It happened again: an employee at a New Hampshire-based temp agency accidentally emailed hundreds of Social Security numbers to Internet recipients. The Boston Channel 5 aired a story about the incident this morning.

The exact details are a little sketchy, but it seems that a list of job candidate profiles containing Social Security numbers and personal email addresses was mistakenly sent out in a broadcast message that was originally intended to announce job opportunities.

“She hit a button and it sent out a broadcast e-mail, so it certainly was not intentional on her part, …”

I always feel bad for the employee that makes this type of mistake, since the ramifications can be significant – but to err is human.

Identity theft through impersonation via Social Security numbers is commonplace, and companies must proactively protect the personal information of their employees and customers.

This raises a number of questions:

Why would anybody be permitted to extract lists of names, email addresses and social security numbers from a company database in the first place? Sensitive information should always be obfuscated and only be accessible on a need-to-know basis per individual record. In essence, that kind of data should never be stored in a portable document format.

Secondly, why does it always take the occurrence of a serious incident before businesses take action? Companies should actively protect themselves and their employees from such mistakes. There are technology solutions available today that can help in preventing accidental and deliberate data leakage via email. The costs associated with one single error can easily outweigh the cost of a preventative solution.
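As an added illustration (not taken from any product or from the incident itself), here is a sketch of the kind of outbound check such a solution performs: it holds a message when Social Security numbers are headed to external recipients and records only masked values as evidence. The domain `agency.example`, the zero-tolerance threshold, the function names, and the sample message are all assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "agency.example"  # assumption: the sender's own mail domain
MAX_SSNS = 0                        # assumption: any SSN leaving the company is held

# SSN shape, excluding ranges the SSA never issues (area 000/666/9xx,
# group 00, serial 0000) to reduce false positives on other numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def find_ssns(msg):
    """Return SSN-shaped strings from every text part, attachments included."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            hits += SSN_RE.findall(text)
    return hits

def external_recipients(msg):
    """Addresses in To/Cc/Bcc that are outside the internal domain."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN)]

def mask(ssn):
    """Keep only the last four digits so the audit log is not itself a leak."""
    return "***-**-" + ssn[-4:]

def evaluate(raw):
    msg = message_from_string(raw)
    ssns, outside = find_ssns(msg), external_recipients(msg)
    hold = len(ssns) > MAX_SSNS and bool(outside)
    return {"action": "hold" if hold else "deliver", "ssn_count": len(ssns),
            "external": len(outside), "evidence": [mask(s) for s in ssns]}

# Constructed sample message with dummy values, not real data.
SAMPLE = """\
From: recruiter@agency.example
To: a@mail.example, b@mail.example
Cc: manager@agency.example
Subject: New job opportunities

Jane Doe, jane@mail.example, 123-45-6789
John Roe, john@mail.example, 234-56-7890
Reference 000-12-3456 is not a valid SSN.
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

A held message would go to a reviewer or bounce back to the sender for confirmation. Pattern matching of this kind only sees text it can read, so it complements, rather than replaces, restricting who can export such lists in the first place.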
