How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for Any Organization

An Osterman Research White Paper
Published August 2011
Sponsored by DataMotion

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934
[email protected] • www.ostermanresearch.com • twitter.com/mosterman
©2011 Osterman Research, Inc.

Executive Summary

Corporate content is everywhere: in server-based email databases; local email databases; file servers; client devices like desktops, laptops, netbooks, smartphones and tablets; cloud-based file transport and storage systems; instant messaging and Web conferencing databases; corporate and “public” social media databases; portable media like flash drives, CDs and DVDs; backup tapes; archiving systems; personal Webmail systems; and home computers – among other places. The growing number of employees who work remotely, the increasing “consumerization” of IT, and the diversity of cloud-based communication and storage services mean that the places in which corporate data can be stored – and from which it can be sent – are growing in number.

And therein lies a critical problem for virtually every organization: data is everywhere and most of it is not encrypted. That means that sensitive or otherwise confidential data is open to intentional or accidental interception, resulting in breaches of data that can have serious consequences, including violation of statutory requirements to protect this data, loss of corporate reputation, expensive remediation efforts, loss of goodwill among customers, loss of revenue and other fairly nasty results.

KEY TAKEAWAYS

This white paper discusses four important points that should be top-of-mind for any IT or line-of-business corporate decision maker:

• Encrypt content
Sensitive or confidential content must be encrypted both in transit, such as when sent via email, and at rest, such as when it is stored on flash drives, FTP servers or in cloud-based storage systems.

• Not encrypting has serious consequences
The consequences of not encrypting content – and subsequently losing or misplacing it – can be very damaging.

• Encryption pays for itself and creates new opportunities
Encryption is not only a defense against inadvertent or malicious loss of data; it can also generate a significant return on investment, create new business opportunities, help businesses retain or gain customers, and provide competitive differentiation.

• Encryption reduces corporate risk
Encryption can reduce corporate risk and the costs associated with any sort of data breach.

ABOUT THIS WHITE PAPER

This white paper discusses the many reasons for encrypting data, both when it is in transit and at rest. It also provides a brief overview of DataMotion, the sponsor of this paper.


Communications and Content Management is Critical

THE NUMBER OF VENUES FOR COMMUNICATIONS AND STORAGE IS GROWING

The number of tools with which employees and others communicate is growing, as is the number of places in which corporate content can be stored. For example, in the typical organization of information workers a large number of tools are in use:

• Traditional computing platforms like desktop computers, laptops and netbooks.
• Corporate email systems using local clients, such as Outlook; corporate email systems using Web-based access, such as Outlook Web Access; and personal Webmail systems.
• Unified communications systems.
• Corporate instant messaging and Web conferencing systems, such as IBM Sametime; and consumer instant messaging systems, such as Yahoo! Messenger.
• Dedicated social media tools, such as IBM Connections and Jive; and “public” systems, such as Facebook, Twitter and LinkedIn.
• File transfer systems in the cloud, such as YouSendIt or Box.net.
• Removable content storage and transfer devices like flash drives, CDs/DVDs and external hard drives.
• Mobile devices like smartphones and tablets.
• Content synchronization services, such as Dropbox.
• Content backup services like Backblaze and Mozy.
• Content archiving services.
• Voice-over-IP services, such as Skype.

CONSIDER THE TYPICAL ENVIRONMENT

During a normal workday, the typical user will generate, send and store a significant amount of content:

• About 50 emails, including many emails replied to or forwarded from others
• Several instant messaging conversations via Skype or an instant messaging client
• Several word processing documents and spreadsheets
• A presentation or two
• Backed-up copies, potentially on systems managed by both the company and the individual
• Content stored in archiving systems
• Content stored in various cloud-based data centers, potentially in locations around the world


Moreover, users will send files via email, they might copy files to a flash drive to take home to work on after dinner, check their work email from a home computer, upload files to a file-sharing or desktop synchronization service, back them up for safekeeping to an external drive, etc. The bottom line is that data resides and is being sent everywhere – on multiple devices, in multiple locations and on multiple corporate and personal systems.

