The case for encryption in finance and retail

The Case for Email Encryption

Why protecting your customers’ data is a top priority

ZixDirectory

The ZixDirectory℠ includes:
  • Tens of millions of members and growing at an average of approximately 100,000 new recipients every week
  • The FFIEC federal banking regulators and the Securities and Exchange Commission
  • More than 20 state bank regulators
  • More than 1,300 U.S. financial institutions
  • Health insurers protecting data for more than 70 million people
  • Nearly 1 in 5, or 1,200, U.S. hospitals
  • More than 30 Blue Cross Blue Shield organizations

About Zix Corporation

Zix Corporation (ZixCorp) provides the only email encryption services designed with your most important relationships in mind. The most influential companies and government organizations use the proven ZixCorp® Email Encryption Services, including WellPoint, Humana, the SEC and more than 1,200 hospitals and 1,300 financial institutions. ZixCorp Email Encryption Services are powered by ZixDirectory℠, the largest email encryption community in the world. The tens of millions of ZixDirectory members can feel secure knowing their most important relationships are protected.

For more information about ZixCorp, call toll-free 800-458-3348 or email sales@getzixmail.com.

Zix Corporation
2711 N. Haskell Ave.
Suite 2300, LB 36
Dallas, TX 75204

Phone 866 257 4949
www.zixcorp.com

You can’t escape the headlines — computer crime is on the rise. According to Javelin Strategy & Research, nearly 10 million Americans lost $48 billion in 2008 due to online identity theft,[1] up from 8.1 million victims in 2007.[2] Also that year, there were more than 35 million data breaches in the United States.[3]

Cyber-criminals take advantage of the fact that many companies don’t bother to report security breaches because they don’t want bad publicity, according to Shawn Henry, assistant director for the Federal Bureau of Investigation’s Cyber Division. “Of the thousands of cases that we’ve investigated, the public knows about a handful,” he is quoted by Reuters. “There are million-dollar cases that nobody knows about.” Henry notes that cyber-crime is mushrooming and that as the Internet grows as a commerce tool, companies and consumers are more comfortable sharing valuable data online and in email. “There are hundreds of billions of dollars that traverse the Internet,” he said.[4]

While this is sobering, the world is unreservedly embracing email as a method of exchanging information. The number of worldwide email users is projected to increase from more than 1.4 billion in 2009 to almost 1.9 billion by 2013. Global email is expected to soar to 507 billion messages per day.[5]

As a business tool, email is invaluable. It’s so vital that employees can’t leave it behind at the office. According to a September 2009 Osterman Research study, 82% of employees working in large companies regularly check email from home on weekdays, 78% log in on weekends and 61% while on vacation.[6]

The electronic exchange of information underscores the fact that email is the backbone and driver of business communications today.

Of course this begs the question – with such a large volume of data streaming through and with computer crime on a sharp upswing, is the information we send via email adequately protected?

Encryption becoming the law

This is a question that is increasingly asked by Washington and state governments. Legislative pressure is speeding the move to demand the encryption of sensitive information sent by email. New rules at both the federal and state levels will require organizations to deploy protective technologies such as encryption to achieve compliance.[7]

As concerns mount over data breaches, state governments[8] and regulatory bodies[9] are taking action. In October 2008, Nevada passed a law requiring all businesses, no matter their size or nature, to secure confidential customer information if it’s transmitted electronically.[10] In Massachusetts, effective March 2010,[11] companies must encrypt all personal information of state residents transmitted electronically or wirelessly.[12] All states, except for a handful, have put in place data security breach notification laws[13] — an indication that the protection of electronic information is fast becoming a priority.

Gartner, Inc. predicts the Nevada law will put pressure on organizations to encrypt electronic transmissions of personal data and encourage other states to follow suit with similar legislation. This will create a strong demand for embedded encryption and key management services. In due time, according to Gartner, legislation will make in-transit data encryption the new “standard of due care” in lawsuits.[14]

Stiff punishment is being meted out to healthcare organizations that run afoul of the strict new Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). It calls for the encryption of all protected health information (PHI) sent via email. Breaking the rules will cost you. Under the new legislation, organizations will be fined up to $1.5 million — up from $25,000 — for violating patients’ privacy.[15] It also extends the effective reach of HIPAA coverage to business associates. Companies must re-evaluate their overall privacy compliance programs and implement more effective information security practices, including encryption wherever possible.

Not securing email is a dangerous game

Financial and health care institutions, as well as governments—in fact, any organization dealing with personal and confidential information—are increasingly concerned with protecting privacy and preventing data breaches. In a survey released in 2009, conducted by the American Institute of Certified Public Accountants (AICPA) on the most crucial technology initiatives facing businesses globally, information security management, privacy management and secure data file storage, transmission and exchange topped the list.[16]

Despite this growing awareness, a 2009 report by Imperva and Ponemon Institute reveals that more than half of the 500 businesses they surveyed admitted they did not secure Social Security numbers, bank account details and other personal data.[17] According to a recent survey of 347 banks conducted by Wolters Kluwer Financial Services, two-thirds of those polled rely on unencrypted delivery methods to send confidential data. One-third use regular email to send personal information to customers, service providers and partners, while another third rely on regular or overnight mail or are unsure of the method they employ.[18] This is a dangerous game of electronic Russian roulette, as federal and state regulators are demanding tighter email security.

