On Wed, Nov 3, 2010 at 11:39 AM, Hassan Schroeder <hassan.schroeder at gmail.com> wrote:

> On Tue, Nov 2, 2010 at 8:06 PM, Joel D Canfield <joel at bizba6.com> wrote:
> > On Tue, Nov 2, 2010 at 8:22 PM, Todd Richards <todd at promisingsites.com> wrote:
> >
> >> Am I missing something, or am I being too cautious? After answering them
> >> tonight, I thought I'd get someone else's take on it.
> >>
> >> we used GPG (open source version of PGP) to encrypt data being emailed.
> > since we were sending apps for health insurance, including everything, I was
> > told (but did not verify) that it met some fairly rigid standards for
> > security.
>
> The problem I see with this is that, once decrypted on the recipient's
> end, the data is exposed to being easily compromised -- accidentally
> or intentionally forwarded in plain text, for instance.

We didn't decrypt the emails themselves; nothing was left in email form other than the encrypted data. Once it's offline, it's no more or less vulnerable than anything else, methinks.