What Should I Do About Unencrypted SSNs Shared in an Email?

Asked By CuriousCat99 On

I recently came across an email thread between a top management person and our parent company, where they shared a file containing a lot of unencrypted Social Security Numbers (SSNs). I'm unsure if I should bring this up with my boss or escalate the issue given that we don't have any sensitivity labels in place. What are the best practices here?

3 Answers

Answered By ComplianceGuru7 On

Sharing unencrypted SSNs is a big no-no and could lead to serious compliance issues with regulations like HIPAA or GDPR. If that email gets forwarded or falls into the wrong hands, it could turn into a reportable data breach. If things go south and it's found out you stayed quiet, it won't look good for you. I’d recommend saying something like, 'Hey, I noticed an email thread with unencrypted SSNs shared between [name] and [parent company]. Should we flag this for the appropriate team?'

RiskAware22 -

Yeah, it's a nightmare for companies to have linked PII like that out in the open. Definitely a conversation worth having.

Answered By PrivacyProtector88 On

Definitely bring it up to your management or HR right away! It's important to inform them about the risk of unencrypted SSNs being shared. You might even suggest possible solutions, but the responsibility to fix this lies with them, not you.

Answered By InfoSecWhiz On

I need a bit more context. How did you come across the email? Were you cc'd, bcc'd, or did someone point it out to you? It's crucial to know if there are any policies about accessing such information. Either way, you should at least discuss this with your boss to see if it needs addressing. How does your upper management view cybersecurity? Having a solid policy in place can make it much clearer what steps to take.
