Dear Manager:
** A response is required within 3 business days; after that, follow-up is performed with the next level of management. **
The AIG email monitoring system identified the user below in your division sending information to an outside party that potentially contains Tax Identification, Social Security, Credit Card, Bank Routing Numbers, and/or HIPAA data. External communication of customer or employee confidential data to an unclassified email address (a web email address such as Yahoo, Hotmail, Gmail, AOL, etc.) is monitored by AIG Information Security using the Next Generation Data Loss Prevention (NDLP) tool.
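To make the monitoring described above concrete, here is a small outbound-email check of the kind such a DLP rule implements: it looks only at mail leaving the corporate domain for public webmail domains and reports which categories of sensitive data (SSN, payment card, bank routing number) the body appears to contain, using the Luhn and ABA checksums to suppress random digit runs. This is an added illustration, not the NDLP tool's own logic; the corporate domain, addresses and sample messages are constructed placeholders.

```python
"""Toy outbound-email DLP check (added illustration, not AIG's NDLP tool).

Flags mail from the corporate domain to public webmail domains whose body
carries patterns resembling SSNs, payment cards or ABA routing numbers.
Checksums (Luhn, ABA) cut false positives from arbitrary digit runs.
Domains, addresses and sample messages below are constructed examples.
"""
import re

CORPORATE_DOMAIN = "example-corp.invalid"        # assumed placeholder domain
WEBMAIL_DOMAINS = {"yahoo.com", "hotmail.com", "gmail.com", "aol.com"}

# SSN: AAA-GG-SSSS with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Payment card: 13-19 digits, optional single space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# ABA routing number: exactly nine digits; validated by checksum below.
ROUTING_RE = re.compile(r"\b\d{9}\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits):
    """ABA routing checksum: weights 3,7,1 repeated; weighted sum mod 10 == 0."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def find_sensitive(body):
    """Return the categories of sensitive data detected in a message body."""
    found = []
    if SSN_RE.search(body):
        found.append("SSN")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(body)):
        found.append("CREDIT_CARD")
    if any(aba_ok(m.group()) for m in ROUTING_RE.finditer(body)):
        found.append("BANK_ROUTING")
    return found


def classify(sender, recipient, body):
    """Report categories only for corporate -> public-webmail traffic.

    Internal mail and mail to other destinations is out of scope for this
    rule and returns an empty list.
    """
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    if sender_domain != CORPORATE_DOMAIN or rcpt_domain not in WEBMAIL_DOMAINS:
        return []
    return find_sensitive(body)


# Constructed sample traffic: (sender, recipient, body).
SAMPLE_MESSAGES = [
    ("alice@example-corp.invalid", "alice.home@gmail.com",
     "Attached is the claim form, SSN 123-45-6789."),
    ("bob@example-corp.invalid", "bob@example-corp.invalid",
     "Internal copy: SSN 123-45-6789."),
    ("carol@example-corp.invalid", "carol.w@yahoo.com",
     "Card 4111 1111 1111 1111, routing 021000021 for the refund."),
    ("dave@example-corp.invalid", "dave.d@hotmail.com",
     "Order 1234567890123456 ref 123456789 shipped."),
]


def triage(messages=SAMPLE_MESSAGES):
    """Run the rule over a batch and return (sender, recipient, categories)."""
    return [(s, r, classify(s, r, b)) for s, r, b in messages]


if __name__ == "__main__":
    for sender, rcpt, cats in triage():
        status = ", ".join(cats) if cats else "no finding"
        print(f"{sender} -> {rcpt}: {status}")
```

Only the first and third sample messages produce findings: the second is internal mail, and the fourth contains digit runs that fail both checksums, which is exactly the kind of event that would otherwise land in the "False Positive" category below.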
Policy requires that the event be reviewed by the user's direct manager to validate whether any AIG sensitive data was sent to an external party inappropriately. Please note that sending AIG sensitive data to an employee's personal email address is not allowed under the corporate standard. If this happens, the employee must delete the email from the personal mailbox immediately and inform the APAC IT Security Operations team accordingly.
The manager must advise the AIG PC IT Security Operations Team by replying via email to APAC-SOC-DLP.propertycasualty@aig.com and indicating which category best describes the justification for the data transmission:
a. Legitimate business (the business authorized the user as part of their role and function) – Any compelling business need to send emails or attachments with SPI content to personal webmail addresses should have an approved Service Now Request Ticket.
b. Unauthorized (business management did not authorize the user to send or store company information or PII data using third-party or external email). If the data transmission was not authorized, please follow up with the individual to provide us with an explanation of the purpose of this transmission and confirmation that the sensitive data was removed from the external, personal or third-party email account.
c. Personal data (no AIG data involved). The user must observe the acceptable use policy when using company assets for personal purposes.
d. False positive (no AIG sensitive data or PII data). If the user sent non-public company data other than sensitive personal information, the manager must approve any sending of confidential company data to a personal or external party.
Below are the actual details of the incident: