I am interested in hearing how other organizations are handling the issue of detecting if an employee is sending sensitive data to their personal email addresses. We of course have a policy against this, but have a challenge enforcing it.
We have DLP rules that will automatically send outbound email through our secure messaging platform if PII is detected. These are logged and reviewed. We are a bank, so sending documents with PII is common.
With a large percent of our team working from home, we have detected a few cases of employees emailing files to their personal email account with the intent to be able to print them on their home printer. This is against policy. We were able to detect these because their personal email addresses were obvious. If we see an email from Joe User going to juser@yahoo.com, it’s pretty easy to catch. Our concern is the not so obvious email addresses. If Joe User emails a document to snowleopard23@yahoo.com, we have no way to know if that is a legitimate email to a client or if that is his own personal email account. Any recommendations?
Part 2 of this is how to handle the violators. We are looking into a progressive penalty system, possibly starting with a suspension without pay and escalating to termination. Something with more teeth than a sit down with senior management since they already know it is prohibited. Any suggestions along those lines are appreciated as well.
NOTE: I just made up snowleopard23@yahoo.com on the fly. My apologies if this is someone’s actual email address.
Effectively, you are asking to blacklist employee email addresses. The obvious first step is to ask employees for their addresses. Either that or whitelist your customers.
However, I think your approach is flawed. Solely playing technical whack-a-mole to defend confidential information is doomed to failure. To be successful, you need employees to become your advocates in protecting CI. The simple fact that you authorized them to see the CI in the first place means they can screenshot it, take a picture with their mobile phone, hand transcribe, memorize, etc. As you are discovering, enforcement of rules that make it hard for them to do their jobs fosters shadow-IT-like behavior and ultimately hurts your overall goal to protect CI.
Much more enlightened is to ask why they need to print, empathize with their concerns and to find that "middle ground" which all parties can accept. Most likely, you will find that they are trying to copy stuff from one document to another, or they are being asked to review documents on a screen which is much too small. Both of these scenarios can be solved by issuing second (or third) monitors. Or, maybe you buy everyone a shredder for Christmas and encourage its use in your CI training program.
You might also find that the documents being emailed/printed are those belonging to the employee. For example, I duplicate my own CI (performance review, employment contract, benefits notices, tax forms, etc) into a location not under employer control. In part, this is CYA, but mostly it is so that they remain accessible even beyond my employment.
Also, with respect to the juser@yahoo.com scenario, it is only necessary to read about Mark Donnelly (thanks, rlade for the link) to realize that false positives ought to be considered.
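As an added example (not code from the original poster or the reply above), here is a small Python sketch of the triage the question and the reply describe: a declared list of employee personal addresses (the "blacklist"), a customer domain allowlist (the "whitelist"), and the "juser@yahoo.com looks like Joe User" heuristic for recipients on consumer webmail domains. The log format, the webmail domain list, the bank domain examplebank.test and every address in the sample log are constructed for the example. Note that the name heuristic only ever yields "likely_self"; a webmail recipient whose local part does not resemble the sender's name comes back as "review", because, as the reply points out, snowleopard23@yahoo.com could just as well be a client.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed list of consumer webmail domains for this example. A real
# deployment would maintain its own list and also handle regional variants.
WEBMAIL_DOMAINS: Set[str] = {
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "icloud.com", "aol.com", "protonmail.com", "proton.me",
}

# Constructed outbound-mail log lines, in a made-up single-line format
# (hypothetical fields: sender display name, sender address, rcpt, dlp verdict).
SAMPLE_LOG: List[str] = [
    '2024-03-04T09:12:01Z msgid=1 sender="Joe User" <joe.user@examplebank.test> rcpt=juser@yahoo.com dlp=pii',
    '2024-03-04T09:13:44Z msgid=2 sender="Joe User" <joe.user@examplebank.test> rcpt=snowleopard23@yahoo.com dlp=pii',
    '2024-03-04T09:15:10Z msgid=3 sender="Joe User" <joe.user@examplebank.test> rcpt=jane.client@client.example dlp=pii',
    '2024-03-04T09:20:30Z msgid=4 sender="Ann Smith" <ann.smith@examplebank.test> rcpt=a.smith+bank@gmail.com dlp=pii',
    '2024-03-04T09:22:05Z msgid=5 sender="Ann Smith" <ann.smith@examplebank.test> rcpt=ops@vendor.example dlp=none',
]

LOG_RE = re.compile(r'sender="(?P<sname>[^"]*)" <(?P<saddr>[^>]+)> rcpt=(?P<rcpt>\S+)')


def _norm(local_part: str) -> str:
    """Normalise a mailbox local part for comparison: lowercase, drop a
    '+tag' suffix, remove punctuation, strip trailing digits ('j.user99' -> 'juser')."""
    stem = local_part.lower().split("+", 1)[0]
    stem = re.sub(r"[^a-z0-9]", "", stem)
    return re.sub(r"\d+$", "", stem)


def _name_forms(display_name: str) -> Set[str]:
    """Local-part shapes an employee might plausibly use for a personal
    mailbox, derived from the directory display name ('Joe User')."""
    parts = [p for p in re.split(r"[\s.\-]+", display_name.lower()) if p]
    if not parts:
        return set()
    first, last = parts[0], parts[-1]
    forms = {first + last, last + first, first[0] + last, last + first[0]}
    if len(last) >= 6:          # a bare surname only counts if it is distinctive enough
        forms.add(last)
    return forms


def classify_recipient(sender_name: str, recipient: str,
                       employee_personal: Set[str], customer_domains: Set[str]) -> str:
    """Triage one recipient address for a message sent by sender_name.

    Order matters: a declared personal address is flagged even when it sits
    on a customer domain, and the allowlist is consulted before any guessing."""
    addr = recipient.strip().lower()
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return "malformed"
    if addr in employee_personal:
        return "known_personal"          # employee declared this address
    if domain in customer_domains:
        return "allowed_customer"        # whitelisted client domain
    if domain in WEBMAIL_DOMAINS:
        if _norm(local) in _name_forms(sender_name):
            return "likely_self"         # juser@yahoo.com from Joe User
        return "review"                  # snowleopard23@yahoo.com: a human has to look
    return "external"


def scan_log(lines: Iterable[str], employee_personal: Set[str],
             customer_domains: Set[str]) -> List[Tuple[str, str, str]]:
    """Run the triage over log lines; return (sender, recipient, verdict)
    for every line that deserves a reviewer's attention."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify_recipient(m["sname"], m["rcpt"], employee_personal, customer_domains)
        if verdict in ("known_personal", "likely_self", "review"):
            findings.append((m["saddr"], m["rcpt"], verdict))
    return findings


if __name__ == "__main__":
    for sender, rcpt, verdict in scan_log(SAMPLE_LOG, set(), {"client.example"}):
        print(f"{verdict:15} {sender} -> {rcpt}")
```

The "review" bucket is the honest answer to the snowleopard23 question: the tooling can shrink it (by collecting declared personal addresses and maintaining the customer allowlist) but cannot empty it, so the reviewer workload for that bucket is the number to watch.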
How do you propose to identify PII definitively? If you examine the legal definitions of what constitutes personal information, then this is fiendishly difficult for unstructured information. For example, in the UK, the regulator includes information that is obviously about someone, although they may not be named or have an obvious unique id in the info, as personal data. For example, say I was to draft a LinkedIn recommendation for someone and email it to them. I may not mention them except by the first name, but everything else would fall under the 'definitely about them'. You could of course argue this is not PII that the organisation is data controller for.