BOL Conferences
#66870 - 03/11/03 09:19 PM email encryption
Pale Rider (10K Club, joined Aug 2002, 34,318 posts, under the Lone Star)
How are you handling the emailing of customers' non-public information to attorneys, accountants, appraisers, title companies? Is everyone encrypting all emails, even back to the customers when they request their own information? Is this really what G-L-B requires? Thanks for the input, and I apologize if this has been handled in other threads.
_________________________
Societies that do not find work in and of itself "pleasing to God and requisite to Man," tend to be highly corrupt.


eBanking / Technology
#66871 - 03/11/03 10:15 PM Re: email encryption
Andy_Z (10K Club, joined Oct 2000, 27,748 posts, On the Net)
I believe encryption is used very little. When you get a 314(a) request, it isn't encrypted. When your examiner wants info e-mailed to them, pre-exam as an example, is it encrypted? I believe it is either done by diskette or a blind eye is turned as while there is risk, it hasn't hit the front burner. It won't, until it hits the fan.

We encrypt our Internet Banking data and large files sent and received. When we send customer info in attachments we often password protect them. But like most locks, they just keep honest people honest.

But I believe few end users have the software or skillset for doing this. Some programs can be cumbersome and costly.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#66872 - 03/11/03 10:26 PM Re: email encryption
Sinatra Fan (Power Poster, joined Jul 2002, 5,568 posts, New Jersey)
I think Andy's post hits it on the head, in so many ways. I always ask customers if they would like information e-mailed to them; if they're comfortable with that, so am I. If they do not want it e-mailed, we will fax it (not a secure form of delivery) or mail it (not a secure form of delivery). Risk is a continuum, not a fixed point.
_________________________
Management is doing things right; leadership is doing the right things. Peter Drucker

#66873 - 03/11/03 10:32 PM Re: email encryption
jack (100 Club, joined May 2002, 165 posts, USA)
E-mail can be very insecure. We have processes set up with our regular vendors and service providers to encrypt/decrypt communications with sensitive customer data. We discourage customers from sending e-mails that contain things such as their SSN or password, and when they do send it we'll delete it when we reply. GLBA requires that you assess all the ways you handle sensitive customer information, evaluate the risks, and take appropriate measures to protect the info.

#66874 - 03/11/03 10:50 PM Re: email encryption
Andy_Z (10K Club, joined Oct 2000, 27,748 posts, On the Net)
Quote:
Risk is a continuum, not a fixed point.

Good one. Can I use that?

While times are changing, my wife knows her dad's SSAN better than her own. Why? Because in the military the service member's SSAN was their service number. And it was used for everything from pay to play. You got paid, it was there. You checked out a towel at the gym, you wrote it on a list. What was on the list? The SSANs of all the other folks who checked out towels. I have my Army issue gloves still from basic training. Guess what is sewn inside them. The same tags with my name and SSAN that were sewn inside my boots, caps and other issued clothing. My SSAN was stenciled outside my duffel bag as well.

Again, things are changing, but the degree of risk accepted varies from person to person. That said, we don't like to send that data either and will prefer to call or be called. This is for identification as much as privacy along the way.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#66875 - 03/12/03 03:45 PM Re: email encryption
Sinatra Fan (Power Poster, joined Jul 2002, 5,568 posts, New Jersey)
Quote:
Quote:
Risk is a continuum, not a fixed point.

Good one. Can I use that?

Go right ahead. I use it all the time (unfortunately, with little effect [sigh]).
_________________________
Management is doing things right; leadership is doing the right things. Peter Drucker

#66876 - 03/12/03 03:48 PM Re: email encryption
gpawlak (New Poster, joined Feb 2003, 9 posts)
To further Jack’s point, GLBA requires your bank to have an ISP – Information Security Program of which your IT policies, standards and procedures are a subset. Hence, your Information Security Program should dictate what you can and can’t do. A solid Information Security Program details standards and procedures for classifying different types of information into different risk categories, then assigns rules to the handling of that information. The administrator of the ISP is the ISO (Information Security Officer) and that person alone can approve exceptions to the ISP. Live by the sword, do business by the sword.

Very basic example:

Category 1
Publicly available information
Low Risk
No stipulations for handling

Category 2
Non-public customer information
High Risk
These documents will be securely stored when not actively being prepared or used. Secure storage is in a locked container. These documents will receive limited viewing and are not for open public discussion. Cat 2 docs will not be emailed over the Internet unless in encrypted format.

Category 3
Technical and System Information
High Risk
These documents will be securely stored when not actively being prepared or used. Secure storage is in a locked isolated container not used for the storage of any other documents. These documents are for restricted viewing and discussion, and only by persons having a unique requirement for them and only with prior authorization of the ISO. Cat 3 docs will not be emailed over the Internet unless in encrypted format.

-George

#66877 - 03/12/03 05:41 PM Re: email encryption
1111 (Platinum Poster, joined Jan 2003, 580 posts)
Quote:
When we send customer info in attachments we often password protect them. But like most locks, they just keep honest people honest.

Andy's response seems to provide a reasonable method, send private data via an attachment that is password protected, but, of course, telephone or other contact is necessary to provide the password.

#66878 - 03/12/03 09:58 PM Re: email encryption
jack (100 Club, joined May 2002, 165 posts, USA)
Food for thought:
The following is from the OTS Thrift Activities Handbook, Technology Risk Controls, Section 341 page 11, found here.

Encryption
Encryption is the scrambling of data so that it cannot be read without the proper codes for unscrambling the data. Confidential or sensitive data should always be encrypted when being sent over the Internet and the sender and receiver of the data are not behind the same firewall. This includes email containing confidential and/or sensitive information as well as Internet Banking transactions.

Management should perform a risk assessment to identify types of sensitive data requiring protection and determine the type and strength of encryption to use for various protected communications. The assessment should include databases and password files.
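As an added example (my own code, not from this thread, the OTS handbook, or any poster), here is one way George's information categories and the OTS rule about the Internet and "not behind the same firewall" could be turned into an outbound-mail check: the gate classifies a message body as Category 1 or Category 2 by looking for an SSN or account-number pattern, then lets Category 2 content out only when both parties are inside the bank's own domain or the message is encrypted. The domain examplebank.test, the account-number heuristic, the keyword list and the sample messages are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption for this example: the bank's own mail domain. Mail that stays
# inside it is treated as "behind the same firewall" in the OTS sense.
INTERNAL_DOMAIN = "examplebank.test"

# Strong signals: patterns that by themselves put a message in Category 2
# (non-public customer information). The SSN layout is the standard
# ###-##-####; the account-number pattern is a constructed heuristic
# ("account"/"acct", optional "#"/"no."/"number", then 8 or more digits).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCOUNT_RE = re.compile(
    r"\b(?:account|acct)\s*(?:#|no\.?|number)?\s*:?\s*\d{8,}\b", re.IGNORECASE
)

# Weak signals: words that suggest NPI may be present but also appear in
# innocent text ("please do not send your SSN"). They are recorded for the
# reviewer but do not change the category on their own.
KEYWORDS = ("ssn", "social security", "date of birth", "dob")


@dataclass
class Decision:
    category: int        # 1 = public, 2 = non-public customer information
    findings: List[str]  # evidence, e.g. "ssn", "account-number", "keyword:dob"
    allowed: bool        # may the message leave as-is?
    reason: str          # human-readable explanation for the log


def classify(body: str) -> Tuple[int, List[str]]:
    """Assign a Category (1 or 2) to a message body and list the evidence."""
    findings: List[str] = []
    if SSN_RE.search(body):
        findings.append("ssn")
    if ACCOUNT_RE.search(body):
        findings.append("account-number")
    strong = list(findings)
    lowered = body.lower()
    for kw in KEYWORDS:
        # Whole-word match so "dob" does not fire on "adobe".
        if re.search(r"\b" + re.escape(kw) + r"\b", lowered):
            findings.append("keyword:" + kw)
    return (2 if strong else 1), findings


def same_firewall(sender: str, recipient: str) -> bool:
    """Both addresses in the bank's own domain: no Internet hop involved."""
    return (sender.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN
            and recipient.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN)


def evaluate(sender: str, recipient: str, body: str, encrypted: bool) -> Decision:
    """Apply the Category 2 rule: no unencrypted NPI over the Internet."""
    category, findings = classify(body)
    if category == 1:
        return Decision(1, findings, True, "Category 1: no handling stipulations")
    if same_firewall(sender, recipient):
        return Decision(2, findings, True, "Category 2, but internal delivery")
    if encrypted:
        return Decision(2, findings, True, "Category 2, encrypted for external delivery")
    return Decision(2, findings, False,
                    "Category 2 NPI to external recipient without encryption; blocked")


if __name__ == "__main__":
    # Constructed sample messages, not real customer data.
    npi = "Per our call, the borrower's SSN is 123-45-6789, acct # 12345678."
    samples = [
        ("ops@examplebank.test", "customer@mail.test",
         "Your statement is available in online banking.", False),
        ("ops@examplebank.test", "closing@lawfirm.test", npi, False),
        ("ops@examplebank.test", "closing@lawfirm.test", npi, True),
        ("ops@examplebank.test", "colleague@examplebank.test", npi, False),
    ]
    for sender, rcpt, body, enc in samples:
        d = evaluate(sender, rcpt, body, enc)
        print(f"{rcpt:28} cat={d.category} allowed={d.allowed} {d.findings} - {d.reason}")
```

The keyword list is deliberately a weak signal: a reply telling a customer "do not send your SSN by e-mail" should be logged for review, not blocked, while an actual SSN or account number in the body should never leave the bank's domain in clear text.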

#66879 - 03/12/03 11:12 PM Re: email encryption
Kathleen O. Blanchard (10K Club, joined Dec 2000, 21,293 posts)
I am at a smaller (2+ Billion) bank now and we do not encrypt but are very careful about what is emailed. However, at a former employer (very large bank), we actually had "codes" we used internally when emailing sensitive client data to get a deal done, never using their name or full account # until we had encrypted email installed. If we needed to make an inquiry of a co-worker in another country via email, we would call and let them know who the email was regarding in the event we were too cryptic.

Once installed, we used the encrypted email within the bank(s) and when corresponding via email with our brokerage or other affiliates who were part of a client transaction. There was a flat-out prohibition against using the client's name, account number, address, etc. in email internally or externally.

_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

#66880 - 03/15/03 12:14 AM Re: email encryption
CarlD (100 Club, joined Apr 2002, 215 posts)
If you watch your spam messages, you will realize just how insecure typical email really is. A "robot" that can harvest email addresses can also filter out messages with phrases like ssn, dob, visa, master card, and so forth.

There are numerous secure email systems - just google search for "secure email".

An example: http://www.swissmail.org/Swissmail/info/en/cost.htm
$25 annual fee, basic account.
_________________________
Regards, CarlD

#66881 - 04/08/03 10:07 PM Re: email encryption
Anonymous (Unregistered)
There are sources to accomplish secure email messaging without special software. Try www.csiesafe.com. Hope this helps.

#66882 - 11/02/06 03:41 PM Re: email encryption
Brad B (100 Club, joined Apr 2002, 213 posts, KS)
Perhaps it's just a risk management issue, and please tell me if I'm going too far with my thinking, but I'm wondering how to mitigate the risk of e-mailing a customer, or a third party about a customer, at all.

The privacy rule has a definition of "personally identifiable financial information" that includes example (C) which states "The fact that an individual is or has been one of your customers or has obtained a financial product or service from you" is included. That means it is "non-public personal information" and I have a duty to protect and secure the fact that the customer is my customer. The info security guidelines say that I have to "protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer."

If I were to e-mail a customer, using as generic terms as possible to tell them that their statement is available online, or that a transaction has been completed, or that we have a message waiting for them in our online banking system, etc., that e-mail is insecure. If it is intercepted, aren't I disclosing the fact that the customer is my customer? How can I keep the initial e-mail from being intercepted and putting the customer's NPPI at risk in a way that could cause my customer substantial harm or inconvenience?
_________________________
"Sarchasm" is the gulf between the author of sarcastic wit and the person who doesn't get it

#66883 - 11/07/06 01:09 PM Re: email encryption
Andy_Z (10K Club, joined Oct 2000, 27,748 posts, On the Net)
"If it is intercepted"

You don't expect it to be intercepted any more than you expect a stranger to open a person's statement from their mailbox.

While I see your concern, I think you're reading into this with the expectation that email will be (not could be) read by a third party. That said, you don't include too much in your message. But just as when an envelope arrives from a bank, it doesn't mean I have an account there, but that is a pretty good bet.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
