
Sending Clear Text Customer Information Is Not Okay Just Because the Customer Says It's "Okay"

As a follow-up to my blog post from last Friday, here is the second part of the first article within the June issue of my "IT Compliance in Realtime" journal, "What to Tell Personnel: Messaging Security and Privacy"...

------------------------------------

Sending Customer Information Is Not Okay Just Because the Customer Says It's Okay

Over the years, I've asked personnel throughout many organizations, "Have you ever sent your customers their personal information within clear text email messages?" The most common answer I've received, dozens if not hundreds of times, is basically, "Yes, if the customer sends us their personal information in an email first, or if they say it is okay to send their personal information to them in an email, then we do it."

You need to be sure you tell your personnel that it is not okay to send personally identifiable information (PII) to customers in clear text just because the customers say it is okay with them!

Your organization is ultimately responsible for the appropriate safeguarding of all PII you collect, process, store, and otherwise handle. Even if your customers tell your employees it is okay to send them clear-text PII in email, IMs, or even text messages, it is not okay if you have a policy that says it must not be done.

This is an area where years of customer service training, which teaches that the customer is always right and that you must do everything possible to make the customer happy, comes into conflict in the minds and actions of your personnel with your information security and privacy policies, not to mention your regulatory and contractual compliance obligations. Provide training to the personnel who communicate directly with customers that covers the following:

  • How the personnel should respond to customer requests to receive PII within email, IMs, text messages, and any other type of clear-text electronic communication.
  • The ways in which privacy breaches can occur through messaging.
  • The policies that govern how to safeguard PII, particularly when using messaging systems.
  • The business impacts of privacy breaches that occur through sending clear-text PII within electronic messages.
  • The negative impacts to personnel that could occur as a result of them sending clear-text PII within electronic messages.

------------------------------------

Download the full PDF article, within the journal, here.

Keep in mind, even if your customers tell you it is "okay" to send them their PII in clear-text messages, generally YOUR organization is ultimately responsible for anything bad that happens to that PII as a result of sending it in clear text.

Discuss the possibilities, and potential impacts, with your legal counsel.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.