how security drifts away

Initially:

The company has a policy that personal data cannot be accepted by e-mail.  It must be sent by hard copy or fax.  Even though fax is not always secure, it is an approved channel under the applicable privacy regulations.


1st Event:

HR requests that a document containing personal data be filled out and returned by e-mail.  Employees have no e-mail encryption available to them.

Complaint:  this violates the privacy policy.

Response:  Correct, the policy was violated.  Rogue employee.  Issue corrected.


2nd Event:

The wording that “personal data cannot be accepted by e-mail” quietly disappears from the policy.

Complaint:  an important privacy safeguard has been removed.

Response:  Employees are *encouraged* to send in personal data by secure means, but it is their choice if this is not followed.


3rd Event:

Requests for insecure transmission of personal data become routine and numerous.

Complaint:  this encourages insecure handling of personal data.

Response:  No policy is being violated.  There is no need to bring this up again.


4th Event:

More of the above.

Complaint:  I don’t like my data being requested this way.

Response:  Everybody is doing it.  What is the problem?


You can see how privacy erodes.  It reaches the point where unencrypted e-mail is treated as though it were as secure as any other channel.  If this happens at the front end, with employees’ own data, you can assume that back-end transfers of personal data from one company to another are handled the same way, and this is happening at many companies.