It is only natural that email’s dominant role in global communications has also allowed it to become a medium for fraud, unsolicited commercial overtures, malicious code, and other undesirable activities. Despite policies that may dictate otherwise, all forms of sensitive business information find their way into email, making it the primary means by which that data is inadvertently disclosed or purposefully stolen. The incidents of loss or disclosure of sensitive data via email are widespread.

Some of the Key Risk Factors for EMail include:
1. Laptops, wireless handhelds, & other mobile devices with sensitive data stolen or used by inappropriate personnel
2. Sensitive data sent to inappropriate parties
3. Sensitive data exchanged between customers & customer service representatives (CSRs)
4. Lack of a confidential communication channel with the supply chain
5. Out of compliance with regulations for privacy protection, financial systems control, etc.

Action Steps
The best contacts and resources to help you get it done

Understand the Risk to Your business

Each industry and business is subject to different risks. Studies have shown that the cost per lost record averages close to $200.

I recommend: Reading the 2006 Annual Study: Cost of a Data Breach

Know the Laws and Regulations Governing Your Business

Regulations that have proven to have a direct or indirect influence on the need for encryption:• Enterprise email encryption is a comprehensive solution for any organization required to comply with Part 11 of Title 21 Code of Federal Regulations, which describes the FDA's guidance on Electronic Records and Electronic Signatures.• CA SB 1386 – California's Database Security Breach Notification Act. The intent of the law is to protect California residents from identity theft by requiring organizations that have had computer security breaches to notify all affected California residents. The only way an organization can avoid notifying customers is to have encrypted all personal information prior to a security breach.• HIPAA requires the HHS to ensure standardization of electronic patient data, assign unique health identifiers and implement security standards to protect the confidentiality and integrity of all “individually identifiable health information.”

I recommend: Reading abstracts of these laws, including:
*SB 1386 Compliance Management Toolkit
*HHS' guide on Security Standards Technical Safeguards
PGP Corporation's EMail Encryption Buyer's Guide
Abstract of Part 11 of Title 21

Tips & Tactics

Helpful advice for making the most of this Guide

• •  When evaluating solutions for your email encryption needs, some of the areas you should consider include:
• •  -- Standards compatibility – An email encryption solution must be compliant with the various Internet and vendor standards on which you’re the email system is based. To achieve reasonable interoperability with the rest of the world, it must support both OpenPGP and S/MIME encoding—without exception.
• •  --Flexible encryption modes – Organizations need to be able to protect their sensitive information with the most rigorous end-to-end encryption available, but also have the flexibility to protect less-critical data with strong, server-based encryption that is less expensive and easy to manage. These modes must work together seamlessly and support mobile users and handheld devices.
• •  --Coexistence with anti-virus, anti-spam, & content filtering – An encryption solution should plug into the existing messaging security architecture, not go around it.