Anyone can read along the way… Email sent in clear text offers more exposure:
Copied to >= 2 servers, spam filters, etc., backups, firewalls
29% of emails contain attachments
96% of total email content volume comes from attachments.
Therefore: protecting the integrity of files is just as important.
My very own financial advisor emailed 3 PDFs to me, no encryption. No password. The assistant gets the emails, as does anyone in the firm, IT, compliance, or, if the address had been mistyped, anyone in their

The study also revealed a variety of primary causes of data breaches experienced by the surveyed companies, including, for example, that:
42% of all breaches studied involved errors made by, or compromises otherwise incurred while a company’s data is in the possession or control of, a third party.
36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices. Interestingly, the study found that the per-record cost of a data breach involving a stolen laptop or mobile device was just over $224, whereas the per-record cost of a data breach not involving a stolen laptop or mobile device was only around $192.
24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
82% of all breaches studied involved organizations that had experienced more than one data breach involving the compromise of more than 1,000 records containing personal information.

% of consumers that upon being notified by the organizations involved in a breach …
States – not just email… IM, other data transmissions. MA is 5 business days away. Short month.
Gramm-Leach-Bliley Act (GLBA) – requires that financial institutions protect information collected about individuals (name, address, phone #s, bank & CC, SSN, etc.).
Payment Card Industry Data Security Standards (PCI DSS) – requirements for protecting the security of consumers’ payment account information (provisions for a secure network, encryption, etc.).
The list is quite long and growing quickly…. Covering firms of many types, businesses, sizes, geographies and client demographics. (We have a Resource Center at smarsh.com to track and learn more.)
FINRA (Chairman Rick Ketchum) - stepping up oversight of IAs & dually registered firms.

Cover Implementation – Outbound mail routed through encryption services
Vs. appliance, software, hosted 3rd party (unaware), Office/Outlook, etc.

Mitigate risk and breach cost…. Ex. California: if exposed data is in jeopardy, there is an exception to the notification provision if the data was encrypted.

FINRA – great starting point: rules, regulations, links to other regulations, webcasts
Smarsh – Resource Center covering the ever-growing list of regulations, quick facts/practical summary of requirements and where to go for additional information. White papers, webcasts (DLP, Encryption & Secure FT, …)

Growth & Recognition
99%+ client retention rate.
50-100 inbound competitor migrations monthly.
100% annual revenue & customer growth.
Highest ranked email compliance vendor in the Inc. 500 for second consecutive year.
Ranked No. 61 overall in the Deloitte Technology Fast 500.
Fastest growing email archiving vendor in the worldwide market according to an IDC market analysis.
#1 fastest-growing private company in state of Oregon for 2009 (Portland Business Journal).

What is Encryption?
Encryption is not a single product or solution. It is a process to be applied in an overall information security program.
Identify sensitive data and points where it may be most vulnerable.
Many “types” of encryption:
Hardware vs. Software
End-to-end
Full-disk encryption
Database encryption
Mobile device encryption
File/Volume encryption
File and document transfer
Email encryption
Even within the scope of email encryption… many types and methods

Why You Need To Encrypt – General
“Email is like a postcard”… only worse.
Data breaches can be malicious. Typically inadvertent.
Email users spent a mean of:
152 minutes (28% of typical 9 hour workday) on email vs.
138 min (23%) in-person meetings,
70 min (13%) on phone. [1]
Email is the default file transport vehicle. So, attachments are also at risk.
Tax season is upon us, and sensitive information is exchanged every day.
Reputational risk
Lost Clients
[1] Osterman Research study, May 2009

Cost of a Data Breach
$204 per record…
$750,000 - $31 million cost range
33,000 records compromised per incident on average. [1]
Costs include
  Direct
    Communication
    Investigations and forensics
    Legal
  Indirect
    Lost business
    Public Relations
    New Customer Acquisition
[1] Ponemon Institute study of organizations having data breaches in 2009

Cost of a Data Breach
57% said they lost trust and confidence in the organization…
31% terminated the relationship.
Ponemon Institute study of organizations having data breaches in 2008

Why You Need To Encrypt - Regulations
SEC Regulation S-P
The SEC’s Regulation S-P requires financial services firms to adopt written policies and procedures that address the administrative, technical and physical safeguards for the protection of customer records and information.
45+ State Data Protection Laws
Do business in Massachusetts? The compliance deadline for 201 CMR 17.00, requiring the encryption of all electronically transmitted records and files containing personal information, is March 1, 2010.
Nevada? Restrictions on transfer of personal information through electronic transmission. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
FTC Red Flags Rule
Requires financial institutions and creditors to implement a written program to detect, prevent and mitigate identity theft.
Health Insurance Portability and Accountability Act (HIPAA)
Requires that policies and procedures must be established and implemented to protect the use and disclosure of individuals’ protected health information (PHI). As part of the American Recovery and Reinvestment Act of 2009, provisions of HIPAA (and consequences of non-compliance) were significantly expanded to apply to business partners (attorneys, accountants, financial advisors) of entities already covered (pharmacies, healthcare providers, etc.).
FINRA Exam Priorities
FTC’s Red Flags Rule
Protection of Customer Information and IT Security

FTC’s Red Flags Rule
Pursuant to the 2003 Fair and Accurate Credit Transactions Act (FACT Act), the Federal Trade Commission (FTC) implemented the Red Flags Rule and other regulations applicable to broker dealers. While all of these regulations became effective November 1, 2008, the FTC delayed the enforcement of the Red Flags Rule until May 1, 2009, and subsequently until June 1, 2010. FINRA issued Regulatory Notice 08-69 (www.finra.org/notices/08-69) to alert firms about these regulations. Among other things, the Notice provides specific details regarding the requirement that, pursuant to the Red Flags Rule, firms subject to the rule must develop and implement a written identity theft program. Since the regulations addressed by the Regulatory Notice are FTC Rules and not FINRA Rules, questions about compliance with the regulations should generally be directed to the FTC.

Protection of Customer Information and IT Security
While technology can create significant efficiencies, it can also expose a firm to new and increased risks. As such, firms should review their IT security procedures to ensure they are sufficient to deter security breaches, hacking, cyber attacks, account intrusions and other security threats. Brokerage account intrusions, whereby persons illegally access customer accounts, continue to affect the industry. Intruders can use a number of methods to obtain login credentials needed to access customer accounts, such as stealing customer login credentials or robbing firm employees of their system passwords. Once inside an account, the intruders may wire out funds or use the account for a market manipulation scheme in tandem with other accounts. Account intrusions affect introducing and clearing firms of all sizes and securities of many types.
Insider threats remain an elevated risk, especially during this time of corporate downsizing in response to current economic conditions. FINRA has seen several high-profile problems result from poor IT account management within the employee ranks. Systems that are used to control employee activities and provide a check and balance should be reviewed to ensure that only currently authorized personnel are granted access to these systems. The same holds true for other systems, such as trading systems that can be used to commit firms to a trade or contract. Weaknesses in these controls can be costly and can significantly damage a firm’s business and/or reputation.
The SEC’s Regulation S-P requires firms to have policies and procedures that address administrative, technical and physical safeguards for the protection of customer information and records. Firms must ensure that their policies and procedures are reasonably designed to protect against any anticipated threats or hazards to the security and integrity of customer records and information.
Among other things, firms should consider how they protect customer information stored on electronic devices, such as hard drives, CDs, flash drives, floppy disks, laptops and PDAs, when they are in use and after they are discarded by the firm. Firms also should consider how they mitigate the risk of insider threats, such as through internal surveillance monitoring and controls. In addition, firms offering online customer access and trading should assess their internal surveillance and develop plans for handling account intrusions. This assessment might include a review of the online interface with customers to determine if there are any inefficiencies or gaps that can be strengthened in order to reduce the ability of intruders to access customer accounts and records. Introducing and clearing firms should work together to mitigate the risk of intrusions. Firms should also be diligent in their review of account activity for red flags that may indicate suspicious activity.

Benefits of Encryption
Meet both data protection and regulatory compliance obligations.
Send and access secure, protected messages easily.
Mitigate risk with policy-based encryption.
Transfer large files securely without worrying about file-size limits.
Remove the hassle associated with other third-party encryption solutions.
Fortify trust with clients and strengthen brand presence with demonstrated commitment to data security.
Efficiently administrate message review, often complicated by traditional encryption methods.
Stay ahead of the evolving regulatory environment.
Save money with consolidated and reliable solutions.
Source: InformationWeek Analytics Data Encryption Survey of 430 business technology professionals at organizations using encryption.

Integration - Evaluation Criteria

Integration – Considerations
Email Encryption solutions typically need to integrate with:
Basic Email Hosting Infrastructure
Server & Networking
Clients – Webmail, Outlook, Entourage
Mobile – iPhone, BlackBerry, Android, Windows Mobile devices
Spam & Anti-Virus
CRM, accounting & other business applications
Email Archiving
Data Leak Prevention (DLP)

Integration - Encryption + Archiving
Consolidate. The Smarsh Management Console is your administration destination. There is no need to log into separate applications for your encryption software, another to view your "quarantined" pre-review messages and then another for your email supervision system.
Enforce policy-based encryption. Messages that meet your firm's customized criteria will be automatically sent with smarshEncrypt.
Communicate back-and-forth with clients confidentially within smarshEncrypt. Intellectual property, sensitive client financial information or private health information, for instance, can be transmitted in accordance with emerging state and Federal data protection and data breach mandates and regulations.
Outlook? BlackBerry? iPhone? CRM? No problem. Incorporate encryption and data-leak prevention policy enforcement with any email system and with any tool used to send email.
Track the entire life cycle of an email message through your compliance audit system. Start with the original ("pre-encrypted") message and track all actions taken on it.

Data Leak Prevention (DLP)
Mitigate risk by taking action on emails before they leave (or enter) your organization:
Block or Reject
Encrypt
Redact
Remove violating content or attachments
Quarantine
Prevent important corporate knowledge from leaving your organization.
Ensure compliance with consistent, automated policy enforcement.
Protect the transmission of your clients' confidential data with email encryption.
Prioritize risk, escalate scrutiny and take action on highest-risk sources.
Eliminate the need for multiple solutions addressing email compliance, security and classification.

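The "policy-based encryption" on the previous slide and the DLP actions listed above both come down to the same mechanism: inspect each outbound message and its attachments for the data classes the regulations name, then pick an action from an ordered rule set. The following is an added example written for this page, not Smarsh code and not how smarshEncrypt is implemented. It assumes a firm domain of firm.example, ordered rules chosen for illustration (card numbers are quarantined for review, SSNs leaving the firm are encrypted, attachments that cannot be inspected are encrypted rather than assumed clean), and a constructed sample message. Findings are masked before they go into the decision record so the audit trail that tracks the "pre-encrypted" message does not itself become a second copy of the sensitive data.

```python
import re
from email.message import EmailMessage, Message

INTERNAL_DOMAIN = "firm.example"   # assumption: the firm's own mail domain

# Detectors for SSNs (GLBA) and payment card numbers (PCI DSS). The PAN
# pattern only finds candidates; luhn_ok() filters out random digit runs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){15,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so audit records do not leak data."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> dict:
    """Return raw SSN and Luhn-valid PAN matches found in one text part."""
    pans = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    return {"ssn": SSN_RE.findall(text), "pan": [p for p in pans if luhn_ok(p)]}


def redact(text: str) -> str:
    """Redact action: replace SSNs and valid PANs with their masked forms."""
    text = SSN_RE.sub(lambda m: mask(m.group()), text)
    return PAN_RE.sub(
        lambda m: mask(m.group()) if luhn_ok(re.sub(r"[ -]", "", m.group())) else m.group(),
        text,
    )


def is_external(msg: Message) -> bool:
    """True if any To/Cc recipient is outside the firm's domain."""
    header = ",".join(v for v in (msg.get("To"), msg.get("Cc")) if v)
    rcpts = [r.strip().lower() for r in header.split(",") if r.strip()]
    return any(not r.endswith("@" + INTERNAL_DOMAIN) for r in rcpts)


def decide(msg: Message) -> dict:
    """Apply ordered rules, first match wins; returns the action and masked findings."""
    findings = {"ssn": [], "pan": [], "unscanned": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or "body"
        if part.get_content_maintype() != "text":
            # Binary attachments (PDFs etc.) get no text extraction here, so
            # they are recorded as uninspected rather than assumed clean.
            findings["unscanned"].append(name)
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        hit = scan_text(text)
        findings["ssn"] += [mask(s) for s in hit["ssn"]]
        findings["pan"] += [mask(p) for p in hit["pan"]]
    external = is_external(msg)
    if findings["pan"]:
        action, why = "quarantine", "card number present; hold for compliance review"
    elif external and findings["ssn"]:
        action, why = "encrypt", "SSN leaving the firm"
    elif external and findings["unscanned"]:
        action, why = "encrypt", "attachment could not be inspected"
    else:
        action, why = "deliver", "no policy match"   # internal-only mail passes
    return {"action": action, "reason": why, "external": external, "findings": findings}


def build_sample(to: str, body: str, attachments=()) -> EmailMessage:
    """Constructed test message; attachments are (filename, bytes, maintype, subtype)."""
    msg = EmailMessage()
    msg["From"] = "advisor@" + INTERNAL_DOMAIN
    msg["To"] = to
    msg["Subject"] = "Account paperwork"
    msg.set_content(body)
    for filename, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


if __name__ == "__main__":
    # Constructed sample: SSN in the body, a test card number in a text
    # attachment, and a placeholder PDF that cannot be inspected.
    sample = build_sample(
        "client@mail.example",
        "Hi, your SSN on file is 123-45-6789. Statement attached.",
        [("card.txt", b"Card on file: 4111 1111 1111 1111", "text", "plain"),
         ("statement.pdf", b"%PDF-1.4 constructed placeholder", "application", "pdf")],
    )
    print(decide(sample))
```

Rule order is the policy: moving the "unscanned attachment" rule above the SSN rule, or adding a "block" outcome for card numbers, changes what leaves the firm, so the order belongs in the written policy the regulations require rather than in a developer's head. A production engine would also extract text from PDFs and Office files instead of treating every binary attachment as uninspected.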
Practical Suggestions
Consult your email hosting or email compliance service provider.
Consider all systems, tools and applications with which the encryption and data protection solution must be compatible.
Determine the rules, regulations and requirements that need to be addressed for your business.
Establish your policies, procedures, and Identity Theft Prevention Plan.
Protect the most vulnerable and most sensitive data first.