On November 7, 2014, the Australian Department of Immigration and Border Proteciton gave notice of a data breach that morning affecting the leaders of the G20. As described:
The personal information which has been breached is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (ie prime ministers, presidents and their equivalents) attending the G20 leaders summit.
Affected by this data breach were, among others, President Barack Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, and UK Prime Minister David Cameron. The cause of the data breach was the autocomplete feature of the “To:” field in Microsoft Outlook.
The autocomplete feature is a useful way to send an e-mail without having to look up an email address. Unfortunately, without careful attention, it is easy for any person within a government agency, nonprofit organization, or commercial enterprise to accidentally send a message to the wrong person.
As with the unfortunate Australian government employee, it is all too common for emails to contain personally identifying information and for such emails to be unencrypted. It is easy to imagine the same occurring with trade secrets, protected health information, or attorney-client privileged material.
Massachusetts businesses are required to protect personal information pursuant to G.L. c. 93H and the implementing regulations at 201 CMR 17.00. Business owners and managers should take care to review their e-mail policies regarding the transmission of unencrypted personal information and the use of the autocomplete feature as part of their written information security program. Employers should take care, further, to ensure that such a program does not conflict with the NLRB’s December 2014 decision in Purple Communications. In developing such a program, it is best to consult with experienced privacy attorneys.