Trusttone
To Encrypt or Not to Encrypt – Organizational Responsibility

Abstract

Businesses are moving more and more of their workflow online using email, since email is convenient, fast and free. Adoption of email, however, raises questions of security and protection of the information that must be addressed. The nature of the information exchanged dictates the obligation to provide protection and also the consequences of neglect. This paper discusses the organizational responsibility for managing security and protection of collaborative information exchange, with a focus on the role of data encryption in such protection.

Why should an organization protect information?

The following are the main reasons to protect private sensitive information exchanged in emails.

  1. Comply with privacy regulations (Organizational Responsibility)
  2. Save money
  3. Gain competitive advantage

Which organizations must protect information?

The privacy regulations are specifically legislated with the health and finance industries as targets. Other industries may also be affected by regulations crafted for health and finance organizations.
If your organization handles the following types of information, you should consider privacy protection plans.

  1. Patient health information - medical record, medications, treatment etc.
  2. Customer identity information - SSN, account number, transactions, payroll and tax records etc.
  3. Non-regulated but high-value information such as merger and acquisition data, business or marketing plans, pricing, intellectual property

More organizations than one might suspect handle private, sensitive information that must be managed carefully and protected in storage and in transit.

Compliance with Privacy Regulations

Do the right thing. Protect your clients and stay on the right side of the law. Avoid penalties.

The United States has multiple federal regulations (e.g. HIPAA, GLBA) that require organizations to protect the private information of their customers. Compliance with these regulations is mandatory, with significant fines for violations. In addition, each state has laws to protect the privacy of users in that state. As shown in the map below, only six states have not yet enacted state regulations requiring privacy protection.


Figure 1 - States with Privacy Laws

Federal Privacy Regulations

Health Insurance Portability and Accountability Act (HIPAA)
Primary Target = Healthcare Industry

This federal law stipulates protection of the privacy and confidentiality of "electronic health information" managed by covered entities (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers).

Typically, healthcare providers – clinics, labs, nursing homes – and other organizations that handle Protected Health Information (PHI) are covered under this law. They must protect PHI from disclosure to unauthorized parties. PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history.

We have a separate white paper for more details about HIPAA here.

Gramm-Leach-Bliley Act (GLBA) (a.k.a. Financial Services Modernization Act of 1999)
Primary Target = Finance Industry

The GLBA Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The Financial Privacy Rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer's nonpublic personal information. The act also stipulates safeguarding of "consumers' personal financial information". Financial institutions should take a closer look at how they manage their customers' private data and ensure that the data is protected.

State Privacy Regulations

Security Breach Law

In addition to Federal regulations, forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted privacy regulations requiring organizations to disclose to consumers security breaches involving personal information. The State Security Breach Laws were enacted to protect the confidential personal information of consumers.

Examples of State Security Breach Laws

  1. California - SB 1386
  2. Massachusetts - 201 CMR 17
  3. West Virginia - SB 340

In some cases, businesses with no locations in a regulated state are still required to protect the information of customers living in that state.

Examples of violations

HSBC companies slapped with US $5M fines over data breaches

Three HSBC companies have been hit with fines after the financial services watchdog found they weren't doing enough to protect customers' data. You can find the details about this event at the link here.

Popular Compliance Products

  1. Email Encryption Service - Encryption in the cloud; no software, no hardware; policy driven; for SMTP/POP environments
  2. Email Encryption Appliance - Encryption at the gateway; easy deployment; no software installation at the desktop; policy driven; for Exchange and SMTP environments
  3. Outlook 2010/2007 Encryption - Encryption at the desktop; no IT deployment; $149.95, charged at installation time; policy driven; for Exchange and SMTP environments; 90-day money-back guarantee
  4. Outlook 2005 and Earlier Encryption - Encryption at the desktop; no IT deployment; $149.95, charged at installation time; policy driven; for Exchange and SMTP environments; 90-day money-back guarantee