Randy George

Channel: Security, Data Center, Data Protection

E-Mail Encryption Goes Mainstream

Fess up: have you ever emailed your credit card number or Social Security number to a friend, a family member, or a third party? I have, and yes, I was a bonehead for doing it. In the business world, you need to make sure your employees aren't doing it either. Why should you care? New state-mandated data privacy regulations are changing the rules of the game when it comes to emailing Personally Identifiable Information (PII). Simply stated, it's bad business, and it's increasingly illegal.

If you work in Massachusetts, as I do, then you've probably spent months strategizing on how you'll deal with the new state-mandated Data Privacy Law. I'm not a lawyer, but I play one at work, so here's an attempt to summarize pages of Latin and legal jargon in a few sentences. Regardless of where you do business, if you collect or distribute the PII of a Massachusetts resident in the course of business, you are subject to the new MA Data Privacy Law. If you mishandle that PII through carelessness, you are exposed to a maximum penalty of $5,000 per customer record lost.

Let's put that into perspective. Suppose that, as a travel agent, you store the credit card info for your top 100 business customers for their billing convenience. Now suppose the laptop holding those card numbers is lost or falls into the wrong hands. Theoretically, you're exposed to fines of up to $500,000. That's a crippling fine for a boutique travel agency, assuming liability insurance doesn't cover you. Now suppose you're a university and you lose the PII of 25,000 students. See where this is going? The potential penalties, plus the negative PR, amount to huge dollars lost.

The key takeaway is that strict data privacy legislation is coming to your state, if it hasn't arrived already. If you don't have any encryption capabilities in the datacenter now, start with what is probably the biggest data loss vector for every organization: e-mail. If you have a data loss prevention (DLP) appliance, then you probably already know how common it is for PII to be emailed out to the world unencrypted. You might catch your HR department forwarding employee Social Security numbers to benefit providers via unencrypted email. You might learn that the sales team has been taking credit card orders from customers via e-mail instead of using the secure channels. The number of broken business processes that expose you to risk is likely larger than you know.

The technology solution? Consider routing all of your outbound email through an easy-to-manage email encryption appliance, like McAfee's Secure Mail Gateway or Cisco's IronPort appliance. Let the appliance's built-in PII dictionaries decide what to encrypt. Managing an email encryption appliance is generally an easy task, and for the cost, it gives your compliance initiative great bang for the buck. Two caveats: dictionary matching is pattern-based, so test the policies against your own mail flow before enforcing them, because unformatted numbers slip past and innocuous numbers that happen to look like card or Social Security numbers get flagged; and email encryption covers one vector only, so the lost laptop in the example above still needs disk encryption, which is a separate project.
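To make the dictionary decision concrete, here is an added example of the two checks such a gateway typically runs on outbound mail before releasing it in the clear: a Luhn-validated credit card number pattern and a structurally valid US Social Security number. This is illustrative code written for this page, not the McAfee or Cisco dictionary logic and not part of the original post. The sample messages are constructed, and the `decide` function is a stand-in for the appliance's encrypt-or-deliver action.

```python
"""Toy PII gate for outbound mail: decide whether a message must be encrypted.

Added example, not a vendor's dictionary. It mirrors the two checks a
gateway typically runs before releasing a message in the clear.
"""
import re

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate SSNs in AAA-GG-SSSS form (dash or space separators).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

# Constructed sample messages standing in for real outbound mail.
SAMPLES = {
    "hr_to_benefits": "Hi, enrolling Jane Doe, SSN 123-45-6789, effective June 1.",
    "sales_order": "Please charge my Visa 4111 1111 1111 1111 exp 09/27 for the Boston trip.",
    "invoice_number": "Your invoice 4111 1111 1111 1112 has shipped, thanks for your order.",
    "bad_ssn": "Ticket ref 666-12-3456 is closed.",
    "newsletter": "Q3 all-hands is Thursday at 10am in the main conference room.",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject structurally impossible SSNs: never-issued area, zero fields."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_pii(text: str) -> dict:
    """Return PII categories found, with matches masked so logs stay clean."""
    found = {"credit_card": [], "ssn": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["credit_card"].append("*" * (len(digits) - 4) + digits[-4:])
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            found["ssn"].append("***-**-" + m.group(3))
    return {k: v for k, v in found.items() if v}


def decide(message: str) -> str:
    """Gateway policy: 'encrypt' if any PII category matched, else 'deliver'."""
    return "encrypt" if find_pii(message) else "deliver"


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16s} -> {decide(body):8s} {find_pii(body)}")
```

The Luhn and SSN structure checks are what keep an invoice number or a ticket reference from triggering encryption, which is the false-positive tuning the caveat above refers to. The inverse problem is also visible: an SSN written as nine bare digits matches neither pattern, which is why real appliances pair dictionaries with context keywords ("SSN", "card") and why policies should be tested against your own traffic before enforcement.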