Most Content is Not Encrypted

CONTENT IS EASY TO INTERCEPT BY UNAUTHORIZED PARTIES

Because the vast majority of emails, files and other content are not sent or stored with any sort of encryption, they can be easily intercepted and accessed by unauthorized parties, or they can be accidentally leaked in any number of ways. The result is that data breaches are quite common and occur in a variety of ways. For example:

• In August 2011, it was revealed that some government officials in Gold Coast, Queensland, Australia were intercepting emails from “blacklisted” individuals and sending them to another official for review.[i]
• In July 2011, Estée Lauder notified its employees that a company-issued laptop had been stolen, resulting in the loss of names and Social Security numbers for current employees, former employees and contractors.[ii]
• In June 2011, a survey hosted by Psychiatric Times exposed the names and email addresses of survey respondents for roughly 16 hours.[iii]
• In November 2010, confidential medical information for a number of patients was emailed by a physician at Geisinger Health System to his personal email account.[iv]
• In late 2010, emails sent to a BT Connect customer using the domain “btconnect.com” would be delivered to an entirely different recipient if the domain was mistakenly typed as “btconnect.co”.[v] BT has since addressed this issue and acquired the latter domain name.
• In 2009, a former employee of Ford Motor Company copied 4,000 sensitive corporate documents and gave them to Beijing Automotive Company, his new employer.[vi]

Moreover, hundreds of thousands of devices – including smartphones, tablet computers, laptops and flash drives – are left behind at TSA checkpoints, in cabs, in restaurants, and in other locations each year. For example, a study by Credant found that 11,000 mobile devices were left behind at major US airports during the preceding 12 months.[vii]

All of these errors – and in a small number of cases intentional thefts of unencrypted data – mean that sensitive and confidential content is quite easy for unauthorized parties to obtain. Add to this the problems inherent in many corporate FTP systems for which users share login credentials and that store sensitive information for long periods without encryption or any sort of oversight. Cloud-based services that do not encrypt data suffer from the same problem.


USERS ARE PRONE TO ERRORS

In the course of doing their work, people make mistakes, sometimes revealing sensitive information that can then be accessed freely in a number of venues. For example:

• The Social Security numbers of 20,000 employees of Swedish Medical Center in Washington State were accessible on the Internet for nine weeks during April 2011.[viii]
• It was revealed in May 2011 that an employee of San Juan Unified School District in central California stored confidential employee information on a flash drive. When the employee used that drive for volunteer work at her church, the confidential information was uploaded to a Web site where it was freely available for about six months.[ix]
• In 2009, an employee of Rocky Mountain Bank mistakenly sent sensitive information to the wrong Gmail address and included a confidential attachment that never should have been sent.[x] Because the unintended recipient never responded to the sender, the bank sued Google to determine the identity of the recipient.

VENDORS AND PROVIDERS ARE ALSO PRONE TO ERRORS

Vendors and providers of various services are also prone to errors that can reveal sensitive or confidential information:

• On June 19, 2011, Dropbox updated its code and inadvertently allowed access to every Dropbox account for about four hours before resolving the problem.[xi] During that time, a hacker was able to download Dropbox customer data from a number of accounts.[xii]
• In late 2010, a configuration error allowed Microsoft BPOS customers to download address book information for other BPOS customers for about two hours.[xiii]

Note that in the provider cases, only encryption performed by the customer, with keys the provider never holds, would have protected the data: encryption applied by the provider itself offers no protection when the provider's own access control fails, because the provider's systems will happily decrypt for whoever they believe is authorized.

