How are you handling the emailing of customers' non-public information to attorneys, accountants, appraisers, title companies ? Is everyone encrypting all emails, even back to the customers when they request their own information ? Is this really what G-L-B requires ? Thanks for the input and I apologize if this has been handled in other threads.

I believe encryption is used very little. When you get a 314(a) request, it isn't encrypted. When your examiner wants info e-mailed to them, pre-exam as an example, is it encrypted? I believe it is either done by diskette or a blind eye is turned as while there is risk, it hasn't hit the front burner. It won't, until it hits the fan.

We encrypt our Internet Banking data and large files sent and received. When we send customer info in attachments we often password protect them. But like most locks, they just keep honest people honest.

But I believe few end users have the software or skillset for doing this. Some programs can be cumbersome and costly.

I think Andy's post hits it on the head, in so many ways. I always ask customers if they would like information e-mailed to them; if they're comfortable with that, so am I. If they do not want it e-mailed, we will fax it (not a secure form of delivery) or mail it (not a secure form of delivery). Risk is a continuum, not a fixed point.

E-mail can be very unsecure. We have processes set up with our regular vendors and service providers to encrypt/decrypt communications with sensitive customer data. We discourage customers from sending e-mails that contain things such as their SSN or password, and when they do send it we'll delete it when we reply. GLBA requires that you assess all the ways you handle sensitive customer information, evaluate the risks, and take appropriate measures to protect the info.

To further Jack’s point, GLBA requires your bank to have an ISP – Information Security Program of which your IT policies, standards and procedures are a subset. Hence, your Information Security Program should dictate what you can and can’t do. A solid Information Security Program details standards and procedures for classifying different types of information into different risk categories, then assigns rules to the handling of that information. The administrator of the ISP is the ISO (Information Security Officer) and that person alone can approve exceptions to the ISP. Live by the sword, do business by the sword.

Very basic example,

Category 1
Publicly available information
Low Risk
No stipulations for handling

Category 2
Non-public customer information
High Risk
These documents will be securely stored when not actively being prepared or used. Secure storage is in a locked container. These documents will receive limited viewing and are not for open public discussion. Cat 2 docs will not be emailed over the Internet unless in encrypted format.

Category 3
Technical and System Information
High Risk
These documents will be securely stored when not actively being prepared or used. Secure storage is in a locked isolated container not used for the storage of any other documents. These documents are for restricted viewing and discussion, and only by persons having a unique requirement for them and only with prior authorization of the ISO. Cat 3 docs will not be emailed over the Internet unless in encrypted format.

-George

Food for thought:
The following is from the OTS Thrift Activities Handbook, Technology Risk Controls, Section 341 page 11, found here.


Encryption
Encryption is the scrambling of data so that it cannot be read without the proper codes for unscrambling the data. Confidential or sensitive data should always be encrypted when being sent over the Internet and the sender and receiver of the data are not behind the same firewall. This includes email containing confidential and/or sensitive information as well as Internet Banking transactions.

Management should perform a risk assessment to identify types of sensitive data requiring protection and determine the type and strength of encryption to use for various protected communications. The assessment should include databases and password files.

I am at a smaller (2+ Billion) bank now and we do not encrypt but are very careful about what is emailed. However, at a former employer (very large bank), we actually had "codes" we used internally when emailing sensitive client data to get a deal done, never using their name or full account # until we had encrypted email installed. If we needed to make an inquiry of a co-worker in another country via email, we would call and let them know who the email was regarding in the event we were too cryptic.

Once installed, we used the encrypted email within the bank(s) and when corrresponding via email with our brokerage or other affiliates who were part of a client transaction. There was a flat-out prohibition against using the clients name, account number, address, etc. in email internally or externally.

If you watch your spam messages, you will realize just how insecure typical email really is. A "robot" that can harvest email addresses can also filter out messages with phrases like ssn, dob, visa, master card, and so forth.

There are numerous secure email systems - just google search for "secure email".

An example; http://www.swissmail.org/Swissmail/info/en/cost.htm
$25 annual fee, basic account.

There are sources to accomplish secure email messaging without special software. Try www.csiesafe.com. Hope this helps.

Perhaps it's just a risk management issue and please tell me if I'm going too far with my thinking but I'm wondering how to mitigate the risk to e-mail a customer or a third party about a customer at all.

The privacy rule has a definition of "personally identifiable financial information" that includes example (C) which states "The fact that an individual is or has been one of your customers or has obtained a financial product or service from you" is included. That means it is "non-public personal information" and I have a duty to protect and secure the fact that the customer is my customer. The info security guidelines say that I have to "protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer."

If I were to e-mail a customer, using as generic terms as possible to tell them that their statement is available online or that a transaction has been completed, or we have a message waiting for you in our online banking system, etc., that e-mail is unsecure. If it is intercepted, aren't I disclosing the fact that the customer is my customer? How can I keep the initial e-mail from being intercepted and put the customer's NPPI at risk that could cause my customer substantial harm or inconvenience?

"If it is intercepted"

You don't expect it to be intercepted any more than you expect a stranger to open a persons statement from their mailbox.

While I see your concern, I think you're reading into this with the expectation that email will be (not could be) read by a third party. That said, you don't include too much in your message. But just as when an envelope arrives from a bank, it doesn't mean I have an account there, but that is a pretty good bet.