About Jimmy

James 'Jimmy' Blake is the Chief Security Officer for Mimecast,  a leading cloud services company based in London.  James has overall responsibility for risk management for the organisation's internal IT infrastructure and service delivery platforms spread across four continents.  James also manages the security of platforms deployed within partners such as Cable & Wireless and Iron Mountain.

James is also one of the founders of eyeCompli, a company providing Software-as-a-Service standards-based risk assessment and security program management solutions.

He holds a PhD in Information Security Management and is a Certified Information Security Systems Professional. James has nearly two decades of commercial experience in information security, business continuity and storage.

James has a love of loud Harley Davidson motorcycles, real ale, role playing games and even louder heavy metal.  He lives in rural Kent with his partner, Sonia, and stepson, Rafael.

Tuesday, Oct 13, 2009

Cloud custodians don't own your data


Cloud service providers need to remember the relationship they have with their customers: we are the custodians of our customers' data, not the owners.

Take the recent case of an employee at Rocky Mountain Bank who sent confidential personal information about 1,800 of its customers in error to a Google Mail account, a case of the wrong attachment sent to the wrong recipient.

A customer requested that his loan statements be sent to his Google Mail account; instead, the bank employee attached a document containing the names, addresses, Social Security numbers and loan details of over 1,300 customers... and sent it to the wrong Google Mail account.

After first attempting to recall the email and then to contact the recipient, the bank contacted Google and succeeded in getting them to delete the account.  This case raises three important questions:

Firstly, why did an employee even consider sending the original documents to the customer who requested them?  Email is a clear-text protocol and sending even the loan statements is far from best practice.  This is an example of how an ad-hoc procedure can go terribly, terribly wrong.

Secondly, why did the bank not have a Data Leak Prevention capability in place to look for Personally Identifiable Information (PII) embedded in emails and enforce a policy preventing its transmission to anyone other than authorised recipients, or at least encrypting it in transit?
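One way a mail gateway could implement the check described above, shown here as an added example rather than the bank's or any product's code: it looks for Social Security numbers in the body and attachments, treats the bank's own domain as the only authorised recipient, blocks a bulk disclosure to an external address, and requires encryption for a single customer's own record. The domain, the bulk threshold and the sample statement and export are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical, constructed outbound-mail DLP check (not the bank's or any vendor's code).
# SSN pattern with the SSA's structural rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed policy knobs: domains treated as authorised recipients, and how many
# distinct SSNs in one message count as a bulk disclosure rather than one customer's record.
AUTHORISED_DOMAINS = {"rockymountainbank.example"}
BULK_THRESHOLD = 2

@dataclass
class Verdict:
    action: str       # "allow", "encrypt" or "block"
    ssn_count: int    # distinct SSNs found in body and attachments
    reason: str

def find_ssns(text: str) -> set:
    """Return the distinct SSN-shaped values in a piece of text."""
    return set(SSN_RE.findall(text))

def dlp_verdict(recipient: str, body: str, attachments: dict) -> Verdict:
    """Decide what the mail gateway should do with an outbound message."""
    found = find_ssns(body)
    for content in attachments.values():
        found |= find_ssns(content)
    if not found:
        return Verdict("allow", 0, "no PII detected")
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in AUTHORISED_DOMAINS:
        return Verdict("allow", len(found), "authorised recipient domain")
    if len(found) >= BULK_THRESHOLD:
        return Verdict("block", len(found), f"{len(found)} SSNs to external recipient {recipient}")
    return Verdict("encrypt", 1, f"single customer record to external recipient {recipient}")

# Constructed sample: the customer's own statement vs. a bulk export attached by mistake.
STATEMENT = "Statement for account ending 4411, SSN on file 123-45-6789, balance 12000.00"
BULK_EXPORT = (
    "name,ssn,loan\n"
    "Jane Doe,123-45-6789,12000\n"
    "John Roe,234-56-7890,8500\n"
    "Test Row,999-99-9999,0\n"   # invalid area number, not counted as an SSN
)

if __name__ == "__main__":
    print(dlp_verdict("customer@gmail.com", "Your statement is attached.", {"statement.pdf": STATEMENT}))
    print(dlp_verdict("customer@gmail.com", "Your statement is attached.", {"loan_export.csv": BULK_EXPORT}))
```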

Thirdly, Google initially refused to provide any information on the account without a court order, so Rocky Mountain Bank obtained one from a California judge ordering the recipient's account to be temporarily suspended.  This sets a terrible precedent, especially considering Google's operation of commercial accounts: if you are the recipient of confidential information accidentally sent to you, your account can be suspended.
