I remember when I heard that Jeb Bush was going to be proactive and release all of the emails from his gubernatorial years before he officially begins his presidential campaign. My first reaction was that this wasn’t going to turn out well. I totally understand why he decided to take this action, at least from a political standpoint, but from the security writer standpoint, I thought it was a big mistake. None of us is immune from having email with very personal or sensitive information in it. Any time any of us share something via email, we are taking a risk of something from that communication being compromised. After all, look at the fallout from the Sony hack and the personal emails that were uncovered.
Sure enough, Jeb Bush revealed personal and sensitive information of his friends, but more importantly, his constituents. According to The Verge, those who handled the release of the emails did not bother to redact personal information included in those emails, including Social Security numbers and health care-related information. In addition, Identity Finder CEO Todd Feinman told me this in an email message:
No one is talking about the fact a PowerPoint presentation contained 12,565 names, dates of birth and SSNs. That’s a huge amount. It goes to show that data can exist anywhere and proper solutions are needed to protect the data.
Yes, even in the political world, there is such a thing as too transparent.
For businesses, I believe we can see a couple of takeaway lessons from this huge error by the Bush team.
First: How much personally identifiable information (PII) about your customers, vendors and co-workers should be shared via email messages? People still give out their Social Security numbers, driver’s license numbers and insurance numbers too readily. If that is information your company needs about someone you are dealing with, discourage sharing of that information over an email message. But if that information is shared in an email message, do whatever possible to redact the data from digital storage as soon as legally or feasibly possible. In the Bush email situation, some of those emails were sincere attempts at help getting through some tangled governmental system, and not one of those correspondents expected that their personal stories and their PII were going to end up splashed across media sites.
Second: Do you really need to keep all that information on file forever? Just because storage is cheap and Big Data is all the rage, companies should be taking a hard look at how storing email forever can be a serious security risk. This observation by Phillip Britt in his eSecurity Planet article on email archiving said it best:
Information management can be an afterthought for many firms because it is not a revenue driver, nor does it prevent hacks. But it does minimize the return on investment for hackers, Usatine said. And hackers tend to go where they can get the greatest return for their efforts.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba