Actionable advice for security newbies and veterans alike on how to meet and exceed the data security requirements of the FTC Safeguards Rule.
How Sending Documents via Email Fails to Meet the Updated FTC Safeguards Rule
The FTC's updated Safeguards Rule's requirements around encryption, authentication, and customer data disposal expose email's security shortcomings.
Sending sensitive documents via email is familiar and convenient. However, convenience has many downsides, with the biggest being poor data security.
If your staff still rely on emailing sensitive information and unencrypted documents, including those containing your customers’ PII and PIFI (Personally Identifiable Financial Information), then you are taking huge risks.
With the updated FTC Safeguards Rule going into effect on June 9th, 2023, the Federal Trade Commission is no longer tolerating such risky business.
Updates to this Rule require all non-banking “financial institutions” in the U.S. to create a comprehensive information security program that protects their customers’ PII from data breach and identity theft.
The FTC also greatly expands the range of companies defined as financial institutions that must comply with the Rule.
The FTC has already been busy. In October 2022, the FTC cracked down on two companies — edtech provider Chegg and e-commerce company Drizly — for data security failures. Both were ordered to restrict the type and amount of customer data they can collect, destroy unnecessary data, adopt multi-factor authentication, and let customers access and delete their own data.
While the Safeguards Rule does not explicitly ban sending documents via email, the FTC treats email as a major risk, citing a 2020 FBI report that attributes $2.1 billion in losses by U.S. businesses to email-related data breaches.
Moreover, it is clear that the way most documents are shared today via email fails to comply with the specific data security requirements laid out in the Safeguards Rule.
Here are five specific instances:
1. “Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest.”
Many emails today are protected in transit by Transport Layer Security (TLS), which encrypts the connection between TLS-capable mail servers (and between a mail client and its own server). Google reports that about 90 percent of its incoming and outgoing email is encrypted with TLS. Note that SMTP TLS is usually opportunistic (STARTTLS): unless the receiving domain enforces it with MTA-STS or DANE, a hop that fails to negotiate TLS simply falls back to plaintext.
That's the good news. The bad news is that TLS is not end-to-end. It protects each hop, but the message and its attachments are decrypted and stored in the clear at every relay along the way, and they sit readable in both the sender's outbox and the recipient's inbox, where a compromised account or server exposes them.
For that, users must turn to S/MIME or PGP, which encrypt the message body and attachments themselves so that only the holder of the recipient's private key can read them. S/MIME is built into Outlook and into Gmail for Google Workspace accounts; PGP generally requires a browser extension or plug-in. Email administrators can also make S/MIME encryption a required policy for some or all employees.
However, end-to-end email encryption has failed to catch on. According to a study quoted by the New Scientist, fewer than 1 in 1,600 emails use either S/MIME or PGP. The same study found only 5.5 percent of users had ever used S/MIME or PGP. The reason, according to the magazine? “Too much of a hassle.”
The hassle is two-fold. First, both parties need a certificate or key pair, must exchange and verify each other's public keys, and must keep them renewed, revoked when compromised, and re-verified over time; for non-specialists this is a technically forbidding process that never really ends. Second, employees must be trained to routinely encrypt outgoing messages and documents, and supported (and placated) when they cannot decrypt incoming messages and attachments.
This hassle remains, and may have already doomed the chances of end-to-end email encryption ever catching on. “PGP is dead,” declared Wired in 2018.
2. “Authenticate and permit access only to authorized users” and “limit authorized users' access only to customer information that they need to perform their duties and functions”
Beyond the password, email-based authentication can be strengthened. S/MIME and PGP signatures authenticate the sender, and encrypting to the recipient's public key ensures that only the holder of the matching private key can read the message. Gmail's confidential mode lets senders set an expiration date, revoke access, and block forwarding, copying, printing and downloading, though it cannot stop a recipient from taking a screenshot.
The fundamental problem remains: email is inherently decentralized, so customer data can quickly go into the wild. Once emails and attachments reach customers, partners or anyone else outside your organization, you lose the ability to authenticate readers or control access to the documents.
3. Adopt “procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information.”
Driven by last decade’s Bring-Your-Own-Device (BYOD) movement, more than 70 percent of emails today are opened and read on mobile devices, most of them employee-owned ones.
That creates huge risks — and consequences.
Last month, a high-ranking UK politician was forced to resign after she used her smartphone to send confidential government documents using her personal email.
No wonder 62 percent of cybersecurity pros worry about data leakage/loss from mobile devices, while another 53 percent worry about lost devices.
BYOD is too popular to ban. And attempts to secure mobile email with mobile device management (MDM) have proven to be either ineffective band-aids or over-hardened schemes that destroy email's convenience and draw user complaints.
4. “Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.”
Every time a document is shared as an email attachment, new copies are created: in the sender's Sent folder, in every recipient's mailbox, on each mail server and backup in between, and in the cache of every device that opens it. For important documents with multiple revisions, that can mean tens or hundreds of versions of the same file scattered across locations inside and outside your organization, all of them containing customer PII and PIFI.
Monitoring and logging access by authorized and unauthorized users to all of those scattered documents containing customer PII becomes an impossible task.
5. “Securely dispose of customer information no later than two years after your most recent use of it to serve the customer.”
Similarly, allowing users to freely email documents — whether encrypted or not — makes managing customer data through its lifecycle nearly impossible. Finding and deleting all of the instances of customer data inside your organization becomes a labor-intensive nightmare. For documents that are shared with the customer or other third parties, deleting those instances will prove impossible.
A Proven, Practical Alternative to Email Document Sharing
Complying with the FTC means companies cannot stand still, but must choose one of several paths forward. One is to attempt to shore up their legacy email infrastructure with complex encryption, authentication and device management features. Besides throwing good money at a less than ideal solution, that still provides imperfect protection of shared documents and sensitive information, while destroying email’s beloved convenience.
Another path is to replace emailing documents with a centralized data governance architecture over all your files, whether on servers or in the cloud, protected by role-based (RBAC), mandatory (MAC) or attribute-based (ABAC) access control. This would be an expensive, risky project that would take most organizations years to complete.
The third path is the most pragmatic and cost-effective: a secure document portal that safely shares sensitive files containing your customer PII. For companies, this provides fine-grained access control and powerful monitoring and lifecycle management features in a turnkey, economical solution. For authenticated workers and customers, this provides the same convenience as email document sharing, but with additional time-saving features to expedite the document collection process.
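To make concrete what a centralized portal buys you over scattered attachments, the following Python sketch (an added example, not code from the article or any vendor's product) models one copy of each file behind an access check, an audit trail, and a disposal sweep. It covers points 2, 4 and 5 above: unauthenticated or out-of-scope reads are refused and logged, every read updates the document's "last used" date, and anything not used to serve its customer for two years is wiped in one place. All user names, document IDs and the fixed clock are constructed for the demo.

```python
"""Toy document portal: single copy, authorize, log, dispose. Added example
with constructed data; roles and IDs are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Rule text: dispose no later than two years after the most recent use
# of the information to serve the customer.
RETENTION = timedelta(days=2 * 365)


@dataclass
class Document:
    doc_id: str
    customer_id: str
    content: Optional[bytes]   # None once securely disposed
    last_used: datetime


@dataclass
class User:
    user_id: str
    role: str                                    # "customer", "advisor" or "auditor"
    authenticated: bool = False                  # True only after MFA succeeded
    customer_id: Optional[str] = None            # customers may read only their own files
    book: List[str] = field(default_factory=list)  # customers an advisor serves


class DocumentPortal:
    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock
        self.docs: Dict[str, Document] = {}
        self.audit_log: List[dict] = []

    def store(self, doc: Document) -> None:
        self.docs[doc.doc_id] = doc

    # Point 2: authenticate, then limit access to what the role needs.
    def _authorized(self, user: User, doc: Document) -> bool:
        if not user.authenticated:
            return False
        if user.role == "customer":
            return user.customer_id == doc.customer_id
        if user.role == "advisor":
            return doc.customer_id in user.book
        return False  # auditors see the log, never customer content

    # Point 4: every attempt is logged; denied ones are flagged.
    def read(self, user: User, doc_id: str) -> bytes:
        doc = self.docs.get(doc_id)
        allowed = doc is not None and doc.content is not None and self._authorized(user, doc)
        self.audit_log.append({"ts": self._clock().isoformat(), "user": user.user_id,
                               "doc": doc_id, "action": "read",
                               "outcome": "allowed" if allowed else "denied"})
        if not allowed:
            raise PermissionError(f"{user.user_id} may not read {doc_id}")
        doc.last_used = self._clock()  # a legitimate read counts as serving the customer
        return doc.content

    def denied_attempts(self) -> List[dict]:
        return [e for e in self.audit_log if e["outcome"] == "denied"]

    # Point 5: wipe everything not used to serve its customer within RETENTION.
    def dispose_expired(self) -> List[str]:
        cutoff = self._clock() - RETENTION
        disposed = []
        for doc in self.docs.values():
            if doc.content is not None and doc.last_used <= cutoff:
                doc.content = None  # the only copy, so this is the whole deletion
                disposed.append(doc.doc_id)
                self.audit_log.append({"ts": self._clock().isoformat(), "user": "system",
                                       "doc": doc.doc_id, "action": "dispose", "outcome": "done"})
        return disposed


def run_scenario() -> dict:
    """Constructed walk-through; returns the outcomes so they can be checked."""
    now = datetime(2023, 6, 9, tzinfo=timezone.utc)
    portal = DocumentPortal(lambda: now)
    portal.store(Document("tax-2022", "cust-A", b"1040 for customer A", now - timedelta(days=30)))
    portal.store(Document("loan-2019", "cust-B", b"loan file for customer B", now - timedelta(days=3 * 365)))
    alice = User("alice", "customer", authenticated=True, customer_id="cust-A")
    bob = User("bob", "advisor", authenticated=True, book=["cust-A"])
    carol = User("carol", "advisor", authenticated=True, book=["cust-B"])
    mallory = User("mallory", "customer", authenticated=False, customer_id="cust-A")  # stolen link, no MFA
    out = {"alice_read": portal.read(alice, "tax-2022"), "bob_read": portal.read(bob, "tax-2022")}
    for who, doc_id, key in ((bob, "loan-2019", "bob_cross_denied"), (mallory, "tax-2022", "mallory_denied")):
        try:
            portal.read(who, doc_id)
            out[key] = False
        except PermissionError:
            out[key] = True
    out["disposed"] = portal.dispose_expired()
    try:
        portal.read(carol, "loan-2019")
        out["carol_after_dispose_denied"] = False
    except PermissionError:
        out["carol_after_dispose_denied"] = True
    out["denied_count"] = len(portal.denied_attempts())
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The point of the sketch is structural rather than the specific policy: because the file exists exactly once behind the portal, the access decision, the log entry and the deletion all happen at the same place, which is what the email-attachment model makes impossible once copies fan out to mailboxes you do not control.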