This doesn't sound right - 3rd-Party "Deduction Management Firm"
-
So, apparently we hired some "deduction management firm" to go through and try to find issues with overpayments, chargebacks and invalid deductions from our wholesale customers and EDI.
They said they needed me to do something with email and then, when I asked for documentation, they sent me this:
"This should help.
Email Correspondence
Harvest Revenue Group reviews all information that would also be available to the retailer's auditors. To do this effectively, with maximum benefit to your company, HRG needs to review all correspondence between the company and your retail customer(s).
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
So, apparently we hired some "deduction management firm" to go through and try to find issues with overpayments, chargebacks and invalid deductions from our wholesale customers and EDI.
They said they needed me to do something with email and then, when I asked for documentation, they sent me this:
"This should help.
Email Correspondence
Harvest Revenue Group reviews all information that would also be available to the retailer's auditors. To do this effectively, with maximum benefit to your company, HRG needs to review all correspondence between the company and your retail customer(s).
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
First thought is: wtf???
Why would someone need to harvest emails at the firewall to see all correspondence between the company and its retail customers??
-
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
-
Also maybe in violation of data security and privacy concerns.
Google Harvest Revenue Group.... it's weird to say the least that the website concentrates on the President having a Bachelor's degree and multiple master's degrees related to theology..... and no formal education listed with regards to business, finance or litigation..... Does he pray the bills away?
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
Bwahahaha... they want a Wireshark dump of encrypted data? WTF. Give them that as some enormous file that they can't even download. That will be hilarious.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
-
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
Bwahahaha... they want a Wireshark dump of encrypted data? WTF. Give them that as some enormous file that they can't even download. That will be hilarious.
Lol
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
Bwahahaha... they want a Wireshark dump of encrypted data? WTF. Give them that as some enormous file that they can't even download. That will be hilarious.
Lol
Things like this bring out the BOFH in all of us...
For anyone that isn't familiar with the term: https://en.wikipedia.org/wiki/Bastard_Operator_From_Hell
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
This is best achieved by capturing all inbound and outbound email at a firewall and providing relevant content to Harvest via a periodic download."
Bwahahaha... they want a Wireshark dump of encrypted data? WTF. Give them that as some enormous file that they can't even download. That will be hilarious.
Lol
For real, that's what they requested. Give them exactly what they asked for; then, if they complain, ask why they were so specific if they didn't want exactly what they requested, and why they would presume to tell you how best to collect emails if they don't know how email works.
-
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Well obviously, but that seems to solidly fall under "whoever hired them's" problem.
-
This sounds like a really sketchy firm. Sharing client data with them would worry me, at least a little. If they don't know how a firewall works, and they are asking you to expose customer data, you've got big things to worry about. Because their security understanding is about to become your problem.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Their lack of knowledge is not your problem :angry_face_with_horns:
-
@notverypunny said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Their lack of knowledge is not your problem :angry_face_with_horns:
Exactly. They made a VERY specific technical request. Not your place to question that since it isn't a security concern since they will get the binary dump only.
-
@notverypunny said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Their lack of knowledge is not your problem :angry_face_with_horns:
Wasn't there a movie that said:
"You can't fix stupid, no matter how big a hammer you use." Seems fitting.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Exactly, like management who see ads in airports and come back and demand that you install some Cisco BS or other.
-
@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Exactly, like management who see ads in airports and come back and demand that you install some Cisco BS or other.
Right, and those people present a security concern.
And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing it to allow unintended recipients to read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials... whoa, baby, would I be concerned.
-
If you are going to do this, I would make sure that every employee and customer clearly understands that their private communications will be turned over to a third party. California has allowed employers to read employee emails when properly notified beforehand. But that's way different than sharing with a third party; you'll need a really good employee handbook signed off by everyone before doing this.
-
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Exactly, like management who see ads in airports and come back and demand that you install some Cisco BS or other.
Right, and those people present a security concern.
And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing it to allow unintended recipients to read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials... whoa, baby, would I be concerned.
Do you have anything to reference for the legal issue? I mean, I am not a lawyer and don't want to be, but if I know it isn't legal, I will certainly not do it and explain why.
-
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@Dashrender said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@scottalanmiller said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
@wrx7m said in This doesn't sound right - 3rd-Party "Deduction Management Firm":
Yeah, they are saying that they want all the email communications between us and our customers in order to audit the info to find any discrepancies that we could challenge. First off, that sounds like they would have access to way too much sensitive information. Second, this sounds like a PITA.
No, they want the TRAFFIC of it at the firewall, which should be encrypted, so they won't be able to see anything.
Literally, they are saying that. But, they don't know how anything works, so they are just using firewall because they don't know that it's different from email archiving.
Exactly, like management who see ads in airports and come back and demand that you install some Cisco BS or other.
Right, and those people present a security concern.
And capturing "all email" is almost guaranteed to be a crime in California. Capturing it for archiving or backup, sure. Capturing it to allow unintended recipients to read it, almost certainly not okay. Capturing it to hand it over to an insecure, very questionable third party with no credentials... whoa, baby, would I be concerned.
Do you have anything to reference for the legal issue? I mean, I am not a lawyer and don't want to be, but if I know it isn't legal, I will certainly not do it and explain why.
Not directly, because this is so dangerous and so risky that it would never come up. But basically this third party is requesting access that is normally limited to requiring a court order.
https://www.employees-lawyer.com/can-my-boss-read-my-e-mail/
Unfortunately, the law on e-mail surveillance is not well-settled. The federal Electronic Communications Privacy Act of 1986 (ECPA) prohibits the unauthorized access to electronic communications.[7] The phrase “electronic communication” includes the transfer of any writing or data, but it does not include oral communications.[8] Several courts have found that the ECPA covers e-mail messages.[9] People that violate the ECPA could be subject to fines or prison time.[10]
The problem for employees, however, is the definition of “without authorization” under the ECPA. If an employee checks their e-mail from a work computer, have they authorized their employer to access it as well? The phrase “without authorization” is not clearly defined.
There is, however, at least some argument that an employer is not authorized to access employees’ personal e-mail accounts. So, even if the employee accesses their personal e-mail from a work computer, this would not seem to create an implied authorization for the employer to snoop in their e-mail further.
This argument is significantly diminished by the use of employer-issued e-mail accounts. Because the ultimate ownership of the domain and the e-mail account itself remains with the employer, it is likely that the employer can authorize itself to access the e-mail account.