Password Sharing = Data Breach

password sharingI saw the tweet below about password sharing from Nadine Dorries, currently a British MP and initially thought “That’s not a good idea. This person needs to receive some security awareness training.” I even have a commandment for it.Then I find out that British MPs actually receive quite a lot of support and training in IT security matters.

On further reflection, this is actually an extremely worrisome scenario. As an MP, Ms. Dorries would receive e-mail correspondence from her constituents on a daily basis. I wouldn’t expect all of them would be telling her she is doing a great job (though a small few might).

nadine dorries password sharing

Most people contact their government representatives when they have a problem or concern. These problems or concerns are usually in respect to some dealing that they have with a government department, which they are hoping their elected representative can sort out for them.

The fact that an intern has full access to the representatives email because of password sharing, is staggering. Because they have Ms. Dorries password, when they use her e-mail, THEY are Ms. Dorries (in a virtual sense). So let’s for argument just say, this intern is a neighbour of the person who has e-mailed Ms. Dorries about a problem they have in accessing mental health services with the Department of Health.

The person sending the e-mail, sent it to Ms. Dorries … not to their neighbour … they would be justifiably horrified that their neighbour now knows they have issues with mental health. That information is sensitive personal data and must be protected at all costs.

Nadine Dorries has a very real operational issue to handle. She receives a lot of e-mail which she cannot be expected to process all on her own. However, the information she receives should always be considered sensitive personal data, so this needs protection (always has needed it and most definitely will continue to need it under the GDPR).

There is a facility in e-mail, that allows somebody to “delegate” access to their mailbox to others. Ms. Dorries should use this facility to delegate access to her mailbox to her “trusted” assistants. These trusted assistants should have some level of clearance and received data privacy/protection training, so they can then determine whether

  1. they should pass the e-mail to Ms. Dorries for direct resolution on a most sensitive matter.
  2. handle the matter themselves, in confidence.
  3. or pass a minor, non-sensitive issue to an intern to handle.

The delegation function in e-mail will show an audit trail of what the delegate did with the e-mail, so there will be trace-ability if they do something naughty. By having the boss’ password, there can be no trace-ability.

Therefore, sharing your password where you handle sensitive personal data is a data breach, plain and simple. This is because others have unrestricted, unauthorised, untraceable access to this personal data, which means you’ve lost control of it. As summary punishment, you should be made to wear the underwear of this post’s featured image on the outside of your clothes while you await a judgement from the Data Protection Commissioner.

And may Helen Dixon have mercy on your password sharing soul. ?