Last year Yahoo announced its intention to recycle old and unused email account addresses in an attempt to re-engage old users and introduce new ones. The commercial driver for Yahoo was that it would allow them to give users the opportunity to have simpler and more popular email addresses rather than ones containing lots of numbers or initials. On the back of this, Yahoo introduced a watchlist which allows users, for a small fee, to keep track of email addresses as they become available.
The concern that critics of Yahoo's plans raised was that fraudsters would target the watchlist and try to obtain recycled email accounts to access information about, or pose as, the original user. Yahoo confirmed that the recycling process would be carried out subject to security measures designed to minimise the risk of fraud. However, it has quickly transpired that new users, who have signed up to recycled email addresses, are receiving emails intended for the previous user. Given that many individuals use email for a range of everyday purposes such as reordering prescriptions, ordering goods, etc., it is not surprising that some of the emails received have contained personal, and even sensitive, data. It appears the security measures Yahoo has put in place have teething problems, at the very least, as they allowed such data to slip through the net.
What does this mean for organisations that send and receive emails from Yahoo accounts? There will now be a question mark (particularly where time has elapsed since the email address was provided by the individual) as to whether the organisation can be certain it is sending the email to, or receiving the email from, the individual. The risk of fraud will need to be seriously considered in relation to Yahoo accounts and organisations will need to consider how and with what frequency they verify email addresses. The New Year is an ideal time to consider the following questions and whether your data security practices need updating:
How do you verify the identity of individuals who make subject access requests/complaints? Does this process need to differ when the request is received from a Yahoo address?
How do you communicate with individuals? If it is by email, how often do you check that email addresses are up to date?
Do you have any policy about what information can be included in emails? If it is all information, have you considered appropriate security measures?
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at January 2014. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.