We’ve all done it: sent an email with the wrong file attached, or perhaps sent one to the wrong email address. It’s easy to do. But for businesses handling sensitive information, such as credit card numbers, social security numbers, or health records, this type of mistake may not have such a simple fix.
Employees need to take extra precautions when sharing sensitive client information via email, not only for the client’s sake, but for the sake of your business. Every industry has regulations regarding email and data security, and small mistakes can result in a costly lawsuit for your company. For example, sending credit card information via email could put your entire email system in violation of the Payment Card Industry Data Security Standard (PCI DSS). Send an email confirming a client’s appointment to the wrong email address, and you have a HIPAA privacy violation. Neglect to encrypt an email about an ongoing investigation, and you may be in violation of the CJIS security policy. According to the 2018 Insider Threat Intelligence Report, 78% of assessments found company data publicly accessible online, a 14% increase from the previous year.
To comply with business standards and industry regulations, organizations need to protect sensitive information, starting with how they handle email. Don’t let a simple email mistake turn into a much bigger issue! Adopting these email Data Loss Prevention (DLP) measures will safeguard outgoing emails, and with them the wellbeing of your business and clients:
1. Encrypt Your Emails
Any email sent over the web is at risk of being intercepted by an attacker while en route between sender and recipient, an obvious problem for those containing private information. Encrypting emails containing sensitive data is one of the easiest and most effective ways to ensure your message is read only by those intended. Encryption works by scrambling the original content of an email into an unreadable form, with the true message revealed only after the recipient authenticates. So when sending appointment reminders or important contracts, rest assured only those it’s intended for can read it, even if it is accidentally sent to the wrong address! This type of encryption can be done through secure email hosting services, web-based encryption services, or email encryption services that build the encryption into client emails. Gmail, Outlook for iOS, OS X, Android and webmail all have options to encrypt emails built right into the platform. Keep in mind that the emails you send aren’t the only things that should be encrypted: the connection to your email provider, as well as stored, cached or archived emails, should also be secured.
2. Secure your Attachments
So you’ve encrypted your emails? Let’s take it one step further. More likely than not, the attachments you send with your emails hold a lot more valuable information than the email itself, so encrypt your attachments, even if the email has already been encrypted. Encrypting attachments not only prevents them from being intercepted and read while in transit, but also prevents the recipient from saving or forwarding attachments to unauthorized employees or outside parties. For Word documents, you can encrypt the file with a password before sending it out. PDF files, however, can be a little trickier. You can set passwords for PDFs using Adobe Acrobat and OS X; if these aren’t an option for your company, encryption plugins such as Vitrium and Jira are available.
3. Add a Legal Disclaimer
Never assume that a recipient is aware that the data they received is confidential. Avoid an embarrassing (and potentially damaging) lack of communication by including a disclaimer at the top of emails containing private data. Any emails regarding health records, legal contracts, finance records, or confidential industry information should have a disclaimer in place; in fact, disclaimers are usually an industry requirement. Contrary to the popular belief that email disclaimers are not legally enforceable, disclaimers placed at the top or within the text of an email have been found to be relevant in numerous published court opinions throughout the United States, though the legal effects would be limited to only certain situations. Take, for example, the disclaimer below:
Even if an email is sent to the wrong address, a disclaimer stating its intent and confidentiality may prevent the mistake from turning into a bigger issue. Of course, once the information is in the hands of an outside party it’s up to them whether to make the right decision and not share it, but at the very least there is some legal backing. Make sure the recipient can see your disclaimer and understands the sensitivity of the information.
4. Help Employees Stay Compliant
It doesn’t matter if you have the best DLP security policies or the strongest encryption — without the right training, it’s only a matter of time until someone in your organization breaks compliance and sensitive data from an email is lost to the masses.
- Make sure employees understand what sensitive data is and what types they work with specifically.
- Research all compliance legislation regarding your industry if you aren’t already aware of it. Health and legal agencies need to be particularly well-informed about required security measures, but every industry has a security standard to follow. Compliance regulations are continuously being updated, so make sure you’re staying on top of the latest changes. A few ways to do this are to subscribe to newsletters from your local legislators, law firms, regulatory bodies, etc., attend a compliance seminar or workshop, or do a good old-fashioned weekly Google search for the latest news regarding your industry. Larger companies may want to invest in a good GRC (governance, risk management, and compliance) software package or a compliance officer or expert to keep their business up-to-date with regulations.
- Set rules and guidelines regarding work email security. The government may have its own set of rules, but your office should have its own distinct guidelines regarding email. This isn’t as hard as it sounds. One strong set of rules for a category like financial data security can usually satisfy multiple security and compliance concerns. Often, making a broad rule (e.g. “human resources are not allowed to email PII”) and listing exceptions is easier than writing out each prohibition.
5. Adopt a Data Loss Prevention System
Taking precautions to secure your emails is crucial to preventing email data loss, but all these extra steps can slow workflow. To optimize security without sacrificing your employees’ valuable time, consider investing in a data loss prevention system to manage all sensitive data in your network, including your emails. A DLP system identifies, monitors, and protects data in use, data in motion on your network, and data at rest in your data storage area or on desktops, laptops, mobile phones or tablets.
DLP systems provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of sensitive data, protecting against mistakes that lead to data leaks and intentional misuse by insiders or external attackers. Encryption and passwords become obsolete when a DLP system is in place, providing you with more efficient security measures and peace of mind that nothing will get lost in transit when sending out your emails.
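To make the “identifies, monitors, and protects” part concrete, here is a small outbound-email DLP check written as an added example for this article; it is not code from any DLP product. It scans an outgoing message for the two data types the introduction names, payment card numbers (PCI DSS) and US Social Security numbers, and applies a simple policy: allow clean mail, require encryption when sensitive data goes to a colleague, and block it when the recipient is outside the company. The internal domain `example.com`, the `decide` policy function and all sample messages are assumptions constructed for the example.

```python
"""Minimal outbound-email DLP scanner (added example, not a vendor's code).

Detects payment card numbers and US Social Security numbers in message text.
Card candidates are validated with the Luhn checksum so that arbitrary
16-digit strings (order numbers, tracking ids) are not flagged as cards.
All sample inputs and the policy domain are constructed for this example.
"""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# 3-2-4 SSN layout with dashes; rejects area 000, 666 and 900-999,
# group 00 and serial 0000, which are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str      # "card_number" or "ssn"
    masked: str    # redacted value that is safe to write to a log or alert


def mask(value: str) -> str:
    """Keep only the last four digits so alerts never leak the full value."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Identify sensitive data in an outgoing message body."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card_number", mask(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(m.group())))
    return findings


def decide(text: str, recipient: str, internal_domain: str = "example.com") -> str:
    """Hypothetical policy: 'allow', 'encrypt' (internal) or 'block' (external)."""
    findings = scan_text(text)
    if not findings:
        return "allow"
    if not recipient.lower().endswith("@" + internal_domain):
        return "block"
    return "encrypt"


if __name__ == "__main__":
    # Constructed sample messages; the card number is the well-known Visa test PAN.
    samples = [
        ("Card on file: 4111 1111 1111 1111, ref 1234567890123456", "vendor@gmail.com"),
        ("Applicant SSN 123-45-6789 attached", "hr@example.com"),
        ("See you at the 3pm meeting", "client@gmail.com"),
    ]
    for body, to in samples:
        print(to, decide(body, to), [f"{f.kind}:{f.masked}" for f in scan_text(body)])
```

The Luhn check is what keeps the false-positive rate tolerable: the reference number in the first sample is sixteen digits long but fails the checksum, so only the real card number is reported. Findings carry masked values only, so the alert stream itself does not become another place where sensitive data is stored.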