Preventing emails that contain personal information (a name together with a date of birth, address, account number, and so on) from being sent to employees or outside the organization in ways that would put the personal information and the organization at risk is a step many organizations take to manage data breach risk and compliance costs.
In organizations where the risk of identity theft is high because personal information such as addresses is collected and distributed, steps can be taken to prevent customers and others from including personal information in emails, especially when the emails are not encrypted. When such action is taken, the organization eliminates one source of personal information (email) that would otherwise have to be protected and accounted for when managing Personally Identifiable Information (PII). This is a risk that can be managed easily, and managing it can also reduce compliance costs related to privacy and identity theft.
For example, some banks prevent their customers and others from sending emails that contain personal information to company email addresses. In such cases, the email system is configured to detect these emails and prevent them from reaching their intended destinations: an email containing personal information such as a customer address or Social Security number is rejected when it is sent, and the sender receives a delivery failure notice. Similarly, employees are prevented from sending emails that contain personal information to external email servers without authorization.
One of the major reasons companies take technical steps to prevent emails containing personal information from reaching their destinations, inside or outside the organization, is that email may not be encrypted: it can be intercepted in transit, sent to the wrong person, or forwarded to another party without authorization, any of which can create a privacy compliance nightmare. In addition, after a security breach, companies must comb through a large volume of files to locate every document and email containing personal information. When a company prevents emails with sensitive data from entering its systems, it at least knows there is less to assess following a data breach.
The same applies to employees sending sensitive emails to others, especially outside parties and customers. Employees should not be able to include personal information in emails unless they are authorized to do so for specific work and the company has ascertained that such emails are encrypted and reach the rightful recipients.
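The rejection policy described above (detect personal information in a message, bounce inbound email that contains it, and let employees send it only when authorized and encrypted) can be sketched as a small content filter. This is an added example, not code from any bank or email product; the domain `example.com`, the authorized sender list, the `Message` shape and the `encrypted` flag are assumptions, and it detects only dashed US Social Security numbers and Luhn-valid account or card numbers, not postal addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical organization domain and the senders authorized to handle PII.
INTERNAL_DOMAIN = "example.com"
AUTHORIZED_SENDERS = {"claims-desk@example.com"}

# US SSN in dashed form; excludes area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Runs of 13-19 digits are account/card number candidates; a Luhn check cuts false positives.
ACCOUNT_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by most card and many account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> List[str]:
    """Return the kinds of personal information found in the message text."""
    kinds = ["ssn"] * len(SSN_RE.findall(text))
    kinds += ["account_number" for m in ACCOUNT_RE.findall(text) if luhn_ok(m)]
    return kinds


@dataclass
class Message:
    sender: str
    recipients: List[str]
    body: str
    encrypted: bool = False  # True only when the mail system verified encryption


def evaluate(msg: Message) -> Tuple[str, str]:
    """Return ('accept'|'reject', reason); reject reasons mimic an SMTP policy bounce."""
    pii = find_pii(msg.body)
    if not pii:
        return "accept", "no personal information detected"
    found = ", ".join(sorted(set(pii)))
    if not msg.sender.endswith("@" + INTERNAL_DOMAIN):
        # Inbound from a customer or other outsider: never accept PII by plain email.
        return "reject", f"550 5.7.1 Message rejected: contains personal information ({found})"
    if msg.sender in AUTHORIZED_SENDERS and msg.encrypted:
        return "accept", f"authorized sender, encrypted delivery ({found})"
    return "reject", f"550 5.7.1 Message rejected: unauthorized or unencrypted disclosure of {found}"
```

The reason string is what a sender would see in the delivery failure notice; a real deployment would also log the decision for the compliance record.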