ENCRYPTION IS NOT MORE WIDELY USED FOR SEVERAL REASONS

All of the examples noted above revealed sensitive or confidential information that was not encrypted for one reason or another. While the risk from all of these exposures could have been made moot through the use of encryption, most organizations and users do not use encryption to protect data, for a variety of reasons:

• There is a perception that many encryption solutions are simply too difficult to use or that they require too much user involvement.
• By nature, many people (and organizations) tend to be reactive rather than proactive – they will react to the loss of a laptop computer or the accidental posting of sensitive information by implementing encryption or procedures to protect data, but they will not take these steps before a breach occurs.
• Some solutions lack transparency and automation, or have poor key management schemes, which inhibits their deployment and use.
• Many users believe that password protection for a file or a laptop is sufficient to prevent unauthorized access to this content and so view encryption as unnecessary. In fact, an operating system login password alone does nothing to stop someone who removes the drive and reads it on another machine; only full-disk or file-level encryption does.


• Many older encryption schemes were not scalable and required a significant amount of effort to maintain. While that is no longer the case with the bulk of encryption solutions offered today, many still hold to this outdated perception of the difficulties associated with encryption.

What Happens if Content is Not Encrypted?

DATA BREACH LAWS CAN BE VIOLATED

Forty-six of the 50 US states, as well as the US Virgin Islands, Puerto Rico and the District of Columbia, now have laws on the books that require individuals to be notified if a data breach has occurred. Alberta also passed a similar provision in 2010 that was incorporated into its Personal Information Protection Act.[xiv]

[Figure: Status of US Data Breach Notification Laws]

In July 2011, two bills were introduced in the US Senate – the Data Security Act of 2011 and the Data Breach Notification Act of 2011[xv] – that would require notification when consumer data was breached or might have been compromised in some way. These join other US federal bills, including the Secure and Fortify Electronic Data Act, the Best Practices Act, and the Consumer Privacy Protection Act. A growing number of countries around the world have passed data breach notification laws in one form or another. Moreover, there are many regulatory obligations that could also be violated by a breach of unencrypted data, including:

• Gramm-Leach-Bliley Act (GLBA)

GLBA requires that financial institutions protect information collected about individuals, including names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule (16 CFR Part 313) and the Safeguards Rule (16 CFR Part 314). GLBA also addresses steps that companies should take in the event of a security breach, such as notifying consumers, notifying law enforcement if the breach has resulted in identity theft or related harm, and notifying credit bureaus and other businesses that may be affected by the breach.

• Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS encompasses a set of requirements for protecting the security of consumers’ and others’ payment account information. It includes provisions for building and maintaining a secure network, rendering stored cardholder data unreadable (Requirement 3), encrypting cardholder data when it is sent over open, public networks (Requirement 4) and assigning a unique ID to each individual that has access to cardholder information (Requirement 8).

• Financial Industry Regulatory Authority (FINRA)

In late December 2010, FINRA amended Rule 8210 to include a requirement for the encryption of all electronic media that is sent from member organizations to FINRA. Encryption must be 256-bit or higher and FINRA staff members must receive the keys or decryption process independently from the sent files. This requirement, set forth in Regulatory Notice 10-59,[xvi] applies even if the files that are sent do not contain personal information.

• Health Insurance Portability and Accountability Act (HIPAA)

HIPAA addresses the use and disclosure of an individual's health information. It defines and limits the circumstances in which an individual's protected health information (PHI) may be used or disclosed by covered entities, and states that covered entities must establish and implement policies and procedures to protect PHI. Civil penalties are capped at $25,000 per calendar year for violations that occurred before the HITECH Act took effect and at $1.5 million per calendar year for violations after that date. Further, an individual who knowingly obtains or discloses individually identifiable health information may face a criminal penalty of up to $50,000 and up to one year of imprisonment. There is a specification for encryption of health information communicated over any network for which the transmitter cannot control access (45 CFR Part 142.308[d][1][ii] in the 1998 proposed Security Rule; in the final Security Rule the corresponding transmission security specification is 45 CFR 164.312[e][2][ii], where encryption is an “addressable” specification that a covered entity must either implement or document why an equivalent alternative is reasonable). It is also important to note that if an unencrypted email that contains PHI is sent across the Internet, a violation of HIPAA may have occurred even if the email was not intercepted. The mere fact that this content is available for review by an Internet service provider or another third party can expose an organization to penalties under HIPAA. Conversely, if encrypted information is exposed (e.g., the intentional or unintentional inappropriate release of an encrypted file containing HIPAA-regulated data), this does not constitute a reportable breach under HIPAA rules, provided the encryption meets the HHS guidance on rendering PHI unusable, unreadable or indecipherable and the key was not compromised along with the data. In other words, data can be lost or otherwise “exposed” without consequence – but only if it is properly encrypted.

