Password Protected Email Sufficient Under GLBA?

Question: 
Our organization uses a vendor to service our mortgage loans. The vendor emails trial balance data (loan numbers, names, balances, etc.) to us. The emails are password protected. Is this sufficient under GLBA or must the emails be encrypted?
Answer: 

Encryption of e-mail with customer identifiable data is not a specific requirement, but is suggested as one of several controls that need to be considered and implemented as appropriate.

Your organization should have undertaken a risk assessment of information security that identified ways in which customer information security could be breached. Certainly one of those ways in your case would seem to be by someone inadvertently or deliberately intercepting e-mails and finding a way to access the information. In analyzing the risks associated with this, and the likelihood and impact of such a breach, you should also have come up with identification of existing controls to mitigate this risk. To the extent the risk exists, the GLB Information Security Guidelines give several controls that ought to be considered for implementation. One of these is encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.

In my personal opinion, password protection of this data is not sufficient to mitigate the risk to this data being transmitted in this manner.

First published on BankersOnline.com 08/15/05
