Human Risk
SCENARIO
An Employee Emails Confidential Information to the Wrong Person
THE SCENARIO
A member of your finance team is sending payslips to staff at the end of the month. Working quickly under time pressure, they begin typing a recipient's name and the email auto-complete fills in the wrong address. The payslip - containing salary, banking details and personal information - is sent to a former colleague who is now working at a competitor.
1. How This Typically Happens
Email auto-complete is one of the most common causes of accidental information disclosures. The risk is highest when staff are handling large volumes of similar communications, working under time pressure, or using systems that suggest email addresses from previous correspondence. A single mistyped character or a quick click on the wrong auto-suggested address is all it takes.
2. Why Businesses Often Miss the Warning Signs
These incidents often go unreported internally because the employee is afraid of the consequences. By the time management becomes aware - typically because the unintended recipient replies, complains, or forwards the email - the information has already been disclosed and the window for damage control has passed. In many cases, management never finds out at all.
Personal information shared with an unintended recipient
Potential POPIA notification obligation to the affected individual
Possible requirement to notify the Information Regulator depending on the severity
HR and legal costs associated with investigating and managing the incident
Loss of trust from the affected employee or client
4. Questions Management Should Ask
Do employees know exactly what to do if they send an email to the wrong person?
Is there a process for reporting accidental disclosures internally without fear of punishment?
How quickly would management be aware if a payslip or confidential document was sent to the wrong address?
Have you reviewed which employees have access to bulk personal information such as payroll files or client lists?
5. Practical Steps to Improve Visibility
1. Create a simple internal rule: any wrong-address email involving sensitive information must be reported to a named person within 24 hours
2. Where possible, disable or limit email auto-complete for external domains in your email platform settings
3. Limit access to bulk personal information - payroll, HR files, client lists - to only those who genuinely need it
4. Send a brief reminder to all staff: when sending sensitive information, confirm the recipient before clicking send
Could This Scenario Happen In Your Business?
ComplyBar helps businesses find and understand hidden information risks before something goes wrong.
Built for POPIA support, AI governance, data leak prevention, employee risk awareness and audit evidence.