
Password Protected Email Sufficient Under GLBA?

Question: 
Our organization uses a vendor to service our mortgage loans. The vendor emails trial balance data (loan numbers, names, balances, etc.) to us. The emails are password protected. Is this sufficient under GLBA, or must the emails be encrypted?
Answer: 

Encryption of e-mail with customer identifiable data is not a specific requirement, but is suggested as one of several controls that need to be considered and implemented as appropriate.

Your organization should have undertaken a risk assessment of information security that identified ways in which customer information security could be breached. Certainly one of those ways in your case would seem to be by someone inadvertently or deliberately intercepting e-mails and finding a way to access the information. In analyzing the risks associated with this, and the likelihood and impact of such a breach, you should also have come up with identification of existing controls to mitigate this risk. To the extent the risk exists, the GLB Information Security Guidelines give several controls that ought to be considered for implementation. One of these is encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.

In my personal opinion, password protection of this data is not sufficient to mitigate the risk to this data being transmitted in this manner.

First published on BankersOnline.com 08/15/05
