IT Security

Steps to email compliance

by Mark Rowe

Data protection is an issue that affects all organisations. With developments in technology permeating all facets of society and business, there has come an increase in the incidence of criminal hacking, data breaches and data loss, writes Rocco Donnino – Executive Vice President of Corporate Development at AppRiver.

Organisations are challenged to navigate a growing, disparate and constantly changing framework of regulations or face harsh penalties and sanctions. For organisations subject to regulatory compliance, securing email communications introduces an added level of complexity and obligation. While it seems simple enough to relegate the heavy burden of compliance to an out-of-the-box solution, no technology can ensure compliance alone. It becomes essential that organisations develop an effective email compliance policy for the specific regulations they are subject to and implement flexible technology solutions that enforce that policy. While regulations governing messaging security can be complex, email security doesn’t have to be.

This article offers five straight-forward steps that organisations can follow to develop an effective policy to help address technical security safeguard standards.

The bad news is that there is no universal recipe, guidebook, or plan that can lead organisations of every type to comply with every regulation regarding email – every organisation is unique. On the bright side, there are a few steps all organisations can follow that can simplify the seemingly complex task of developing email compliance policy.

Step 1: Determine what regulations apply to your organisation and how to meet requirements for compliance
Ask yourself: what regulations apply to your organisation? What requirements exist to demonstrate email compliance? Do these regulations overlap or conflict? Determine whether you need different policies for different regulations or one comprehensive policy.
Here are examples of major regulations that will affect an organisation’s email policy:

UK’s Data Protection Act (DPA)
All organisations in the UK must comply with the Data Protection Act 1998 (DPA), and face stiff penalties if they breach it. It has 8 principles, governing how personal data can be processed and stored. The seventh data principle covers information security, with principle 8 detailing international transmission and protection of data.
EU General Data Protection Regulation (GDPR)
The DPA is due to be superseded by the EU General Data Protection Regulation (GDPR), which is expected to be adopted in early 2016. The Regulation proposes that data privacy should encompass other factors that could be used to identify an individual – such as their genetic, mental, economic, cultural or social identity. Companies must implement measures to protect any personally identifiable information they store or share.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act is often wrongly thought to apply to American organisations exclusively, when in fact it can affect businesses globally – including those in the UK. It applies to all public corporations, with harsher penalties for corporations with market caps in excess of $75 million.
It demands that companies establish internal controls to accurately gather, process and report financial information. Encryption for financial information sent via email is necessary to ensure data integrity and to prevent unauthorised disclosure or loss.
Gramm-Leach-Bliley Act (GLBA)
Any UK financial institutions with US subsidiaries will need to comply with the Gramm-Leach-Bliley Act – these include banks, credit unions as well as additional businesses of a financial nature. Organisations must implement policy and technologies that ensure the security and confidentiality of customer records when transmitted and in storage.
Payment Card Industry Data Security Standard (PCI DSS)
Retailers and other organisations who transact using major credit, debit, and prepaid cards as well as third party payment card processors must comply with PCI DSS. It requires the secure transmission of cardholder data against interception and unauthorised disclosure as well as protections against malware and other threats to the integrity of cardholder data.

Step 2: Identify what types of data sent via email require protection and set protocols accordingly
Depending upon what regulation(s) your organisation is subject to, you must identify data deemed confidential – be it credit card numbers, electronic health records, or personally identifiable information – that is being sent via email. Then your organisation must determine who should have access to send and receive such information. Finally, set policies that can be enforced by technologies to encrypt, archive, or even block transmission of email content based on users, user groups, keywords and other lexicons that identify your data as sensitive.

Step 3: Determine if and how data is being leaked or lost
Once you understand what types of data are being transmitted via email, you can track if and how data is being lost through email. Are breaches occurring inside the organisation? Is it within a specific group of users? Are file attachments being leaked? Set additional policies to address your core vulnerabilities.

Step 4: Identify what email solutions you need to implement your policy and remain compliant
Having the right solutions to enforce policy is just as important as the policy itself. To satisfy regulatory requirements and enforce policy, several solutions may be necessary to ensure compliance. Below are solutions organisations can implement to enforce policy and help address technical security safeguard standards:
• End-to-end encryption: To meet regulation requirements that mandate email messages containing relevant confidential data be secured, end-to-end encryption is often necessary to ensure that data remains confidential and secure between the message sender and the intended recipient, preventing unauthorised access or loss.
• Data Leak Prevention (DLP): A DLP solution for email is often essential for email compliance, providing enhanced email security through content filtering, authentication, and permissions rules that limit access and transmission of sensitive information sent within and outside the organisation.
• Archiving: Some regulations require that relevant email messages must be retained, indexed and remain accessible for a period of time after transmission. A proper email archiving system will enable organisations to meet regulatory requirements for message retention and auditing records by capturing, preserving and making all email traffic easily searchable for compliance auditors to evaluate. When encrypted and backed-up, archiving provides additional protections for information against loss and unauthorised exposure.
• Antivirus: Antivirus and anti-malware solutions provide additional protections against exploitation or loss, defending against phishing and other attacks at the email gateway that could compromise the security of confidential data.

When selecting an email technology solution, it is important to consider how email is functioning in your organisation and implement a solution that will support business processes and current workflow. Often technologies created to enable regulatory compliance inhibit functionality and workflow, frustrating users.
According to a 2011 study by the Ponemon Institute, over half of email encryption users were frustrated with their encryption solutions being difficult to use.
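As an added illustration of Steps 2 and 4 (this is example code written for this page, not part of the original article or of any AppRiver product), here is a toy DLP policy engine in Python. It classifies outbound mail by keyword lexicon and by Luhn-checked card numbers, checks the sender's group against who is authorised to send each data category, and then decides whether to allow, archive, encrypt or block the message. The domain example.com, the user directory, the lexicon, the group names and the sample messages are all constructed for the example; a real deployment would read the directory from LDAP/AD and the lexicon from the policy the organisation drafted in Step 2.

```python
"""Toy email DLP policy engine (constructed example, not a product's code).
Classifies outbound messages and decides allow / archive / encrypt / block."""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumed: any other domain is external

# Assumed directory of sender -> group (in practice from LDAP/AD).
USER_GROUPS = {
    "alice@example.com": "finance",
    "bob@example.com": "marketing",
    "carol@example.com": "hr",
}

# Step 2: which groups may send each sensitive data category at all.
AUTHORISED_GROUPS = {
    "cardholder-data": {"finance"},
    "financial-report": {"finance"},
    "health-record": {"hr"},
}

# Constructed keyword lexicons that mark content as sensitive.
LEXICON = {
    "financial-report": ["quarterly results", "profit and loss", "account number"],
    "health-record": ["patient record", "diagnosis", "medical history"],
}

# Candidate 13-16 digit runs, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachment_text: list = field(default_factory=list)  # text extracted from attachments


def luhn_valid(digits):
    """Luhn checksum; filters out phone numbers, order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers and pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found


def classify(message):
    """Return the set of sensitive data categories present in the message."""
    text = " ".join([message.subject, message.body] + message.attachment_text)
    categories = set()
    if find_card_numbers(text):
        categories.add("cardholder-data")
    lowered = text.lower()
    for category, terms in LEXICON.items():
        if any(term in lowered for term in terms):
            categories.add(category)
    return categories


def evaluate(message):
    """Policy decision: list of actions plus categories and reasons for the audit log."""
    categories = classify(message)
    if not categories:
        return {"actions": ["allow"], "categories": set(), "reasons": []}
    group = USER_GROUPS.get(message.sender.lower(), "unknown")
    reasons = [f"{message.sender} ({group}) is not authorised to send {c}"
               for c in sorted(categories) if group not in AUTHORISED_GROUPS.get(c, set())]
    if reasons:  # unauthorised sender: block outright
        return {"actions": ["block"], "categories": categories, "reasons": reasons}
    external = [r for r in message.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:  # sensitive data leaving the organisation: encrypt, and retain a copy
        return {"actions": ["encrypt", "archive"], "categories": categories,
                "reasons": ["external recipients: " + ", ".join(external)]}
    return {"actions": ["archive"], "categories": categories,
            "reasons": ["internal only; retained for audit"]}


def run_samples():
    """Evaluate four constructed messages; returns {label: actions}."""
    samples = {
        "finance-external": Message("alice@example.com", ["merchant@partner.example"],
                                    "Refund", "Please refund card 4111 1111 1111 1111 as agreed."),
        "marketing-external": Message("bob@example.com", ["sales@partner.example"],
                                      "Lead", "Customer paid with 4111 1111 1111 1111."),
        "finance-internal": Message("alice@example.com", ["dave@example.com"],
                                    "Q3 quarterly results draft", "See attached."),
        "no-sensitive-data": Message("carol@example.com", ["all@example.com"],
                                     "Team lunch", "Friday at noon, usual place."),
    }
    return {label: evaluate(msg)["actions"] for label, msg in samples.items()}


if __name__ == "__main__":
    for label, actions in run_samples().items():
        print(f"{label:20s} -> {', '.join(actions)}")
```

The Luhn check is what keeps the card-number rule from firing on every long digit run in an invoice or phone list; the group check implements the "who may send what" decision from Step 2 before the encrypt/archive decision from Step 4, so an unauthorised sender is blocked rather than merely encrypted.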

Step 5: Educate users on applicable policies for email to protect sensitive data
Additionally, an effective compliance policy will focus on user education and enforcing policies for acceptable use. As unintentional human error remains one of the most common causes of data breach, many regulations require the education of users on behaviours that could potentially breach policy. When users understand proper workplace email usage and the consequences of non-compliance, and are comfortable using appropriate technologies, they will be less likely to let their guard down and make mistakes.

For most businesses, email is a vital communication resource. Used to perform essential business functions, many organisations rely on email to send sensitive confidential information within and outside the organisation. Yet the prevalence of email as a business tool also makes it vulnerable to exploitation and data loss. In fact, email accounts for 35% of all data loss incidents among enterprises, according to a recent industry study by the Ponemon Institute. Email’s many vulnerabilities underscore the need for organisations to secure, control and track their messages and attachments wherever they send them. By implementing the five steps outlined above, organisations can introduce and develop effective policies to put the necessary security safeguards in place and meet regulatory standards.

© 2024 Professional Security Magazine. All rights reserved.