10:00 AM
Randy George

E-Mail Encryption Goes Mainstream

Fess up: have you ever emailed your credit card number or Social Security number to a friend, a family member, or even a third party? I have, and yes, I was a bonehead for doing it. In the business world, you need to make sure your employees aren't doing it either. Why should you care? New state-mandated data privacy regulations are changing the rules of the game when it comes to emailing Personally Identifiable Information (PII) in cyberspace. Simply stated, it's bad business, and it's becoming increasingly illegal.

If you work in Massachusetts, as I do, then you've probably been tied down for months strategizing on how you'll deal with the new state-mandated Data Privacy Law. I'm not a lawyer, but I play one at work, so here's an attempt to summarize pages of Latin and legal jargon in a few sentences. Regardless of where you do business, if you collect or distribute the PII of a Massachusetts resident during the course of business, you are subject to the new MA Data Privacy Law. If you mishandle the PII of a Massachusetts resident through carelessness, you are subject to a maximum penalty of $5,000 per customer record lost.

Let's put that into perspective. Suppose that as a travel agent, you store the credit card info for your top 100 business customers for their billing convenience. Let's further suppose that the laptop on which you stored those credit card numbers fell into the wrong hands or was lost. Theoretically, you're exposed to possible fines of $500k. That's a crippling fine for a boutique travel agency, assuming that liability insurance doesn't cover you. Now let's assume you're a university, and you lose the PII of 25,000 students. See where we're going? The potential penalties, and negative PR, amount to huge dollars lost.

The key takeaway is that strict data privacy legislation is coming to your state, if it hasn't arrived already. If you don't have any encryption capabilities in the datacenter now, start with what is probably the biggest threat vector for every organization: e-mail. If you have a data loss prevention (DLP) appliance, then you probably already know how common it is for PII to be emailed out to the world unencrypted. You might catch your HR department forwarding employee socials to benefit providers via unencrypted email. You might learn that the sales team has been taking credit card orders via e-mail from customers instead of using the secure channels. The number of business processes that are broken, and that expose you to risk, is likely greater than you know.

The technology solution? Consider shooting all of your outbound email through an easy-to-manage email encryption appliance, like McAfee's Secure Mail Gateway or Cisco's IronPort appliance. Let the appliance's built-in PII dictionaries decide what to encrypt. Managing an email encryption appliance is generally a pretty easy task, and for the cost, it gives your compliance initiative great bang for the buck.
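To make the dictionary-driven decision concrete, here is a sketch of a content-based encrypt-or-deliver check for outbound mail. It is an added example, not code from either vendor's appliance; the patterns, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# SSN in NNN-NN-NNNN form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> list[str]:
    """Return the kinds of PII found in text (never the values themselves)."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("card")
            break
    return hits

def outbound_action(raw_message: str) -> tuple[str, list[str]]:
    """Decide 'encrypt' or 'deliver' for one outbound RFC 5322 message."""
    msg = message_from_string(raw_message)
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    hits = find_pii("\n".join(parts))
    return ("encrypt" if hits else "deliver"), hits

# Constructed sample messages (a standard test card number and a made-up SSN).
ORDER = "From: sales@example.com\nTo: customer@example.net\nSubject: Your order\n\nCard on file: 4111 1111 1111 1111\n"
HR = "From: hr@example.com\nTo: benefits@example.org\nSubject: New hire\n\nSSN 123-45-6789, start date 2010-03-01\n"
LUNCH = "From: a@example.com\nTo: b@example.com\nSubject: Lunch\n\nTracking no. 1234 5678 9012 3456, see you at noon\n"

if __name__ == "__main__":
    for name, raw in (("order", ORDER), ("hr", HR), ("lunch", LUNCH)):
        print(name, outbound_action(raw))
```

The Luhn check is what keeps the 16-digit tracking number in the third message from forcing encryption; attachments and non-plain-text parts are not inspected in this sketch.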
 

Randy George has covered a wide range of network infrastructure and information security topics in his 4 years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT, and has spent the last 8 years working as a ...