More security breaches expected in 2010

According to a recent Global Security Survey from Deloitte, financial institutions are bracing for an increased risk of security breaches in 2010, attributed to tight budgets and potential insider misconduct.[19] “In this economic climate it is vital that firms become extra vigilant in protecting their data, and implement checks and measures to reduce the potential impact of human error,” said Mike Maddison, head of Deloitte’s security and privacy practice in an article published on iTnews.com.[20]

Savvy businesses are proactive about securing their customers’ personal information because they realize their reputations would be on the line with a data breach. According to Ponemon Institute, the average cost of a data breach for an organization is $6.6 million—more than $200 per compromised record.[21] Forrester Research reports small and medium-size businesses (SMBs) are earmarking a significant portion of their 2009 IT budgets for data protection. “Data protection is the number one issue, and the availability of data follows that,” said Jonathan Penn, Forrester’s vice president of tech industry strategy – security, in an article on EWeek.com. “They are recognizing that protection of the data is a key part of their business. The last thing you need is to somehow erode that [customer] trust with a big data breach.”[22]

Penn says SMBs will be looking for ways to streamline IT management and stick to budgetary diets and that outsourcing security will be a popular choice. “Focusing on what’s important, the data, is exactly the right way to go,” Penn was quoted in the EWeek.com article. “SMBs have been ahead of enterprises in outsourcing, but both are looking for ways to offload some of the tactical expertise.”[23]

  1. Reuters, January 9, 2009 – Identity theft has become more prevalent, with nearly 10 million American victims losing $48 billion in 2008:

    http://uk.reuters.com/article/marketsNewsUS/idUKN0646389320090209

  2. Network World, January 20, 2010 — IC3 includes identity theft in statistics:

    http://www.networkworld.com/newsletters/sec/2010/011810sec2.html?hpg1=bn

  3. IT World, January 7, 2009 – Data Breaches Rose Sharply in 2008, says study:

    http://www.itworld.com/security/60271/data-breaches-rose-sharply-2008-says-study

  4. Reuters, November 24, 2009 – Cyber Breaches are a closely kept secret:

    http://www.reuters.com/article/idUSTRE5AN4YH20091124

  5. The Radicati Group, May 6, 2009 — Email Statistics Report, 2009-2013:

    http://www.radicati.com/?p=3237

  6. An Osterman Survey Research Report – Results of an End User Survey on the Use of Communications Tools, September 2009:

    http://www.messagingnews.com/michael-osterman

  7. The Industry Standard, December 15, 2009 – New Laws Complicate Security Efforts in 2010:

    http://www.thestandard.com/news/2009/12/15/new-laws-complicate-security-efforts-2010?page=0%2C0

  8. Virginia Information Technologies Agency – Sensitive data should not be transmitted electronically unless encryption is utilized:

    http://www.accessmylibrary.com/coms2/summary_0286-6156087_ITM

  9. FDIC Law, Regulations, Related Acts — c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access:

    http://www.fdic.gov/regulations/laws/rules/2000-8660.html

  10. Wall Street Journal, October 16, 2008: New Data Privacy Law Set for Firms:

    http://online.wsj.com/article/SB122411532152538495.html

  11. 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH:

    http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

  12. Ibid.
  13. Security Law Blog, August 5, 2009 – Data Security Breach Notification Law Update:

    http://www.huntonprivacyblog.com/2009/08/articles/information-security/data-security-breach-notification-law-update

  14. Gartner Inc., October 6, 2008 – Expect Other States to Follow Nevada’s Lead in Encryption Law:

    http://www.gartner.com/DisplayDocument?id=771514

  15. Healthcare IT News, November 2, 2009 — HIPAA violators could face fines of up to $1.5M:

    http://www.healthcareitnews.com/news/hipaa-violators-could-face-fines-15m

  16. CXO Today, January 19, 2009 – Data Protection Top Priority Say Pros:

    http://www.cxotoday.com/Events/Storage/India/CXOToday_Storage/Data_Protection_Top_Priority_Say_Pros/551-97914-491.html

  17. cnet news, September 24, 2009 — Survey: Half of businesses don’t secure personal data:

    http://news.cnet.com/8301-1009_3-10360639-83.html

  18. SC Magazine (for IT Security Professionals), January 23, 2009 – Banks Not Encrypting Confidential Data:

    http://www.securecomputing.net.au/News/135154,banks-not-encrypting-confidential-datasurvey.aspx

  19. Deloitte, 2008 – Protecting What Matters, The Sixth Annual Global Security Survey:

    http://www.deloitte-ftp.fr/Publications/Mar_09/globalsecuritysurvey_2009.pdf

  20. iTnews, February 5, 2009 — Financial institutions brace for rise in security breaches:

    http://www.itnews.com.au/News/95619,financial-institutionsgb-brace-for-rise-insecurity-breaches.aspx

  21. Ponemon Institute, February 8, 2009 – Data breach cost an average of $6.6 million:

    http://blog.fulldisclosure.org/data_breach_cost/20090208-18558-Data-Breach-Cost-an-Average-of-66-Million

  22. EWeek.com, January 7, 2009 — SMBs to Increase Security Spending in 2009:

    http://www.eweek.com/c/a/Midmarket/SMBs-to-Increase-Security-Spending-in-2009

  23. Ibid.