Would you send sensitive and confidential information on a postcard? Would that be secure and compliant, or high risk and gross negligence? People do this daily using email, which does not even have the envelope that standard mail has: emails are transferred in plain, unencrypted text via untrusted third-party servers (the public Internet).
Sent as plain unencrypted text: no "read authorization" is required on email relays.
Sent via untrusted third parties: copies can be made.
Regular email cannot be recalled once sent, and you are exposed to backups on recipients' computers.
Regular emails are also exposed to data mining by web browsers, browser extensions, and Outlook add-ins.
On top of the inherent cyber security and business security risks, use of regular email often violates a number of data privacy regulations.
That is why companies and organizations should understand both email and the regulations, to avoid penalties, reputational risk, and legal action against their executive officers.
In many cases, standard SMTP email violates 15 GDPR articles when used to send personal data.
The GDPR imposes stiff fines on data controllers and processors for non-compliance: up to €20 million, or 4% of worldwide annual revenue, whichever is higher.
Use of regular email (sending personal data in plain unencrypted text via untrusted third-party email relays) may violate the GDPR principles and numerous GDPR articles:
Article 5 "Principles relating to processing of personal data".
Article 25 "Data protection by design and by default".
Article 28 "Processor".
Article 32 "Security of processing".
Article 33 "Notification of a personal data breach to the supervisory authority".
Article 34 "Communication of a personal data breach to the data subject".
Other relevant articles: 17, 18, 35, 46, 50, 82, 84, 90.
In many cases, SMTP email violates 7 COBIT requirements.
SOX allows the SEC to disgorge CEOs' and CFOs' executive compensation; penalties and fines can be upwards of $5 million, along with 20 years in prison.
Without additional security, regular email, which relies only on 1982 SMTP, may violate the COBIT framework requirements to:
Identify and protect financial information against unauthorized access, transmission or disclosure;
Authenticate individual message senders and intended recipients;
Secure the transmission of email communications containing financial information;
Secure message indexing, archiving, and retention;
Have the ability to audit and retrieve messages as needed by auditors and compliance officers;
Protect email servers and other systems that store or process emails containing financial information;
Track and log message traffic.
(The Public Company Accounting Oversight Board (PCAOB), established by SOX, recognizes the COBIT (Control Objectives for Information and Related Technologies) framework for IT compliance.)
In many cases, SMTP email violates 4 HIPAA Security Rule requirements when used to send e-PHI.
Under HIPAA, healthcare organizations that fail to secure PHI against loss or unauthorized disclosure can face fines of up to $250,000 per incident, while individuals responsible can face up to 10 years in prison for noncompliance.
The Security Rule mandates that affected organizations implement appropriate policies, including technical and physical safeguards for information systems that maintain e-PHI, to ensure the security and confidentiality of e-PHI against loss or unauthorized disclosure:
Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
Identify and protect e-PHI against reasonably anticipated threats to the security or integrity of the information;
Protect e-PHI against reasonably anticipated, impermissible uses or disclosures;
Ensure compliance by their workforce.
In many cases, SMTP email violates the Act's 3 privacy requirements when used to send NPI.
There are severe penalties for non-compliance: imprisonment for up to 5 years, steep fines, or both. A financial institution can be fined up to $100,000 for each violation, and officers and directors can be fined up to $10,000 for each violation.
The act places responsibility on financial institutions to protect customer financial data and personal identifying information, which it calls nonpublic personal information (NPI), and to notify regulators and customers in the event of a data security breach.
The Act's 4th privacy requirement directs each financial institution regulator, "in furtherance of the policy," to establish appropriate "standards" relating to safeguards to:
Ensure the security and confidentiality of customer records;
Protect against any anticipated threats to the security of such records;
Protect against unauthorized access to such records that could result in substantial harm or inconvenience to the customer.
Regulation Fair Disclosure (Regulation FD) was promulgated by the SEC in August 2000. The rule mandates that all publicly traded companies must disclose material information to all investors at the same time.
Regulation FD provides that when an issuer, or a person acting on its behalf, selectively discloses material, nonpublic information to certain enumerated persons (in general, securities market professionals or holders of the issuer's securities where it is reasonably foreseeable that the holders will trade on the basis of the information), then the issuer must make public disclosure of the information.
Regular SMTP emails containing financial information are sent out daily via untrusted third parties in plain unencrypted text to financial analysts, investors, public relations companies, legal advisors, and rating agencies, which in certain cases may violate Regulation Fair Disclosure.
CHAPTER II, Article 5
Principles relating to processing of personal data
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').