The Case for Email Encryption
Why protecting your customers’ data is a top priority
Global economic instability, and uncertainty about what the future holds, has had an ominous side effect: computer crime is on the rise. According to Javelin Strategy & Research, nearly 10 million Americans lost $48 billion to online identity theft in 2008. That same year, more than 35 million data records were breached in the United States.
The situation has merited the attention of President Barack Obama, who, in his first few days in office, directed his National and Homeland Security advisors to conduct an immediate cyber security review. “The national security and economic health of the United States depend on the security, stability and integrity of our nation’s cyberspace, both in the public and private sectors,” said John Brennan, assistant to the president for counterterrorism and security, in a White House news release.
Financial and health care institutions, governments and, in fact, any organization dealing with personal and confidential information are increasingly concerned with protecting privacy and preventing data breaches. Securing personal data is seen as a key priority. In a recent survey conducted by the American Institute of Certified Public Accountants (AICPA) on the most crucial technology initiatives facing businesses globally, information security management, privacy management, and secure data file storage, transmission and exchange topped the list.
Not securing email is a dangerous game
But despite this growing awareness, a distressing number of financial institutions do not encrypt emails containing confidential information. According to a recent survey of 347 banks conducted by Wolters Kluwer Financial Services, two-thirds of those polled rely on unencrypted delivery methods to send confidential data. One-third use regular email to send personal information to customers, service providers and partners, while another third rely on regular or overnight mail, or are unsure of the method they employ. This is a dangerous game of electronic Russian roulette, as federal and state regulators are demanding tighter email security. Case in point: in 2004, St. Louis-based Southern Commercial Bank was investigated by state regulators for compromising the privacy of more than 40,000 customers when it emailed unsecured personal information, including addresses, bank account numbers and Social Security numbers, to an independent computer programmer.
More security breaches expected in 2009
According to the latest annual Global Security Survey from Deloitte, financial institutions are bracing for an increased risk of security breaches in 2009, attributed to tight budgets and potential insider misconduct. "In this economic climate it is vital that firms become extra vigilant in protecting their data, and implement checks and measures to reduce the potential impact of human error," said Mike Maddison, head of Deloitte's security and privacy practice, in an article published on iTnews.com.
Occidental Petroleum Corporation learned firsthand about employee misconduct when a former worker was caught with a spreadsheet of employees’ names, addresses, birthdates and Social Security numbers, as well as other confidential information. He had sent the data to a personal email account.
Savvy businesses are proactive about securing their customers’ personal information because they realize their reputations would be on the line in a data breach. According to the Ponemon Institute, a Tucson-based research firm, the average cost of a data breach for an organization is $6.6 million, or more than $200 per compromised record.
Forrester Research, the eminent technology and market research company, reports that small and medium-size businesses (SMBs) are earmarking a significant portion of their 2009 IT budgets for data protection. “Data protection is the number one issue, and the availability of data follows that,” said Jonathan Penn, Forrester’s vice president of tech industry strategy – security, in an article on EWeek.com. “They are recognizing that protection of the data is a key part of their business. The last thing you need is to somehow erode that [customer] trust with a big data breach.”
Penn says SMBs will be looking for ways to streamline IT management and stick to budgetary diets, and that outsourcing security will be a popular choice. “Focusing on what’s important, the data, is exactly the right way to go,” Penn was quoted as saying in the EWeek.com article. “SMBs have been ahead of enterprises in outsourcing, but both are looking for ways to offload some of the tactical expertise.”
Encryption is—or soon will be—the law
Legislative pressure will speed the move to email encryption of sensitive information. As concerns mount over data breaches, state governments and regulatory bodies are taking action. In October 2008, Nevada passed a law requiring all businesses, no matter their size or nature, to secure confidential customer information if it’s transmitted electronically. In Massachusetts, effective January 1, 2010, companies are required to encrypt all personal information of state residents transmitted electronically or wirelessly. The safeguarding of private data, especially in regard to the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA), has become a major concern.
Gartner, Inc., a world-leading information technology research and advisory company, predicts the Nevada law will put pressure on organizations to encrypt electronic transmissions of personal data and will encourage other states to follow suit with similar legislation. Compliance means that businesses, including healthcare providers, hospitality companies, insurance companies and credit bureaus, to name only a few, will have to accept only encrypted transmissions of sensitive personal or financial data from their partners. This will create a strong demand for embedded encryption and key management services. In due time, according to Gartner, legislation will make in-transit data encryption the new “standard of due care” in any lawsuit.
Sources
CRS Report for Congress, July 31, 2007 - Information Security and Data Breach Notification Safeguards:
http://assets.opencrs.com/rpts/RL34120_20070731.pdf
St. Louis Post-Dispatch, February 22, 2004 - E-mail Ensnarls St. Louis-Based Bank in Privacy Inquiry:
http://www.accessmylibrary.com/coms2/summary_0286-6156087_ITM