On August 12, an employee of Wyoming’s Rocky Mountain Bank inadvertently sent an e-mail with confidential information on more than 1,300 customers to the wrong e-mail address. The missive, sent to an unidentified Google Mail user, included customer Social Security numbers, tax identification numbers and other private material. Rocky Mountain Bank sued Google to force them to turn over the recipient’s e-mail account information so that they could contact the recipient to ensure that the customer information isn’t misused.
I see two basic issues here:
- Why is confidential information being sent to a Google Mail address?
- Why is confidential information being sent outside of the bank without being encrypted?
So here is a question for you. Does your organization have a written policy on sending confidential information outside of it? I am not even talking encryption here, just basic policy. Does your organization have any rules on sending confidential information outside, and if so, do you know what those rules are? Who is allowed to send confidential information and to whom are they allowed to send it? Do you have any way of knowing if confidential information is leaving your organization either by email or by walking out the door on a USB flash drive, an mp3 player or an iPhone?
Step number one: Formulate a policy on the use of confidential information including disclosure outside of the organization. Step number two: If data leakage (the formal name for confidential information going places that it shouldn’t) is important, evaluate whether or not you need a technical solution to enforce your policy. A web search for data leakage protection vendors will give you a handful of well-known vendors and hundreds of smaller vendors which can help you protect your corporate assets.
Let’s assume for a moment that you do have a confidential information policy and it covers sending confidential information outside of the organization. Does it mention that the information should be encrypted, how it should be encrypted, and how an employee should deliver the encryption key to the recipient? Should the information expire after a set period of time so that even the right key will not decrypt it? Adobe LiveCycle Rights Management can do just this and I am sure that there are similar products on the market from other vendors.
Here is a start on writing your own confidential information policy:
- Unless authorized, confidential information shall not be stored on any portable device such as a USB flash drive or mobile phone.
- Confidential information shall only be stored on portable devices that meet corporate encryption standards.
- Confidential information shall only be sent outside of the company by authorized employees.
- Confidential information shall never be sent to a ‘public’ email address such as Google, Yahoo, or Hotmail.
- Employees shall use an encryption algorithm and key which meet corporate encryption standards. The more valuable the information, the stronger the algorithm and the longer and more complex the key.
- The channel used to send the key to the recipient shall be different than the channel used to send the confidential information. For example, if you email the information, then call or use postal mail to send the key.
This is just the core of a policy. Your organization will need to build a technical addendum detailing the approved software, encryption algorithms, and key lengths which are acceptable for varying levels of confidentiality.
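As an added example (not from the original post), here is a small Python check that an outbound mail hook or DLP gateway could run to enforce two of the rules above: no public webmail recipients, and no unencrypted identifiers in the body. The webmail domain list, the SSN/TIN patterns and the sample message are constructed for illustration and are not the bank's or any vendor's configuration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
# Hypothetical list of consumer webmail domains covered by the "no public email" rule.
PUBLIC_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com"}
# Patterns for the identifiers in the incident: SSN (123-45-6789) and EIN-style TIN (12-3456789).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}
PGP_MARKER = "-----BEGIN PGP MESSAGE-----"

def message_text(msg):
    """Concatenate the text/plain parts; attachments and HTML are out of scope here."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload is not None:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def check_outbound(raw):
    """Evaluate one outbound RFC 822 message against the policy rules above."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    public = sorted({a.lower() for _, a in getaddresses(headers)
                     if a.rpartition("@")[2].lower() in PUBLIC_WEBMAIL})
    text = message_text(msg)
    encrypted = msg.get_content_type() in ENCRYPTED_TYPES or PGP_MARKER in text
    # Only scan plaintext; an encrypted body carries no readable identifiers.
    ssn = len(SSN_RE.findall(text)) if not encrypted else 0
    tin = len(TIN_RE.findall(text)) if not encrypted else 0
    violations = []
    if public:
        violations.append("recipient is a public webmail address: " + ", ".join(public))
    if ssn or tin:
        violations.append(f"unencrypted identifiers in body: {ssn} SSN, {tin} TIN")
    return {"public_recipients": public, "ssn_count": ssn, "tin_count": tin,
            "encrypted": encrypted, "violations": violations}

# Constructed sample: a message like the one in the story, with made-up identifiers.
SAMPLE_LEAK = """\
From: teller@example-bank.test
To: Customer Service <someone@gmail.com>
Subject: customer list

Account 1: SSN 123-45-6789
Account 2: TIN 12-3456789
"""
```

The out-of-band key rule cannot be checked mechanically from one message, so it stays a training and audit item rather than a gateway rule.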
Lesson over – class dismissed.