Skip to main content

Email privacy risks

Most of us rely heavily on email to communicate with our customers, partners and with each other in the workplace. But is email safe? Are there email privacy risks you should be aware of? This blog will outline some of the most common types of email data breaches and email privacy issues you should address before they cause problems for your company and your customers.

Common email data breaches

Email is such a familiar way to communicate that we may not think about whether it is really safe or not. In fact, email may be the biggest culprit when it comes to data breaches.

Q: True or False…

Most cyberattacks and data breaches begin with email.

A: True!

91% of cyber attacks begin with a phishing email, in which hackers attempt to gain access to an account or device using deception or malware.

Just one person’s poor choice to click on the wrong link in an email could infect your entire company’s computers with nefarious software or expose everyone’s emails and all the personal data in them to an attacker.

Email data breaches

In 2022, phishing, took the prize for the most expensive type of attack data breach, costing companies, an average of 4.91 million USD (~4.96 million EUR) for each breach, according to a study by IBM. Business email compromise took second place, with business email data breaches costing an average of 4.89 million USD (~4.95 million EUR) each.

Besides being expensive, email data breaches are also difficult to identify and contain.

The same study revealed that breaches caused by business email compromise had the second highest mean time to identify and contain, at 308 days.

Email privacy issues

Some of the factors that lead to email privacy issues and compliance problems are:

  • People often share personal and sensitive data with you by email, whether or not you asked for it. This makes it difficult to say how much personal data email has made its way into your inboxes.
  • A lot of us hold on to our emails for too long. Many of the emails we’ve received over the years contain people’s personal data. Keeping them too long may violate privacy laws and our own privacy policies, and it puts the data at risk.
  • We are so comfortable using email that we do not consider the risks. We may not see the need to check if our emails are properly protected, or think about whether it is even appropriate to send certain information in an email message.
  • Work emails are not private. Your boss and others authorized by them have access to monitor and read each person’s work email. This can expose people’s personal info to more eyes than is necessary.
  • It’s easy to send an email to the wrong person. Be careful when using the CC field, the BCC field and “Reply all”. A mistake here could send a private email, and/or your customers’ names and email addresses to thousands of people.
Email privacy issues

Email privacy solutions

There are a few things you can do to avoid email privacy risks, protect personal data, and comply with privacy regulations like the GDPR when using email. GDPR Article 5(f) says you must protect personal data “against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

Technical measures you take to protect personal data in emails may include:

  • Encryption for personal and sensitive data at rest and in transit
  • Auto-deletion for emails after a set retention period

Organizational measures may include:

  • Establishing internal policies for what email is and is not used for, and when emails should be deleted
  • Training for employees to recognize email privacy risks

Links and attachments from unknown accounts should never be clicked or downloaded. Employees should avoid multi-tasking and distractions when handling emails, and watch out for emails that appear to be from someone they trust but in other ways do not seem quite right.

Want more free data privacy tips?

Get the latest data privacy management news, trends and expert tips delivered straight to your inbox.

    Want an easy way to encrypt personal data you share and receive by email?

    Read about ShareSimple →

    Would you like to find out how much personal data is in your inboxes?

    Read about DataMapper →

    Sebastian Allerelli

    Governance, risk, and compliance specialist