topic Re: Detecting email sent to personal email accounts in Governance, Risk, Compliance

Detecting email sent to personal email accounts

chogan — Fri, 04 Dec 2020 14:10:23 GMT

I am interested in hearing how other organizations are handling the issue of detecting if an employee is sending sensitive data to their personal email addresses. We of course have a policy against this, but have a challenge enforcing it.

We have DLP rules that will automatically send outbound email through our secure messaging platform if PII is detected. These are logged and reviewed. We are a bank, so sending documents with PII is common.

With a large percent of our team working from home, we have detected a few cases of employees emailing files to their personal email account with the intent to be able to print them on their home printer. This is against policy. We were able to detect these because their personal email addresses were obvious. If we see an email from Joe User going to juser@yahoo.com, it’s pretty each to catch. Our concern is the not so obvious email addresses. If Joe User emails a document to snowleopard23@yahoo.com, we have no way to know if that is a legitimate email to a client or if that his own personal email account. Any recommendations?

Part 2 of this is how to handle the violators. We are looking into a progressive penalty system, possibly starting with a suspension without pay and escalating to termination. Something with more teeth than a sit down with senior management since they already know it is prohibited. Any suggestions along those lines are appreciated as well.

NOTE: I just made up snowleopard23@yahoo.com on the fly. My apologies if this is someone’s actual email address.

Re: Detecting email sent to personal email accounts

tmekelburg1 — Fri, 04 Dec 2020 15:05:02 GMT

@chogan wrote:

With a large percent of our team working from home, we have detected a few cases of employees emailing files to their personal email account with the intent to be able to print them on their home printer. This is against policy.

I know you didn't ask for this advice but I'd initially start with why they are trying to print at home and if it's necessary or extremely helpful for their positions, I'd look into ways for printing securely. Or setting up the environment so everything can be done electronically. I see this as a communication failure between IT and Operations.

@chogan wrote:
I am interested in hearing how other organizations are handling the issue of detecting if an employee is sending sensitive data to their personal email addresses.

We have DLP rules that will automatically send outbound email through our secure messaging platform if PII is detected. These are logged and reviewed. We are a bank, so sending documents with PII is common.

We do the same thing as you but also DLP rules for PHI data as well. Does your messaging system have an encryption feature? You might be able to set it up to auto encrypt if it detects PII data. With ours we can either prevent the email flow or choose to encrypt the message. The receiver would then log into the encryption portal to retrieve the email. I know this doesn't fix the user's behavior but at least you would know it's encrypted.

For your part 2. Personally, our IT/Security department has enough to worry about. I'd recommend punting to HR for coming up with creative solutions for violators.

I'm definitely interested in how others in the Community handle these scenarios.

Re: Detecting email sent to personal email accounts

PuettK — Fri, 04 Dec 2020 15:08:07 GMT

Depending on the mail platform there a number of things that can be accomplished. DLP is only one of them. Preventing SMTP relay, mail flow rules, and constant reminders on the policy are just a few. Violations in the banking sector should be extreme for the employee. This is a potential violation of client confidentiality regardless of whether you are a commercial bank or credit union. Regulator agencies could fine the bank heavily if discovered in a risk assessment or regulatory audit.

Re: Detecting email sent to personal email accounts

Steve-Wilme — Fri, 04 Dec 2020 15:30:56 GMT

Part of this comes down to policy. Are staff allowed limited personal use for example. So staff they were to decide to use an employee assistance line, need to email an external pensions administrator or their doctor, what would the stance be?

If your looking to prevent staff leaking data then you also have to look at uploads to file sharing sites, locking down copy and paste, connectivity, removable media, banning smartphones etc. The worst email breaches I've encountered involved emailing the wrong recipient. Esp. problematic if your company lawyers do it!

Re: Detecting email sent to personal email accounts

tmekelburg1 — Fri, 04 Dec 2020 16:17:46 GMT

@Steve-Wilme wrote:

If your looking to prevent staff leaking data then you also have to look at uploads to file sharing sites, locking down copy and paste, connectivity, removable media, banning smartphones etc. The worst email breaches I've encountered involved emailing the wrong recipient. Esp. problematic if your company lawyers do it!

That's a good point. If he were to setup a full tunnel to a web filtering device, i.e. Cloud or on-prem, that would lock down access to file share sites and personal email on the work mobile device. I haven't looked but I'm sure there are some GPOs that would restrict access to installing or adding additional printers on the mobile devices.

