You're faxing my what, where?
There are better ways to send sensitive information
Businesses can avoid potential
public relations and legal nightmares by developing privacy policies,
authentication processes and using cutting-edge technology. The
Canadian Imperial Bank of Commerce learned this the hard way last
week when U.S. scrapyard operator Wade Peer went public with his
story about how one of Canada's largest banks was flooding his fax
machine with highly confidential information about its clients for
the past three years.
The faxes, he said, contained social
insurance numbers, bank accounts and client signatures, and despite
repeated calls from him they just kept piling up. Finally he sued
CIBC to make them stop. The problem appears to stem from the fact
Mr. Peer's toll-free number for his autoparts business, which he
was forced to close, is similar to that of one of the bank's processing
centres.
After the story appeared in the
press, the bank issued a cease-and-desist order to employees across
the country, prohibiting them from sending internal faxes containing
client information. Instead, they were advised to use the internal
courier system or pick up a phone and engage in an old-fashioned
conversation. In a statement CIBC said for the long-term "we
are exploring other potential secure technological alternatives
for the timely transmission of confidential information between
branches and processing centres."
Legislators and governments at the
provincial and federal level have identified this problem and passed
a range of laws requiring companies to take better care of sensitive
employee and client information in their possession.
Claudiu Popa, president of Informatica,
a Toronto-based information security firm, says in addition to financial
penalties and lawsuits for damages, "your name is going to
get dragged in the news. Embarrassment is one of the biggest fears
of companies today."
In addition to faxes, misdirected
voice mails, improperly addressed e-mails and improperly accessed
documents all pose a problem when it comes to protecting confidential
data. While it's virtually impossible to eliminate the problem,
there are steps companies can take to reduce it, security experts
say.
The key is developing a solid set
of privacy policies and authentication processes coupled with cutting-edge
technologies, says John Weigelt, chief security advisor at Microsoft
Canada. "They [businesses] have to establish principles to
secure their environment." That includes restricting access
to information and examining "each layer of defence."
FAX FIXES
When it comes to faxing
large volumes of information, Alan Gahtan, an information technology
lawyer in Toronto, says "I think there are some policies and
procedures a company can enact to reduce this kind of [risk]."
First, he says, "you want to reduce the amount of information."
Don't send social insurance numbers, for example. Instead, deposit
a master file with the office you are sending the information to
and link to that list through the use of names. If a business has
a large volume of faxes going to one place, the most obvious solution
is using speed dial. That eliminates user error as long as the number
is correctly input the first time and you check regularly to
ensure it has not been changed.
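The data-minimization step Mr. Gahtan describes, as an added example that is not code from the article or from any bank: the sensitive field (here the SIN) stays in a master file deposited with the receiving office, the outbound document carries only an opaque reference in its place, and a final scan of the outbound text refuses to send anything that still looks like a SIN. The scan goes one step beyond the article by using the Luhn check digit that real SINs carry, so that ordinary nine-digit account numbers are not mistaken for SINs. The references are used instead of bare names because names collide; all names, numbers and reference formats below are constructed.

```python
"""Data minimization before a fax leaves the branch (added illustration)."""
import re
import secrets

# Constructed client records.  The SINs are synthetic values chosen to pass
# the Luhn check that real SINs use; the account numbers are arbitrary.
RECORDS = [
    {"name": "A. Client", "sin": "046454286", "account": "123456789"},
    {"name": "B. Client", "sin": "123456782", "account": "987654321"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used for the check digit of a Canadian SIN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Three groups of three digits, optionally separated by a space or hyphen,
# not embedded in a longer run of digits.
SIN_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def find_sins(text: str) -> list[str]:
    """Nine-digit groups that also pass Luhn; plain account numbers usually fail it."""
    return ["".join(m.groups()) for m in SIN_RE.finditer(text)
            if luhn_ok("".join(m.groups()))]


def split_for_transmission(records, make_ref=None):
    """Return (master_file, outbound_rows).

    master_file is deposited with the receiving office and maps a reference to
    {name, sin}; outbound_rows is what actually gets faxed and carries only
    name, reference and account.  make_ref may be overridden with a
    deterministic generator (as the tests do); the default is random."""
    make_ref = make_ref or (lambda: "REF-" + secrets.token_hex(4))
    master, outbound = {}, []
    for rec in records:
        ref = make_ref()
        while ref in master:                # guard against a reference collision
            ref = make_ref()
        master[ref] = {"name": rec["name"], "sin": rec["sin"]}
        outbound.append({"name": rec["name"], "ref": ref, "account": rec["account"]})
    return master, outbound


def render_raw(records) -> str:
    """The old way: the full record, SIN included, on the fax."""
    return "\n".join(f"{r['name']}\t{r['sin']}\t{r['account']}" for r in records)


def render_fax(rows) -> str:
    """The minimized way: name, reference and account only."""
    return "\n".join(f"{r['name']}\t{r['ref']}\t{r['account']}" for r in rows)


def safe_to_send(text: str) -> bool:
    """Last check before dialling: refuse if anything SIN-shaped is present."""
    return not find_sins(text)


def resolve(master, ref: str) -> str:
    """At the receiving office: look the SIN up in the deposited master file."""
    return master[ref]["sin"]


if __name__ == "__main__":
    print("raw fax safe?", safe_to_send(render_raw(RECORDS)))        # False
    master, rows = split_for_transmission(RECORDS)
    text = render_fax(rows)
    print("minimized fax safe?", safe_to_send(text))                  # True
    print(text)
```

The master file only has to be delivered once, by a channel that is verified end to end (the courier the bank fell back on, for instance); after that, every routine fax carries nothing a wrong number could turn into an identity-theft kit.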
But why even send faxes in an era
of digital information? asks Informatica's Mr. Popa. "Faxes
are outdated. Faxes are not secure. Most organizations should preserve
documents digitally."
If a business has a lot of data
flowing to a single place, it could implement a virtual private
network, a secure direct pipeline. On a computer network, a scanner
can digitize a document and be programmed to send it to the Internet
Protocol address of a printer at the destination. By digitizing the
information, it can be subject to encryption and the use of digital
certificates, which prohibit unauthorized users from accessing or
reading a confidential document, he says.
Faxing documents that require a
signature can be eliminated with the use of electronic signatures
and basic encryption functions such as S/MIME (Secure/Multipurpose
Internet Mail Extensions), which lets the recipient verify who the
information is from and access it only if they have the correct
digital certificate on their computer.
VOICE MAIL PROBLEMS
If a caller
phones the wrong number and leaves a message, there is little that
can be done to retrieve it, Mr. Gahtan says. A policy should be
in place preventing staff from leaving confidential information
on a voice mail. Also, voice mail requires a PIN to access
messages, which opens doors to hackers. The redial function on some
phones recalls the last numbers dialled, including a PIN. Mr. Gahtan
says he makes it a practice of calling another number after accessing
his voice mail to ensure his number is bounced from the redial list.
ENDING E-MAIL ERRORS
Besides the
possibility of typing in the wrong address or name in the directory,
users should avoid the user-group function, Mr. Gahtan says, because
often the sender is not sure whose names are in the group.
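The group-alias problem Mr. Gahtan raises, as an added example that is not code from the article: before a message goes out, the distribution lists it names are expanded (recursively, tolerating a list that contains itself) down to the individual mailboxes, and any mailbox outside the organisation's own domains is flagged so the sender has to confirm it. The directory, group names and domains are constructed.

```python
"""Who is really in that group?  Added illustration, not from the article."""

# Constructed directory: group alias -> members (a member may itself be a group).
GROUPS = {
    "branch-ops@example.ca": ["a.adams@example.ca", "b.brown@example.ca",
                              "suppliers@example.ca"],
    "suppliers@example.ca": ["courier@partner.example", "branch-ops@example.ca"],
}
# Constructed: domains the organisation treats as internal.
TRUSTED_DOMAINS = {"example.ca"}


def expand_recipients(addresses, groups):
    """Resolve group aliases to individual mailboxes; cycles are visited once."""
    individuals, seen_groups, pending = set(), set(), list(addresses)
    while pending:
        addr = pending.pop().strip().lower()
        if addr in groups:
            if addr not in seen_groups:
                seen_groups.add(addr)
                pending.extend(groups[addr])
        else:
            individuals.add(addr)
    return individuals


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def presend_check(addresses, groups=GROUPS, trusted=TRUSTED_DOMAINS):
    """Return the expanded recipient list plus the external ones the sender must confirm."""
    people = expand_recipients(addresses, groups)
    external = {p for p in people if domain_of(p) not in trusted}
    return {
        "recipients": sorted(people),
        "external": sorted(external),
        "needs_confirmation": bool(external),
    }


if __name__ == "__main__":
    report = presend_check(["Branch-Ops@example.ca"])
    for mailbox in report["recipients"]:
        tag = "EXTERNAL " if mailbox in report["external"] else "         "
        print(tag + mailbox)
```

Here a single internal-looking alias quietly includes a courier at a partner company, which is exactly the membership the sender "is not sure" about.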
"Secure messaging and rights
management becomes important" when e-mails and computer networks
are involved, Mr. Weigelt says. Technologies can be deployed to
control and monitor access to documents within an organization.
When sending documents outside, encryption is the key to ensuring
unwelcome eyes don't view them.
Ben Sapiro, an independent IT security
consultant in Toronto, says monitoring and controlling access to
documents online is critical. Firms need to use server audit tools
better to control who is accessing which documents. Proxy servers
can inspect traffic going across the network and monitor it. Alerts
can be set to advise appropriate managers if someone is trying to
access documents that they are not entitled to see.
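The monitoring Mr. Sapiro describes, as an added example that is not code from the article or from any product it mentions: detection logic run over a handful of constructed audit-log lines from a document server. The key=value line format, the user names and the entitlement table are all assumptions. An alert is raised when a user is granted access to a department's documents they are not entitled to (the server's own permissions may be wrong), when an unknown user is granted anything, and when a user racks up repeated denials.

```python
"""Alerting on document access outside a user's entitlements (added example)."""
import re
from collections import Counter

# Constructed entitlements: user -> departments whose documents they may read.
ENTITLEMENTS = {
    "jsmith": {"finance", "hr"},
    "mlee": {"marketing"},
}

# Constructed audit lines from a document server or proxy (format is an assumption).
LOG_LINES = [
    "2005-06-13T09:01:02Z user=jsmith path=/finance/q2-results.xls result=allowed",
    "2005-06-13T09:03:44Z user=mlee path=/finance/q2-results.xls result=denied",
    "2005-06-13T09:03:51Z user=mlee path=/finance/payroll.xls result=denied",
    "2005-06-13T09:04:10Z user=mlee path=/hr/salaries.doc result=denied",
    "2005-06-13T09:06:27Z user=mlee path=/hr/salaries.doc result=allowed",
    "2005-06-13T09:07:00Z user=temp42 path=/hr/salaries.doc result=allowed",
    "garbage line the collector could not parse",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=/(?P<dept>[^/\s]+)/(?P<doc>\S+) "
    r"result=(?P<result>allowed|denied)$"
)


def parse_line(line):
    """Return the fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, entitlements, denial_threshold=3):
    """Return (alerts, parsed_count); each alert is a (kind, user, detail) tuple."""
    alerts, denials, parsed = [], Counter(), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            # A line we cannot read is itself worth a look: gaps in audit data hide misuse.
            alerts.append(("unparsed-line", None, line))
            continue
        parsed += 1
        target = ev["dept"] + "/" + ev["doc"]
        permitted = entitlements.get(ev["user"])
        if ev["result"] == "allowed":
            if permitted is None:
                alerts.append(("unknown-user-allowed", ev["user"], target))
            elif ev["dept"] not in permitted:
                alerts.append(("access-outside-entitlement", ev["user"], target))
        else:
            denials[ev["user"]] += 1
            if denials[ev["user"]] == denial_threshold:
                alerts.append(("repeated-denials", ev["user"], f"{denial_threshold} denials"))
    return alerts, parsed


if __name__ == "__main__":
    found, count = analyse(LOG_LINES, ENTITLEMENTS)
    print(f"{count} events parsed, {len(found)} alerts")
    for kind, user, detail in found:
        print(f"{kind:28} {user or '-':8} {detail}")
```

The second alert is the important one for the article's point: the server let the access through, so only a comparison against an independent record of who is entitled to what reveals that someone read a document they should not have seen.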
LOCKING DOWN EXTERNAL RELATIONS
Businesses also need to be aware of the pitfalls in sending confidential
data to third parties. Mr. Weigelt suggests putting agreements in
place to ensure information is safeguarded.
Mr. Gahtan says: "You want
your supplier to agree to conform to some minimum security practices."
Those practices should also apply to subcontractors. As well, prohibit
information from going offshore, where privacy standards may be
lax. Also, include indemnity provisions so if something bad happens
and your business faces a financial penalty or hardship, then the
party that caused the problem reimburses you.