
Message from mclaugkl@ucmail.uc.edu

Hi Everyone:

 

I have been asked to see if other IHEs make use of email disclaimers.  If you require or strongly recommend the use of email disclaimers at your institution would you kick me an off-list email to let me know?   I will compile the results (redacted) and post a summary back to the list.

 

Thanks,

- Kevin

 

 

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified

Chief Information Security Officer (CISO) & Assistant Vice President

Administration & Finance

TEWG-Region 6 TLO

 

University of Cincinnati

513-556-9177

 

The University of Cincinnati is one of America's top public research institutions and one of the region's largest employers, with a student population of more than 42,700.

 

 

 

 

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information protected by state and federal privacy laws (including, but not limited to, the Health Insurance Portability and Accountability Act of 1996(“HIPAA”). Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

 

Comments

Message from kohster@northwestern.edu

On Mon Mar 12 2012 08:18:02 Central Time, "Mclaughlin, Kevin (mclaugkl)" wrote:
>
> I have been asked to see if other IHEs make use of email disclaimers. If you require or strongly recommend the use of email disclaimers at your institution would you kick me an off-list email to let me know? I will compile the results (redacted) and post a summary back to the list.

What if we think they're silly and useless? :)

--
Julian Y. Koh
Manager, Network Transport
Telecommunications and Network Services
Northwestern University

Message from mclaugkl@ucmail.uc.edu

That works as well. There is a definite mixed camp on this issue and the best I can tell is that a lot of companies use them, especially in the HIPAA realm, to basically have some liability coverage (i.e. screen banners are what I would somewhat see as a similar area).

However, please don't send me a long list of reasons as to the whys and wherefores of the opinion - I value them - I truly do - but I have read literally thousands of differing opinions over the past 2 weeks and am a bit burned out on those. lol there seems to be about a 60-40 split with 60% being yes they are needed and 40% being no, they are not needed.

That being said if you want to respond that they have no use that is a good data point for me to have and I will compile those responses into the feedback I provide the listserv. Please send responses directly to me if you don't mind.

Warm Regards,

- Kevin

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified
Chief Information Security Officer (CISO) & Assistant Vice President
Administration & Finance
TEWG-Region 6 TLO
University of Cincinnati
513-556-9177

http://www.economist.com/node/18529895 


--

DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY

THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011

+1 212 229-5300 x4728 • david.curry@newschool.edu




On Mon, Mar 12, 2012 at 09:35, Julian Y Koh <kohster@northwestern.edu> wrote:

On Mon Mar 12 2012 08:18:02 Central Time, "Mclaughlin, Kevin (mclaugkl)" wrote:
>
> I have been asked to see if other IHEs make use of email disclaimers.  If you require or strongly recommend the use of email disclaimers at your institution would you kick me an off-list email to let me know?   I will compile the results (redacted) and post a summary back to the list.

What if we think they're silly and useless?  :)

--
Julian Y. Koh                         <mailto:kohster@northwestern.edu>
Manager, Network Transport                         <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

Message from pete@shadows.uottawa.ca

Does anyone know if there has ever been a court case... in any country in the world.... where the email disclaimer made a difference?

On Mon, Mar 12, 2012 at 01:35:26PM +0000, Julian Y Koh wrote:
> On Mon Mar 12 2012 08:18:02 Central Time, "Mclaughlin, Kevin (mclaugkl)" wrote:
> >
> > I have been asked to see if other IHEs make use of email disclaimers. If you require or strongly recommend the use of email disclaimers at your institution would you kick me an off-list email to let me know? I will compile the results (redacted) and post a summary back to the list.
>
> What if we think they're silly and useless? :)
>
> --
> Julian Y. Koh
> Manager, Network Transport
> Telecommunications and Network Services
> Northwestern University

--
Pete Hickey
The University of Ottawa
Ottawa, Ontario
Canada

This sig was created using only pure, all natural zeroes and ones for clean and healthy digitization.

Kevin,

OGC here at UMass has said that adding a blanket disclaimer to everything diminishes the efficacy of the disclaimer. If instead users append the disclaimer where it is needed, the value of the disclaimer increases. Perhaps adding this on a per-OU or per-department basis would be better than having it be appended for all.

Of course YMMV, and opinions abound.

/d

Kevin
 
Put us down on the not useful, do not use side.
 
personally as annoying as the "keep up the good work" signature.
 
 
 


 
 
Louis Aponte
Weber State University
 

Message from chickernell@clarion.edu

Thank you for that article David, it nicely explained exactly what I was about to say.  If I receive an email from you, then you have provided that email and its contents freely without any contractual agreement from me regarding its use.  I never understood why people used them.  It is like showing me an adult website and then afterwards displaying a disclaimer regarding its contents.  TOO LATE!

