Microsoft Outlook offers some encryption options to increase security, but even sending emails this way is not always compliant under the FTC Safeguards Rule.
With 3.35% of the global market share, Microsoft Outlook is the third-most-popular email client worldwide. As the default client for Windows and Office 365, Outlook accounts for a higher percentage of business emails than strictly personal communications. Because emails and attachments that contain customer personally identifiable information (PII) now fall under the authority of the enhanced FTC Safeguards Rule, businesses should regulate the use of Outlook to exchange sensitive information and provide their employees with guidelines for sufficiently securing email contents.
Although the FTC conceded in November last year to delay enforcement of the Safeguards Rule until June 2023, many businesses in regulated industries are still struggling to bring their information security practices up to standard. Workplace reliance on email attachments to exchange documents remains a major hurdle. Even though the most widely used email clients – Apple, Gmail, and Outlook – have features for various encryption protocols, most users are unaware of them.
This blog post explains encryption options in Outlook and their pros and cons concerning the Safeguards Rule.
Users can encrypt emails in Outlook in four ways. Note that options 3 and 4 are only available to users with Office 365 Enterprise E3 licenses.
Like Gmail, Outlook uses standard Transport Layer Security (TLS) to encrypt outgoing emails. However, TLS only secures email contents in transit to prevent interception.
As users must re-encrypt opened emails to secure them in storage, TLS alone does not satisfy the requirements of the Safeguards Rule.
Users should also be aware that Outlook prioritizes message delivery over encryption. This means that when Outlook attempts to send a TLS-encrypted email to an account that does not support TLS version 1.2 or higher, the email does not encrypt and transits in plain text. To check if a received email is encrypted:
S/MIME is a popular public-key encryption format. Only when deployed with a digital signature, does S/MIME provide end-to-end encryption in compliance with the Safeguards Rule. Outlook supports the use of S/MIME, but users must add a signing certificate to their keychain to enable it.
To encrypt an email with S/MIME in Outlook:
To add a signing certificate for an outgoing email:
Users with Office 365 enterprise-level accounts can use Microsoft’s client-side encryption and certificate management technology. OME employs 256-bit Advanced Encryption Standard (AES), the highest grade encryption format, and is suitable for use in business operations subject to the Safeguards Rule.
To encrypt a message:
Under the Encrypt-Only setting, recipients cannot disable encryption, but they can forward and download emails and attachments without restriction. For this reason, users should exercise caution when choosing Encrypt-Only recipients.
To apply additional security controls for OME, follow the steps above but choose Do Not Forward instead of Encrypt-Only. The Do Not Forward permission setting applies AES encryption and disables the Forward and Print buttons on the receiving end. Do Not Forward messages are effectively read-only communications and ensure the greatest degree of sender ownership for Outlook emails.
Drafting and enforcing information security policies for email use that ensure Safeguards compliance is a risky venture for businesses in regulated industries. Even with comprehensive policies and training, accidental oversight may still result in data breaches and expose an organization to punitive action and loss of client trust. The most reliable way to mitigate the risk of data breaches is to adopt technologies that are secure by design rather than configuration.
FileInvite’s automated document collection platform provide an efficient single-pane-of-glass solution to the challenges of Safeguards’ compliant file sharing. With document portals secured by 256-bit end-to-end encryption for files in transit and at rest, FileInvite facilitates document collection processes while maintaining bank-grade security.
To learn more about how you can achieve Safeguards compliance in your organization, sign up for a free FileInvite account today.
Learn how to enable different security features in Gmail to satisfy FTC compliance standards when sending sensitive information via email.
The FTC's updated Safeguard Rule's requirements around encryption, authentication, and customer data disposal expose email’s security shortcomings.
Businesses that collect and handle personally identifiable information and other sensitive data must understand their obligations ahead of upcoming...
