The Case for Email Encryption
Why protecting your customers’ data is a top priority
- Tens of millions of members and growing at an average of approximately 100,000 new recipients every week
- The FFIEC federal banking regulators and the Securities and Exchange Commission
- More than 20 state bank regulators
- More than 1,300 U.S. financial institutions
- Health insurers protecting data for more than 70 million people
- Nearly 1 in 5, or 1,200, U.S. hospitals
- More than 30 Blue Cross Blue Shield organizations
Zix Corporation (ZixCorp) provides the only email encryption services designed with your most important relationships in mind. The most influential companies and government organizations use the proven ZixCorp® Email Encryption Services, including WellPoint, Humana, the SEC and more than 1,200 hospitals and 1,300 financial institutions. ZixCorp Email Encryption Services are powered by ZixDirectory℠, the largest email encryption community in the world. The tens of millions of ZixDirectory members can feel secure knowing their most important relationships are protected.
2711 N. Haskell Ave.
Suite 2300, LB 36
Dallas, TX 75204
Phone 866 257 4949
You can’t escape the headlines — computer crime is on the rise. According to Javelin Strategy & Research, nearly 10 million Americans lost $48 billion in 2008, due to online identity theft,¹ up from 8.1 million victims in 2007.² Also that year, there were more than 35 million data breaches in the United States.³
Cyber-criminals take advantage of the fact that many companies don’t bother to report security breaches because they don’t want bad publicity, according to Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “Of the thousands of cases that we’ve investigated, the public knows about a handful,” he is quoted by Reuters. “There are million-dollar cases that nobody knows about.” Henry notes that cyber-crime is mushrooming and that as the Internet grows as a commerce tool, companies and consumers are more comfortable sharing valuable data online and in email. “There are hundreds of billions of dollars that traverse the Internet,” he said.⁴
While this is sobering, the world is unreservedly embracing email as a method of exchanging information. The number of worldwide email users is projected to increase from more than 1.4 billion in 2009 to almost 1.9 billion by 2013. Global email is expected to soar to 507 billion messages per day.⁵
As a business tool, email is invaluable. It’s so vital that employees can’t leave it behind at the office. According to a September 2009 Osterman Research study, 82% of employees working in large companies regularly check email from home on weekdays, 78% log in on weekends and 61% while on vacation.⁶
The electronic exchange of information underscores the fact that email is the backbone and driver of business communications today.
Of course this begs the question – with such a large volume of data streaming through and with computer crime on a sharp upswing, is the information we send via email adequately protected?
Encryption becoming the law
This is a question that is increasingly asked by Washington and state governments. Legislative pressure is speeding the move to demand the encryption of sensitive information sent by email. New rules at both the federal and state levels will require organizations to deploy protective technologies such as encryption to achieve compliance.⁷
As concerns mount over data breaches, state governments⁸ and regulatory bodies⁹ are taking action. In October 2008, Nevada passed a law requiring all businesses, no matter their size or nature, to secure confidential customer information if it’s transmitted electronically.¹⁰ In Massachusetts, effective March 2010,¹¹ companies must encrypt all personal information of state residents transmitted electronically or wirelessly.¹² All states, except for a handful, have put in place data security breach notification laws¹³ — an indication that the protection of electronic information is fast becoming a priority.
Gartner, Inc. predicts the Nevada law will put pressure on organizations to encrypt electronic transmissions of personal data and encourage other states to follow suit with similar legislation. This will create a strong demand for embedded encryption and key management services. In due time, according to Gartner, legislation will make in-transit data encryption the new “standard of due care” in lawsuits.¹⁴
Stiff punishment is being meted out to healthcare organizations that run afoul of the strict new Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). It calls for the encryption of all protected health information (PHI) sent via email. Breaking the rules will cost you. Under the new legislation, organizations will be fined up to $1.5 million — up from $25,000 — for violating patients’ privacy.¹⁵ It also extends the effective reach of HIPAA coverage to business associates. Companies must re-evaluate their overall privacy compliance programs and implement more effective information security practices, including encryption wherever possible.
Not securing email is a dangerous game
Financial and health care institutions, as well as governments—in fact, any organization dealing with personal and confidential information—are increasingly concerned with protecting privacy and preventing data breaches. In a survey released in 2009, conducted by the American Institute of Certified Public Accountants (AICPA) on the most crucial technology initiatives facing businesses globally, information security management, privacy management and secure data file storage, transmission and exchange topped the list.¹⁶
Despite this growing awareness, a 2009 report by Imperva and Ponemon Institute reveals that more than half of the 500 businesses they surveyed admitted they did not secure Social Security numbers, bank account details and other personal data.¹⁷ According to a recent survey of 347 banks conducted by Wolters Kluwer Financial Services, two-thirds of those polled rely on unencrypted delivery methods to send confidential data. One-third use regular email to send personal information to customers, service providers and partners, while another third rely on regular or overnight mail or are unsure of the method they employ.¹⁸ This is a dangerous game of electronic Russian roulette, as federal and state regulators are demanding tighter email security.
More security breaches expected in 2010
According to a recent Global Security Survey from Deloitte, financial institutions are bracing for an increased risk of security breaches in 2010, attributed to tight budgets and potential insider misconduct.¹⁹ “In this economic climate it is vital that firms become extra vigilant in protecting their data, and implement checks and measures to reduce the potential impact of human error,” said Mike Maddison, head of Deloitte’s security and privacy practice in an article published on iTnews.com.²⁰
Savvy businesses are proactive about securing their customers’ personal information because they realize their reputations would be on the line with a data breach. According to Ponemon Institute, the average cost of a data breach for an organization is $6.6 million—more than $200 per compromised record.²¹ Forrester Research reports small and medium-size businesses (SMBs) are earmarking a significant portion of their 2009 IT budgets for data protection. “Data protection is the number one issue, and the availability of data follows that,” said Jonathan Penn, Forrester’s vice president of tech industry strategy – security, in an article on EWeek.com. “They are recognizing that protection of the data is a key part of their business. The last thing you need is to somehow erode that [customer] trust with a big data breach.”²²
Penn says SMBs will be looking for ways to streamline IT management and stick to budgetary diets and that outsourcing security will be a popular choice. “Focusing on what’s important, the data, is exactly the right way to go,” Penn was quoted in the EWeek.com article. “SMBs have been ahead of enterprises in outsourcing, but both are looking for ways to offload some of the tactical expertise.”²³