With recent news that a London council’s data protection efforts are under review after it told residents to email in their payment card details in a Word document, Dr Guy Bunker, SVP of Products at data security company Clearswift, commented below on the issues behind this method and why it shows a lack of data security education.
Dr Guy Bunker, SVP of Products at Clearswift:
“When handling sensitive data, information security education and awareness among general employees is extremely important – this shows there is none or very little within Islington council. Understanding the risks and consequences of requests like this is essential. Good data security is about people, process and technology and in this particular case there is a failing on the people and process side of communicating with individuals. Had there been proper training, the suggestion to send details by email would never have been made. There should also have been a process in place to ensure that secure payments could be made through an authorised web-based application.
“Technology should also be in place to enforce the processes and protect the people, in this case the secure payment application. However, people frequently send credit card information by email and organisations need technology to protect themselves when this occurs. It might be that the organisation cannot process credit card information or even store it on the network, in which case using Adaptive Redaction functionality can remove just the credit card number from the email before it gets to the network. This will make life easier for the IT department, who may otherwise need to go through a secure deletion process to remove the data from the network.
“Similarly, even if the organisation can handle credit cards, a reply to the email saying ‘thank-you’ which includes the original can still put them in breach of PCI DSS and GDPR. The same Adaptive Redaction technology, as part of an Adaptive Data Loss Prevention (A-DLP) solution, will remove the sensitive information but leave the rest to continue to the individual – rather than the ‘stop and block’ approach of traditional DLP – helping an organisation maintain compliance and keep information safe.”
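As an added illustration of the redaction step Dr Bunker describes (example code written for this page, not Clearswift’s product), the snippet below finds card-number candidates in an inbound message, confirms them with the Luhn checksum so that look-alike digit runs such as order references are left alone, and replaces only the number while the rest of the message continues on for delivery. The sample email is constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str):
    """Return (redacted_text, count).

    Only Luhn-valid candidates are replaced; everything else in the message is
    left untouched so the mail can still be delivered (redact rather than block).
    """
    count = 0

    def _sub(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return "[REDACTED CARD ****" + digits[-4:] + "]"
        return m.group(0)   # not a card number: keep as written

    return PAN_CANDIDATE.sub(_sub, text), count


# Constructed sample message: one real-format test PAN, one look-alike reference, one phone number.
SAMPLE_EMAIL = (
    "Hi, please find my details: card 4111 1111 1111 1111 exp 12/27.\n"
    "My order ref is 1234 5678 9012 3456. Call me on 020 7946 0000 if there is a problem.\n"
)

if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_EMAIL)
    print(f"{n} card number(s) redacted:\n{redacted}")
```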