I am going to ask what I think is a dumb question, but I want to make sure I am not overreacting.

Without going into too many details, I work with a nonprofit that gets grant funding. Sometimes they have to send funders cleared checks to show they spent X dollars. Obviously a check has a bank account and routing number. It would be pretty dangerous to just send that in a regular email, right? I’ve configured a DLP solution to block transmission of financial account numbers, but am getting some pushback from a particular user who needs to send this info to a funder.

Am I overreacting or being overly restrictive by blocking these emails unless they are sent via an encrypted email?

57 Spice ups

Not overreacting at all. Generally this is a violation of several different compliance types, and it is a best practice to do what you are doing.
What you CAN do is, for that end user, force encryption of those messages in the processing rules. You did not indicate what DLP system you are using to manage it, but they all likely have a rule set which allows you to, rather than block, force encrypt for a subset of the rules.
You can also look at using a secure file sharing system such as Sharefile, Egnyte, etc. to allow that data to be shared securely.

19 Spice ups

Sometimes users don’t understand what you are trying to protect. Perhaps explain to your user that you are actually trying to protect the donor and ask how likely they would be to donate if they lost money due to your organization. You may want to show your user how to redact that information before sending.

7 Spice ups

Associating an account number, routing number and account holder should be protected. The routing number alone requires no protection and the financial institutions I work with post their routing numbers freely. Here are some examples:

5 Spice ups
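Added example, not from any poster in this thread: a small DLP-style classifier implementing the two points made above, forcing encryption instead of blocking, and treating a routing number alone as public while any account number triggers the encrypt action. Routing numbers are recognised with the standard ABA checksum; the sample messages and the routing number 123456780 are constructed test values, not real bank data.

```python
import re

# Any bare 9-digit run is a routing-number candidate; the checksum decides.
ROUTING_RE = re.compile(r"\b\d{9}\b")
# Account numbers are only matched next to an "account"/"acct" label to keep
# phone numbers, invoice ids and dates from triggering the rule.
ACCOUNT_RE = re.compile(
    r"(?i)\b(?:account|acct|a/c)\W{0,3}(?:number|no\.?|#)?\W{0,3}(\d{6,17})\b"
)

# Constructed sample messages (test data, not from the thread).
SAMPLES = {
    "routing_only": "For reference, our bank's routing number is 123456780.",
    "pair": "Cleared check attached: routing 123456780, account 123456789012, "
            "paid $5,000 on 2024-03-01.",
    "none": "Please find the quarterly grant report attached (invoice 123456789).",
}


def is_aba_routing(digits: str) -> bool:
    """ABA checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def find_routing_numbers(text: str) -> list:
    return [m.group(0) for m in ROUTING_RE.finditer(text) if is_aba_routing(m.group(0))]


def find_account_numbers(text: str) -> list:
    return [m.group(1) for m in ACCOUNT_RE.finditer(text)]


def dlp_action(text: str) -> dict:
    """Decide what the mail rule should do with an outbound message body."""
    routing = find_routing_numbers(text)
    accounts = find_account_numbers(text)
    if accounts:
        # Account number present (with or without routing): force encryption
        # rather than blocking, so the business process still works.
        action, reason = "encrypt", "account number found; enforcing encrypted delivery"
    elif routing:
        action, reason = "allow", "routing number only; banks publish these"
    else:
        action, reason = "allow", "no financial account data detected"
    return {"action": action, "reason": reason, "routing": routing, "accounts": accounts}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, dlp_action(body))
```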

That’s the right thing. I used to work at a non-profit that put accounting numbers on their site for bank to bank transfers. I voiced my concern but they seemed confident that the bank called them for unusual activity. I was still annoyed the information was readily available, but nothing happened (that I know of).

Anyways, why does this person even need this information? Is there another option they can use to confirm the money was used? You’re not doing anything wrong, and I feel like there is a breakdown in the process. This will need to be reexamined by the organization, and you should be involved to give a yes/no on whether the plan can be done.

1 Spice up

Do you follow this person out to the parking lot and check that they’ve fastened their seat belt? Cut up their food so they don’t choke?

Your job is to prevent unintentional compromise of information. If someone purposefully publishes that information, your duty is to inform them of the risks. If they continue, they own all the risk - and the consequences.

Getting into a fight with this person isn’t beneficial to you. Instead, write to their supervisor and simply state that you’ve counseled this person on why this is a risk and that you’ve blocked the data. If the supervisor would like to override your decision and open that up, you’ll be glad to comply.

17 Spice ups

A Bank Account number is non-public information and should be protected. What is your company’s policy regarding the transmission of non-public information?

I have found that many people mistakenly think that a normal email is secure. Normal emails are not guaranteed to be secure and may be intercepted by unauthorized third parties.

5 Spice ups

Guidance on the Protection of Personal Identifiable Information

Banker Resource Center Information Technology (IT) And Cybersecurity

Protecting Personal Information: A Guide for Business

In case you need any further information, that all says the same thing: DO NOT DO IT, and remove the ID 10 T that can’t get it through their head how dumb an idea it is. Tell them to go to Facebook and TikTok and all other social media and put their personal account numbers and banking info on the screen for all to scam them, if they are so confident it is a good idea.

It may have already been stated but sharing that info in a non-secure manner likely runs afoul of multiple federal regulations. Have a look at this presentation ==> https://www.squirepattonboggs.com/~/media/files/insights/events/2018/03/data-privacy-for-non-profits/data-privacy-for-nonprofitspptx.pdf

3 Spice ups

You say you’re sending proof that money was spent, so it sounds like your org’s account info is the info being sent potentially in plain text. The person doing so is probably a GM or higher, making it difficult to educate them. Your best bet is encrypted email, but then the clients complain because of the extra step to open the messages.

The bank may have some guidelines you can point to. However, my assumption based on your post is that these are physical checks. If those checks leave your possession, even in an envelope, the account info is compromised. I can read the account number through non-shielded envelopes without difficulty. But banks know that and do offer additional protections. Positive pay files sent from the payer to inform the bank of check numbers and amounts. Virtual account numbers hide real account numbers. Accounts can be restricted to prevent ACH or physical check withdrawals. Notifications of activity let you know when money is withdrawn (or deposited).

Account numbers are addresses, someplace to deliver to or from. The routing number is like a postal code. Again, banks know this and provide actual security via other means, but there’s no point in making a bad guy’s job any easier than it has to be.

1 Spice up

I would definitely use DLP.

1 Spice up

Instead of blocking it, why not set DLP to auto-encrypt the emails?

2 Spice ups

This is a bad take. OP does not have to allow people to send things that are restricted, whether they’ve been warned or not. I know some people get a hard on over watching people suffer stupid consequences, but this is dumb.

4 Spice ups

We used DLP to encrypt outgoing financial emails. It worked for a while. We were then forced to use Dropbox to make it easier for both sides. The checks and other items were encrypted and never stayed long. It literally was a dropbox.

When I worked at a financial institution, we automatically encrypted email with our account numbers, both inflight and at rest. We would also automatically generate an email reminding the user to encrypt.

I remember being interviewed by FDIC auditors attesting to that.

As a non-profit you would not have the same requirements that my old company did, but what you are doing is not crazy.

1 Spice up

I work at a nonprofit and it happens. Various foundations differ in how they clear things.
One was super spammy. The development staff person sent it to me because it was so weird. It was real, though. There were typos, formatting was off, and it asked for financial information. It was partially generated by one of the foundation’s automated systems. That accounted for the issues. We even looked up the senders on LinkedIn.

My angle was to confirm with a human being via phone. The development staff should have a rapport with the admins (paperwork people) and the grant officers (who approve the grants). They may hesitate to ask too many questions for fear that it will make them less likely to get grant funds. Grants = everyone’s salary in many places.

Just frame it as being good stewards of funds and add a phone call to this process. Foundations like stability and security. We also added the phone call to any ACH changes as well. The rapport with foundation staff is key as anyone could also pick up a phone.

This is definitely PII that should never be sent unencrypted via email. It’s a violation of GLBA, the Privacy Act, and multiple federal regulations. I work at a credit union - if we were to send this information out without encrypting it, we would be written up by the NCUA (the government agency that regulates credit unions). Microsoft 365 has built-in email encryption that satisfies these requirements, plus there are a number of third-party options that are also compliant. Since you are a non-profit, many of these solutions (including M365) have a certain number of free licenses or offer a discount that you might qualify for.

This is 100% “Best Practices”. Sometimes that means having to get a little extra, but still…well-done!


Makes sense to me.

You nailed it 100%. Sorry if I was not clear in the OP, but it is our org’s info being sent, not that of a donor. This was basically the argument this user was making: that the bank has other safeguards in place, so it really shouldn’t matter.