Commentary - What would be the cost to your business if email with sensitive client information, such as credit card numbers or health records, got into the wrong hands?
In 2010, more than 107 trillion emails (Pingdom) were sent. Email has become such second nature that we don’t think twice before sending our most personal information through this easy communication channel.
Most good email providers go to great lengths to protect your email in datacenters, and many companies have put good security practices into place to protect email access. But, as email travels across the Internet, it is vulnerable to data breaches, data leaks, and hackers. Rogue employees also pose risks for distributing information inappropriately.
Businesses can face litigation, fines, and loss of reputation if any personal information about their customers is exposed via email or other means. For instance, the Federal government’s HIPAA act mandates that healthcare providers secure email communication with encryption technology. Financial services firms also face regulation under the Sarbanes-Oxley act. Several states, including California and Massachusetts, have passed their own legislation requiring email encryption.
Yet, even now, many businesses have no email encryption technology in place. One data breach can jeopardize the trusted relationship you have with your customers. Unfortunately, many businesses are unaware that the problem can be solved with simple controls over the communications coming and going from their company – anything from bad language to confidential information.
Potential costs of unsecured email data breach
The average cost of a data breach incident for U.S. organizations in 2009 was $6.75 million, or $204 per compromised record. No matter the size of your business, your company may be held financially responsible in the event of a data loss. Many companies look to do the bare minimum to protect themselves, but this leaves the business and all of its data vulnerable. Encryption adds a layer of protection on top of your regular email security that any business dealing with personal and confidential information needs to have. Encrypting your email makes the information virtually unreadable as it travels across the Internet, protecting private information about you and your customers.
Savings are not just accrued in avoiding penalties and fines. A recent Thomson Reuters study found that 71 percent of global compliance professionals expected to need more time and resources to work with regulators and exchanges in order to be ready for rising compliance requirements. Up-front investment in encryption helps ensure safety and can save small businesses from having to put personnel resources toward fixing the problem once it occurs.
Private information overload
It’s important to note that emails do not often end at the original destination. If you forward information about an employee’s medical condition to your HR manager, he or she may need to forward that on to your corporate lawyer and your health insurance provider. Now information that was originally traded internally has moved outside your network and can continue to move without your knowledge. Yet, your company is still responsible for controlling the dissemination of that information.
Not only can email encryption protect against theft of confidential information, but IT managers can also put rules in place to automatically flag and review all outbound emails before they leave the internal network. This prevents sensitive information, or even email containing profanity, from leaving your company.
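One way to implement the outbound review rule described above, as an added example that is not Intermedia's code or product: a small Python filter that flags a message if it contains a Luhn-valid payment card number, a U.S. Social Security number, or a word from a blocked list, and holds it for review. The patterns, the blocked-word list and the sample messages are constructed assumptions.

```python
import re

# Constructed rules: card numbers (13-16 digits, optional separators), SSNs, listed words
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
BLOCKED_WORDS = {"damn"}  # placeholder list; a real deployment supplies its own


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment cards; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers AND pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def review_outbound(subject: str, body: str) -> dict:
    """Apply the rules to one message and decide: hold for review or deliver."""
    text = f"{subject}\n{body}"
    findings = []
    for card in find_card_numbers(text):
        findings.append(("card_number", card[-4:]))  # record only the last four digits
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()[-4:]))
    words = set(re.findall(r"[a-z']+", text.lower()))
    for w in sorted(words & BLOCKED_WORDS):
        findings.append(("blocked_word", w))
    action = "hold_for_review" if findings else "deliver"
    return {"action": action, "findings": findings}


if __name__ == "__main__":
    # Constructed sample messages: a real-looking card number vs. an order number
    print(review_outbound("Invoice", "Card 4111 1111 1111 1111, call me."))
    print(review_outbound("Lunch", "Order #1234 5678 9012 3456 is ready."))
```

The Luhn check is what keeps a 16-digit order number from being flagged as a card number; an SSN pattern has no such checksum, so it will produce more false positives in practice.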
Questions and actions
Now that you have the background, you still might be asking yourself, how do I know if my business really needs encryption? A good rule of thumb is to consider an encryption solution if you answer yes to one or both of these questions:
• Do you share confidential information about your business or customers over email – such as account numbers, dates of birth, or highly sensitive internal strategy documents?
• Do you operate in a regulated industry or geography? Here are some examples of current legislation in place:
  • Health Insurance Portability and Accountability Act (HIPAA)
  • California Security Breach Notification Act (SB 1386)
  • Massachusetts Encryption Law (201 CMR 17.00)
  • Sarbanes-Oxley Act (SOX)
  • Gramm-Leach-Bliley Act (GLBA)
If you answered yes to either of these questions, it is time to start the encryption discussion with your email provider. By taking this step now, you could be saving a lot of time and money later.
There’s a lot at stake for businesses that are not compliant with federal and industry regulations regarding email encryption, including litigation, fines, and loss of reputation in the event of a data breach. While many states and industries have passed laws holding businesses financially responsible in the case of a leak, email encryption still remains an afterthought. Businesses need control of the communications that are coming and going from their company, from foul language to confidential material. SMBs should consider the potential costs they could face and the security their email services have to offer. Talk to your email provider about its email encryption today.
Biography: Jonathan McCormick is COO of Intermedia.