 

Christopher Hickernell, CCNA, MCSE

Network Support Specialist, ResNet Manager

Clarion University of Pennsylvania

Center for Computing Services

G-13 Still Hall, Clarion, PA 16214

chickernell@clarion.edu | 814.393.2218

 

“To be a long-term success, you have to have failures.  People who are working near their limit make mistakes and take risk.”

~Gerry McCartney, Purdue University

 

 

 

Message from valdis.kletnieks@vt.edu

On Mon, 12 Mar 2012 09:51:03 EDT, Pete Hickey said:
> Does anyone know if there has ever been a court case... in any
> country in the world.... where the email disclaimer made a difference?

I remember one case (cite is unfortunately eluding me) where the judge was of the opinion that blindly sticking the disclaimer about sensitive and confidential info on everything, including postings to public mailing lists, was uncomfortably close to overwarning. Unfortunately, the judge's comment was basically an aside during trial, and the case was resolved on other grounds, so it didn't create any case law.

I've seen a number of opinions that blindly sticking the exact same disclaimer on all mail could be *dangerous*, because it could be used to show that you stuck the disclaimer on there because you don't have any *real* control or tracking of the messages that *do* contain info covered by the disclaimer. After all, if you *knew* which messages had sensitive info, you could have just stuck the disclaimer on those, right?

My personal favorite? A disclaimer doesn't do any good unless it creates a contractual obligation. Now if it *does* do so, how much of a liability have you just created for yourself by using the phrase "please delete all copies"? Hint - you *did* want that done in a forensically secure manner, so copies can't be dredged off the disk, right? Including the big RAID filesystems on our main mail hubs, and the backup tapes, and the....

(What, you didn't think we were going to do that secure deletion for *free*, did you?)

Message from spedersen75@gmail.com

The best disclaimer ever:

***** IMPORTANT INFORMATION/DISCLAIMER *****
By sending an email to ANY of my addresses you are agreeing that:
   1. I am by definition, "the intended recipient"
   2. All information in the email is mine to do with as I see fit and
make such financial profit, political mileage, or good joke as it lends
itself to. In particular, I may quote it on usenet.
   3. I may take the contents as representing the views of your company.
   4. This overrides any disclaimer or statement of confidentiality that
may be included on your message.


Although I fall on the "silly and useless" side of the debate, many here have begun to append these messages to email. The fact that we have published standards stating that encryption is required for any confidential information that is transmitted or stored outside of our local area network does not seem to have been considered by these individuals.
 
Perhaps the real question should be: Could appending a disclaimer do harm?  Possibly. We have published standards that forbid this activity. In the event that a legal review were conducted, the university's published standards would likely outweigh the personal disclaimer and would provide clear evidence that the information was sent intentionally.
 
Obviously I am not a lawyer and this is a question I would need to put to our GC.
 
Regards,
 
 
Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
Information Security Officer
CISSP, CIPP/C, CISA
Security, Privacy, Audit
BCCOL - 222D
250-852-6351

  To me, these disclaimers always sound like:
 
  We're afraid we might have a problem safeguarding the information entrusted to us.
We hope this mass of lawyerspeak will scare you into taking responsibility for fixing our
problem, so we don't have to.
 
David Gillett, CISSP

It also – almost all the time – opens the door for me to throw away the email in case I am not the intended recipient.  At least that’s what I tell those that are trying to give me work.

 

Hi Kevin,

 

We do not officially require or recommend the use of e-mail disclaimers.  However, some of our Departments, Facilities & individual users have chosen to implement their own.

We also do not discourage the practice.   

 

Personally I think they offer very little if any value, provide a false sense of security and may be a contributing factor in the unauthorized disclosure of confidential information.

 

“I thought it was ok… After all I did have the disclaimer at the bottom…”

 

 

 

Dennis N. Tracz, CISSP-ISSMP, CISM, CGEIT

Director, Information Security & Compliance

University of Calgary

Office: (403) 220-4010

Cell: (403) 305-4010

 

 

 

 

Message from amesbury@oitsec.umn.edu

Eh, I'm late to this party, but I'd say those disclaimers are only somewhat less useless than putting a similar disclaimer into your SMTP banner. For example:

    % dig mx example.edu
    ;example.edu.           IN      MX
    example.edu.    18000   IN      MX      10 mail.example.edu.
    % nc mail.example.edu 25
    220 mail.example.edu ESMTP By connecting to this server you agree that you will only send e-mail to authorized recipients. Sending your e-mail to unauthorized recipients, whether deliberate or accidental, will result in you being billed for cleanup time incurred in trying to eradicate all copies of the e-mail. This work is billed in one hour increments at $350/hour, with a ten hour minimum.
    QUIT
    221 2.0.0 Bye

In theory this would prevent e-mail from being sent to unauthorized recipients, with the option to bill for cleanup in cases where unauthorized recipients receive the e-mail and it has to be cleaned up.

That said, if you believe this would be effective in preventing people from sending unauthorized e-mails to the system above, I would very much like to be your consultant in implementing said system.

--
Alan Amesbury
OIT Security and Assurance
University of Minnesota