Transfer of confidential information by email

Apply for SearchInform DLP TRY NOW

Sending files with corporate e-mail to a personal mailbox can lead to negative consequences. Russian legislation is on the employer's side. Therefore, an employee who violates the confidentiality regime will face dismissal or even criminal prosecution. You can send confidential information only through secure communication channels.

What is confidential data?

Information that requires protection from reading, forgery or distribution by third parties is called confidential data.

Data protection laws apply to:

  • personal data (according to Federal Law No. 152-FZ of 27.07.2006);
  • commercial secret (Federal Law No. 98 of July 29, 2004);
  • state secret (Law No. 5485-1 of 21.07.1993).

In addition, data falling under the definition of medical, official, professional and banking secrets are protected. All of the listed types of information cannot be sent to personal email. This is due to the fact that letters from a personal mailbox are not protected from third parties.

What are the ways to protect emails?

Article 63 of Federal Law No. 126-FZ of 07.08.2003 "On Communications" provides for the liability of telecom operators for violation of data security. Simply put, the security of the communication channels rests with the email service provider. But this will not help in the event that the mail server is hacked.

There are several ways to intercept emails:

  • malware (viruses);
  • provider's server attack;
  • substitution of a mailbox.

You can help protect email from these threats:

1. Using a mail client - special software for controlling mail. The functionality of this software allows you to configure message signature, encryption, and other protection methods.
2. Sending password protected archives. The password is provided to the recipient in person or through other communication channels.
3. Installation of anti-virus programs on all PCs of the enterprise.
4. The use of DLP systems that control the movement of data and block their sending outside the security perimeter.

In addition, there are other options for protecting important files. They are more effective than standard techniques.

The most effective ways to protect

There are three reliable techniques:

  • encryption;
  • setting up a secure communication channel;
  • automatic protection of attachments on the mail server.

Encryption is recommended by the FSB. The recommended programs are called cryptographic protection tools. However, their reliability is relative. The recipient of the files, after entering the key, keeps them unprotected. Therefore, encryption is marginally more reliable than sending password-protected archives.

Configuring a secure communication channel has a similar disadvantage. Files are protected only from being stolen in transit. And on the recipient's computer, the documentation is stored in an unprotected form.

Automatic attachment protection is a fast, convenient, free way to keep your trade secret. It is enough to install the software module on the mail server. Its advantage is that it is prohibited to view files on an unauthorized computer. This means that third parties will not see the transferred data. In addition, the sender is provided with statistics on the use of attachments.

How to organize confidentiality in an enterprise?

To avoid the disclosure of commercial secrets, you must:

1. Determine what information is valuable (can be used by competitors).
2. Create an instruction for handling important data and a system for monitoring compliance with this instruction.
3. Make a list of officials admitted to work with commercial information.
4. Determine how data will be exchanged within the enterprise and outside the security perimeter.
5. Mark all important files with the heading "Trade secret".
6. Provide employees from the list of approved confidentiality notices against their signature (with a list of documents for official use and penalties for their transfer to third parties).

Compliance with this procedure is necessary. It complies with Article 183 of the Criminal Code of the Russian Federation. If the formalities are not followed, it will not work to attract an employee for violating the confidentiality regime.

Penalties for violation of the confidentiality regime

The Russian legislation provides for employee liability for violation of the confidentiality regime:

  • The Labor Code (Article 81, clause "c" - disciplinary sanctions);
  • The Civil Code (article 151 - compensation for losses);
  • The Code of Administrative Violations (Articles 13.6, 13.12, 13.14, 13.15 - fines and other administrative penalties);
  • The Criminal Code (Article 272 - fines, imprisonment, correctional or forced labor).

The employer independently determines what punishment to assign to the employee. The wrongly imposed punishment is contested in court.

Arbitrage practice

In Russia, the courts of all instances are on the side of employers who comply with the procedure for introducing the confidentiality regime. Examples of this are:

  • Appeal ruling dated 6.02.2017 in case No. 33-4610 / 2017, issued by the Moscow City Court. The court ruled that the punishment applied by the head of the organization in the form of dismissal was lawful. The employee violated the terms of the confidentiality notice signed by him by sending the documentation from the corporate mailbox to his personal one;
  • Decision of appeal dated 01.07.2014 No. 22-1200 / 2014, issued by the Vologda Regional Court. The court ruled to prosecute the employee for sending quotations from the employer's suppliers to third parties.
  • Appeal ruling dated January 19, 2017 in case No. 33-478 / 2017, issued by the Voronezh Regional Court. The court ruled that the punishment applied by the head of the organization in the form of dismissal was lawful. The fact that the transfer of files to third parties was not proven did not become a reason for recognizing the dismissal as illegal.
  • An exception is made when the employee proves the absence of damage and malice. For example, the Constitutional Court published a decree of October 26, 2017 No. 25-P, according to which the distribution of work information to personal mailboxes to other employees of the enterprise is not a violation of the confidentiality regime.

To keep confidential information transmitted over the Internet securely, you must use strong security methods. This is especially true for the preservation of trade secrets. If someone violates the established regime of secrecy, he can be brought to administrative or criminal liability.