Make no bones about it — email encryption is good for everyone, both for professional and individual use. It’s a dangerous world out there, as hackers grow savvier and more bountiful, data mining blurs the lines between private and public, and surveillance programs lobby for back doors to your email.
But for some professions, email encryption isn’t just a good idea. Either it’s mandatory, as with many types of HIPAA and CJIS compliant email communications, or it’s strongly advised. Organizations that deal with compliance protocols and auditing, as well as businesses that transfer personal or confidential information via email, need to use email encryption to protect themselves and clients against the growing threat of data theft.
While email encryption is a privacy and security best practice for any profession, it’s absolutely indispensable for these five fields:
Most people are aware of the Health Insurance Portability and Accountability Act (HIPAA), from signing release forms at your primary care physician’s office to hearing news reports about violations like the AHMC Healthcare data breach, which exposed the data of 729,000 patients. And with hackers taking aim at the healthcare industry, not to mention the proliferation of electronic protected health information (ePHI) through electronic health records (EHRs) and health information exchanges (HIEs), HIPAA compliance is more complicated than ever.
All these technological changes have impacted the way HIPAA compliant businesses, also known as covered entities, have to think about email. That goes for healthcare professionals including doctors, nurses, therapists and pharmacies, as well as health insurance businesses and healthcare clearinghouses. A HIPAA violation could be as simple as sending an unencrypted email to the wrong recipient, just a typo in the address field.Email encryption is a big part of what makes healthcare communications HIPAA compliant. By making data unreadable to anyone who doesn’t have the encryption key, email encryption solutions play a large role in protecting sensitive patient data from the prying eyes of unauthorized viewers.
What happens when healthcare professionals violate HIPAA? Every non-compliant email you send could run you a fine of up to $50,000, and those violations can stack up fast. Before the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009, the annual maximum penalty for violating HIPAA was $250,000, in post-HITECH America, doctors and other covered entities are looking at maximum annual penalties of up to $1.5 million.
With the stakes so high, email encryption is a no-brainer in the medical field, which is why many providers already use HIPAA compliant webmail portal solutions to encrypt their email. The drawback to these solutions, however, is that they’re clunky and frustrating to use, requiring an extra login and password to remember. Virtru provides an alternative to portal-based email encryption solutions, working seamlessly with popular email clients like Gmail, while supporting HIPAA and HITECH compliance.
Another powerful incentive to encrypt is the HIPAA Breach Notification Rule, which requires covered entities to “to provide for notification in the case of breaches of unsecured protected health information” to affected patients, the US Department of Health and Human Services (HHS) and local media within 60 days of discovering the breach.
For the purposes of the Breach Notification Rule, “unsecured” PHI refers to protected health data that is “not secured through the use of a technology or methodology specified by the Secretary in guidance.” One of the specified technologies is, of course, data encryption — so email encryption also provides cover in the event of a medical data breach.
2. Criminal Justice
While the leak of HIPAA data, from blood work to prescriptions, constitutes a violation of patient privacy, the leak of criminal justice information (CJI) could mean the loss of an important crime lead, or even a dangerous scenario for potential crime victims. Nobody wants law enforcement professionals to have a hard time catching criminals (besides, well, the criminals themselves), so access to Criminal Justice Information Services (CJIS) databases is tightly locked down with mandatory security protocol.The largest division of the FBI, CJIS comprises several departments, including the National Instant Criminal Background Check System (NICS), the Integrated Automated Fingerprint Identification System (IAFIS) and the National Crime Information Center (NCIS).
Law enforcement agencies and contractors on the local, state and national levels rely on CJIS databases to deliver the intelligence they need to investigate criminal cases and perform background checks. A loss of CJIS compliance stymies their ability to protect citizens and catch crooks.Much has changed since 1992, when the CJIS was established, and the ubiquity of the Internet, connected mobile devices and cloud storage pose additional challenges to the protection of CJI. As such, CJIS has updated its security policies to accommodate the realities of a world prone to hacking and wanton data leaks. These policies include weekly audit reviews, event logging for various login activities and the CJIS Advanced Authentication Requirement, which mandates the use of multi-factor authentication to verify identity before accessing CJI.
