
Email Compliance

No matter what industry you’re in, keeping data safe from hackers is a legal (and ethical) obligation. From customer credit card numbers to medical records to trade secrets, businesses are facing increasing enforcement of data security laws — and the consequences of failure are costly. To control risks, it’s crucial to protect the communication tool your workers depend on: email. Encryption is either required or recommended for email compliance in all major regulatory regimes that touch on data security.

Email Compliance and Encryption
Compliance regimes might word things slightly differently, or they might have different requirements, but the basic security practices required for regulatory compliance are surprisingly consistent across the board — particularly regarding encryption. Email compliance either explicitly or implicitly requires encryption in HIPAA, CJIS, CFPB and other regulatory regimes.

Encryption in healthcare is considered “addressable” — i.e., not explicitly required — but don’t let that fool you. The Department of Health and Human Services says that encryption must be implemented if an internal risk assessment shows it is a “reasonable and appropriate safeguard” for Electronic Protected Health Information (ePHI). It can only be replaced by an “equivalent alternative measure” with careful documentation of your rationale. In other words, if you don’t use encryption, you better have a very good reason.

CJIS compliance and data encryption go hand in hand. Section of the CJIS Security Policy explicitly requires users to employ 128-bit encryption or better, and encrypt any data “outside the boundary of the physically secure location.” Server-side encryption solutions like TLS may not meet email regulatory compliance. Data is decrypted and re-encrypted at each server, and messages can be sent as plaintext if a particular server doesn’t support TLS. Only data-centric encryption satisfies a strict reading of CJIS regulations by protecting each piece of data across its entire journey.

CFPB compliance doesn’t explicitly require encryption for email compliance; however, it does require organizations to protect Nonpublic Personal Information (NPI) such as name, address and credit score. If you use electronic communication, email encryption is the only practical way to do this. Client portals theoretically meet this standard, but you won’t be able to get all your clients and business partners to use them, leaving some information exposed. Focusing on email regulatory compliance is more reliable, since pretty much everyone you communicate with has email.

How Email Compliance Supports Breach Mitigation
If you lose control of protected data, quick and effective breach mitigation is a must. With the right tools, you can limit the damage done to customers, business partners and your reputation, limit future compliance penalties or even escape breach notification requirements.

Since email is the chief way most organizations exchange confidential information, email compliance tools are an invaluable asset. Data Loss Prevention (DLP) helps with this by monitoring outgoing emails for content that could indicate a breach of email regulatory compliance and security. For example, DLP can warn users if their emails contain Social Security numbers or keywords like “account,” automatically encrypt emails sent to certain addresses, or strip confidential attachments from emails sent outside the company.
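A minimal sketch of the outbound DLP checks described above, as an added example (not Virtru's code or any product's API). The policy values, action labels and sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy values (hypothetical; not taken from the page or any product).
INTERNAL_DOMAIN = "example.com"
ALWAYS_ENCRYPT = {"claims@partner.example"}
KEYWORDS = {"account"}
# Hyphenated SSN shape only; rejects area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def recipients(msg):
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}

def body_text(msg):
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""

def apply_dlp(msg):
    """Return the set of policy actions; strips attachments in place."""
    actions = set()
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    if SSN_RE.search(text):
        actions.add("warn:ssn")
    if any(re.search(rf"\b{re.escape(k)}\b", text, re.I) for k in KEYWORDS):
        actions.add("warn:keyword")
    rcpts = recipients(msg)
    if rcpts & ALWAYS_ENCRYPT:
        actions.add("encrypt")
    # Any recipient outside the internal domain makes the message external.
    external = any(not r.endswith("@" + INTERNAL_DOMAIN) for r in rcpts)
    if external and msg.is_multipart():
        parts = msg.get_payload()
        kept = [p for p in parts if p.get_content_disposition() != "attachment"]
        if len(kept) != len(parts):
            msg.set_payload(kept)
            actions.add("strip-attachments")
    return actions

def sample_message():
    """Constructed outbound message that trips every rule."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com, claims@partner.example"
    m["Subject"] = "Account update"
    m.set_content("Member SSN is 123-45-6789.")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="records.bin")
    return m
```

Pattern matching of this kind only sees the plain-text body and subject; SSNs written without hyphens or placed inside attachments are not detected by this sketch.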

The ability to recall an email you’ve already sent is another tremendously useful email compliance feature supported by encryption. Once an email is sent, it’s in the recipient’s inbox and can’t be recalled. However, applications that use the Virtru Encryption as a Service (EaaS) architecture can control permission to read and share the email.

By rescinding the encryption key, you can stop recipients from reading or sharing the message — even after it has been opened. Combined with Virtru Read Receipts, this can address breach mitigation requirements or (if you rescind the message before it’s opened) avert a breach entirely according to HIPAA Breach Notification and similar disclosure rules.

Email Regulatory Compliance Doesn’t Have to be Difficult
Security and compliance rules aren’t a set of boxes to check — they’re carefully designed guidelines to keep confidential data safe. Encryption is critical to meeting email compliance requirements, safeguarding private information and protecting your relationships with your customers and partners. Use the links below to learn more about how email encryption supports compliance.

Is it a HIPAA Breach Notification or a Close Call?
Do I need a HIPAA Compliant Email Service? A Business Associate Guide
HIPAA Compliance in the Cloud [Guide]
CJIS Compliance for Google Apps [Guide]
The Complete Guide to CFPB Compliance for Realtors [Guide]
Locking Down Financial Data: Why PCI Compliant Businesses Should Use Email Encryption
Email Encryption For Government Organizations [Guide]