Sending Clear Text Customer Information Is Not Okay Just Because the Customer Says It’s “Okay”

As a follow-up to my blog post from last Friday, here is the second part of the first article within the June issue of my “IT Compliance in Realtime” journal, “What to Tell Personnel: Messaging Security and Privacy”…


————————————

Sending Customer Information Is Not Okay Just Because the Customer Says It’s Okay
Over the years, I’ve asked personnel throughout many organizations, “Have you ever sent your customers their personal information within clear text email messages?” The most common answer I’ve received, dozens if not hundreds of times, is basically, “Yes, if the customer sends us their personal information in an email first, or if they say it is okay to send their personal information to them in an email, then we do it.”
You need to be sure you tell your personnel that it is not okay to send [personally identifiable information] PII to customers in clear text just because the customers say it is okay with them!
Your organization is ultimately responsible for the appropriate safeguarding of all PII you collect, process, store, and otherwise handle. Even if your customers tell your employees it is okay to send them clear-text PII in email, IMs, or even text messages, it is not okay if you have a policy that says it must not be done.
This is an area where years of customer service training, being taught that the customer is always right and that you must always do everything possible to make the customer happy, comes into conflict in the minds and actions of your personnel with information security and privacy policies — not to mention regulatory and contractual compliance. Provide training to the personnel who communicate directly with customers that includes information covering the following:

  • How the personnel should respond to customer requests to receive PII within email, IMs, text messages, and any other type of clear-text electronic communication.
  • The ways in which privacy breaches can occur through messaging.
  • The policies that govern how to safeguard PII, particularly when using messaging systems.
  • The business impacts of privacy breaches that occur through sending clear-text PII within electronic messages.
  • The negative impacts to personnel that could occur as a result of them sending clear-text PII within electronic messages.

————————————
Download the full PDF article, within the journal, here.
Keep in mind, even if your customers tell you it is “okay” to send them their PII in clear text messages, generally YOUR organization is ultimately responsible for anything bad that happens to that PII as a result of sending it in cleartext.
Discuss the possibilities, and potential impacts, with your legal counsel.
