Raising the Bar on Email Security
James F. Brashear, General Counsel, Zix Corporation
Why this sudden focus on email security?
Risk of Email Interception
How email seems to work
(Diagram: the message appears to pass from one Company Network, through its routers, DLP and AS/AV filtering, straight to the other Company Network.)
How email actually works
(Diagram: the message actually travels through The Cloud.)
Email is Cloud Data
Unencrypted Email
“Email sent in the ‘default’ manner over the Internet is inherently insecure.”
Benefits of Secure Email:
• Integrity
• Confidentiality
• Privacy
• Authenticity
• Proof of receipt
• Nonrepudiation
“Now is the time to get serious about your email system.”
Webmail Providers Advocate Encryption
Data Intercepts Happen
Even if you don’t see them
Spying by N.S.A. Ally Entangled U.S. Law Firm
By JAMES RISEN and LAURA POITRAS, FEB. 15, 2014
The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers.
A top-secret document, obtained by the former N.S.A. contractor Edward J. Snowden, shows that an American law firm was monitored while representing a foreign government in trade disputes with the United States. The disclosure offers a rare glimpse of a specific instance in which Americans were ensnared by the eavesdroppers, and is of particular interest because lawyers in the United States with clients overseas have expressed growing concern that their confidential communications could be compromised by such surveillance.
Unencrypted Email Intercepted
• Gmail, Hotmail and Yahoo! accounts targeted by hackers
– China’s Gmail DNS diversion
Man-in-the-Middle Attacks
• SSL Certificate Spoofing
• Several SSL Certificate Authorities hacked
• Courts in The Netherlands advised lawyers to stop using email
Targeting Real Estate Professionals
• Thieves intercept emails from title agencies that provide wire transfer information for borrowers
• Thieves alter the email by replacing the title company’s bank account information with their own, and then send it along to the borrowers
• The emails appear to be genuine, containing the title agency’s email information and branding
• Unsuspecting borrowers transmit earnest money to the thieves
Reasonable Expectation of Privacy?
Privacy Laws
North Carolina Data Breach Notice Law
• GS § 75-65. Protection from security breaches
– Applies to any business that owns, licenses, maintains or possesses “personal information” of North Carolina residents
• Requires notice of a “security breach”
– An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer
– Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach
• Safe Harbor: encryption and a secure key
– “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key
Federal Data Breach Notice Standard?
• White House proposed in January 2015 a federal data breach reporting standard that would preempt the various state laws
• Proposal would create a safe harbor, exempting companies from the notice requirements, if an assessment concludes that there is no reasonable risk of harm
• Rebuttable presumption there is no reasonable risk of harm if the data “was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field of information security”
• In other words, using strong encryption would provide a safe harbor for businesses
GLBA Safeguards Rule
• Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of customers’ personally identifiable financial information
• Financial institution means any business that is significantly engaged in providing financial products or services
• Term includes:
– Mortgage brokers
– Non-bank lenders
– Loan servicers
– Real estate settlement services
– Real estate appraisers
GLBA Safeguards Rule
• Nonpublic financial information means:
– Personally identifiable financial information; and
– Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available
• Personally identifiable financial information means:
– Information a consumer provides to obtain a financial product or service
– Information about a consumer resulting from any transaction involving a financial product or service
– Information otherwise obtained about a consumer in connection with providing a financial product or service to that consumer
GLBA Safeguards Rule
• Protect customer information
– The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security:
  • Employee Management and Training
  • Information Systems
  • Detecting and Managing System Failures
• Develop a written information security plan
– Flexible standard appropriate to each company’s:
  • size and complexity
  • nature and scope of activities
  • sensitivity of customer information handled
Information Security Plan
• Plan must cover:
– designate employees to coordinate the information security program
– identify and assess risks to customer information in each relevant area of the company’s operation
– evaluate the effectiveness of the current safeguards for controlling these risks
– design and implement a safeguards program, and regularly monitor and test it
– evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring
– select service providers that can maintain appropriate safeguards
– make sure contracts require service providers to maintain safeguards
– oversee service providers’ handling of customer information
Oversight of Service Providers
• CFPB Bulletin 2012-03: the Consumer Financial Protection Bureau expects financial institutions to oversee compliance with GLBA Safeguards by any person that provides a material service in connection with a consumer financial product or service
• Financial institutions should take steps to ensure that service providers do not present unwarranted risks to consumers, including:
– Due diligence to verify compliance with GLBA
– Review service provider’s policies, procedures, internal controls and training materials about compliance with GLBA
– Contractual provisions addressing compliance with GLBA
– Establish internal controls and ongoing monitoring to determine compliance with GLBA
– Take prompt action to address fully any problems
Title Industry Standards
ALTA Best Practices: Pillar #3 – Protecting NPI
• Written Plan: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law
• Procedures include: Use only secure delivery methods when transmitting Non-public Personal Information.
GLBA Email Security Guidance
“Take steps to ensure the secure transmission of customer information”
“If you must transmit sensitive data by email over the Internet, be sure to encrypt the data”
Securing Data in Motion
Encryption Considerations
• Client’s instructions
• Degree of sensitivity of the information
• Possible client impact from disclosure
• Data breach laws
• Likelihood of disclosure
• Inherent level of security
• Reasonable steps to increase security
• Cost of additional safeguards
• Urgency of the situation
• Legal ramifications of unauthorized interception, access or use
Channel Encryption Protects Email in Transit
Channel Encryption
From the Experts: SSL Hacked!
Enterprise can't rely on encrypted communications anymore, but corporate counsel can champion a fix
Security of HTTPS channel encryption relies on trust in SSL certificates
(Diagram: exchange between Browser and Website Server)
1. Browser to Server: identity inquiry
2. Server to Browser: SSL certificate
3. Browser: trust confirmation
4. Acknowledgement
5. Encrypted channel session
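The trust confirmation step is the whole game, so here is an added example (not from the slides or from Zix) in Go that builds throw-away certificates in memory and runs the client's check over them: a genuine certificate verifies, a certificate carrying the same hostname but signed by an untrusted issuer fails, a genuine certificate presented for the wrong hostname fails, and that same spoofed certificate is accepted the moment its issuer's root enters the trust store, which is exactly why a hacked certificate authority undermines channel encryption. The hostnames and CA names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // certificates need distinct, positive serial numbers

// makeCert builds a throw-away certificate for cn. With parent == nil it is
// self-signed and acts as a CA; otherwise it is a server certificate for the
// hostname cn, signed by parent. Constructed fixture material, so it panics
// rather than returning errors.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyServer is the "trust confirmation" step: the presented certificate
// must chain to a root in the client's trust store and must be issued for
// the hostname the client meant to reach.
func verifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario is one certificate check; Err == nil means the client accepted it
// and would go on to open the encrypted channel session.
type Scenario struct {
	Name string
	Err  error
}

func (s Scenario) Trusted() bool { return s.Err == nil }

// RunScenarios walks through four situations a browser or mail client faces.
func RunScenarios() []Scenario {
	const host = "mail.example.com" // hypothetical server name
	trustedCA, trustedKey := makeCert("Trusted Root CA", true, nil, nil)
	genuine, _ := makeCert(host, false, trustedCA, trustedKey)
	rogueCA, rogueKey := makeCert("Rogue CA", true, nil, nil)
	spoofed, _ := makeCert(host, false, rogueCA, rogueKey) // same name, untrusted issuer
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	out := []Scenario{
		{"genuine certificate from trusted CA", verifyServer(genuine, roots, host)},
		{"spoofed certificate, issuer not in trust store", verifyServer(spoofed, roots, host)},
		{"genuine certificate presented for another hostname", verifyServer(genuine, roots, "imap.example.com")},
	}
	// A hacked or careless CA whose root sits in the trust store defeats the
	// check: the spoofed certificate now verifies exactly like the real one.
	roots.AddCert(rogueCA)
	out = append(out, Scenario{"spoofed certificate once rogue CA is trusted", verifyServer(spoofed, roots, host)})
	return out
}

func main() {
	for _, s := range RunScenarios() {
		fmt.Printf("%-52s trusted=%-5v %v\n", s.Name, s.Trusted(), s.Err)
	}
}
```

The defender's lever is the trust store and the hostname check, not the cipher: review which roots your mail clients and gateways trust, and keep certificate validation switched on for TLS delivery.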
Manual Encryption
Traditional Email Encryption
Tied to one device
How can users connect with so many roadblocks?
• Portals
• Passwords
• Secure attachments
• Password resets
• Extra steps
THE FRUSTRATION OF SEPARATE COMMUNITIES
Encryption Key Management
An elegant solution works without you even knowing it.
Encrypts every email within the community
THE POWER OF ONE COMMUNITY
Shared Key Directory
Influencers
What encryption does your regulator use?
(Diagram: Sender’s Email Environment, Zix Cloud, External Recipients)
• Zix Customer sending through ZixGateway
• Mail Server
• ZixDirectory of 43 million shared public keys
• ZixPort
• Zix Customer receiving through ZixGateway
• Non-Zix Customer receiving through ZixPort
• Non-Zix Customer receiving through TLS or ZixDirect
• Zix Customer receiving through ZixMail
BEST METHOD OF DELIVERY®: DETERMINES MOST SECURE AND EFFICIENT DELIVERY METHOD
Frictionless Email Encryption
Transparent to end-users
• No portals
• No passwords
• No extra steps
Automated Email Encryption
• Email composed and read in normal inbox
• Content scanned and encrypted automatically
– Attachments too
• Inbound messages decrypt automatically
– Can scan inbound messages for policy compliance
WHAT ABOUT MOBILE DELIVERY?
With many email encryption tools, recipients are unable to easily open encrypted email on mobile devices. The result:
• User frustration
• Interrupted workflow
• Reduced productivity
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
HarpreetSaini48
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
Knowyourright
 
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdfXYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
bhavenpr
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
Trademark Quick
 
Rokita Releases Soccer Stadium Legal Opinion
Rokita Releases Soccer Stadium Legal OpinionRokita Releases Soccer Stadium Legal Opinion
Rokita Releases Soccer Stadium Legal Opinion
Abdul-Hakim Shabazz
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
9ib5wiwt
 
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Syed Muhammad Humza Hussain
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
9ib5wiwt
 
Lifting the Corporate Veil. Power Point Presentation
Lifting the Corporate Veil. Power Point PresentationLifting the Corporate Veil. Power Point Presentation
Lifting the Corporate Veil. Power Point Presentation
seri bangash
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
9ib5wiwt
 
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptxHighlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
anjalidixit21
 

Recently uploaded (20)

Bharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptxBharatiya Nagarik Suraksha Sanhita power.pptx
Bharatiya Nagarik Suraksha Sanhita power.pptx
 
ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.ADR in criminal proceeding in Bangladesh with global perspective.
ADR in criminal proceeding in Bangladesh with global perspective.
 
Tax Law Notes on taxation law tax law for 10th sem
Tax Law Notes on taxation law tax law for 10th semTax Law Notes on taxation law tax law for 10th sem
Tax Law Notes on taxation law tax law for 10th sem
 
原版制作(PSU毕业证书)宾州州立大学公园分校毕业证学历证书一模一样
原版制作(PSU毕业证书)宾州州立大学公园分校毕业证学历证书一模一样原版制作(PSU毕业证书)宾州州立大学公园分校毕业证学历证书一模一样
原版制作(PSU毕业证书)宾州州立大学公园分校毕业证学历证书一模一样
 
Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)Business and Corporate Case Update (2024)
Business and Corporate Case Update (2024)
 
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
1比1制作(swansea毕业证书)英国斯旺西大学毕业证学位证书托业成绩单原版一模一样
 
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
一比一原版麻省理工学院毕业证(MIT毕业证)成绩单如何办理
 
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...
 
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdfDaftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
Daftar Rumpun, Pohon, dan Cabang Ilmu (28 Mei 2024).pdf
 
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence LawyersDefending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence Lawyers
 
Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....Car Accident Injury Do I Have a Case....
Car Accident Injury Do I Have a Case....
 
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdfXYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
XYZ-v.-state-of-Maharashtra-Bombay-HC-Writ-Petition-6340-2023.pdf
 
Secure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark TodaySecure Your Brand: File a Trademark Today
Secure Your Brand: File a Trademark Today
 
Rokita Releases Soccer Stadium Legal Opinion
Rokita Releases Soccer Stadium Legal OpinionRokita Releases Soccer Stadium Legal Opinion
Rokita Releases Soccer Stadium Legal Opinion
 
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
办理(waikato毕业证书)新西兰怀卡托大学毕业证双学位证书原版一模一样
 
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordina...
 
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
怎么购买(massey毕业证书)新西兰梅西大学毕业证学位证书注册证明信原版一模一样
 
Lifting the Corporate Veil. Power Point Presentation
Lifting the Corporate Veil. Power Point PresentationLifting the Corporate Veil. Power Point Presentation
Lifting the Corporate Veil. Power Point Presentation
 
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
原版仿制(aut毕业证书)新西兰奥克兰理工大学毕业证文凭毕业证雅思成绩单原版一模一样
 
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptxHighlights_of_Bhartiya_Nyaya_Sanhita.pptx
Highlights_of_Bhartiya_Nyaya_Sanhita.pptx
 

Raising the Bar for Email Security: Confidentiality and Privacy Standards that Lawyers Should Follow

  • 1. Raising the Bar on Email Security James F. Brashear General Counsel Zix Corporation
  • 2. Why this sudden focus on email security?
  • 3. Risk of Email Interception
  • 4. How email seems to work [network diagram: company network, routers, DLP, AS/AV] How email actually works [diagram: the cloud] Email is Cloud Data
  • 5. Unencrypted Email “Email sent in the ‘default’ manner over the Internet is inherently insecure.” • Benefits of Secure Email: – Integrity – Confidentiality – Privacy – Authenticity – Proof of receipt – Nonrepudiation “Now is the time to get serious about your email system.”
  • 7. Data Intercepts Happen Even if you don’t see them
  • 8. Slide 9 Spying by N.S.A. Ally Entangled U.S. Law Firm By JAMES RISEN and LAURA POITRAS FEB. 15, 2014 The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers. A top-secret document, obtained by the former N.S.A. contractor Edward J. Snowden, shows that an American law firm was monitored while representing a foreign government in trade disputes with the United States. The disclosure offers a rare glimpse of a specific instance in which Americans were ensnared by the eavesdroppers, and is of particular interest because lawyers in the United States with clients overseas have expressed growing concern that their confidential communications could be compromised by such surveillance.
  • 9. Unencrypted Email Intercepted • Gmail, Hotmail and Yahoo! accounts targeted by hackers – China’s Gmail DNS diversion
  • 10. Man-in-the-Middle Attacks • SSL Certificate Spoofing • Several SSL Certificate Authorities hacked • Courts in The Netherlands advised lawyers to stop using email
  • 11.
  • 12. Targeting Real Estate Professionals • Thieves intercept from title agencies emails providing wire transfer information for borrowers • Thieves alter the email by replacing the title company’s bank account information with their own, and then send it along to the borrowers • The emails appear to be genuine - containing the title agency’s email information and branding • Unsuspecting borrowers transmit earnest money to the thieves
  • 15. North Carolina Data Breach Notice Law • GS § 75-65. Protection from security breaches – Applies to any business that owns, licenses, maintains or possesses “personal information” of North Carolina residents • Requires notice of a “security breach” – An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer – Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach • Safe Harbor: encryption and a secure key – “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key
  • 16. Federal Data Breach Notice Standard? • White House proposed in January 2015 a federal data breach reporting standard that would preempt the various state laws • Proposal would create a safe-harbor, exempting companies from the notice requirements, if an assessment concludes that there is no reasonable risk of harm • Rebuttable presumption there is no reasonable risk of harm if the data “was rendered unusable, unreadable, or indecipherable through a security technology or methodology generally accepted by experts in the field of information security” • In other words, using strong encryption would provide a safe-harbor for businesses
  • 17. GLBA Safeguards Rule • Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the security and confidentiality of customers’ personally identifiable financial information • Financial institution means any business that is significantly engaged in providing financial products or services • Term includes: – Mortgage brokers – Non-bank lenders – Loan servicers – Real estate settlement services – Real estate appraisers
  • 18. GLBA Safeguards Rule • Nonpublic financial information means: – Personally identifiable financial information; and – Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available • Personally identifiable financial information means: – Information a consumer provides to obtain a financial product or service – Information about a consumer resulting from any transaction involving a financial product or service – Information otherwise obtained about a consumer in connection with providing a financial product or service to that consumer
  • 19. GLBA Safeguards Rule • Protect customer information – The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: ▪ Employee Management and Training ▪ Information Systems ▪ Detecting and Managing System Failures • Develop a written information security plan – Flexible standard appropriate to each company’s: ▪ size and complexity ▪ nature and scope of activities ▪ sensitivity of customer information handled
  • 20. Information Security Plan • Plan must cover: – designate employees to coordinate the information security program – identify and assess risks to customer information in each relevant area of the company’s operation – evaluate the effectiveness of the current safeguards for controlling these risks – design and implement a safeguards program, and regularly monitor and test it – evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring – select service providers that can maintain appropriate safeguards – make sure contracts require service providers to maintain safeguards – oversee service providers’ handling of customer information
  • 21. Oversight of Service Providers • CFPB Bulletin 2012-03 - Consumer Financial Protection Bureau expects financial institutions to oversee compliance with GLBA Safeguards by any person that provides a material service in connection with a consumer financial product or service • Financial institutions should take steps to ensure that service providers do not present unwarranted risks to consumers, including: – Due diligence to verify compliance with GLBA – Review service provider’s policies, procedures, internal controls and training materials about compliance with GLBA – Contractual provisions addressing compliance with GLBA – Establish internal controls and ongoing monitoring to determine compliance with GLBA – Take prompt action to address fully any problems
  • 22. Title Industry Standards ALTA Best Practices: Pillar #3 – Protecting NPI • Written Plan: Adopt and maintain a written privacy and information security program to protect Non-public Personal Information as required by local, state and federal law • Procedures include: Use only secure delivery methods when transmitting Non-public Personal Information.
  • 23. GLBA Email Security Guidance “Take steps to ensure the secure transmission of customer information” “If you must transmit sensitive data by email over the Internet, be sure to encrypt the data”
  • 25. Encryption Considerations • Client’s instructions • Degree of sensitivity of the information • Possible client impact from disclosure • Data breach laws • Likelihood of disclosure • Inherent level of security • Reasonable steps to increase security • Cost of additional safeguards • Urgency of the situation • Legal ramifications of unauthorized interception, access or use
  • 26.
  • 27. Channel Encryption Protects Email in Transit
  • 28. Channel Encryption From the Experts: SSL Hacked! Enterprise can't rely on encrypted communications anymore, but corporate counsel can champion a fix. Security of HTTPS channel encryption relies on trust in SSL certificates [diagram: Browser and Website Server exchange – identity inquiry, SSL certificate, trust confirmation, acknowledgement, encrypted channel session]
  • 29. Manual Encryption Traditional Email Encryption Tied to one device
  • 30. How can users connect with so many roadblocks? • Portals • Passwords • Secure attachments • Password resets • Extra steps THE FRUSTRATION OF SEPARATE COMMUNITIES Encryption Key Management
  • 31. An elegant solution works without you even knowing it. Encrypts every email within the community THE POWER OF ONE COMMUNITY Shared Key Directory
  • 32. Influencers What encryption does your regulator use?
  • 33. [diagram: Zix Customer Sending via ZixGateway; Sender’s Email Environment (Mail Server, ZixGateway); Zix Cloud (ZixDirectory of 43 million shared public keys, ZixPort); External Recipients – Zix Customer Receiving through ZixGateway, Zix Customer Receiving through ZixMail, Non-Zix Customer Receiving through ZixPort, Non-Zix Customer Receiving through TLS or ZixDirect] DETERMINES MOST SECURE AND EFFICIENT DELIVERY METHOD – BEST METHOD OF DELIVERY®
  • 34. Frictionless Email Encryption Transparent to end-users • No portals • No passwords • No extra steps
  • 35. Automated Email Encryption • Email composed and read in normal inbox • Content scanned and encrypted automatically – Attachments too • Inbound messages decrypt automatically – Can scan inbound messages for policy compliance
  • 36. With many email encryption tools, recipients are unable to easily open encrypted email on mobile devices. The result: • User frustration • Interrupted workflow • Reduced productivity WHAT ABOUT MOBILE DELIVERY?
  • 37.

Editor's Notes

  1. Edward Snowden
  2. Email can be intercepted at various points
  3. There is NO SECURITY inherent in email or in the Internet. Unlike enterprise firewall/intrusion detection, you cannot tell if email has been intercepted. Lawyers are increasingly focused on ensuring the security of client data stored in the cloud. What many lawyers fail to recognize is that internet-based email is data that is transmitted and stored in the cloud. Cloud-based email presents different, additional risks than do other cloud data services. With internet email, the lawyer does not control the locations of the multiple servers through which the data might be routed, whether and for how long the data is stored on those servers, the ability of third parties to access the data or the terms and conditions of all of the relevant email service participants. In other words, there is a heightened risk that data in unencrypted email could be intercepted and accessed by third parties. After a user composes a message in an e-mail client program, a program called a mail transfer agent ("MTA") formats that message and sends it to another program that "packetizes" it and sends the packets out to the Internet. Computers on the network then pass the packets from one to another; each computer along the route stores the packets in memory, retrieves the addresses of their final destinations, and then determines where to send them next. At various points the packets are reassembled to form the original e-mail message, copied, and then repacketized for the next leg of the journey. Sometimes messages cannot be transferred immediately and must be saved for later delivery. Even when delivery is immediate, intermediate computers often retain backup copies, which they delete later. This method of transmission is commonly called "store and forward" delivery. Once all the packets reach the recipient's mail server, they are reassembled to form the e-mail message.
  4. There is no security inherent in the internet or in internet email. Using secure, encrypted email provides a number of benefits. Besides the obvious: Confidentiality = secrecy; Privacy = identity protection. It also provides: Integrity = non-alteration; Authenticity = validating sender identity; Proof of receipt = certified delivery; Nonrepudiation = non-denial of origination or receipt.
  5. In April 2010, a Chinese Telecom was successful in routing 15 percent of the Internet so that traffic flowed through its data centers in China. That traffic could easily have been copied and methodically searched. If there was encrypted email in that message flow, the Chinese company would not have been able to read it. For more information on how the China Telecom attack worked, I recommend this site: http://bgpmon.net/blog. USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, USAPA), H.R. 3162. In April 2010, a huge amount of Internet traffic was diverted by hackers traced to China. Diverted email messages could easily have been copied and methodically searched. Wikipedia: E-mail is vulnerable to both passive and active attacks. Passive threats include Release of message contents, and Traffic analysis, while active threats include Modification of message contents, Masquerade, Replay, and Denial of Service (DoS). Actually, all the mentioned threats are applicable to the traditional e-mail protocols [1]: Disclosure of Information: Most e-mails are currently transmitted in the clear (not encrypted). By means of some available tools, persons other than the designated recipients can read the e-mail contents. Traffic analysis: It is believed that some countries are routinely monitoring e-mail messages as part of their surveillance. This is not just for counter-terrorism reasons but also to facilitate combat against industrial espionage and to carry out political eavesdropping. However, it is not devoted to the national agencies since there is a thriving business in providing commercial and criminal elements with the information within e-mails. Modification of messages: E-mail contents can be modified during transport or storage.
Here, the man-in-the-middle attack does not necessarily require the control of gateway since an attacker that resides on the same Local Area Network (LAN), can use an Address Resolution Protocol (ARP) spoofing tool such as "ettercap" to intercept or modify all the e-mail packets going to and from the mail server or gateway. Masquerade: It is possible to send a message in the name of another person or organization. Replay of previous messages: Previous messages may be resent to other recipients. This may lead to loss, confusion, or damage to the reputation of an individual or organization. It can cause some damage if e-mail is used for certain applications such as funds transferring, registration, and reservation. Spoofing: False messages may be inserted into mail system of another user. It can be accomplished from within a LAN, or from an external environment using Trojan horses. Denial of Service: It can put a mail system out of order by overloading it with mail shots. It can be carried out using Trojan horses or viruses sent to users within the contents of e-mails. It is also possible to block the user accounts by repeatedly entering wrong passwords in the login.
  6. Increasing Risks of Unsecured Internet Email
 Many lawyers believe they can rely on HTTPS browser sessions for secure transmission of client email over the web. That protocol relies on the validity of SSL certificates, which validate the identity of the email Web site. An HTTPS session creates an encrypted “pipeline” or “channel” between the user’s computer and the Webmail server. The problem is that both HTTP and HTTPS sessions are vulnerable to interception. Courts in the Netherlands recently advised lawyers to stop using email. In July 2011, a hacker infiltrated DigiNotar, the digital certificate authority used by the Dutch government, and issued false SSL certificates. That allowed the hacker to imitate the official government Web sites. According to the Wall Street Journal, Dutch lawyers were urged in September to use fax machines and old-fashioned paper mail instead of email. One lawyer described the situation as “an administrative nightmare.”
Because e-mail connects through many routers and mail servers on its way to the recipient, it is inherently vulnerable to both physical and virtual eavesdropping. Current industry standards do not place emphasis on security; information is transferred in plain text, and mail servers regularly conduct unprotected backups of e-mail that passes through. In effect, every e-mail leaves a digital paper trail in its wake that can be easily inspected months or years later. The e-mail can be read by any cracker who gains access to an inadequately protected router. Some security professionals argue that e-mail traffic is protected from such "casual" attack by security through obscurity - arguing that the vast numbers of e-mails make it difficult for an individual cracker to find, much less to exploit, any particular e-mail. Others argue that with the increasing power of personal computers and the increasing sophistication and availability of data-mining software, such protections are at best temporary. Intelligence agencies, using intelligent software, can screen the contents of e-mail with relative ease. Although these methods have been decried by civil rights activists as an invasion of privacy, agencies such as the U.S. Federal Bureau of Investigation conduct screening operations regularly. ISPs and mail service providers may also compromise e-mail privacy because of commercial pressure. Many online e-mail providers, such as Yahoo! Mail or Google's Gmail, display context-sensitive advertisements depending on what the user is reading. While the system is automated and typically protected from outside intrusion, industry leaders have expressed concern over such data mining. Even with other security precautions in place, recipients can compromise e-mail privacy by indiscriminate forwarding of e-mail.
This can reveal contact information (like e-mail addresses, full names, and phone numbers), internal use only information (like building locations, corporate structure, and extension numbers), and confidential information (trade secrets and planning). In the United States and some other countries lacking secrecy of correspondence laws, e-mail exchanges sent over company computers are considered company property and are thus accessible by management. Employees in such jurisdictions are often explicitly advised that they may have no expectation of a right to privacy for messages sent or received over company equipment. This can become a privacy issue if employee and management expectations are mismatched.
  7. Only applies to NC citizens. Doesn’t mandate reasonable data security measures. Personal Information - A person's first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b): SSN, employer's taxpayer ID #, driver's license, state ID card, or passport #, checking or savings account #, credit or debit card #, PIN code, electronic ID #, electronic mail names or addresses, internet account #, internet ID names, digital signatures, any other numbers or info that can be used to access a person's financial resources, biometric data, fingerprints, passwords, and parent’s legal surname prior to marriage. Location, location, location. Laws in almost every state require that businesses–including law firms–take reasonable steps to protect sensitive personal information. Texas Business and Commerce Code section 521.052, for example, requires businesses to “implement and maintain reasonable procedures” to protect sensitive personal information, and it provides a safe harbor from data breach notification requirements if the information was encrypted. Even if you’re in a state that does not require the protection of personal data, you may be subject to long-arm privacy laws. Massachusetts 201 CMR 17.00 and Nevada S.B. No. 227 require that personal information of their states’ residents be encrypted when it is transmitted in email, no matter who sends or receives the email or where they’re located. Nowadays, the standards for reasonable procedures to protect sensitive information clearly include using encrypted email.
  8. This is similar to the legislative change recently proposed in the State of Washington, which would replace the blanket encryption safe harbor with one that requires a risk of harm assessment. Here is a link to the proposed legislative wording.
  9. Section 313.3(k) of the GLBA Privacy Rule and Financial Activities Regulations
  10. Section 313.3(n) and (o) of the GLBA Privacy Rule and Financial Activities Regulations
  11. http://www.ftc.gov/tips-advice/business-center/financial-institutions-customer-information-complying-safeguards-rule
  12. Section 313.3(n) and (o) of the GLBA Privacy Rule and Financial Activities Regulations
  13. http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf
  14. http://www.ftc.gov/tips-advice/business-center/financial-institutions-customer-information-complying-safeguards-rule
  15. Portable media
      Mobile devices
      WiFi
      Bluetooth
      Cellular
      Text Messaging (SMS)
      Instant Messaging (IM)
      Email
  16. The degree of care, and level of data security, should be reasonable in the circumstances. Digital security is not binary. It is not simply “on” or “off.” 
  17. There is a balance between reasonable security and reasonable convenience. But … security is like insurance: everybody thinks they have enough until they discover they have too little.
  18. What do you mean by encryption of email in transit? When an email is encrypted in transit, that means it’s protected against being read by someone with access to the networks through which the email is traveling, on its way from the sender to the destination. You can think of it as a temporary envelope of security that is wrapped around your email to keep it private while it is being transmitted to its intended recipient. Transport Layer Security (TLS) is the standard means of performing encryption in transit for email. What TLS doesn’t do is encrypt data at rest—that is to say, it does not encrypt email while it is stored on a server.
  19. Improvements expected from Internet Protocol version 6 (IPv6)
      From the Experts: SSL Hacked! Enterprise can't rely on encrypted communications anymore, but corporate counsel can champion a fix. Steve Roosa, Corporate Counsel, September 28, 2011
      Creates an HTTPS browser session – the channel is encrypted
      Vulnerable to session hijacking and MITM attacks
      EFF identified problem with Certificate Authorities improperly issuing SSL certificates
      Comodo issued fraudulent digital certificates to hackers. http://nyti.ms/hNJswe
      DigiNotar hack
      Why an encrypted "channel" is not as good as encrypting "content":
      Researchers decrypt data on mobile networks http://j.mp/or33Nm
      Sniffer Hijacks SSL Traffic From Unpatched iPhones http://bit.ly/nTJPJ0
      The Register http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
      Hackers break SSL encryption used by millions of sites
      Beware of BEAST decrypting secret PayPal cookies
      By Dan Goodin in San Francisco, posted in ID, 19th September 2011 21:10 GMT
      Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting.
      At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.
  20. End-to-end encryption – most secure … but least convenient
      Encryption key is stored on one device
  21. Best Method of Delivery
      Send to anyone
      Content encryption versus session encryption
      End-to-End versus server-to-server encryption
      TLS = Transport Layer Security
      Opportunistic TLS versus mandatory TLS
      Guaranteed encrypted replies
      Push (secure attachment) versus Pull (portal delivery)
  22. Header information is never encrypted:
      Sender email address
      Recipient email addresses
      Subject description
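Slides 18 and 21 contrast encryption in transit with the choice between opportunistic and mandatory TLS. The following Python is an added example, not code from the presentation or from Zix: it parses a constructed SMTP EHLO reply and shows what each policy does when the receiving server does or does not advertise STARTTLS. The EHLO texts and the `choose_delivery` policy function are assumptions of the example.

```python
"""Opportunistic vs. mandatory TLS for outbound SMTP delivery.

Added example: the EHLO replies below are constructed samples and
choose_delivery() is a hypothetical policy function, not Zix code.
"""

# Constructed EHLO replies in RFC 5321 format: '250-' marks a continuation
# line, '250 ' (with a space) marks the final line of the reply.
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250 8BITMIME"
)

OPPORTUNISTIC = "opportunistic"  # encrypt only if the peer offers STARTTLS
MANDATORY = "mandatory"          # never deliver without a TLS session


def ehlo_extensions(reply: str) -> set:
    """Return the extension keywords a server advertises in its EHLO reply."""
    extensions = set()
    for index, line in enumerate(reply.splitlines()):
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"not a 250 EHLO reply line: {line!r}")
        if index == 0:
            continue  # the first line is the server greeting, not an extension
        words = line[4:].split()
        if words:
            extensions.add(words[0].upper())
    return extensions


def choose_delivery(reply: str, policy: str) -> str:
    """Decide how the message goes to this hop: 'tls', 'plaintext' or 'defer'.

    Either way only the hop is protected: TLS wraps the session, not the
    stored message, so content encryption is still needed for data at rest.
    """
    if "STARTTLS" in ehlo_extensions(reply):
        return "tls"
    if policy == MANDATORY:
        return "defer"  # queue or bounce; a missing STARTTLS must not downgrade
    return "plaintext"  # opportunistic: the temporary envelope is simply absent
```

With the opportunistic policy, any hop that fails to advertise STARTTLS, whether because the server lacks it or because the advertisement was lost on the path, silently results in plaintext delivery; the mandatory policy is what turns that into a deferral you can see in the queue.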