As part of the American Recovery and Reinvestment Act of 2009 (ARRA), the provisions of HIPAA have been significantly expanded. A key component of ARRA is the Health Information Technology for Economic and Clinical Health Act (HITECH), which extends HIPAA obligations to the business associates of entities already covered by HIPAA, like pharmacies, healthcare providers and others. HIPAA now reaches attorneys, accounting firms, external billing companies and others that do business with covered entities.

• UK Data Protection Act (DPA)

The DPA imposes requirements on businesses operating in the United Kingdom to protect the security of personal information and to retain it only as long as is necessary. The Act requires, at least by implication, encrypted transmission of personal information and its secure retention.

• Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian privacy law that applies to private-sector organizations that collect, use or disclose personal information in the course of commercial activity (provinces with substantially similar legislation, such as Alberta, British Columbia and Quebec, apply their own statutes in place of PIPEDA for activity within the province). Like many other privacy laws, it requires that personal information be stored and transmitted securely. Canada’s Privacy Act, in place since 1983, protects the personal information collected by federal government institutions.

US STATE ENCRYPTION LAWS CAN BE VIOLATED

On October 1, 2008, a Nevada law (Nev. Rev. Stat. § 597.970 [2005]) went into effect stating that: “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” Such personal information includes an individual’s first name or first initial and last name, along with details like a Social Security number, driver’s license number or credit card number with security code. Legal experts say that since the Nevada law does not define a “customer”, the rules could be interpreted as applying to customers regardless of where they reside. (The provision was repealed and re-enacted in expanded form as Nev. Rev. Stat. § 603A.215, effective January 1, 2010, which also requires data collectors that accept payment cards to comply with PCI DSS.)

A more stringent law, Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00), took effect in Massachusetts in March 2010. The law mandates that personal information – a combination of a name along with a Social Security number, bank account number or credit card number – be encrypted when stored on portable devices, when transmitted wirelessly or when transmitted on public networks. The law affects “persons who own, license, store or maintain personal information” about Massachusetts residents.

OTHER CONSEQUENCES

In addition to violating statutory requirements to protect data, organizations that experience a breach of unencrypted data can experience a number of other consequences, including:

• Damage to corporate reputation

One of the most significant “costs” of a breach of unencrypted data can be loss of corporate reputation. While this may not necessarily impact the goodwill component of an affected organization’s balance sheet, it can have a very serious impact on a company’s reputation as reflected in its stock price. For example, Heartland Payment Systems announced a major data breach in January 2009, after which its stock price fell by more than 50% in a very short period.

• Loss of customers

Some customers may be reluctant to do business with a firm that has lost its confidential information, simply because of the loss of trust that follows any such breach. For example, the Ponemon Institute estimates that a US-based financial services firm could lose 5.2% of the customers it informs of a data breach.[xvii] CyberFactors estimates that Epsilon could lose up to $45 million in business as a result of its data breach in April 2011.[xviii]

• Expensive remediation costs

The direct cost to inform customers of a data breach via postal mail can be several dollars per customer, potentially resulting in an immediate cost of several tens or hundreds of thousands of dollars in communication expenses, depending on the size of the data breach. Moreover, some companies may be compelled to provide free credit reporting services to affected customers – for example, a US senator is calling for Sony to provide such services to its PlayStation customers for two years as a result of the company’s data breach in April 2011.[xix]

ENCRYPTION CAN MITIGATE CORPORATE RISK

By using encryption, an organization can mitigate its risk from a data breach in two important ways:

• Minimize the risk of data loss after a breach

While the loss of a laptop, smartphone, backup tape, data from hacked servers, etc. is never a fun experience for any organization or for the individual who misplaced it or had it stolen, the loss of encrypted data typically carries few ramifications beyond the loss of the device or media itself, provided the decryption key or passphrase was not lost with it.

