
What is Email Encryption?
Learn the Basics, business requirements and solutions for Email Encryption

What is Email Encryption? Learn everything you need to know to get your company compliant with Zix Email Encryption.

Email Encryption Overview:

What is Email Encryption?

Email encryption allows users to communicate securely via email by converting sensitive data into an encoded form that cannot be read if it is intercepted by a third party. This is typically done with a cryptographic algorithm (cipher); the encryption and decryption are performed only by an authenticated party.

The Need for Email Encryption

Different organizations require different methods of protecting and encrypting their data. In addition, your organization may be subject to federal or state data privacy compliance laws that can affect your obligation to encrypt information transmitted by email. Recent legislation, including the HITECH law contained in the Stimulus Bill, as well as encryption requirements in Massachusetts, Nevada, and California compel businesses to encrypt data containing personal information leaving their organization. In addition, many businesses have a legitimate need to encrypt other types of data that contain sensitive information: legal documents, intellectual property, financial statements, etc.


Two Ways to Encrypt: Voluntary vs. Policy Based

There are two types of encryption methods available to organizations that have encryption requirements. Each has specific uses and distinct limitations.

  1. Voluntary desktop email encryption solutions such as ZixMail provide encryption capability on a per-use basis. The sender knows the message they intend to send needs to be encrypted and voluntarily chooses to encrypt it. This type of encryption can be deployed as a standalone desktop application or as a plug-in to a mail program such as Outlook. For organizations with very low mail volume, or with only a few users, voluntary solutions provide a simple, low-cost and easy-to-use method of encrypting email. However, this type of encryption depends entirely on the end user's knowledge of which emails need to be encrypted, so the burden is on the organization to ensure that users are capable of determining when to encrypt. While it is possible to simply encrypt every email that is sent, in general this is an aggravation to end users and an unnecessary burden placed on recipients of routine emails.

  2. Policy-based email encryption addresses the shortcomings of voluntary email encryption by scanning all outgoing messages for protected content. Since this scanning is done at the email gateway, it is usually compatible with any email client or server. It requires no knowledge or action on the part of the sender, and, perhaps more importantly, it prevents users from deliberately sending protected information without encryption. In most cases, including the ZixVPM solution, this is achieved with detailed, pre-populated lexicons containing thousands of words, phrases, and number strings (credit cards, SSNs, etc.) against which the content of each message is compared. For HIPAA, SOX, GLB, and HITECH, these lexicons meet compliance requirements and guidelines for disclosure of protected information, and remove the burden placed on the sender of knowing which messages should be encrypted. Custom lexicons can also be created for organization-specific content. Using a policy-based solution also addresses breach standards by allowing the organization to monitor and detect data breaches in compliance with state and federal laws, which have become a near-universal requirement.
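To make the gateway scanning described above concrete, here is an added example of a minimal policy-based outbound scanner. It is not Zix's code and does not describe how ZixVPM is implemented; the lexicons are a handful of hypothetical terms standing in for the thousands a commercial product ships, the policy names are labels chosen for illustration, and the two messages are constructed samples. It shows the three ingredients of a policy decision: lexicon terms, number-string detectors (an SSN pattern and a Luhn-checked card number), and an organization-specific custom lexicon, with findings recorded in redacted form so the audit log itself does not leak the protected values.

```python
"""Added example: policy-based scan of an outbound message at an email gateway."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.message import Message

# Hypothetical lexicons: a few terms per regime stand in for a real product's
# thousands. Policy names and terms are illustrative, not from any vendor.
LEXICONS: dict[str, frozenset[str]] = {
    "HIPAA": frozenset({"diagnosis", "medical record", "patient"}),
    "PCI": frozenset({"cardholder", "card number", "cvv"}),
    "GLB": frozenset({"account number", "routing number"}),
}

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (US SSA rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops most random digit runs that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    encrypt: bool
    policies: set[str] = field(default_factory=set)
    findings: list[str] = field(default_factory=list)  # redacted; safe to log


def _redact(token: str) -> str:
    """Keep only the last four digits so the finding can be logged."""
    digits = re.sub(r"\D", "", token)
    return "*" * (len(digits) - 4) + digits[-4:]


def _text_of(msg: Message) -> str:
    """Subject plus every text/plain part; attachments are out of scope here."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def scan_message(raw: str, custom_lexicon: frozenset[str] = frozenset()) -> Verdict:
    """Decide whether an outbound RFC 822 message must be encrypted."""
    text = _text_of(message_from_string(raw))
    lowered = text.lower()
    verdict = Verdict(encrypt=False)

    # 1. Lexicon terms, including the organization's own custom lexicon.
    for policy, terms in {**LEXICONS, "ORG": custom_lexicon}.items():
        hits = sorted(t for t in terms if t in lowered)
        if hits:
            verdict.policies.add(policy)
            verdict.findings.extend(f"{policy}:term:{t}" for t in hits)

    # 2. Number strings: SSN pattern, then Luhn-validated card numbers.
    for m in SSN_RE.finditer(text):
        verdict.policies.add("SSN")
        verdict.findings.append(f"SSN:{_redact(m.group())}")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            verdict.policies.add("PCI")
            verdict.findings.append(f"PCI:pan:{_redact(digits)}")

    verdict.encrypt = bool(verdict.policies)
    return verdict


# Constructed sample messages (not real traffic).
SAMPLE_CLEAN = """Subject: Lunch Thursday
From: alice@example.com
To: bob@example.com

Are we still on for noon?
"""

SAMPLE_SENSITIVE = """Subject: Claim follow-up
From: alice@example.com
To: adjuster@example.net

Patient SSN 123-45-6789, card on file 4111 1111 1111 1111.
"""

SAMPLE_LUHN_FAIL = """Subject: Order reference
From: alice@example.com
To: bob@example.com

Reference 4111 1111 1111 1112 for your records.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_CLEAN, SAMPLE_SENSITIVE, SAMPLE_LUHN_FAIL):
        v = scan_message(raw)
        print("ENCRYPT" if v.encrypt else "DELIVER", sorted(v.policies), v.findings)
```

The Luhn check is what keeps a 16-digit order reference from being treated as a card number, and the redaction step is what lets the verdict be written to an audit trail without the trail itself becoming a second copy of the protected data. A production gateway would additionally scan attachments and apply the same verdict to every recipient on the message.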

Are you Compliant?

Businesses in Health-Related Fields, or Businesses that Process Information for Health-Related Organizations: HIPAA and HITECH

Most health-related organizations are aware of the federal HIPAA rules governing the transmission of Protected Health Information (PHI). To assure compliance, PHI must be encrypted if it is transmitted to a third party. In general, this standard has left some flexibility in deciding between policy-based and voluntary encryption; however, the industry has tended to err on the side of caution and deploy policy-based encryption. Since the implementation of HITECH in the stimulus package, HIPAA requirements have been expanded and penalties for incidents increased. HIPAA covered entities are now responsible not only for their own compliance, but also for that of their so-called "business associates." In addition, the penalties for breaches have become more severe, including criminal and civil penalties for both the employer and the employee, with maximum penalties now capped at $50,000 per violation and $1.5 million annually. Given the relatively low cost of deploying policy-based encryption, and the exposure of health organizations to such high penalties for breaches, policy-based encryption is often the preferred solution for meeting these compliance standards.

HIPAA Changes:

Finance, Banking, and Finance-Related Industries: Gramm-Leach-Bliley and Sarbanes-Oxley

Financial institutions and financial services organizations have multiple intersecting interests in the privacy of data transmitted by email, as well as multiple areas of federal and state regulatory compliance. Such institutions hold very valuable data about their customers, so it's no surprise that laws such as Gramm-Leach-Bliley (GLB) and Sarbanes-Oxley (SOX) have specific provisions regarding the disclosure of personal financial information. In the case of SOX, protected data should be segregated from general access and should not be transmitted to third parties unencrypted; these measures are part of what SOX calls "internal controls." During a SOX audit, demonstrating a data security policy that proactively prevents data breaches is regarded as a "best practice" and a critical part of compliance. Similarly, the GLB Financial Privacy Rule and Safeguards Rule suggest a policy-based approach to ensure that inappropriate disclosure has not occurred. In most cases, the problem is not that security breaches occur frequently; it is that the organization would not know of a breach if it did occur. By enforcing an email security policy at the gateway that includes encryption, an organization can be reasonably sure that the information it desires or is required to protect is not leaving the organization undetected, and that if it does leave, it will be in an appropriate format. Equally important is the protection of customers from internal theft or sabotage, or from the inappropriate use or disclosure of information not specifically covered by SOX or GLB. These types of breaches can be incredibly damaging to an organization's reputation, and may expose the organization to other civil or criminal penalties not covered by SOX or GLB.

General Retail Businesses: PCI

The PCI standard has multiple facets; however, Requirement 4 relates specifically to data in motion. It states that "…sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit." It goes on to specifically name "public" networks such as the internet as one of these networks. In order to be considered PCI compliant, businesses must demonstrate that sufficient policies are in place to protect cardholder data, including the detection and encryption of such data should it be transmitted. As with SOX and GLB, the problem lies not in the fact that these types of breaches occur frequently, but in the lack of sufficient mechanisms to determine to what extent they are occurring at all. A policy-based email encryption solution allows an organization to reliably detect protected information and encrypt when necessary. In addition, it protects the organization from internal theft and fraud, where desktop email encryption solutions alone fall short.


Other, Non-Specific Businesses: Data Breach Laws and Best Practices

In over 45 states, some form of data breach law exists. Only five states remain without data breach notification laws: Alabama, Kentucky, Mississippi, New Mexico, and South Dakota. That may soon be a moot point, however, as Congress continues to consider enacting a variety of data security or breach notification laws that could preempt state law. Of course, each business must determine for itself, usually in consultation with an experienced data security firm and/or lawyer, the extent to which it must comply with federal or state guidelines. However, as pointed out in other areas, the complicating factor of data breach laws is the lack of visibility most organizations have into their email. Without policy flags to aid in identifying emails that might contain sensitive or protected information, the organization must either review every email for compliance, or trust the knowledge and goodwill of its employees to comply with company, state and federal standards. By the time an organization has become aware that a breach has occurred, the situation has been compounded by enough repeated breach events to draw outside attention. Not only is this damaging to the reputation of the organization, it may constitute negligence on the part of the organization. By deploying a policy-based email solution, businesses can be assured that they are compliant with applicable laws, and have the necessary visibility to monitor, detect, and prevent data security breaches. When encryption is added to this policy, an organization can even extend the security of the data to networks over which it has no control, safeguarding the organization from both civil and criminal liability.

California, Texas, Rhode Island, Massachusetts and Nevada Businesses: 201 CMR 17 (MA) and Nev. Rev. Stat. § 597.970 (NV)

Several states, including MA, NV, CA, TX, and RI, have data security laws that require "reasonable security measures" to protect personal information in transit over open networks. In general, this applies across the board to all businesses, not just healthcare or financial businesses. However, both MA and NV have enacted strict data protection laws which require not only reasonable measures, but specifically encryption of data containing personal information. The Nevada encryption statute generally prohibits a business in Nevada from transferring "any personal information of a customer through an electronic transmission," except via facsimile, "unless the business uses encryption to ensure the security of electronic transmission." While there is some debate and litigation related to the scope and meaning of the law outside of Nevada, it is clear that businesses in Nevada should pay attention to this law and ensure compliance by deploying an email encryption solution. In MA, the law goes even further, and extends to businesses in any state that transmit information about a MA resident. In addition, MA has specific penalties associated with the unlawful transmission of personal information. In general, both states define personal information as a natural person's first name or first initial and last name in combination with any of the following: (a) social security number or employer identification number; (b) driver's license number or identification card number; or (c) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. Without question, the MA mandate requires businesses to monitor and encrypt emails containing personal information. In addition, the MA law requires businesses to train their staff on protecting sensitive information and encrypting emails.
For businesses located in CA, NV, TX, RI or MA, it is highly recommended that a policy-based email encryption solution be deployed to maintain compliance with these new laws. As discussed above, a policy-based approach ensures that your organization is made aware of a breach before significant damage or exposure to liability and prosecution occurs.

Small Businesses: General Email Security

Perhaps your business doesn't fall into any of the other categories, and you're not worried about a data breach because you really don't have any sensitive or personal information about your customers, or you have limited exposure to statutory compliance. Chances are, you aren't hosting your own email in-house, or you have outsourced a portion of your email security. You're more focused on growing your business than maintaining an email security policy. At a minimum, you should talk to your employees about data security and make sure they understand appropriate email use. Remind them that email is a business function, and they should protect whatever data they have about your customers as if it were their own. At the same time, consider this: one errant email could irreparably damage the reputation of your business, even if it was only in poor taste or a momentary lapse of judgment. When it comes from your domain, it carries your reputation with it. We've all sent an email that we wish we could pull back. If you have even a basic email security policy that flags profanity or racially charged terms, you can prevent your reputation from being damaged by a malicious or uninformed employee. We advise our customers to consider their most important customer and their least responsible employee. If you can imagine a situation in which the two could potentially email one another, even by accidentally hitting "Reply to All", you should consider a policy-driven email security solution.


Want to learn more? Contact our specialists Toll Free 888-785-4408!

Discuss your current needs and available solutions with an email encryption specialist. Whether you need more information on specific laws in your area or want to compare other competitive email encryption solutions, our trained engineers can help deliver the answers you need.
