There is no doubt that email has become a basic and essential communication and management tool in the day-to-day life of most companies, as it provides great advantages in terms of accessibility, speed and availability of information, among others.
It is also true, however, that it has become one of the most common sources of cyber-attacks. Therefore, it is very important that, at the organizational and internal level of each entity, in addition to establishing a policy on its use, those who use email accounts to send and receive information, that is, the employees, are made aware of the risks.
Organizations such as the Internet Security Office (OSI) or the National Cybersecurity Institute (INCIBE) frequently produce useful material on cybersecurity. In relation to the use of email, for example (see here), the following should be highlighted as good practices:
– Do not open emails from unknown senders with attached documents and be careful when clicking on links included in such emails.
– Install anti-malware applications and activate anti-spam filters.
– Always use passwords that are secure.
– Avoid using email from public places.
– Encrypt email when sending confidential or sensitive information.
– Do not publish email addresses on the company website or on its social networks.
– Never respond to junk mail (spam).
– Disable HTML in critical email accounts.
– Use blind carbon copy (BCC, or CCO in Spanish) when sending a message to multiple recipients.
And it is this last practice that this publication focuses on, on the occasion of one of the latest resolutions (PS/00322/2020) of the Spanish Data Protection Agency (AEPD), based on the claim filed by an interested party upon receiving an email from a law firm, sent without blind copy, in which the addresses of dozens of recipients appeared, informing them of the blocked status of their bank accounts, including theirs.
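The failure the resolution describes, and the control that prevents it, as an added example that is not part of the original publication. It uses only Python's standard `email` library; the sender and recipient addresses are constructed sample values, and the `wire_copy` function reproduces what `smtplib.send_message()` does with the Bcc header (it is stripped from the headers and used only as envelope recipients), so the delivered copy can be inspected without a mail server.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the demonstration (not real addresses).
SENDER = "notices@example-lawfirm.test"
RECIPIENTS = [f"client{i}@example.test" for i in range(1, 31)]
BODY = "Your account status has changed. Please contact us for details."


def build_exposed_message(sender, recipients, body):
    """The pattern sanctioned in PS/00322/2020: every recipient in To, visible to all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Account notice"
    msg.set_content(body)
    return msg


def build_bcc_message(sender, recipients, body):
    """Good practice: sender addressed in To, the real recipients only in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = "Account notice"
    msg.set_content(body)
    return msg


def wire_copy(msg):
    """Mimics smtplib.send_message(): Bcc/Resent-Bcc are removed from the transmitted
    headers and used only as envelope (RCPT TO) recipients. The original is untouched."""
    out = copy.copy(msg)
    for hdr in ("Bcc", "Resent-Bcc"):
        del out[hdr]
    return out


def visible_recipients(msg):
    """Addresses any recipient can read in the delivered copy: To and Cc only."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(values)]


def preflight_check(msg, max_visible=5):
    """Outbound control: refuse to send when too many third parties would see each other.
    The threshold is an assumed policy value, not one taken from the resolution."""
    return len(visible_recipients(wire_copy(msg))) <= max_visible
```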
As we have already discussed on other occasions (see publication), an email address is considered personal data as long as it directly identifies the person who owns the account, or the latter can be easily identified without a disproportionate effort, for example when the address appears together with other data that allows identification, or because of the content of the message, etc. In that case the applicable regulations must be respected:
- Law 34/2002, on services of the information society and electronic commerce (LSSI), insofar as commercial communications by email are a service of the information society and the law establishes that they must be identified as such. It prohibits sending them by email or other equivalent electronic means of communication without the prior consent of the recipient.
- The European General Data Protection Regulation (RGPD) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD). It is not the first time that the AEPD has sanctioned an entity for sending emails to various recipients without using blind copy, nor is it the first time that the AEPD has sanctioned a law firm for this reason. Thus, for example, in Resolution PS/00320/2019 a fine of 5,000 euros was imposed on another office.
In the case at hand, the AEPD has sanctioned the office with a fine of 10,000 euros, which, as we will see below, was later reduced to 6,000 euros for voluntary payment.
But what does the AEPD take into account when sanctioning?
A sanctioning procedure is initiated by our supervisory authority when the complainant considers that his privacy has been violated because his email address is visible together with those of the rest of the recipients. In addition, on this last occasion, the office was first required to send information to the AEPD within one month on the response given to the person affected by the reported events, the causes that led to the incident, and the measures that had been adopted. However, the respondent entity did not reply within the period indicated.
On the other hand, by virtue of Article 32 of the RGPD, “Security of processing”, it should be noted that:
The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons; these measures include, among others:
• Pseudonymization and encryption of personal data;
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account shall be taken of the risks presented by the processing, in particular from accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of, or access to, such data, which could cause physical, material or non-material damage.