While the primary aim for most companies is to ensure that sensitive or confidential information is not sent out via email, for some industries the sharing of sensitive information is a business necessity. The medical, finance, and insurance industries all need to be able to exchange private or confidential information with customers. The trick is to share the information in a secure manner that protects it from unauthorized viewing.
Once upon a time, a medical benefits processing company I was working with needed to confirm some contract details with me via email. They had a gateway solution in place to prevent sending out sensitive information. Instead, the solution stored the message securely on a local server, then sent me an email with a link to access it over an encrypted HTTP connection. Fair enough. Except the part where they included the password necessary to access the encrypted data with the email containing the link. Oops.
Fast forward a year or two. I recently switched banks and I needed to change the automatic payment info with my life insurance company. Apparently my life insurance company has a similar solution in place for protecting sensitive data, because what I received was a more or less blank email with an HTML attachment of some sort. I clicked the attachment and it asked for a password–a password I had never created and had no idea what it might be. I just typed in a random password I sometimes use, which it accepted and then took me to an initial login screen requiring me to change/create my password. So, they had enough sense to try and safeguard my private information from unauthorized access, but sent it as an email attachment requiring a password that you get to make up as you go? Well, that’s secure.
Companies like these need to have ways to protect sensitive data, and also must meet data protection compliance requirements such as HIPAA/HITECH and PCI DSS. I question, though, just how secure my data really was in either instance. Obviously, there are some serious flaws in both solutions. Companies need tools that can identify and filter sensitive information, and deliver data securely when warranted.