Re: Detecting email sent to personal email accounts

ericgeater — Fri, 04 Dec 2020 17:52:43 GMT

Gotta say, @Steve-Wilme, I like what you said. If they're on a work computer, and they have access to non-work-related or personal resources (social media, dropbox, ANYTHING OTHER THAN BANKING OR FINANCE), then the machine may not be locked down enough. No Gmail, no Yahoo mail, no FB, life sucks, get a helmet, scroll on your phone.

Re: Detecting email sent to personal email accounts

chogan — Fri, 04 Dec 2020 17:52:48 GMT

Thank you all for the replies.

Printing at home is prohibited, and the very few exceptions have been issued printers and shredders.

Unauthorized file sharing sites and cloud drives are blocked on the web filter.

Our DLP rules are sending these files through our secure messaging platform. It is normal course of business to for users to send customers and/or third parties documents through this platform. Our issue is that the recipient could be anyone from the public at large who is doing business with us, so how can we identify employees personal email accounts vs. legitimate customer?

My answer so far has been that we can't, but, I am sure we are not the only ones needing to address this and wanted to see what others are doing.

HR, executive committee, and legal are working on formalizing the punitive aspect. I am looking for better detection methods.

Re: Detecting email sent to personal email accounts

chogan — Fri, 04 Dec 2020 18:06:11 GMT

@ericgeater wrote:
Gotta say, @Steve-Wilme, I like what you said. If they're on a work computer, and they have access to non-work-related or personal resources (social media, dropbox, ANYTHING OTHER THAN BANKING OR FINANCE), then the machine may not be locked down enough. No Gmail, no Yahoo mail, no FB, life sucks, get a helmet, scroll on your phone.

Those are blocked. My issue is NOT that that they are accessing their email from their work computer, it is they are able to send email to their personal email accounts from their work email. Yes, if it has PII it will go through our secure messaging system, but they will still receive it on their personal devices, just as any legitimate bank customer would.

(edited to correct omitted NOT)

Re: Detecting email sent to personal email accounts

chogan — Fri, 04 Dec 2020 18:05:04 GMT

Correction: My issue is NOT that that they are accessing their email from their work computer, it is

Re: Detecting email sent to personal email accounts

tmekelburg1 — Fri, 04 Dec 2020 18:36:28 GMT

Yeah, that's a tough issue. It's a combination of culture and technical capabilities of our systems. Like I said previously, I'd first try to find out the 'Why' and try to prevent it that way rather than beating them with the proverbial stick. Beat them with the stick later if it's not possible to come up with a secure printing solution or make everything electronic so it doesn't need to be printed. Hopefully, someone else in the Community that's in a regulated industry has figured this out.

Any way to restrict sending PII to only registered customers or business partners through the secure message center? All other emails that are not registered and have PII in them would fail sending.

Re: Detecting email sent to personal email accounts

denbesten — Thu, 17 Dec 2020 03:18:52 GMT

Effectively, you are asking to black list employee email addresses. The obvious first step is to ask employees for their addresses. Either that or white list your customers.

However, I think your approach is flawed. Solely playing technical whac-a-mole to defend confidential information is doomed to failure. To be successful, you need employees to become your advocates in protecting CI. The simple fact that you authorized them to see the CI in the first place means they can screenshot it, take a picture with their mobile phone, hand transcribe, memorize, etc. As you are discovering, enforcement of rules that make it hard for them to do their jobs fosters shadow-IT-like behavior and ultimately hurts your overall goal to protect CI.

Much more enlightened is to ask why they need to print, empathize with their concerns and to find that "middle ground" which all parties can accept. Most likely, you will find that they are trying to copy stuff from one document to another, or they are being asked to review documents on a screen which is much too small. Both of these scenarios can be solved by issuing second (or third) monitors. Or, maybe you buy everyone a shredder for Christmas and encourage its use in your CI training program.

You might also find that the documents being emailed/printed are those belonging to the employee. For example, I duplicate my own CI (performance review, employment contract, benefits notices, tax forms, etc) into a location not under employer control. In part, this is CYA, but mostly it is so that they remain accessible even beyond my employment.

Also, with respect to the juser@yahoo.com scenario, it is only necessary to read about Mark Donnelly (thanks, rlade for the link) to realize that false positives ought to be considered.

Re: Detecting email sent to personal email accounts

Steve-Wilme — Thu, 17 Dec 2020 11:55:02 GMT

How do you propose to identify PII definitively? If you examine the legal definitions of what constitutes personal information, then this is fiendishly difficult for unstructured information. For example, in the UK, the regulator includes information that is obviously about someone, although they may not be named or have an obvious unique id in the info, as personal data. For example, say I was to draft a linkedin recommendation for someone and email it to them. I may not mention them except by the first name, but everything else would fall under the 'definitely about them'. You could of course argue this is not PII that the organisation is data controller for.