• Minimize the required response

More importantly, however, an organization that loses encrypted data normally does not have to report the loss to the individuals whose data was breached. For example:

o California’s Civil Code Section 1798.82 reads, in part, “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” [Emphasis added to “unencrypted”]

o If Protected Health Information (PHI) is breached, the HIPAA Breach Notification Rule (added by HITECH) requires that notification be sent to the affected patients and to the US Department of Health and Human Services, and to prominent local media if more than 500 residents of a state or jurisdiction are affected. However, if the breached data was encrypted in accordance with HHS guidance, it is not “unsecured PHI” and notification is not required.


What to do Next

Osterman Research recommends that any organization undertake a four-step process in evaluating its need for encryption:

• Consider the consequences of not encrypting data

First and foremost, decision makers need to understand just how serious a data breach can be in a variety of contexts. For example, losing internal data like trade secrets can have major implications for new product development efforts and overall competitiveness. Worse, if confidential data is stolen and posted to a public Web site, there are scenarios in which a company can actually lose its ownership of those trade secrets. Losing customer information can also have damaging impacts, as noted earlier in this report, including direct costs that can run into the millions of dollars, as well as indirect and long-term costs that can be much higher. Although the costs of a data breach can be difficult to quantify, even a back-of-the-envelope calculation can be useful in estimating what could happen in the event that unencrypted data is lost. For example, losing 50,000 customer records could cost:

o $5 per customer to create and send a notification letter, or $250,000 in total.
o $10 per customer for credit reporting services for one year, or $500,000 in total.
o $500 in lost future business for each of the 5% of customers who take their business elsewhere, or $1,250,000 in total.

That is $2,000,000 in direct and near-term costs for a single incident.

• Develop a return-on-investment (ROI) case for content encryption

Next, it is important to develop an ROI case for content encryption instead of viewing encryption as just another cost of doing business. For example, let us assume the following for a 500-person company:

o Encryption capabilities will cost $25 per user per year.
o A major data breach would cost $2 million, as in the example above.
o There is only a 10% chance of a data breach occurring within the next three years.

Using these assumptions, we can determine that:

o Encryption capabilities will cost $37,500 over three years ($25 x 500 x 3).
o Using an expected-value approach, the expected cost of a data breach over the three years is $200,000 ($2 million x 10% probability of its occurrence).
o As a result, the three-year ROI for an encryption solution is 433%, based on the following formula for ROI (where the “return” is the avoidance of the expected cost of a data breach):

ROI = (Return – Investment) / Investment
    = ($200,000 – $37,500) / $37,500
    = 433%


It is also important to note, however, that encryption is not simply about the avoidance of problems – encryption can also be used to retain customers, generate new business opportunities, provide better customer service, improve customer confidence, etc. For example, if we assume that an encryption system used by a brokerage house will enable it to retain and win a net of 1,000 new customers over a three-year period, and that each new or retained customer will generate $150 in brokerage fees during that period, the additional revenue of $150,000 will generate an ROI of 300% against the same $37,500 investment:

ROI = ($150,000 – $37,500) / $37,500
    = 300%

• Develop policies focused on protecting content

Next, develop policies for protecting content. These should include employee-focused policies that spell out the need to use encryption on any company-owned or personal smartphone, laptop, flash drive, tablet, desktop computer, CD, DVD, etc.; and the requirement to send confidential information in a secure manner when it is transmitted via email, file transfer systems, instant messaging systems, social media or physical media. Moreover, policies should be implemented that set out how sensitive and confidential information is to be encrypted when stored on file servers, FTP systems, collaboration databases and document management systems, or when sent from email-generating applications. These policies should clearly lay out the consequences of violating corporate encryption policies and of using personal devices for work-related applications, particularly when they are used to send, receive or store sensitive information.

