Employees of Kinetic Concepts (KCI) have suffered a data breach when an email containing the wrong attachment was sent to...them. There are certain things that e-mail encryption can do to protect a company from data breaches. This particular case is not one of them. A better option might have been the use of encryption for the attachment.
The attachment contained names, addresses, dates of birth, SSNs, and salaries of approximately 4,000 KCI employees in the US. Employees were alerted to the mistake and instructed to delete the e-mail. An audit was performed by outside consultants to ensure that the directive was followed by all.
As a result of the breach, credit monitoring and identity theft protection are being offered to all affected. It's a good, wise move; on the other hand, if one were to take an extremely negative view of the event, it would seem to insinuate that KCI's employees cannot trust each other, although I'm sure that's quite the erroneous conclusion.
In some ways, it's hard to understand how this could've happened. I mean, sending an errant e-mail is quite commonplace. Sending it to all in your organization? I imagine I would have noticed that my "To:" field was severely populated. On the other hand, if it was addressed to a mailing list, which generally just covers one line, I guess I wouldn't have caught it.
How could one protect himself from a data breach under the circumstances? In this case, e-mail encryption would probably not work because the e-mail is being sent internally. Generally, DLP (data loss prevention) programs are configured not to encrypt e-mails that are being passed around within a "secure perimeter," i.e., from one employee to another within the company, especially if they're within the same building.
On the other hand, the use of file encryption software to protect the contents of the attachment would have worked splendidly. Under the same breach circumstances above, the unintended "3,999" other employees would have required the correct password to access the contents of the encrypted file. I'm assuming, of course, that the password would not have been included in the same e-mail....
Related Articles and Sites:
http://www.phiprivacy.net/?p=3581
http://www.ama-assn.org/amednews/2010/08/30/bisf0903.htm