Email Encryption allows users to communicate securely via email by converting sensitive data or information into code and protecting it from being intercepted by a third-party. This process typically involves using some form of algorithm (cipher) to perform the encryption and decryption by an authenticated body.
Different organizations require different methods of protecting and encrypting their data. In addition, your organization may be subject to federal or state data privacy compliance laws that can affect your obligation to encrypt information transmitted by email. Recent legislation, including the HITECH law contained in the Stimulus Bill, as well as encryption requirements in Massachusetts, Nevada, and California compel businesses to encrypt data containing personal information leaving their organization. In addition, many businesses have a legitimate need to encrypt other types of data that contain sensitive information: legal documents, intellectual property, financial statements, etc.
There are two types of encryption methods available to organizations that have encryption requirements: policy-based encryption, enforced automatically at the email gateway, and voluntary encryption, initiated by the individual user at the desktop. Each has specific uses and distinct limitations.
Most health-related organizations are aware of Federal HIPAA laws governing the transmission of Protected Health Information (PHI). To assure compliance, PHI must be encrypted if it is transmitted to a third party. In general, this standard has left some flexibility in deciding between policy-based and voluntary encryption; however, the industry has tended to err on the side of caution and deploy policy-based encryption. Since the implementation of HITECH in the stimulus package, HIPAA requirements have been expanded and penalties for incidents increased. HIPAA covered entities are now responsible not only for their own compliance, but also for that of their so-called "business associates." In addition, the penalties for breaches have become more severe, including criminal and civil penalties for both the employer and the employee, with maximum penalties now capped at $50,000 per violation and $1.5 million annually. Given the relatively low cost of deploying policy-based encryption, and the exposure of health organizations to such high penalties for breaches, policy-based encryption is often the preferred encryption solution to meet these compliance standards.
Financial institutions and financial services organizations have multiple intersecting interests in the privacy of data transmitted by email, as well as multiple areas of federal and state regulatory compliance. Such institutions hold very valuable data about their customers, so it’s no surprise that laws such as Gramm-Leach-Bliley (GLB) and Sarbanes-Oxley (SOX) have specific provisions regarding the disclosure of personal financial information. In the case of SOX, protected data should be segregated from general access and should not be transmitted to third parties unencrypted; these measures are sometimes called the "internal controls." During a SOX audit, demonstrating a data security policy that proactively prevents data breaches is regarded as a "best practice" and a critical part of compliance. Similarly, the GLB Financial Privacy Rule and Safeguards Rule suggest a policy-based approach to ensure that inappropriate disclosure has not occurred. In most cases, the problem is not that security breaches are frequently occurring; it is that the organization wouldn’t have knowledge of a breach if it did occur. By enforcing an email security policy at the gateway that includes encryption, an organization can be reasonably sure that the information it desires or is required to protect is not leaving the organization undetected, and that if it does leave, it will be in an appropriate format. Equally important is the protection of customers from internal theft or sabotage, or from the inappropriate use or disclosure of information not specifically covered by SOX or GLB. These types of breaches can be incredibly damaging to an organization’s reputation, and may expose the organization to other civil or criminal penalties not covered by SOX or GLB.
The PCI standard has multiple facets; however, Requirement 4 relates specifically to data in motion. It states that “…sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit.” It goes on to specifically name “public” networks such as the internet as one of these networks. In order to be considered PCI compliant, businesses must demonstrate that sufficient policies are in place to protect cardholder data, including the detection and encryption of that data should it be transmitted. Similar to SOX and GLB, the problem lies not in the fact that these types of breaches occur frequently, but that there aren’t sufficient mechanisms in place to determine to what extent they are occurring at all. Having a policy-based email encryption solution allows an organization to reliably detect protected information and encrypt when necessary. In addition, it protects the organization from internal theft and fraud, where desktop email encryption solutions alone fall short.
In over 45 states, some form of data breach law exists. Only five states remain without data breach notification laws: Alabama, Kentucky, Mississippi, New Mexico, and South Dakota. That may soon be a moot point, however, as Congress continues to consider enacting a variety of data security or breach notification laws that could pre-empt state law. Of course, each business must determine for itself, usually in consultation with an experienced data security firm and/or lawyer, the extent to which it must comply with federal or state guidelines. However, as pointed out in other areas, the complicating factor of data breach laws is the lack of visibility most organizations have into their email. Without policy flags to aid in identifying emails that might contain sensitive or protected information, the organization must either review every email for compliance, or trust the knowledge and goodwill of its employees to comply with company, state and federal standards. By the time an organization has become aware that a breach has occurred, the situation has often been compounded by enough repeated breach events to draw outside attention. Not only is this damaging to the reputation of the organization, it may constitute negligence on the part of the organization. By deploying a policy-based email solution, businesses can be assured that they are compliant with applicable laws, and have the necessary visibility to monitor, detect, and prevent data security breaches. When encryption is added to this policy, an organization can even extend the security of the data to networks over which it has no control, safeguarding the organization from both civil and criminal liability.
California, Texas, Rhode Island, Massachusetts and Nevada Businesses: 201 CMR 17 (MA) and Nev. Rev. Stat. § 597.970 (NV)
Several states, including MA, NV, CA, TX, and RI, have data security laws that require “reasonable security measures” to protect personal information in transit over open networks. In general, this applies across the board to all businesses, not just healthcare or financial businesses. However, both MA and NV have enacted strict data protection laws which require not only reasonable measures, but specifically encryption of data containing personal information. The Nevada encryption statute generally prohibits a business in Nevada from transferring “any personal information of a customer through an electronic transmission,” except via facsimile, “unless the business uses encryption to ensure the security of electronic transmission.” While there is some debate and litigation related to the scope and meaning of the law outside of Nevada, it is clear that businesses in Nevada should pay attention to this law and ensure compliance by deploying an email encryption solution. In MA, the law goes even further, and extends to businesses in any state that transmit information about a MA resident. In addition, MA has specific penalties associated with the unlawful transmission of personal information. In general, both states define personal information as a natural person's first name or first initial and last name in combination with any of the following: (a) social security number or employer identification number; (b) driver's license number or identification card number; or (c) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. Without question, the MA mandate requires businesses to monitor and encrypt emails containing personal information. In addition, the MA law requires businesses to train their staff on protecting sensitive information and encrypting emails.
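The "personal information" definition above is exactly the kind of rule a policy-based gateway turns into a detection flag. The following is an added example (not code from the original page or any vendor product) of such a check: it flags an outbound message only when a known customer name appears in combination with an SSN, a driver's license number, or a Luhn-valid card number accompanied by an access code. The customer directory, the driver's license format, and the sample messages are constructed assumptions for illustration.

```python
import re

# Constructed stand-in for the customer directory a gateway would consult;
# a real deployment would load (first, last) pairs from its own records.
KNOWN_NAMES = [("Jane", "Doe"), ("Robert", "Smith")]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed placeholder driver's license format (letter + 8 digits);
# real formats vary by state and must be configured per jurisdiction.
DL_RE = re.compile(r"\b[A-Z]\d{8}\b")
ACCOUNT_RE = re.compile(r"\b\d{12,19}\b")
# "In combination with any required security code, access code or password"
ACCESS_RE = re.compile(
    r"\b(?:pin|password|cvv|security code|access code)\b[:\s]*\S+", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reduce false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_name(text: str) -> bool:
    """First name OR first initial, followed by last name (per the statute)."""
    for first, last in KNOWN_NAMES:
        pat = rf"\b(?:{re.escape(first)}|{re.escape(first[0])}\.?)\s+{re.escape(last)}\b"
        if re.search(pat, text, re.I):
            return True
    return False

def classify(text: str):
    """Return (needs_encryption, reasons) for one outbound message body."""
    reasons = []
    if not contains_name(text):
        return False, reasons   # identifiers alone do not meet the definition
    if SSN_RE.search(text):
        reasons.append("ssn")
    if DL_RE.search(text):
        reasons.append("drivers_license")
    accounts = [a for a in ACCOUNT_RE.findall(text) if luhn_ok(a)]
    if accounts and ACCESS_RE.search(text):
        reasons.append("account_with_access_code")
    return bool(reasons), reasons

if __name__ == "__main__":
    # Constructed sample messages
    print(classify("Hi Jane Doe, your SSN 123-45-6789 is on file."))
    print(classify("J. Doe card 4111111111111111 CVV: 123"))
```

A gateway would route a message whose `needs_encryption` result is true through the encryption path rather than sending it in clear text.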
For businesses located in CA, NV, TX, RI or MA it is highly recommended that a policy-based email encryption solution be deployed to maintain compliance with these new laws. As discussed before, a policy-based approach ensures that your organization is made aware of the breach before significant damage or exposure to liability and prosecution occurs.
Perhaps your business doesn’t fall into any of the other categories, and you’re not worried about a data breach because you really don’t have any sensitive or personal information about your customers, or you have limited exposure to statutory compliance. Chances are, you aren’t hosting your own email in-house, or you have outsourced a portion of your email security. You’re more focused on growing your business than maintaining an email security policy. At a minimum, you should talk to your employees about data security and make sure they understand appropriate email use. Remind them that email is a business function, and they should protect whatever data they have about your customers as if it were their own. At the same time, consider this: one errant email could irreparably damage the reputation of your business, even if it was only in poor taste or a momentary lapse of judgment. When it comes from your domain, it carries your reputation with it. We’ve all sent an email that we wish we could pull back. If you have even a basic email security policy that flags profanity or racially charged terms, you can prevent your reputation from being damaged by a malicious or uninformed employee. We advise our customers to consider their most important customer and their least responsible employee. If you can imagine a situation in which the two could potentially email one another, even if it’s by accidentally hitting “Reply to All”, you should consider a policy-driven email security solution.
Discuss your current needs and available solutions with an email encryption specialist. Whether you need more information on specific laws in your area or want to compare other competitive email encryption solutions, our trained engineers can help deliver the answers you need.