Our client “Olympia Publishing, Inc” recently decided to outsource their website, and to save time and paper, Suzanne from HR, asked if they could accept job applications online. Their web developer would collect all of the application data and email it to Olympia’s HR department. Everything sounds good so far, right? Well, Olympia was collecting the applicant’s social security numbers in the digital form and transmitting the information through email. That’s a big no-no. When we caught wind of this misstep, we called Suzanne and explained to her the security risks, as well as the potential legal ramifications of mishandling the applicant’s personal information. She didn’t see what all the fuss was about and asked us how this was any different from when they had an employee fax the paper applications over to the main office. This was another “uh-oh” moment for us, and we soon found out that the faxes being received by the HR department were actually coming from a fax-to-email service. It turned out that every “fax” sent to and from Olympia Publishing was unprotected, and thus highly susceptible to being read by prying eyes.
Why Isn’t Email a Secure Form of Communication?
Quite simply, email is not a secure form of communication because it was never meant to be. Email was first developed when the internet was still young, and people were looking for a simple, standardized way to store-and-forward messages between different kinds of computers. Email messages were transferred completely in the open, and could be read by anyone with access to network traffic. You might be amazed to learn that this wide-open method is still how email works to this day, making emailed information extremely vulnerable.
Here is a short list of some of the ways your emails and emailed faxes can become vulnerable:
- Since emails are not encrypted, they can be easily sniffed while in transit.
- Because emails are recorded on the physical disks of all the servers involved in transmission (sender’s email server, recipient’s email server, etc.) they can be read once the server is decommissioned, or through backup tapes. Heck, they could be read by anyone with access to the server, be it a bored intern or a malicious identity thief.
- There are a number of viruses which inspect the emails received by infected machines, looking for valuable information such as credit card info or social security numbers.
In reality, the entire email system is just relying on the honor system, and it’s amazing it still works as well as it does!
Why Is This so Important for Your Business?
It isn’t just irresponsible to send sensitive information through fax and email, it can also land you in some pretty serious legal trouble as well. In the state of Texas, there are a number of laws against sending personal information through insecure channels. In fact, fines can range anywhere between $2,000 and $50,000 per incident. Again, that is a per incident fine, meaning that if the personal information of ten different people is compromised, a company could be charged with ten separate offenses. If your business has a history of sending sensitive information through fax or email, these fines can add up quickly.
Using our story as an example, let’s imagine that Olympia Publishing sent the job application forms for 100 prospective employees through unsecured email or fax to Susan in their HR office. Assuming that state attorneys determine that each infraction carries with it the minimum fine of $2,000, Olympia Publishing could be charged with 100 violations with a total cost of $200,000. And should the State decide to charge them with the maximum fine of $50,000, Olympia would have to pay a grand total of $5,000,000!
Should You Keep Using Email and Fax in Your Business?
The correct answer here is both yes and no, depending on the situation. You have a legal obligation to both your clients and employees to protect their private information. If a major part of what you are sending or receiving via fax and email is sensitive personal information, then you should absolutely not be using these channels. Fax and email are fine for basic communication, but when you are dealing with credit card information, social security numbers, copyrighted information, etc, you need to use a service that does not transmit data over the internet.
Offering a Better Solution
The story of Olympia Publishing should highlight the importance of working with experts who understand network security inside and out. After all, if we hadn’t stepped in to inform them of the legal consequences of sending sensitive information through unsecured channels, Olympia could have landed in some really hot water.
—This material is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.