Data Security

Securing your data and network, inside and outside the perimeter

E-Mail Security: There Is Enough Blame to Go Around

Posted by Ralph DeFrangesco Sep 28, 2009 9:11:17 AM

I found a very interesting article in Network World that I just had to share. An employee of a Wyoming bank "accidentally" sent confidential information to the wrong Gmail account. The bank sent the recipient several e-mails explaining what happened, but the recipient never acknowledged them. The bank then sued Google, requesting that it surrender the recipient's contact information. Google has a policy of first trying to contact the account holder to give them the opportunity to fight a court-ordered disclosure of their identity. The court is considering the bank's request.
Let's look at this problem from four angles: the business, the technology, the security, and the legal. We have to ask the question, is it good business policy to send confidential information to a customer's public e-mail account? It's a rhetorical question. Will the bank pay for credit monitoring for the customer in the future? From a security perspective, it might have been more prudent to give customers a bank-hosted e-mail account if they opt to receive information electronically.
From a technology angle, the bank might have considered a VPN for its customers. From a security perspective, how did confidential information get past the perimeter? I would have to assume that the bank is not using any type of outgoing data filtering software. From a legal perspective, is it Google's responsibility to turn over the recipient's contact information? The recipient did nothing wrong and Google did nothing wrong. So who is to blame?
First, we need more information about the employee who sent the e-mail and the details of the event. Second, I think the policy of sending confidential information through e-mail has to change, if in fact that was an activity sanctioned by policy. Third, I would be very disappointed if the courts forced Google to give up that account holder's personal contact information. If the recipient does nothing with the information, then they have not broken any laws.
This is a very important case because it could happen to any business.

For a more in-depth legal analysis, I am going to ask IT Business Edge legal contributor Lora Bentley to weigh in with her perspective.

Sep 29, 2009 2:28 PM Guest Mike Wood says:

There certainly are many complex layers to this issue, all stemming from a mistake potentially as small as a typo.

To weigh in on the technology side though, this is the sort of mishap that data leakage protection targets, ensuring e-mails conform to content policies before they are sent externally.
That being said, there's still the issue of the policy itself to be dealt with...

Mike Wood

Threat Researcher

Sophos Inc.

Oct 1, 2009 2:54 AM Guest Hiren Soni says:

I feel the data sent was sensitive and should have been password protected, and instead of blaming Google their EDP department should specify the right policies to the user and monitor outgoing data.

Oct 1, 2009 8:59 AM Ralph DeFrangesco says in response to Hiren Soni:

Hiren,

I'm with you. I definitely feel that the bank is at fault. Thank you for your comment.

-Ralph