I wasn't saying anything new. Last year, we forced file encryption on many projects that involved third parties handling our sensitive information. In fact, this same project manager was involved in one of those earlier projects, so he knows all about this. I'm disappointed that so little of my message got through the first time, but at least I don't have to spend a lot of time educating him this time around.

It's too late for this project, though. The contract has already been signed, and the implementation is ready to go live. After I got involved, we had a couple of discussions with the vendor, which seems to have no idea how to use encryption software.

Vendor Woes

The vendor's reps claim that it's processing unencrypted payroll data from other customers. I'd like to think that's a dubious claim, but I know better. In any case, I don't care what other customers are doing; I only care about protecting what's within my realm of responsibility.

So right now, we're struggling with getting the vendor up to speed on how our encryption will interface with its software.