
Email Security Violation

Status: Available in ACT! 2010
by ABM on ‎07-02-2009 03:16 PM

I just encountered a very serious email privacy violation that was facilitated by having Act and Outlook integrated. Consider the scenario where all Act Users have access to the entire database of contacts. This setup is both necessary and preferred because our salespersons share many of the same contacts, selling them different products. Sharing contact information (activities, histories, proposals and sales) promotes greater awareness for our salespersons and a better experience for the customer. Now consider the following 3 company employees, an HR Manager, a Sales Manager (MGR), and a Salesperson (SP). The manager and the salesperson are both Act users whereas the HR person is not an Act user. SP is not performing well and MGR exchanges emails with HR discussing termination of SP. Meanwhile SP suspects that he may be getting terminated so he adds HR into the Contact database under a false name and company but with HR's actual email address.

MGR continues to exchange emails with HR, never suspecting that HR's email address would ever be in the Contact database so he does not bother to mark his email as Private. In fact he regards sending emails to fellow employees as being totally unrelated to the Act database because there is absolutely no need to store non-sales related employees in the Act database. Now the 'sneaky' (but clever) salesperson has access to the email exchange between HR and MGR because it is recorded in Act History!

Can this 'flaw' be fixed in Act? I had hoped that I could impose a validation on field 'E-mail' in the database, e.g. "does not contain @MyDomain.com" where MyDomain.com is the suffix on all our employees email addresses. I could not find a way to do this under the edit option of "Define Fields" afforded by Act. The downside to this proposed solution is that it would mean that field "E-mail" could not be populated on any User records and therefore would not be available for use in shared templates.

Another solution I suggested to Act Support was the availability of a domain name option when setting up email configuration in Act. This could be a domain name that would suppress recording emails in Act History if the "to" and "from" email address domain names were the same, i.e. inter-office emails amongst fellow employees. This of course would be optional but in my case, would suffice as a solution to combat the confidentiality breach described earlier.

I am sure there are cleverer ways to avoid the problem I have articulated but the "Mark as Private" or "do not record in history" are most certainly not viable solutions for my company. I need something that can be setup at the administrator level and is not dependant upon users having to remember to check privacy boxes, especially when they are in Outlook and communicating with a fellow employee who is not even an Act user. So how can 'devious' salespersons as described earlier be thwarted from abusing the Act-Outlook integration?

Somebody help me please because the owner of the company is threatening to throw out Act because of this confidentiality breach.
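The administrator-level policy this post asks for, sketched as added Python that is not part of the thread or of ACT! itself: one function applies the "E-mail does not contain @MyDomain.com" field validation, the other decides whether a message is inter-office mail that should never reach History. Decisions key on the address domain, never on the contact's display name, so a planted entry under a false name changes nothing; mydomain.com and the sample headers are constructed placeholders.

```python
from email.utils import getaddresses

# Constructed placeholder for the thread's "MyDomain.com" (every employee address ends in it).
INTERNAL_DOMAIN = "mydomain.com"


def domain_of(addr: str) -> str:
    """Lowercase domain part of a bare address ('' if it has no '@')."""
    addr = addr.strip().lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def is_internal(addr: str, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """True for employee addresses, including subdomains such as sales.mydomain.com."""
    dom = domain_of(addr)
    return dom == internal_domain or dom.endswith("." + internal_domain)


def contact_email_allowed(addr: str, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """The proposed field validation: refuse employee addresses on contact
    records, so a user cannot file a colleague under a false name and company."""
    return not is_internal(addr, internal_domain)


def history_action(from_hdr: str, to_hdr: str, cc_hdr: str = "",
                   internal_domain: str = INTERNAL_DOMAIN) -> str:
    """Decide what the mail integration should do with one message:
    'skip'   - every party is an employee: inter-office mail, never attach to History
    'attach' - at least one external party: attach as usual
    getaddresses() strips display names, so 'Bob Buyer <hr@mydomain.com>' is
    still recognised as HR's real address."""
    parties = [a for _, a in getaddresses([from_hdr, to_hdr, cc_hdr]) if a]
    if parties and all(is_internal(a, internal_domain) for a in parties):
        return "skip"
    return "attach"


if __name__ == "__main__":
    # Constructed sample: the MGR -> HR exchange, with HR planted in Contacts as "Bob Buyer".
    print(history_action("MGR <mgr@MyDomain.com>", "Bob Buyer <hr@mydomain.com>"))
    print(history_action("mgr@mydomain.com", "buyer@customer.example", "hr@mydomain.com"))
    print(contact_email_allowed("hr@mydomain.com"))
```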


Comments
by Silver Elite Contributor
on ‎07-03-2009 08:35 AM

This is a constant and ongoing issue which needs to be addressed, and I made a similar request in another post. Usually, however, the problem is confidential emails "accidentally" appearing in ACT! This is the first case I've heard of someone actually manipulating the system.


Quite ingenious actually!


Hope Sage comes up with something soon. In the meantime Mike Lazarus has developed a utility that might help.


Mike's post

Jeff

by
on ‎07-22-2009 03:28 PM
Wow, that's pretty sneaky. OK, I see the feature requests on this in our system - I think we have a couple of options on how we could address this out of the box. There are some utilities already available that might work for this specific situation. Thanks for the post - very interesting experience and a use case we'll need to add around E-mail integration.
by
on ‎07-30-2009 12:07 PM

This is an Access Control issue that should be addressed in the overall Access Control List (ACL) design. Allied to this problem is that of User records (My Records) History, Notes and Activities being open to view by anybody. This limits ACT! as a viable application, for instance in the franchise business model where Users are likely to be from different franchisees within the one database and some confidentiality is required as users are from different business operations.


The problem is not easily solved as it needs to consider retrospective data from versions of ACT! upgraded from less granular ACL or even no ACL properties other than Private. Sync databases also offer a challenge.


In my view there needs to be the notion of Private Teams. Right now Privacy in ACT! is strictly to the individual which is not very helpful.

by vineet.singla@sage.com
on ‎08-21-2009 12:33 PM

Very sneaky. I have another work around for this. You should turn off auto-attach email in ACT Tools->Preferences to avoid any email leaks. Then set up Outlook Rules to attach emails to ACT!. Outlook Rules give you a lot more flexibility to set up how you want your emails to be attached. The downside is that you would have to depend on Outlook to be your main email client.


by
‎08-21-2009 12:48 PM - edited ‎08-21-2009 12:50 PM

If anyone is actually interested... we have a Plugin for ACT! 10.02 and later that fixes this...


It marks sub-items between ACT! user records as Private (leaves them Public if the sub-item is also attached to a non-User contact).


Yes, it works for Email (even from Outlook, which was a pain to figure out)... and even if the user edits the item and marks it Public, the Plugin will set it as Private as soon as it's saved.


It was done for a specific user. We didn't produce a commercial version as we didn't see enough demand, but happy to consider site license deals for anyone interested. If so, have your reseller contact me via http://www.glcomputing.com.au/contact.php


Regards,

Mike Lazarus

Message Edited by GLComputing on 22-08-2009 05:50 AM
by
on ‎08-20-2012 12:00 PM
Status changed to: Available in ACT! 2010