How to Send Documents Securely via Email: Gmail Edition
Learn how to enable different security features in Gmail to satisfy FTC compliance standards when sending sensitive information via email.
In the first two quarters of 2022, email-based cyberattacks increased by 48%. According to the FBI, at least 90% of successful cyberattacks now originate from email breaches, following a 400% rise in phishing attacks over 2021 rates. With the cost of an enterprise data breach now averaging $9.44 million, businesses should ask themselves whether they can expect to send documents securely via email platforms such as Gmail.
In response to increased cybercrime and the growing public liability that vast databases of sensitive, personally identifiable information (PII) represent, the federal government has moved to tighten existing data privacy regulations. According to the stricter FTC Safeguards Rule that goes into effect next month, businesses must “protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest,” or risk serious legal consequences.
As email remains the preferred channel – 92% of the time – for collaborating and exchanging work-related documents with coworkers and clients, achieving compliance under the new Safeguards Rule will require a major overhaul of infosec practices in most organizations.
Gmail: Free, User-friendly and Popular
Gmail is currently the most widely used business email platform, with 37% of the total market. In this guide, you’ll learn how to enable different security features in Gmail and which ones satisfy FTC compliance standards for PII.
Securing Documents in Gmail
Gmail users have a few different encryption options.
Default Transport Layer Security (TLS)
By default, Gmail encrypts emails in transit with Transport Layer Security (TLS), the standard cryptographic protocol for HTTPS communications. Personal Gmail accounts and Enterprise Standard accounts do not offer encryption above TLS. As TLS protects a message only while it moves between servers and provides no storage-level (at-rest) encryption, it fails to meet the Safeguards Rule requirements.
S/MIME or PGP Encryption in Gmail
Gmail users with an Enterprise Plus account and admin privileges can enable additional encryption features.
Secure/Multipurpose Internet Mail Extension (S/MIME)
S/MIME is a commonly accepted public key encryption standard used for email encryption and digital signatures. S/MIME provides:
- User authentication through a public key
- Nonrepudiation for digital signatures
- Data integrity services
S/MIME digital signatures ensure data integrity, but they don’t guarantee confidentiality. Unencrypted messages using only digital signatures still transit in plain text and may be viewed or intercepted by third parties. When users select S/MIME encryption for email content – rather than just securing the transmission protocol – S/MIME qualifies as data protection in transit and at rest and meets FTC standards.
To enable S/MIME in Gmail, users must:
- Open the Google Admin console
- Navigate to Apps > Google Workspace > Gmail > User settings
- Select a domain or organization under the Organizations tab
- Scroll down the menu to the S/MIME setting option and check the Enable S/MIME encryption for sending and receiving emails box
- To allow users to upload their own certificates, check the Allow users to upload their own certificates box
Pretty Good Privacy (PGP)
Pretty Good Privacy (PGP) is one of the original private-public key encryption techniques for digital data communications on the internet. PGP combines public-key cryptography, hashing, symmetric-key encryption, and data compression in a single protocol.
The PGP process begins by pairing key/value credentials consisting of a username and password with a public key. Like other private-public key encryption processes, PGP encrypts with a public key and decrypts with a private key. To manage the large number of private-public key pairs in use across the internet, PGP relies on a trust model called the “web of trust” that associates individual users with unique certificates to prevent impersonation. As PGP ensures confidentiality and encrypts end-to-end, it complies with the new Safeguards Rule.
Gmail doesn’t have an out-of-the-box option for PGP encryption. Rather, users must install a browser extension such as Mailvelope or FlowCrypt to enable it.
- FlowCrypt: FlowCrypt allows users to import existing encryption keys. It’s available as a browser extension for Chrome and Firefox and as a mobile app for Android and iOS.
- Mailvelope: Users can install Mailvelope for Gmail in a few simple steps.
  - Navigate to https://mailvelope.com/
  - Select either Chrome or Firefox
  - Click Add to accept app permissions
  - Mailvelope will open a new browser tab loaded with the setup page. Click the lock icon in the upper right-hand corner to select between Generate Key and Import Key.
  - Users without an existing key should select Generate Key.
  - On the Generate Key page, users will need to provide their full names and Gmail addresses and create a password. This will generate a new unique key.
  - When writing new emails, users will see a pencil icon in the top right of the composition box. To encrypt, tap the icon to open a new composition box – displaying a lock icon in the top right – and enter text.
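As an added example (not from this article, and not code from Google, Mailvelope or FlowCrypt), the Python script below classifies a message by the protection it actually carries, applying the distinctions drawn above: a TLS hop only covers the wire, an S/MIME signature only proves integrity, and only S/MIME enveloped-data, PGP/MIME or an inline PGP block encrypts the content itself. The sample messages, host names and base64/armour bodies are constructed placeholders.

```python
"""Classify what protection an email message really carries (added example, not
from the article): a TLS hop secures only the wire, a signature only proves
integrity, and only S/MIME enveloped-data or PGP encrypts the content itself."""
import email
from email import policy
from email.utils import collapse_rfc2231_value

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"


def _param(msg, name):
    """Lower-cased Content-Type parameter, or '' when absent."""
    val = msg.get_param(name)
    return "" if val is None else collapse_rfc2231_value(val).lower()


def classify(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    r = {"scheme": "none", "content_encrypted": False, "signed_only": False}
    # Receiving servers log STARTTLS/SMTPS delivery as "with ESMTPS"/"ESMTPSA" (RFC 3848).
    r["tls_hop"] = any(" with ESMTPS" in h for h in msg.get_all("Received", []))
    if ctype == "application/pkcs7-mime" and _param(msg, "smime-type") == "enveloped-data":
        r.update(scheme="S/MIME enveloped", content_encrypted=True)
    elif ctype == "multipart/encrypted" and _param(msg, "protocol") == "application/pgp-encrypted":
        r.update(scheme="PGP/MIME", content_encrypted=True)
    elif ctype == "multipart/signed" or _param(msg, "smime-type") == "signed-data":
        r.update(scheme="signature only", signed_only=True)
    else:  # extensions such as Mailvelope may also place the armoured block inline
        body = msg.get_body(preferencelist=("plain",))
        if body is not None and PGP_ARMOR in body.get_content():
            r.update(scheme="inline PGP", content_encrypted=True)
    r["covers_at_rest"] = r["content_encrypted"]  # the Safeguards Rule test in the article
    return r


# Constructed samples; hostnames, ids and the base64/armour bodies are placeholders.
PLAIN_OVER_TLS = ("Received: from mx.example.test by mail.example.test with ESMTPS id x1;\n"
                  " Mon, 1 May 2023 10:00:00 +0000\nContent-Type: text/plain\n\nSSN 000-00-0000\n")
SMIME_SIGNED = ('Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
                'micalg=sha-256; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\nreadable\n'
                '--b1\nContent-Type: application/pkcs7-signature\n\nMIIB-placeholder\n--b1--\n')
SMIME_ENVELOPED = ("Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
                   "Content-Transfer-Encoding: base64\n\nMIAG-placeholder\n")
INLINE_PGP = ("Content-Type: text/plain\n\n" + PGP_ARMOR + "\n\nhQEM-placeholder\n"
              "-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    for raw in (PLAIN_OVER_TLS, SMIME_SIGNED, SMIME_ENVELOPED, INLINE_PGP):
        print(classify(raw))
```

Run it against an exported .eml to see which of the four states a given message is in; only `covers_at_rest` being true matches the article's reading of the Safeguards Rule.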
Secure Document Collection with FileInvite
Although Gmail users have options to encrypt sensitive emails according to new FTC standards, these features are inconvenient and only rarely and inconsistently employed. FileInvite’s secure, SOC 2 Type 2 compliant document collection platform provides bank-grade security for client PII in a single, intuitive interface where clients and their representatives can see the current statuses of all ongoing processes.