How often is e-mail used to send documents and information that contains sensitive information? I’ve seen consultants share sensitive information about clients this way as well as staff members just “trying to be helpful”. I’m sure this happens all the time and it can be mitigated through training and providing staff the tools necessary to send information securely. While it is fair to say the majority of these incidents never make the news, the Commerce Department wasn’t quite so lucky:
The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed to a risk of identity theft following an inappropriate transfer of the personal information in mid-July, according to a letter sent to department employees last week.
An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form on July 13, according to the letter. The employee informed supervisors of the oversight almost immediately, and there is no indication thus far that information has been compromised, according to the letter.
“Federal Eye: Personal Data Mishandled at Commerce Dept.“. Ed O’Keefe. Washington Post, August 3, 2009
As another case in point, a friend of mine filled out an online appointment request for his physician. He included all types of PII including social security number, date of birth, as well as the reason for his visit. The online form was secure however, whatever program the office used was sending the “got your schedule request” e-mail with all of the information he had put in, including the PII. The steps the physician took to secure the request were thrown out the window because the same information was sent via e-mail in the clear. Oops!
I’m not sure how much more the concept of not sending PII over e-mail can be hammered home. Mistakes happen but when it’s done as part of a business practice then perhaps there needs to be some financial penalty involved to make the point.
Connect with me