox and/or email archive. To further ensure privacy, you might want to share the decryption password by telephone.
This may all sound complicated — and we all know, the more complicated, the less used — but RMail makes it easy to toggle with one click from “simplest” secure user experience to what RMail calls RPX encryption to “secure even inside the recipient inbox” for heightened privacy protection to safeguard strategic information.
Had Wilmer Hale been using RMail, and had they trained staff as to when to use RMail RPX encryption mode, the WSJ journalist would not have been able to see any email content.
Human error is challenging to prevent as it takes a combination of training and tools. But if the tools are simple to use, and the training sufficient, the tools will be used and human error risk will be mitigated.
Don’t send your client sensitive information to the WSJ. Try RMail’s RPX email encryption mode.