E-Mail Security: There Is Enough Blame to Go Around

Ralph DeFrangesco

I found a very interesting article in Network World that I just had to share. A bank employee from Wyoming bank "accidentally" sent confidential information to the wrong Gmail account. The bank sent the recipient several e-mails explaining what happened, but the customer failed to acknowledge the e-mails. The bank then sued Google, requesting that it surrender the recipient's contact information. Google has a policy that it first tries to contact the customer to give them the opportunity to fight the court disclosure of their identity. The court is considering the bank's request.

 

Let's look at this problem from four angles: the business, the technology, the security, and the legal. We have to ask the question, is it good business policy to send confidential information to a customer's public e-mail account? It's a rhetorical question. Will the bank pay for a credit check for the customer in the future? From a security perspective, maybe it would have been more prudent to have a bank e-mail account if a customer opts to have information sent to them electronically.

 

From a technology angle, the bank might have considered a VPN for its customers. From a security perspective, how did confidential information get past the firewall? I would have to assume that the bank is not using any type of outgoing data filtering software. From a legal perspective, is it Google's responsibility to turn over the recipient's contact information? The recipient did nothing wrong and Google did nothing wrong. So who is to blame?

 

First, we need more information about the employee who sent the e-mail and the details of the event. Second, I think the policy of sending confidential information through e-mail has to change, if in fact that was an activity sanctioned by policy. Third, I would be very disappointed if the courts forced Google to give up that customer's personal contact information. If the customer does nothing with the information, then they have not broken any laws.

 

This is a very important case because it could happen to any business.


 

For a more in-depth legal analysis, I am going to ask IT Business Edge legal contributor Lora Bentley to weigh in with her perspective.



Add Comment      Leave a comment on this blog post
Sep 29, 2009 2:28 AM Mike Wood Mike Wood  says:

There certainly are many complex layers to this issue, all stemming from a mistake potentially as small as a typo.

To weigh in on the technology side though, this is the sort of mishap that data leakage protection targets, ensuring e-mails conform to content policies before it is sent externally.

That being said, there's still the issue of the policy itself to be dealt with...

Mike Wood

Threat Researcher

Sophos Inc.

Reply
Oct 1, 2009 2:54 AM Hiren Soni Hiren Soni  says:

I feel the data sent was sensitive and should have been password protected, and instead of blaming google their EDP department should specify right policies to the user and moniter outgoing data.

Reply
Oct 1, 2009 8:59 AM Ralph DeFrangesco Ralph DeFrangesco  says: in response to Hiren Soni

Hiren,

I'm with you. I definitely feel that bank is at fault. Thank you for your comment.

-Ralph

Reply

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.