Another CJIS compliance requirement is the use of strong encryption, utilizing a cipher with a minimum length of 128 bits. Of course, encrypting email is a different animal than encrypting data sitting in storage, and a great deal of CJI is exchanged via email communication. It is essential that law enforcement agents use email encryption to protect CJI. Losing access to CJIS databases not only cripples a department’s ability to do its job, but also jeopardizes public safety.
3. Financial institutions
When you think of a “data breach,” what’s the first place your mind goes? Probably to identity theft — and to a loss of data that could jeopardize your financial well-being and credit standing. That’s why financial institutions need to worry about Gramm-Leach-Bliley Act (GLBA) compliance.
Established in 1999, the GLBA holds organizations that deal in loans, financial advice, real estate settlement or debt collecting (including mortgage banks to car dealers) accountable for ensuring the privacy of their customers’ financial data. This includes a mandate that financial institutions send privacy notices each year to inform customers about their sharing and security policies. It also includes safeguards for those sharing and security policies. These include password standards, rules about how and where financial data is stored and background checks on all employees handling data.
Data encryption, both for storage and for email, is one safeguard against the leak of financial data. As with HIPAA, GLBA requires financial institutions to notify customers and anyone else affected by a data breach “in a timely manner.” By using data encryption, a financial institution can also assure those customers that their data is still unreadable to unauthorized recipients.
What happens when a financial institution violates GLBA? The institution itself could face fines of up to $100,000 for each violation — that is, each customer whose data was exposed. And when you think of how many people a single bank or car dealership can serve in a year, those customers can add up fast. Additionally, executives and directors can face fines of up to $10,000 for each violation, as well as prison time. Email encryption is just one way to protect your business (and yourself) from costly violations.
How important is encryption to lawyers, paralegals and other law professions? Important enough that the American Bar Association has a whole page on their website devoted to encryption and client confidentiality.
The ABA recommends not only system encryption, which protects all data on a computer, laptop or other device from unauthorized access, but also encrypted backup storage and email solutions.For a lawyer, a data leak isn’t just a privacy concern, but a violation of attorney-client privilege — and, potentially, the difference between winning and losing a case. Beyond that, however, the data an attorney has access to can be incredibly personal, from detailed personal accounts to hospital records.
More and more, those records are leaving their former occupancies in thick manila folders and taking up room on servers. Criminals no longer have to break into a building to access sensitive documents. They can simply hack their way in.
Email is another vulnerable vector of attack for data thieves, but it’s also susceptible to simple user error. Again, all you have to do is send the right evidence to the wrong recipient, and when your client list includes four different Jeffs it’s an easy mistake to make. Email encryption is an important measure to enable open communication between attorneys and clients while protecting sensitive, sometimes case-deciding data.
5. Educators & Administrators
This is the one that tends to catch people by surprise. After all, don’t teachers have enough to worry about between lesson planning, differentiating instruction, test preparation and grading? And what’s the worst that can happen if someone finds out that Maggie earned a B+ on her vocabulary quiz?
As it so happens, a school stands to lose its federal funding if it violates the Family Educational Rights and Privacy Act (FERPA). Established in 1974, FERPA grants parents and students a number of protections when it comes to student data, including the right to challenge, review, and consent to the disclosure of educational records. If a parent or student discovers a FERPA violation, they can notify the Family Policy Compliance Office (FPCO) of the Department of Education, who then gives the school a set time period to make the corrections necessary to restore compliance.
More and more, teachers, professors and other educators, as well as school administrators, are using email to communicate with their students. As online education picks up steam both at the post-secondary and high school levels, more and more student data will find itself in inboxes, where it can easily fall into the wrong hands.
By using client-side email encryption, education professionals can help bolster the confidence of students and their guardians — and help maintain FERPA compliance — by ensuring that confidential student data can only be read by verified recipients.
While healthcare professionals, law enforcement agencies, mortgage bankers, attorneys and teachers are all under pressure to use email encryption, protecting your email messages from unauthorized views is just good practice for anyone. As Sony’s recent fiasco shows, an email hack can take a sizable chunk out of any company’s reputation, as well as their bottom line.
Virtru’s client-side email encryption solution can help you arm your business against costly compliance violations, data breaches and intellectual property theft. Unlike other email encryption solutions, Virtru works with the email client you’re already using, and doesn’t require the email recipient to log into a portal or use the same email service. To learn more about how email encryption can help protect your business’ most sensitive data, contact Virtru today.