Michael R. Farnum

Hitting the Security Nerve

Fidelity sends breach notification out to Yahoo! employees

The Breach Blog is reporting that Fidelity sent out a breach notification in compliance with New Hampshire's breach notification law. Someone at Fidelity mistakenly sent out personal information (first and last name, SSN, and Yahoo! ID number) to two stock plan administrators at a different Fidelity client. The notice does not say how many people had their personal information exposed.

Like Evan Francen says in his post, this was simply a human error. The Fidelity employee either attached the wrong data to an email meant for that company, or they put the wrong email addresses on an email meant for Yahoo! It really just comes down to that. And really, how do you put technology in place to guard against this? There are plenty of products that stop data leakage, but technically this was a legit event. Without getting crazy complicated and taking the chance of getting lost in the weeds, you really cannot do a lot to keep people from sending the wrong information to an authorized email address.
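One control that does catch this particular mistake without getting "crazy complicated" is to tie the data owner of an attachment to the recipient: a plain DLP rule sees an authorised address and lets the mail through, but a check that each recipient's domain is authorised for the client whose data the attachment carries would have flagged the Yahoo! file going to another client's plan administrators. The following Python is an added example, not code from the original post or from Fidelity; the client names, domains, addresses and the idea of an export tool tagging each attachment with its data owner are all constructed assumptions.

```python
"""Recipient/data-owner consistency check for outbound mail (added example).

Models the failure mode in the post: an authorised recipient receiving a
different client's data. Every client name, domain and address below is a
constructed placeholder; the 'client' tag on an attachment is assumed to be
set by whatever tool exported the stock-plan data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed mapping: which recipient domains may receive each client's data.
CLIENT_DOMAINS: dict[str, set[str]] = {
    "client-a": {"client-a.example"},
    "client-b": {"client-b.example"},
}


@dataclass
class Attachment:
    filename: str
    client: str  # data-owner tag (assumed to be applied at export time)


@dataclass
class OutboundMessage:
    recipients: list[str]
    attachments: list[Attachment] = field(default_factory=list)


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    _, _, domain = address.rpartition("@")
    return domain.lower()


def check_message(msg: OutboundMessage) -> list[str]:
    """Return a list of violations; an empty list means the message may be sent.

    A violation is raised both for the 'wrong recipients' case (right file,
    other client's administrators) and the 'wrong attachment' case (right
    administrators, other client's file), which are the two ways the post
    says the Fidelity mistake could have happened.
    """
    violations: list[str] = []
    for att in msg.attachments:
        allowed = CLIENT_DOMAINS.get(att.client)
        if allowed is None:
            # Untagged or unknown owner: block rather than guess.
            violations.append(f"{att.filename}: unknown data owner '{att.client}'")
            continue
        for rcpt in msg.recipients:
            if recipient_domain(rcpt) not in allowed:
                violations.append(
                    f"{att.filename}: {rcpt} is not authorised for {att.client} data"
                )
    return violations


# Constructed sample messages.
CORRECT = OutboundMessage(
    ["admin1@client-a.example", "admin2@client-a.example"],
    [Attachment("client-a-plan.csv", "client-a")],
)
# Right file, wrong company's two plan administrators.
WRONG_RECIPIENTS = OutboundMessage(
    ["admin1@client-b.example", "admin2@client-b.example"],
    [Attachment("client-a-plan.csv", "client-a")],
)
# Right administrators, wrong company's file attached.
WRONG_ATTACHMENT = OutboundMessage(
    ["admin1@client-a.example"],
    [Attachment("client-b-plan.csv", "client-b")],
)

if __name__ == "__main__":
    for name, msg in [("correct", CORRECT), ("wrong recipients", WRONG_RECIPIENTS),
                      ("wrong attachment", WRONG_ATTACHMENT)]:
        print(name, "->", check_message(msg) or "OK")
```

The check fails closed on an untagged attachment, which is the practical weak point of this approach: it only works if the export process reliably labels files with their owner, so the tagging step is where the effort goes, not the gateway rule.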

A couple of other things bother me about this breach notification. One is the same issue that Evan brings up, which is whether or not the transmission was encrypted in the first place. The other company likely has the same keys as Yahoo! does since they are a client of Fidelity, and whether or not the transmission was encrypted is really immaterial to the breach. However, it would have been a good idea to state that the email was encrypted. Of course, if they had said it was, I would probably be saying they are trying to make the situation look better than it is by putting in useless information. These people just can't win with me...

The second thing that bothers me is this excerpt:

The inadvertent recipients have deleted the e-mail and have confirmed that the file has been deleted and that the information has not been copied, printed, or downloaded. Both plan administrators signed and delivered to Fidelity SPS a statement, confirming the facts described above and promising to maintain the confidentiality of any information that may have been viewed.

Oh, that is fine and dandy. Don't have to worry about a thing now! Oh, but wait. The breach happened on Nov 12 and was reported Nov 14. So AT LEAST one day of backups occurred in that period (assuming the company has a good DR plan). Have the tapes or disks or whatever system they use been purged? Have those "inadvertent recipients" gone to IT to see if their company has an email archival policy that would prohibit this from occurring? Have they checked their email security appliance or outsourcing company to see if they have purged it? There are a lot more steps here than just having the "inadvertent recipients" delete the email and sign some piece of paper. Honestly, I wouldn't sign crap until I went through all of those steps.