• Deploy the right technologies and services that will protect your organization

Finally, the appropriate technologies need to be implemented that will protect all sensitive and confidential information both at rest and in transit – we focus on this in the next section of the white paper. It is also important to note that monitoring and policy-based encryption technologies can be a useful tool in training employees about how to handle sensitive information and why encryption is necessary. An Osterman Research study conducted during February 2011 asked IT decision makers in mid-sized and large organizations in North America how they would want to handle various situations involving violations of corporate policy. For example, in outbound content scanning systems, 48% of decision makers would like to see a pop-up reminder appear if sensitive content were being sent unencrypted through email or some other outbound system. Such a pop-up can be useful in sensitizing users to the need for encryption and to be more careful about how sensitive data is handled.

Steps to Creating an Encryption Strategy

Once decision makers decide that they need an encryption strategy (and every one of them should come to this conclusion), there are several steps in developing the strategy:


• View encryption as part of the overall corporate compliance strategy

First and foremost, encryption must be viewed holistically as part of an organization’s overall compliance strategy. No company can claim to be compliant with HIPAA, Gramm-Leach-Bliley, state data breach notification laws, PIPEDA, the Data Protection Act, other laws focused on data protection, or industry best practice if it does not have the ability to encrypt content both in transit and at rest. As a result, every initiative focused on compliance must also include a full discussion about how data will be encrypted.

• Understand all of your obligations to protect data

As noted above, organizations must understand all of their data protection obligations. This includes all of the statutes in the US states, Canadian provinces or countries in which they do business today or plan to do business in the future. It also includes understanding legal precedents that have been established when privacy rights were violated. The key here is to get advice from internal and external legal counsel and develop a cross-functional understanding of needs across the organization – in other words, making sure that legal counsel, the CIO, IT management, line-of-business decision makers and other relevant roles in an organization know each other and openly talk about what they must do to protect content.

• Understand what sensitive data you have, who accesses it, where it is located, and the potential risks from not encrypting it

Organizations need to conduct an inventory of their data across the entire organization, looking for data wherever it may be found and evaluating its sensitivity and the need to encrypt it. Frankly, this may be a difficult undertaking without the right tools in place, since the number of venues in which data is located can be enormous, including desktop computers, laptop computers, smartphones, tablets, file servers, application databases, flash drives, employees’ home computers, backup tapes, disk-based backup systems, archives, Web servers, and so on.

• Look for opportunities to improve processes with encryption

It is important to note that encryption should not be viewed as a purely defensive strategy. On the contrary, the use of encryption can enable an organization to create new business opportunities, gain competitive advantage, or enable customer “stickiness”. For example, a bank that offers the ability to communicate with customers via encrypted email or chat for activities like account dispute resolution or loan applications will have a clear advantage over its competitors that do not offer these capabilities. Similarly, internal processes can also be improved by using encryption, such as enabling remote employees to communicate securely using their personal devices, or allowing greater sharing of sensitive information with internal parties because of the assurance that only authorized individuals will have access to it. Moreover, existing communication processes might be replaced with more efficient ones, such as replacing fax with secure email.

• Focus on the key issues

Organizations must also consider and evaluate the myriad topics related to encryption, including:

o Key management
o Central auditing and tracking of encrypted devices
o Digital rights management and persistent controls over encrypted data
o How encryption can create issues with finding and discovering data for e-discovery or compliance purposes
o How to implement solutions that protect data and make it discoverable
o How encryption can interfere with malware scanning and how to solve this problem
o The technologies and services that are available that can insulate internal decision makers from some or all of these decisions.

Key management deserves particular attention: encrypted data whose keys have been lost is as unavailable as data that was destroyed, and keys stored alongside the data they protect (on the same laptop, tape or cloud account) offer no protection at all.

