
POPIA and emails

Griessel Consulting

A large proportion of an organisation's IP typically resides in email. Email is also the main mechanism for a host of cyber attacks, including malware, phishing and social engineering. POPIA compliance and data protection in relation to the use of email relate to technology as well as to how the system is used. On the one hand, it is crucial to ensure that email data security and data leak prevention solutions are put into place. In addition, users such as employees should be educated in terms of meeting POPIA requirements when they send, forward or reply to emails, and also in how they react upon receiving them.

Developing a compliant email strategy requires an organisation to first identify and map the process of email data flow as well as its various components. Then it needs to demonstrate that this data is protected and controlled, and that the organisation is aware of all of the data touch points and storage points and of who has access to them.

People / Users

People, and especially employees, should be aware of the risks of using email and of how they may inadvertently disclose personal information. Alert employees to new scams around phishing, social engineering, man-in-the-middle attacks etc. A regularly updated email policy is a useful tool in this regard.

Some pointers:

- Use work-related email accounts for work-related purposes.
- If processing personal information through work email accounts, ensure that the files are encrypted.
- Avoid using personal information in subject lines.
- Ensure that emails are sent to the correct recipients, particularly emails involving personal information.
- Do not use the "reply all" button before you have considered whether it is really necessary for all the recipients to see the content of your email, and whether they are authorised to do so.

- Be aware of long email strings (threads) that may be included in emails without having checked whether all the information may be disclosed to the recipient of your email. It often happens that confidential internal correspondence is inadvertently disclosed to third parties (clients) in this manner.
- Do not disclose the email addresses of a group of recipients in a visible manner unless you have their explicit consent to do so. Rather use BCC or undisclosed recipients.
- Include as part of your email signature an appropriate warning to prohibit dissemination in case the message reaches the wrong recipient.
- When sending invoices, a warning (disclaimer) such as the following could be included: "Be aware of cyber fraud and cyber-related crimes. We will not accept any liability for any such fraud and the damages that may arise from acting on FRAUDULENT information, especially if the information requires a direct payment to an account that differs from our invoice / statement."

Technology

Technology provides an essential enabler in meeting the security requirements of these various components. Verify that your IT service provider has specialist knowledge of the compliance aspects of technology solutions. It is essential to have controls in place to ensure that these systems do not accidentally send confidential information to the wrong people. Platforms should ideally be scalable to allow for future growth. In addition, it is essential for email solutions to be resilient, so that continuity is provided in case one part of the system fails.

Once organisations have a platform in place to provide mail services, they need to examine peripheral services around the email function, including additional security such as data leak prevention. The nature of the technology itself means that it incorporates metadata that can prove the chain of custody of information, which is an essential component of POPIA compliance. The email platform needs to incorporate security measures and provide information to prove that a full chain of custody is maintained. Archiving solutions are available that provide an extra layer of security and that also make it easier to access the archived emails directly, which is important when retention or destruction of the information has to be considered or when the chain of custody has to be proved.

Bolting these features and services on to a legacy email solution often results in a disjointed and fragmented environment, so an integrated solution built from the ground up with these factors in mind is preferable. Incorporating these various technologies into an integrated platform will ensure that all of the metadata is consolidated and stored with the email, providing the required chain of custody information easily and on demand in case of a data breach or security compromise.
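The pointers in the People / Users section above (no personal information in subject lines, BCC for groups of recipients, no quoted internal threads going to outsiders) and the Technology section's call for controls that stop confidential information reaching the wrong people can be turned into a pre-send check. The following is an added example written for this page, not code from Griessel Consulting or from any product it describes. It assumes a constructed internal domain (example.co.za), a constructed threshold of five visible recipients, and a constructed definition of "personal information in a subject" (a 13-digit run, the length of a South African ID number, or an e-mail address); the sample drafts are constructed.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: the sending organisation's own domain (constructed for this example).
INTERNAL_DOMAIN = "example.co.za"

# Assumption: a 13-digit run (the length of a South African ID number) or an
# e-mail address appearing in a subject line is treated as personal information.
PERSONAL_INFO_PATTERNS = {
    "13-digit identifier": re.compile(r"\b\d{13}\b"),
    "e-mail address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}

# Assumption: more visible recipients than this should go out via BCC.
MAX_VISIBLE_RECIPIENTS = 5


def recipients(msg, *headers):
    """Return the bare, lower-cased addresses found in the named headers."""
    raw = [value for header in headers for value in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def check_subject(msg):
    """Pointer: avoid personal information in subject lines."""
    subject = msg.get("Subject", "")
    return [
        f"subject contains a {label}; move it into the (encrypted) body or attachment"
        for label, pattern in PERSONAL_INFO_PATTERNS.items()
        if pattern.search(subject)
    ]


def check_visible_recipients(msg):
    """Pointer: do not expose a group of recipients' addresses; use BCC."""
    visible = recipients(msg, "To", "Cc")
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return [f"{len(visible)} addresses are visible to every recipient; use BCC or undisclosed recipients"]
    return []


def check_quoted_thread(msg):
    """Pointer: quoted internal correspondence must not leak to outside parties."""
    external = [a for a in recipients(msg, "To", "Cc", "Bcc") if domain_of(a) != INTERNAL_DOMAIN]
    if not external:
        return []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Assumption: a quoted "From:" line carrying the internal domain marks quoted internal mail.
    quoted = re.findall(r"^>?\s*From:.*@" + re.escape(INTERNAL_DOMAIN), text, re.MULTILINE | re.IGNORECASE)
    if quoted:
        return [f"{len(quoted)} quoted internal message(s) would reach external recipients: {', '.join(external)}"]
    return []


def presend_checks(msg):
    """Run all checks; an empty list means the draft passes."""
    return check_subject(msg) + check_visible_recipients(msg) + check_quoted_thread(msg)


def risky_draft():
    """Constructed draft that breaks three of the pointers at once."""
    msg = EmailMessage()
    msg["From"] = "hr@example.co.za"
    msg["To"] = ", ".join(f"client{i}@client-example.com" for i in range(1, 7))
    msg["Subject"] = "Contract for J. Doe, ID 0000000000000"  # placeholder ID number
    msg.set_content(
        "Hi all,\n\nPlease see the thread below.\n\n"
        "> From: finance@example.co.za\n"
        "> Subject: Salary review (internal, confidential)\n"
        "> Not for distribution outside the company.\n"
    )
    return msg


def clean_draft():
    """Constructed draft that follows the pointers."""
    msg = EmailMessage()
    msg["From"] = "hr@example.co.za"
    msg["To"] = "payroll@example.co.za"
    msg["Subject"] = "Contract for new starter (details in encrypted attachment)"
    msg.set_content("Please find the encrypted contract attached.\n")
    return msg


if __name__ == "__main__":
    for name, draft in (("risky", risky_draft()), ("clean", clean_draft())):
        print(name, presend_checks(draft) or ["OK"])
```

Each check returns a list of findings rather than blocking outright, so the same functions can sit behind a mail-client warning, a gateway DLP rule or a periodic audit of sent items; the thresholds and patterns are the part an organisation would tune to its own email policy.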
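The Technology section says the metadata an email carries can prove its chain of custody and that an archive should store that metadata with the message. This added example (not Griessel Consulting's code, and not any specific archiving product) shows the minimum such a record needs: the Received hops in the order the relays added them, the Message-ID, Date, From and To headers, and a SHA-256 digest of the raw bytes so a later retrieval can be shown to be the unaltered message. The raw message, its hostnames and addresses are constructed.

```python
import hashlib
import json
from email import message_from_bytes, policy

# Constructed raw message: two Received hops (an edge relay, then the mail store)
# followed by the originator's own headers.
RAW_MESSAGE = b"""Received: from mailstore.example.co.za (10.0.0.5) by archive.example.co.za; Mon, 1 Jan 2024 09:00:02 +0200
Received: from smtp.client-example.com (203.0.113.10) by mailstore.example.co.za; Mon, 1 Jan 2024 09:00:01 +0200
Message-ID: <constructed-0001@client-example.com>
Date: Mon, 1 Jan 2024 08:59:58 +0200
From: Client <client@client-example.com>
To: HR <hr@example.co.za>
Subject: Signed contract

Attached as discussed.
"""


def custody_record(raw):
    """Build the metadata record to be stored alongside the archived message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "message_id": str(msg.get("Message-ID", "")),
        "date": str(msg.get("Date", "")),
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        # Each relay prepends its own Received header, so the first entry is the
        # most recent hop and the last is the one closest to the sender.
        "hops": [str(h).strip() for h in msg.get_all("Received", [])],
        # Digest and length of the exact bytes archived; any later change breaks them.
        "sha256": hashlib.sha256(raw).hexdigest(),
        "size": len(raw),
    }


def verify_archived(raw, record):
    """True only if the bytes retrieved from the archive match the stored record."""
    return len(raw) == record["size"] and hashlib.sha256(raw).hexdigest() == record["sha256"]


if __name__ == "__main__":
    record = custody_record(RAW_MESSAGE)
    print(json.dumps(record, indent=2))
    print("intact:", verify_archived(RAW_MESSAGE, record))
    print("tampered:", verify_archived(RAW_MESSAGE.replace(b"Signed", b"Unsigned"), record))
```

The record is only as trustworthy as its own storage, so in practice it would be written to an append-only or signed log separate from the mailbox; the digest proves that what is retrieved is what was archived, while the Received hops document the route the message took to get there.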