This is in follow-up to a Guru Q&A on sending out loan documents over an unsecure and unencrypted internet connection. My interpretation is that this would be a violation of the GLBA Safeguards Rule. As such, it seems that the options are to use encryption or snail mail. We have a similar issue with employees sending out sensitive information via e-mail, either in clear text or in an attachment. Management would like to use a detective control to identify violators. However, this would be after the e-mail has already left the building. It is my interpretation that we would be required to notify the customer and our primary regulator concerning the possible breach. My thought is that a detective control is good, but a preventative control like encryption would be better. Management believes encryption would not be customer friendly. With that said, my thought is that if we go with the detective control (coupled with current training that says don't do it), we would need to institute severe disciplinary measures for violators. Would this be sufficient, or would we still subject ourselves to penalties for non-compliance with GLBA for not preventing the violation?
_________________________
Christine Todd
Chief Compliance Officer
North American Savings Bank (NASB)
12498 S. 71 Hwy, Grandview, MO 64030