
Obscure Email Security Issue: 5 Lessons About Re-using Email Addresses

Does your organization ever re-use email addresses when someone leaves the company? Do you know that some of your customers' and personnel's email service providers re-use email addresses when their subscribers leave? Both happen more often than you probably realize.

A friend of mine recently told me about receiving some very interesting messages containing a large amount of confidential information at a new email account he had created. He created a fairly nondescript email address, let's say it was something like C.SMITH@PopularISP.com. He started receiving email at his new address from an ecommerce business. The messages were basically purchase invoice statements and included a woman's full name, full address, phone number, credit card number, account number, and purchase history. He called the woman to let her know this sensitive information was being sent to him. She said that she had used that email address, but that she had cancelled it a few months earlier. Apparently she did not notify the businesses with which she communicated, or from which she purchased products, through that address. It was a good thing my friend, who also happens to be a CISO, is a good guy and not some crook who would have used the information fraudulently.

This incident provides several lessons for information assurance professionals, a few of which include:

· Do not send confidential or personally identifiable information (PII) in clear text in email messages, particularly to mail domains outside your organization. It is very possible the message will be received by someone else who is now using the email address that your customer or contact used to use.

· Do not rely upon email communications to send important information or updates to your customers; they may no longer be using that address, and in fact someone else may be using it. Yes, it is ultimately their responsibility to let you know when their email changes, but most people use so many different email addresses that chances are many customers will not notify your organization when they stop using one of them.

· Periodically validate your customer email addresses; make sure your customers are still actually using them. For example, put a notice in their postal mailed statements telling them what you have on file for their email address and ask them to contact your organization if a different email should be used.

· Do not rely upon email as your primary means of breach notification; some, or even many, of your customers may no longer be using the email address you have on file for them. Even if some state breach notification laws allow email notices as the primary means of notification, it is a bad idea. I've blogged about this several times, such as here.

· Do not re-use individual employee email addresses within your own organization, particularly if your customers or other outside folks communicated regularly with a specific person. Doing this can also result in internal messages that were intended for the former employee being delivered to the new holder of that address, who then receives information they really should not be seeing. I've seen this happen several times...to the chagrin of those involved!
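Most of the lessons above are process controls, but two of them can be enforced directly in account-provisioning and mailing code. What follows is an added example written for this page, not code from the original post or from any product it mentions: a retired-address registry that tombstones a departed employee's address instead of letting a new C. Smith inherit it, and a staleness check that keeps confidential mailings off customer addresses that have not been re-confirmed within a window. The example.com domain, the 180-day re-confirmation window, the sample customer records and every function and class name are assumptions made for illustration.

```python
"""Two controls for the email-address lessons above (added example).

1. AddressRegistry: a departed employee's address is retired (tombstoned),
   never deleted, so allocate() can refuse to hand it to a new hire with
   the same initial and surname.
2. split_for_confidential_mail(): customer addresses that have not been
   re-confirmed within RECONFIRM_WINDOW are routed to a re-confirmation
   step instead of receiving confidential content.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: customers must re-confirm their address at least twice a year.
RECONFIRM_WINDOW = timedelta(days=180)


@dataclass
class AddressRegistry:
    domain: str                                  # assumed domain, e.g. example.com
    active: dict[str, str] = field(default_factory=dict)   # address -> person id
    retired: dict[str, str] = field(default_factory=dict)  # address -> former owner

    def _canon(self, local: str) -> str:
        """Lower-case the local part; mail systems match case-insensitively."""
        return f"{local.lower()}@{self.domain}"

    def retire(self, address: str) -> None:
        """Deprovision an address: move it to the tombstone table rather
        than dropping it, so it can never be allocated again."""
        addr = address.lower()
        owner = self.active.pop(addr)
        self.retired[addr] = owner

    def allocate(self, first: str, last: str, person_id: str) -> str:
        """Pick a first-initial.last style address for a new hire, skipping
        any candidate that is active OR was ever used by someone else."""
        base = f"{first[0]}.{last}"
        candidates = [base] + [f"{base}{n}" for n in range(2, 100)]
        for local in candidates:
            addr = self._canon(local)
            if addr not in self.active and addr not in self.retired:
                self.active[addr] = person_id
                return addr
        raise RuntimeError(f"no unused address available for {base}")


def is_stale(last_confirmed: date, today: date,
             window: timedelta = RECONFIRM_WINDOW) -> bool:
    """True when the customer has not re-confirmed the address recently."""
    return today - last_confirmed > window


# Constructed sample customer records (not real data).
SAMPLE_CUSTOMERS = [
    {"id": "c1", "email": "c.smith@popularisp.example",
     "last_confirmed": date(2023, 9, 1)},
    {"id": "c2", "email": "j.doe@popularisp.example",
     "last_confirmed": date(2024, 5, 15)},
]


def split_for_confidential_mail(customers, today: date,
                                window: timedelta = RECONFIRM_WINDOW):
    """Return (ids_ok_to_email, ids_needing_reconfirmation). Only the first
    group should ever receive statements or other confidential content; the
    second gets a content-free re-confirmation request (or a postal notice)."""
    ok, needs_reconfirm = [], []
    for c in customers:
        target = needs_reconfirm if is_stale(c["last_confirmed"], today, window) else ok
        target.append(c["id"])
    return ok, needs_reconfirm


if __name__ == "__main__":
    reg = AddressRegistry("example.com")
    carol = reg.allocate("Carol", "Smith", "e1001")
    reg.retire(carol)                       # Carol leaves; address is tombstoned
    chris = reg.allocate("Chris", "Smith", "e2002")
    print(carol, "retired;", chris, "allocated to Chris")
    print(split_for_confidential_mail(SAMPLE_CUSTOMERS, date(2024, 6, 1)))
```

The key design choice is that `retire()` never deletes: the tombstone table is what makes the "never re-use" rule enforceable years later, after everyone who remembers Carol Smith has also left. The staleness split is deliberately separate from sending, so the same decision can gate breach notices, statements and any other confidential mailing.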


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.