Fresh on the heels of the massive email security breach at Epsilon, we’re seeing a renewed interest in email security solutions and email encryption. And that’s a good thing! It’s not just Epsilon that experiences email security breaches; just do a Google search on ‘email security breach news’ and see for yourself. One study – Email still the top source of data loss, by Help Net Security – revealed that more than 35 percent of companies surveyed had investigated a leak of confidential or proprietary information via email over a 12-month period. On average, respondents estimated that as many as one in five outbound email messages contain content that poses a legal, financial, or regulatory risk.
According to the Ponemon Institute’s annual U.S. Cost of a Data Breach Study, non-compliance costs are 2.65 times higher for organizations than compliance costs. That means that companies with ongoing investments in compliance-related activities save money compared with organizations that fail to comply with government and industry mandates. In short, it pays to be compliant.
Email encryption is an essential component of regulations that are designed to protect the privacy and reliability of business and personal information.
Email Encryption Laws and Regulations
The following list includes just some of the requirements that are driving encryption adoption in the United States and around the world.
- HIPAA and HITECH: Encryption is now a primary aspect of HIPAA (Health Insurance Portability and Accountability Act) since the passing of HITECH (Health Information Technology for Economic and Clinical Health Act) regulations in 2009. HITECH requires healthcare providers to notify individuals when their protected health information (PHI) is breached. For example, if a hacker hijacks unencrypted PHI in transit from a physician’s office, the physician practice would have to inform the patients and the Department of Health and Human Services of the breach. However, if the electronic PHI is transmitted in encrypted form, notification is not necessary even if there is a security breach. Email encryption grants safe harbor because it can be assumed that the transmitted data is unreadable by unauthorized individuals.
- PCI DSS (Payment Card Industry Data Security Standard) is very clear. Requirement 4 mandates the encrypted transmission of cardholder data across open, public networks.
- EU Data Protection Directive (also known as Directive 95/46/EC) was designed to protect the privacy of all personal data collected for or about citizens of the EU. According to the Information Law Group’s Code or Clear? Encryption Requirements, encryption is becoming a mandatory checklist item to establish “reasonable” security for sensitive categories of data for the EU, and “… it would be difficult to defend an organization’s security measures for sensitive data as ‘reasonable’ without reference to such [email encryption] standards or industry practices.”
- SOX (Sarbanes-Oxley Act) governs the integrity of financial operations of publicly traded companies with the primary goal of protecting “investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws.” Although email encryption is not explicitly mandated as part of the internal controls, SOX implies the need for encryption to protect the integrity and confidentiality of financial information.
- GLBA (Gramm-Leach-Bliley Act) requires that all financial institutions maintain safeguards to protect customer information. Although GLBA does not expressly require email encryption, it does require that financial institutions implement the necessary technological controls to protect the privacy and security of customer financial information. The Federal Financial Institutions Examination Council (FFIEC) recommends that institutions employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. If a financial institution does not deploy encryption to the degree expected by the FFIEC, then the institution must demonstrate that it considered the use of encryption and justify why it chose not to deploy it. Financial institutions, therefore, must carefully evaluate the need to encrypt emails to protect against unauthorized access to sensitive information.
- California Security Breach Notification Act (SB 1386) requires a business, regardless of its location, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized disclosure. If protected information is acquired by an unauthorized person, then the business must promptly give notice, but only if the data was not properly encrypted.
- Nevada Statute, passed in 2008, made Nevada the first among a growing number of states to specifically require email encryption for messages that contain personal customer information. The statute states that, “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”
The consequences of violating these and other government and industry encryption requirements can include fines (for example, the HITECH Act allows for penalties of up to $1.5 million), incarceration, public embarrassment, loss of business privileges, and loss of customer/client/patient/stakeholder trust. Once again, and in short, it pays to be compliant.