Cavendish Online and data protection

shedlord
Posts: 6 Forumite
Hi,
I took Martin's advice and applied for life assurance through Cavendish Online. After 7-8 weeks with no response from anyone, I chased this up and received an email saying the original form we filled in had been replaced so we have to fill it in again. This email had the new form attached as well as a scan of my cheque. This was meant to be a scan of our original application apparently.
So, they were trying to send a scan of a life insurance application, containing lots of private health information and details very useful for identity fraud, as an unencrypted email attachment, but instead managed to send a scan of a cheque containing bank account details and my signature.
As part of my job I had to research the application of data protection law to the web and I'm pretty sure Cavendish drove a coach and horses through it there.
For anyone reading this thinking, so what's the problem? - email is about as secure as a postcard. Any Tom, !!!!!! or Harry with access to one of the many servers it passes through during its journey can read your email.
Darren J
Comments
-
Thanks for the post. I hope you kept the e-mail and contacted the FSA.
In the beginning, the universe was created. This made a lot of people very angry and was widely regarded as a bad move. The late, great, Douglas Adams.
-
Hi Shedlord,
Thanks for the post and Cavendish would like to apologise for the oversight.
Although we do consider the risk to be comparatively low, and certainly not akin to "sending a postcard", our normal practice is to only send pdf documents which are password protected in these circumstances.
I apologise that this was not adhered to on this occasion.
Cavendish Online continues to take client information security very seriously.
"Official Company Representative
I am the official company representative of Cavendish Online. MSE has given permission for me to post in response to queries about the company, so that I can help solve issues. You can see my name on the companies with permission to post list. I am not allowed to tout for business at all. If you believe I am please report it to forumteam@moneysavingexpert.com. This does NOT imply any form of approval of my company or its products by MSE"
-
Thanks "Cavendish", but 3 things:
1. Unencrypted email being about as secure as a postcard is a widely accepted fact in the IT community.
eg. http://www.geekwisdom.com/dyn/node/116
It is simple for someone with access to a mail server to eavesdrop on the email passing through it.
2. The kind of people who hack into email servers aren't going to have a problem with password protected PDFs. Instructions on how to open these are not difficult to find on the web. It may defeat a layman but is no defence against the real baddies out there.
3. If you don't store and transmit certain kinds of personal information, including health details, in a secure way then you are not complying with the Data Protection Act.
Darren J
-
3. If you don't store and transmit certain kinds of personal information, including health details, in a secure way then you are not complying with the Data Protection Act.
You have to take reasonable steps to ensure security but that doesn't mean you have to go silly. Like most things like this it's a risk assessment and the odds of an email being intercepted and the data used in that email to any advantage are statistically unlikely.
There is a far greater risk of data loss with computers held on the premises than there is in emails.
I am an Independent Financial Adviser (IFA). The comments I make are just my opinion and are for discussion purposes only. They are not financial advice and you should not treat them as such. If you feel an area discussed may be relevant to you, then please seek advice from an Independent Financial Adviser local to you.
-
The data in most emails isn't particularly revealing, but the data in one of these forms is pretty comprehensive and would be very useful for identity fraud. I'm not saying email is constantly being hacked all over the place - I've never seen any figures for how often it happens - just that it can be, and if there is a risk assessment to be made over whether my family's personal details are transmitted in this way then it should be down to us to take that decision.
After I complained and asked for the document to be sent by post, this was ignored and the .tif scan of my cheque emailed to me again.
This discussion has been closed.