Lessons from the Rocky Mountain Bank

Background (taken from Wired)
In August a customer of the Rocky Mountain Bank asked a bank employee to send certain loan statements to a representative of the customer. The employee, however, inadvertently sent the e-mail to the wrong Gmail address. Additionally, the employee had attached a sensitive file to the e-mail that should not have been sent at all. The attachment contained confidential information on 1,325 individual and business customers that included their names, addresses, tax identification or Social Security numbers and loan information.
After realizing what he’d done, the employee “tried to recall the e-mail without success.” When that didn’t work, the employee sent a second e-mail to the recipient instructing the person to delete the e-mail and attachment “in its entirety” without opening or reviewing it. The employee also asked the recipient to contact the employee to “discuss his or her actions.”
Weeks later, after hearing nothing from the recipient, RMB sued Google to learn the recipient’s identity. RMB then took the extraordinary step of asking the Court to seal the record so that the existence of the lawsuit would not become public, arguing that if the court filings were not sealed, all of its customers might learn of the inadvertent disclosure. The Court denied the request.
Lesson #1: Access Controls and Secure Data Transfer.
Should this employee have access to the data in the file?
In this scenario, the employee evidently had access to a customer record database in which individual customer records were not walled off from batch records covering many customers. The first question is whether this employee, other than to transfer records to customers, needed access to the customer records at all. It’s possible this particular employee had no need to see the data. It would then have been reasonable to give the employee access to the file (in order to forward it) without access to the data inside it, for example by letting the employee handle it only in encrypted form.
Should this employee have had access to aggregate data?
Even if this employee needed access to the data within the file he thought he was sending (an individual customer’s account information), was it necessary to allow this person access to aggregated customer data? Isn’t such aggregated data used only for management or marketing purposes? On a need-to-access basis, doesn’t it make more sense to restrict access to aggregated data (and the risks associated with it) to the functional areas that actually use it?
Could aggregate data be anonymized?
Even management and marketing may not need data that is both aggregated and identifiable. Aggregated data can, and where appropriate should, be anonymized.
Was the data stored and transferred in an encrypted format?
The file should be encrypted in its native environment and, more importantly, whenever it is transferred. When communicating personal or confidential information with a customer or client, whether in the body of an e-mail or in attachments, it may be reasonable to insist on a secure e-mail communication system (not a public one like AOL or Google) such as Cleo, SafetySend or MyMail.
In summary, the data should not have been accessible, aggregated, un-anonymized, unencrypted, or sent over public mail.
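As an added illustration of the controls summarized above (this is example code, not anything from the article or from the bank), the Python below models two of them on constructed sample records: an anonymized aggregate view that drops names and tax IDs, and an outbound-mail gate that refuses an attachment carrying more than one customer’s tax ID or addressed to anyone other than a contact the customer registered in advance. The record layout, the addresses and the one-identifier threshold are assumptions.

```python
import re

# Constructed sample records (not real customer data). The fields mirror what the
# article says the leaked attachment held: names, tax IDs and loan information.
CUSTOMERS = [
    {"id": 1, "name": "A. Example", "tax_id": "123-45-6789", "loan_type": "mortgage", "balance": 250000},
    {"id": 2, "name": "B. Example", "tax_id": "987-65-4321", "loan_type": "auto", "balance": 18000},
    {"id": 3, "name": "C. Example LLC", "tax_id": "12-3456789", "loan_type": "commercial", "balance": 900000},
]

# Matches the two identifier formats in the records: SSN (nnn-nn-nnnn) and EIN (nn-nnnnnnn).
TAX_ID_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{2}-\d{7}\b")


def anonymized_aggregate(records):
    """Aggregate view for management/marketing: counts and totals per loan type, no identifiers."""
    out = {}
    for r in records:
        bucket = out.setdefault(r["loan_type"], {"count": 0, "total_balance": 0})
        bucket["count"] += 1
        bucket["total_balance"] += r["balance"]
    return out


def bulk_export(records):
    """Identified batch export: the kind of file that should never have been attached."""
    return "\n".join(f"{r['name']},{r['tax_id']},{r['loan_type']},{r['balance']}" for r in records)


def outbound_check(recipient, attachment_text, registered_contacts, max_identifiers=1):
    """Gate an outgoing message. Returns (allowed, reasons).

    Two independent checks, either of which would have flagged the incident described:
    - the recipient must be a contact the customer registered in advance (a mistyped
      public webmail address is not), and
    - the attachment may carry at most one customer's tax ID; more means a batch export.
    """
    reasons = []
    if recipient.strip().lower() not in {c.strip().lower() for c in registered_contacts}:
        reasons.append("recipient is not a registered customer contact")
    n_ids = len(set(TAX_ID_RE.findall(attachment_text)))
    if n_ids > max_identifiers:
        reasons.append(f"attachment carries {n_ids} distinct tax IDs (bulk identified data)")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(anonymized_aggregate(CUSTOMERS))
    print(outbound_check("stranger@gmail.com", bulk_export(CUSTOMERS), ["rep@example.com"]))
```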
Lesson #2: Breach Response.
Evidently, Rocky Mountain Bank had no breach response policy or plan. Priority number one should be to develop a plan of action in advance of a breach so that “wait and hope for the best” is not the default response. The plan must be proactive and must draw members from every discipline that affects the response: a breach response team comprised of legal, IT, senior management and marketing/public relations. The substance of the plan should include an outline of responsibilities, with checklists for immediate, short-range and long-range action.
Lesson #3: Public Relations.
Rocky Mountain Bank chose to hide the breach from its customers. In spite of its claims of security, integrity and customer service, Rocky Mountain chose a path of secrecy and subterfuge. As digital complexities multiply, breaches will as well. All reasonable consumers understand that technical and human errors occur and are generally forgiven. As many-a-politician has discovered, the danger to the business is in the cover-up, not in the crime (and here, the innocent mistake). Confess the error, apologize, institute safeguards and respect the customer’s intelligence and capacity for compassion.
Your organization will be rewarded even in the face of fault. The opposite response, however, will result in a doubling-down of the bad publicity.
Lesson #4: Post-press Disclosure and Transparency.
I visited the Rocky Mountain Bank website to see what they had to say in response to the breach, the cover-up and the subsequent losing efforts in Federal Court. Nothing. Not a single mention. Where is the transparency? How can they be trusted?
In fact, even in light of the exposure, Rocky Mountain Bank is touting its “Fraud Plus Protection” with a link that says “You’re just one click away from protecting Your Identity.” In truth, this claim could only be true if the link is to the Federal Trade Commission.
Good luck Rocky Mountain Bank.