Another important issue that organizations might want to consider in the context of their encryption evaluation is that of authentication and the role that risk-based authentication might play. Risk-based authentication is useful in the overall discussion about encryption, since it matches the strength of the authentication scheme used to access a particular type of data or repository to the consequences of a breach of that data and to the risk associated with how the data is accessed. While authentication and encryption are different topics, it makes sense to consider them together as part of the risk mitigation discussion.

• Ensure that systems are easy to use

It is imperative that any encryption system be easy to use for both the sender and the recipient, or it simply will not be used. This is particularly important for data in transit, since two parties are involved instead of just a single party who is trying to access stored content. If an encryption scheme is too difficult to use, or if recipients are confused about how to open an encrypted message, this confusion will be felt by the customer in the form of slower message delivery and increased support requirements. As part of the ease of use discussion, decision makers should consider any encryption system’s interface intuitiveness, how the system handles files, the number of clicks required to access content, and the provision of self-service password resets.

• Evaluate your deployment options

There are a number of deployment options for encryption capabilities designed for data in transit, including solutions that are on-premises, in the cloud, or a hybrid of these approaches. Moreover, there are many encryption solutions for static content of various types, such as data on file servers, on desktops or laptops, on flash drives, or when burned to media like CDs or DVDs.

• Measure results before and after

Finally, it is important to measure the “before” and “after” pictures of the organization in the context of how encryption has enabled risk to be reduced, business processes to be improved, and new business opportunities to be realized. This will help decision makers not only to determine the ROI they are realizing from the use of encryption, but also how encryption can be improved and additional benefits realized.


Summary

Most organizations do not encrypt their sensitive and confidential data either in transit or at rest. Consequently, they incur greater risks, because the growing amount of data and the increasing number of places in which it is stored make access to this data by unauthorized parties more likely. When data is breached, either accidentally or with malicious intent, organizations face expensive remediation costs, loss of corporate reputation, loss of future business and other problems. In order to comply with regulatory, legal and best practice obligations, as well as simple common sense, organizations should encrypt sensitive and confidential data anywhere it might be found. Encryption can not only provide a solid defense against inadvertent loss or malicious theft of data, but it can also deliver a positive ROI and open up new business opportunities that would not otherwise be possible.

Sponsor of This Report

DataMotion is a leader in email encryption solutions that enable businesses to safely and easily transact with partners and customers in the cloud. Organizations in diverse industries such as healthcare, financial services and government look to us every day for easy to use, affordable, secure email and file transfer solutions. The DataMotion SecureMail solution applies military grade encryption to your emails and attachments, including those sent via smartphone, allowing them to travel across the Internet untouched and safe. Our simple, easy to use solution offers exceptional benefits:

• For our clients in regulated industries such as financial services and healthcare, reducing email regulatory risk exposure is critical. SecureMail ensures compliance with regulations including HIPAA/HITECH, PCI and GLBA.

• For our clients concerned about the privacy of their customer data, employee data, and intellectual property, SecureMail offers rock solid protection for their data, image and market reputation.

• For our clients who want to streamline and improve business processes, SecureMail is an outstanding tool. Our clients regularly report reduced operational costs and better customer service metrics when they use SecureMail for sending and receiving files and communications.

Best of all, SecureMail addresses the biggest concerns associated with email encryption solutions:

• SecureMail is exceptionally easy to use for the senders and recipients.

• SecureMail integrates with existing infrastructure and workflows, so there’s nothing to rip and replace.

• And the ROI for SecureMail starts on Day 1. Our solutions are cloud-based so there is no IT overhead, and customers are up and running quickly with little to no training. Organizations start securing messages and cutting postage and courier costs right away.

Solutions are available as hosted services or on-premise software.

DataMotion, Inc.
35 Airport Road
Suite 120
Morristown, NJ 07960
USA
+1 800 672 7233
www.datamotion.com

© 2011 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

