Category: Compliance

27 Dec 2019

Shadow IT: The Danger of Open Tech Stacks in Banking

Banking, financial services and insurance companies are in danger—and this danger is lurking at employees’ fingertips. Employees, clients and vendors are wooed daily by unvetted third-party apps that promise to make workflows easier—and if financial organizations don’t put a stop to these shadow IT environments, they could pay a hefty price. Let’s dive into what shadow IT environments are, why they happen, why they’re dangerous and how a user-friendly encryption solution helps organizations eradicate them.

What are shadow IT environments?

Shadow IT refers to third-party software your employees use that is outside the control of your IT department and network. It becomes part of your unofficial tech stack and leaves your organization vulnerable to malicious actors. Security professionals consider unapproved third-party software and apps unwelcome additions to an organization’s network—and yet, employees continue to indulge in them.

What causes shadow IT environments?

It’s easy to blame shadow IT environments on negligent, malicious or clueless employees. But organizations in banking, financial services and insurance must be accountable for what goes on in their organizational networks.

Shadow IT environments happen for three main reasons: clunky existing tools, lack of employee education about security and insufficient IT controls to disallow rogue downloads and network access. When your organizational tools aren’t as easy to use as third-party tools, employees find easier ways to get the job done. If you don’t train employees on security threats, they won’t understand how seemingly innocent behaviour can put the company at risk—and they’ll keep forwarding company information through Gmail and using insecure apps on free WiFi at their favourite coffee shops on work-from-home days. And without sufficient controls, you’ll miss catching aberrant behaviour that slips through even after you put user-friendly, secure options and employee training in place.
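To make the third cause concrete, here is an added example (not Echoworx code and not part of the original post) of the kind of control that catches this behaviour after the fact: a small Python script that reads outbound web-proxy logs and flags requests to unsanctioned consumer services such as personal webmail and file-sharing sites, marking large uploads for review. The log format, the sanctioned-domain list and the service catalogue are all constructed assumptions for the example.

```python
"""Flag unsanctioned SaaS use (shadow IT) in outbound web-proxy logs.

Added example, not Echoworx code. The log format, the sanctioned-domain
list and the service catalogue below are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines: timestamp, user, method, destination host, bytes sent.
SAMPLE_LOG = """\
2019-12-27T09:01:12Z alice GET intranet.example-bank.test 512
2019-12-27T09:03:45Z alice POST mail.google.com 1048576
2019-12-27T09:05:02Z bob POST api.dropboxapi.com 20971520
2019-12-27T09:06:30Z carol GET www.messenger.com 2048
2019-12-27T09:07:11Z bob GET portal.example-bank.test 1024
2019-12-27T09:09:58Z alice POST mail.google.com 734003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)

# Hypothetical domains the IT department has approved.
SANCTIONED_SUFFIXES = ("example-bank.test",)

# Consumer services the policy does not allow for company data (constructed
# mapping from domain suffix to the category reported in findings).
UNSANCTIONED_SUFFIXES = {
    "mail.google.com": "personal webmail",
    "dropbox.com": "consumer file sharing",
    "dropboxapi.com": "consumer file sharing",
    "messenger.com": "consumer messaging",
    "web.whatsapp.com": "consumer messaging",
}

# A single request sending at least this many bytes to an unsanctioned service
# is marked for review as a possible bulk transfer of company data.
LARGE_UPLOAD_BYTES = 1_000_000


def _matches_suffix(host, suffix):
    return host == suffix or host.endswith("." + suffix)


def classify_host(host):
    """Return (status, category): status is sanctioned, unsanctioned or unknown."""
    if any(_matches_suffix(host, s) for s in SANCTIONED_SUFFIXES):
        return "sanctioned", None
    for suffix, category in UNSANCTIONED_SUFFIXES.items():
        if _matches_suffix(host, suffix):
            return "unsanctioned", category
    return "unknown", None


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped rather than crashing the report
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def analyze(log_text):
    """Group unsanctioned-service requests by user, flagging large uploads."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        status, category = classify_host(rec["host"])
        if status != "unsanctioned":
            continue
        findings[rec["user"]].append({
            "ts": rec["ts"],
            "host": rec["host"],
            "category": category,
            "bytes": rec["bytes"],
            "large_upload": rec["method"] == "POST" and rec["bytes"] >= LARGE_UPLOAD_BYTES,
        })
    return dict(findings)


if __name__ == "__main__":
    for user, events in sorted(analyze(SAMPLE_LOG).items()):
        for ev in events:
            flag = " LARGE UPLOAD" if ev["large_upload"] else ""
            print(f"{user}: {ev['host']} ({ev['category']}), {ev['bytes']} bytes{flag}")
```

Hosts that are neither sanctioned nor in the catalogue are reported as unknown rather than flagged, so the script surfaces the known consumer services first; a real deployment would feed the unknown set into the vetting process rather than silently allowing it.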

Why are shadow IT environments dangerous?

Shadow IT environments are dangerous because they allow company information to leave the security of your network and they can allow nefarious agents access to your secured network. And in many cases, staff don’t realize they put company information at risk. For example, an employee talking to a client on a cell phone might believe it’s safe to send the client some documentation through third-party instant messaging apps, like WhatsApp (it’s encrypted, right?), Facebook Messenger, Dropbox or their personal Gmail account.

To illustrate the problem with these third-party scenarios, let’s say an employee sends confidential European data from your company through Gmail. As soon as they click ‘Send,’ this sensitive information, which might include sensitive customer data, enters Google servers in the United States and can be re-purposed for other uses, such as third-party ads hosted through AdWords. In this instance, the subsequent lack of control over this sensitive data and its presence in the US can cause problems with the GDPR.

Then there’s malware and privacy backdoors that accompany third-party apps. The AV-TEST Institute, an independent German research institute for IT security, found that malware has almost doubled since 2015.

And according to a paper called 50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System, researchers studied 88,113 Android apps and identified five types of side and covert channels they use to access private data—without permission.

The bottom line is when banking organizations haphazardly allow third party software into their tech stacks, they put client privacy and organizational security at risk.

What can be done to eradicate shadow IT environments?

To eradicate shadow IT environments, organizations must address the issues that cause them by:

  • Replacing cumbersome communication tools with user-friendly solutions that integrate so well into work flows that employees want to use them.
  • Implementing effective and ongoing training for all employees on information security, cybersecurity and data privacy.
  • Putting controls in place to prevent and/or discourage use of unvetted apps and software for company business and on company devices.

Echoworx OneWorld is a user-friendly and customer-centric encryption solution that helps banking, financial services and insurance companies secure client communications in transit and at rest. Because it’s so easy to securely transmit information, employees don’t need to search for third-party options that fit into their workflow.

Echoworx OneWorld features that help organizations eradicate shadow IT environments:

  • Easy and frictionless user experience – In a recent Echoworx survey, we found that 53 per cent of organizations with encryption found it “too difficult to use.” An encryption solution can’t protect client and organizational data if nobody uses it! OneWorld makes it easy for employees and customers to use and makes inbound and outbound encryption the path of least resistance.
  • Definable policies – Automatically control which communications get encrypted (and how) based on the message content, subject lines and key words. Flexible controls for every scenario means you stay in control of encrypted messages while they’re in transit and at rest.
  • Enable inbound encryption – While you can’t control what type of information clients and vendors send you via email, you can control how you receive and secure it. Emails with sensitive information are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • No registration process – Encryption solutions that require recipients to register before reading encrypted emails make secure communication cumbersome. OneWorld eliminates the registration process and allows the sender to share a secret phrase—also known as a passphrase—with the recipient. To open the encrypted email, the recipient simply types in the passphrase.

Not only does Echoworx OneWorld help banks eradicate shadow IT environments, it also helps them save money. A recent Forrester Total Economic Impact™ study showed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of only seven months.

By: Brian Au, IT Specialist, Echoworx

20 Dec 2019

CCPA vs GDPR: What’s the Difference?

In 2018, the business world shuddered as the General Data Protection Regulation (GDPR) came into full force. More shuddering is expected shortly with the California Consumer Privacy Act (CCPA) going into effect on January 1, 2020 – with enforcement measures beginning six months later. But what’s the difference between these two privacy acts? This article gives a high-level overview of the similarities and differences between the GDPR and the CCPA and why you need a flexible policy-based encryption solution to deal with one or both of them.

What is the California Consumer Privacy Act (CCPA)?

The CCPA establishes data privacy rights for Californian residents and it applies to businesses that sell products and services to California residents and collect information about them.

Under the CCPA, California residents have the right to:

  • Know what personal information is collected about them.
  • Know whether their personal information is sold or disclosed and to whom.
  • Opt out of allowing businesses to sell their personal information.
  • Access the personal information collected about them—in the last 12 months—in a user-friendly format.
  • Equal service and price, no matter what privacy options they choose.
  • Erase personal data collected (in some situations).

Under the CCPA, Californians can opt out of almost all secondary uses of their personal information including sale to data brokers, tracking and other uses not directly related to service delivery.

Here’s what banks need to know about this law.

What is the General Data Protection Regulation (GDPR)?

The GDPR establishes data privacy rights for European citizens (who may or may not be residents); it’s a uniform privacy law that applies across the European Union to protect its 512 million citizens. Companies that do business in Europe are subject to the GDPR.

Under the GDPR, Europeans have the right to:

  • Access their personal data.
  • Correct errors contained in their collected personal data.
  • Withdraw consent for data processing.
  • Stop automated decision making when the decision has a legal implication.
  • Withdraw the consent that allows businesses to sell their personal information.
  • Erase personal data collected (in some situations).
  • Access some personal information collected about them in a user-friendly format.

Similarities between the CCPA and the GDPR

Both acts give consumers access to personal data, the right to have companies erase some personal data, a way to opt out of having their personal data sold to third parties and the ability to claim damages through a private right of action.

Differences between the CCPA and the GDPR

The GDPR gives citizens the right to stop automated decision making when there’s a legal implication and the right to correct errors in collected data, but these aren’t included in the CCPA. It’s hard to say which act is more aggressive with enforcement penalties. While the GDPR tops out at four per cent of a company’s annual global revenues, the CCPA allows fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Depending on the type of breach, those CCPA fines could add up quickly.

Advantages of the CCPA and the GDPR

For consumers, the advantages of the CCPA and the GDPR are clear: more privacy rights and the power to protect those rights through right of action damages and enforcement penalties. The advantage of the GDPR for business is that it’s one blanket regulation to conform to—which is easier than managing patchwork privacy. Imagine if every country in the EU had its own privacy regulations!

Challenges for businesses

American businesses don’t have to imagine patchwork privacy because it’s already happening with state privacy laws and laws governing cyber security, data security and data breach notification in Washington, Texas, Oregon, New York, New Jersey, Nevada, Maryland, Massachusetts, Maine and California. This means organizations that do business across America and Europe have an increasingly complex privacy landscape to navigate. Compliance must be built into the three Ps of business—people, process and products—because even sending an email is no longer simple.

National organizations, for example companies in banking, financial services and insurance, must adapt to and comply with new privacy laws because it’s unlikely the consumer data privacy trend will reverse itself.

Echoworx OneWorld: a flexible, policy-based encryption solution for GDPR and CCPA compliance

An enterprise privacy program covers everything from daily operations and compliance to policies, procedures and investigations. To build compliance across the 3 Ps of business, organizations must adopt a flexible, policy-based encryption solution.

OneWorld features that help enterprises navigate privacy laws including the GDPR and CCPA:

  • Definable policies – This allows you to control which communications get encrypted (and how) based on the message content. These policies are based on your needs, legislation and encryption best practices. Flexible controls for every scenario allow you to create a customized user experience for senders and recipients and stay in control of encrypted messages in transit and at rest. This policy-based encryption helps you stay compliant with privacy laws.
  • Easy and frictionless user experience – A recent Echoworx survey found that 53 per cent of organizations with encryption found it “too difficult to use.” OneWorld makes it easy for employees and customers to use, making encryption — and compliance — a consistent path of least resistance.
  • Enable inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.

Here’s how it works with OneWorld:

Whether it’s the GDPR or the CCPA, encryption is considered an appropriate measure for protecting personal data—and it comes with financial benefits. A recent Forrester Total Economic Impact™ study showed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of only seven months.

Are you ready to make flexible, policy-based encryption—that’s also user-friendly—part of your compliance strategy?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx

27 Nov 2019

Uniform or Patchwork Privacy Laws? How Your Bank Can Mitigate Cyber Risk

As more state privacy laws come into effect in the US, navigating privacy, data residency and jurisdictional requirements is more complicated than ever for banks and financial institutions with national and international reach. Let’s look at what these privacy laws are and how encryption helps banks and financial services institutions mitigate the risk that comes with juggling multiple privacy laws.

Patchwork privacy laws

America is gearing up for the California Consumer Privacy Act (CCPA) that goes into effect on January 1, 2020. The CCPA is now one of many privacy and data security laws that protect consumers across some states.

Current state privacy laws:

  • California Consumer Privacy Act (CCPA)
  • Nevada Senate Bill 220
  • Act to Protect the Privacy of Online Consumer Information (Maine).

While three privacy laws might not seem like much to handle, that’s not the whole picture. There are also laws governing cybersecurity, data security and data breach notification in Washington, Texas, Oregon, New York, New Jersey, Maryland and Massachusetts.

That’s a lot for any national company to keep up with and with each new law enacted, it becomes easier for companies to fall out of compliance, especially if they don’t implement proper risk management.

National privacy laws

National privacy laws include:

  • The General Data Protection Regulation (GDPR) in Europe.
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
  • The Act on Protection of Personal Information (APPI) in Japan.
  • The Health Insurance Portability and Accountability Act (HIPAA) in the USA.
  • The Electronic Communications Privacy Act (ECPA) in the USA, often criticized for being outdated and having no impact.

What kind of privacy legislation is best for banks?

Banks and other financial institutions are subject to strict legislation outside of general privacy laws. For example, the Gramm-Leach-Bliley Act (GLBA) governs what kind of information can be shared with third parties and requires financial institutions to disclose how they protect their clients’ private data.

We won’t list the regulations financial services companies are subject to here—suffice to say, banks are already heavily regulated.

The best type of privacy legislation for banking, financial services and insurance companies is legislation they influence to meet their needs (and the needs of their customers).

We’d suggest that one national privacy law would be easier to manage than multiple state laws on top of international privacy laws. Whatever the answer is, banks would be wise to weigh in on the idea of a national privacy law in America—because other businesses sure are.

Why the business community is advocating for an American national privacy law

The CCPA is hailed as “America’s answer to the GDPR” but that doesn’t hold up in terms of reach. The GDPR and the CCPA are similar regulations and both allow for sharp fines for lack of compliance. But the GDPR protects citizens of nations belonging to the European Union—that’s 512 million people. There are 327 million people in the US and 39.5 million people in California.

How many more laws need to be enacted for all 327 million Americans to enjoy the same privacy rights as Californians and Europeans? For many people and businesses, the answer is “too many.”

The complications of patchwork privacy legislation are one reason the Business Roundtable—an association of chief executive officers who promote the U.S. economy through sound public policy—is advocating for a national privacy law for Americans.

Marc Benioff, CEO of Salesforce, writes in a Politico article that a national privacy law is “the right thing for consumers and the industry.”

But this advocacy work hasn’t yet borne fruit so businesses must deal with what is, instead of what could be.

How Echoworx OneWorld—a flexible encryption solution—helps banks navigate patchwork privacy laws

Encryption allows organizations to enhance data protection and breach notification practices. It’s an essential risk management tool that supports an organization’s overall cybersecurity strategy.

Echoworx OneWorld is a user-friendly and customer-centric encryption solution that helps banks and financial services organizations navigate patchwork privacy laws.

OneWorld features that help banks stay compliant with multiple privacy laws:

  • Definable policies – This feature allows you to control which communications get encrypted (and how) based on the message content. This is based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Multiple options for data residency – We have six data centres located in Canada, the US, Mexico, the UK, Ireland and Germany, which means our clients can stay compliant with data residency requirements outlined in the GDPR and American privacy legislation. For example, if an organization works in both the EU and US, they can’t have data residency (or third parties) in the US or else they’ll be out of compliance with the GDPR.
  • Automatic inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • Secure statement delivery – Senders can batch and deliver sensitive encrypted messages, like financial statements, directly to recipient inboxes in an encrypted PDF that’s password protected.
  • Natural extensions for Office Message Encryption (OME) – We work alongside Microsoft to take Office 365 to the next level with flexible use cases, branding, audit and tracking capabilities and certificate encryption. This increases existing encryption capabilities and keeps employees comfortable and confident using their existing communication tools—which makes encryption the path of least resistance.

A recent Forrester Total Economic Impact™ study revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months.

Banks are already doing business in a patchwork of conflicting privacy environments. Why not make it easier with our user-friendly encryption solution?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx

11 Nov 2019

California’s CCPA – What Banks Need to Know

The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020 and enforcement measures are scheduled to start six months later. Banks that do business with the state of California and its residents need to protect themselves and get compliant with the CCPA, hailed as “America’s answer to the GDPR.”

A quick view of the CCPA

The CCPA establishes data privacy rights for Californians and, starting soon, this law applies to businesses that sell products and services to California residents and collect information about them.

Under the CCPA, California residents have the right to:

  • Know what personal information is collected about them.
  • Know whether their personal information is sold or disclosed and to whom.
  • Opt out of allowing businesses to sell their personal information.
  • Access the personal information collected about them—in the last 12 months—and receive it in a user-friendly format.
  • Equal service and price, no matter what privacy options they choose.
  • Erase personal data collected (in some situations).

This act means Californians can opt out of many secondary uses of their personal information including sales to data brokers, tracking and other uses not directly related to service delivery.

Defining personal information under the CCPA

Section 1798.140, subdivision (o) of the CCPA defines personal information and it’s a long list that includes—but isn’t limited to—identifiers, categories listed in subdivision (e) of Section 1798.80, characteristics of protected classifications, commercial information, biometric information, internet and other electronic network activity, geolocation data, audio, electronic, visual, thermal, olfactory information, professional, employment and education information (that’s not already publicly available) and inferences drawn from information collected.

Call your privacy lawyers and experts because this list is extensive; staying in compliance will be complicated and being out of compliance will be costly.

Penalties and fees associated with the CCPA

Like the GDPR, the CCPA has teeth when it comes to penalties. PWC reports that the private right of action damages will be between $100 and $750 per consumer, per breach. And the regulator enforcement penalties will be “up to $2,500 per unintentional violation and $7,500 per intentional violation.”[i]

The impact of the CCPA on banking institutions

As more states institute their own consumer privacy laws, it becomes increasingly complicated for national banks to remain compliant across state borders. Today we’re talking about California but Vermont and South Carolina just passed laws about data collection and breach notification respectively.

Banks must understand privacy laws in all states and countries they do business in and have the processes and products in place to stay compliant with these regulations. They should also expect this trend of patchwork privacy laws to continue and be prepared to adapt to ever-evolving privacy laws.

Any banks that have European clients are (or should be) GDPR compliant so there’s less work for them to do now as the GDPR and the CCPA have many overlapping requirements. Part of that work includes analyzing data flows, implementing processes to meet the needs of the new regulation and clearly documenting all data and data policies.

Encrypted communications are part of the solution because encryption keeps protected personal information safe at rest and in transit. The Echoworx OneWorld encryption platform makes encryption the path of least resistance which is essential in highly-regulated industries such as banking, financial services and insurance.

How Echoworx OneWorld—a flexible encryption solution—helps banks navigate the CCPA

Encryption is a tool that allows organizations to enhance data protection and breach notification practices.

Encryption is considered[ii]:

  • An appropriate technical and organizational measure for securing personal data when implemented with other appropriate controls to protect the encryption process.
  • An appropriate safeguard for processing personal data for a different purpose than the one it was collected for.

But encryption only works when it’s used. And, in a recent survey of IT professionals and IT decision-makers, we found that although encryption is a priority for most organizations, less than half the organizations with encryption software use it extensively.

That’s because many encryption solutions are difficult for employees and clients to use: encryption becomes an extra step, and when security sits outside the regular workflow, people are less likely to use it.

At Echoworx, we built our OneWorld encryption platform to seamlessly integrate into existing workflows and make encryption and secure communications the path of least resistance.

OneWorld features that help banks navigate privacy regulations, including the GDPR and CCPA:

  • Definable policies – This feature allows you to control which communications get encrypted (and how) based on the message content. This is set up during implementation—based on your needs and encryption best practices. Flexible controls for every scenario allow you to create a customizable user experience for senders and recipients and stay in control of encrypted messages in transit and at rest.
  • Automatic inbound encryption – Emails with sensitive information—including protected personal information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  • Secure statement delivery – Senders can batch and deliver sensitive encrypted messages, like financial statements, directly to recipient inboxes as password-protected, encrypted PDFs.
  • Breach notifications – Senders can leverage OneWorld to deliver encrypted and protected communications and notifications to their customers in the instance of a breach.

Besides making encryption the path of least resistance, a recent Forrester Total Economic Impact™ study revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months.

The clock is ticking on the California Consumer Privacy Act. Why wait to make our user-friendly encryption solution part of your compliance strategy?

By: Brian Cole, Senior Manager Security Operations and Support, Echoworx

Source:

[i] https://www.pwc.com/us/en/services/consulting/cybersecurity/california-consumer-privacy-act.html

[ii] https://www.echoworx.com/project/encryption-in-the-gdpr/

03 Oct 2019

A Sensitive Issue: Secure Message Encryption for Large Healthcare Networks

Large regional health authorities can employ thousands of people and have a volunteer network in the thousands or tens of thousands. And, since health authorities send, receive and store so much personal and medical data, secure communications are essential.

Here’s why healthcare organizations are vulnerable to privacy breaches, the consequences of mishandling patient data and how encryption makes secure communications possible for health authorities with a large staff and volunteer base.

Why healthcare organizations are vulnerable to privacy and security breaches  

According to a recent report[i], 18 per cent of all cybersecurity breaches happen in healthcare. And internal actors—including employees, former employees, contractors and business associates—cause 59 per cent of the breaches in healthcare.[ii]

Here’s why healthcare organizations including health authorities are vulnerable:

  • Lack of training for staff and volunteers – The top two patterns in healthcare breaches relate to miscellaneous errors and privilege misuse. Privilege misuse is about employees peeking into patient records that they have access to but shouldn’t be looking at. Training can help build a culture of privacy and security at healthcare organizations and help staff understand the real consequences of snooping. In 2018, for example, The Ottawa Hospital fired an employee for peeking at 30 patient files and the year before, a student intern was fined $25,000 for accessing the personal health information of 139 people (also in Ontario).
  • Outdated communication tools – Some communication tools simply aren’t secure. This includes old pager systems used to send messages—including patient information, diagnoses and hospital room numbers—over unencrypted radio frequencies. When unencrypted communication methods are the path of least resistance, they’ll continue to be used, despite privacy issues.
  • Inconsistent mandatory reporting – While mandatory reporting of data breaches is standard across most states and Europe, that’s not the case in Canada. Reporting data breaches isn’t yet mandatory in Manitoba, Quebec or British Columbia. Mandatory reporting is positive because it brings breaches into the public eye—which can encourage organizations to act quickly to resolve security issues.

The consequences of mishandling patient data

In Canada, health information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). When health authorities mishandle patient data, patients lose trust in them, they come under fire from local privacy watchdogs and they can incur significant costs and fines. For example, at Capital Health in Nova Scotia, one employee improperly accessed the private health records of 105 people over six years—which cost Capital Health a $400K settlement.[iii]

For healthcare organizations with a large employee and volunteer base, encryption reduces the likelihood of mishandled patient data while increasing cybersecurity.

What does encryption do?

Encryption converts data and information into a code to prevent unauthorized access to the data while it’s in transit and at rest. It simply means private information is kept private. When choosing an encryption solution, algorithms aren’t the primary differentiators because almost all contemporary security products feature 2048-bit RSA encryption, 256-bit AES encryption and SHA2 signatures.

Instead, the real encryption differentiator is customer experience—how easy is it for patients, employees and volunteers to use the encryption solution? Our OneWorld encryption platform is user-friendly and seamlessly integrates into existing workflows.

5 ways the OneWorld encryption platform makes secure communications possible for health authorities

  1. Automatic encryption – Policy-based encryption allows you to automatically secure communications based on their content. For example, with Echoworx’s OneWorld encryption platform, emails with sensitive information—including protected health information—are automatically identified, securely routed to the OneWorld web portal and encrypted. Encrypted delivery methods include TLS encryption, encrypted PDFs and attachments, certificate encryption and web portal encryption.
  2. Reporting and monitoring – In cybersecurity, it’s important to be able to identify and investigate irregular communications. For example, you should be able to see who sent any email you’re reviewing, when it was sent and whether it was opened or not. Reporting and monitoring helps you reduce the risk of internal cyber vulnerabilities.
  3. Communications control – With so many employees, volunteers and healthcare partners, it’s easier than ever for sensitive data to leave the safety of your corporate network, either intentionally or accidentally. You can prevent this with communications controls such as preventing email forwarding, setting automatic encryption based on the type of email, keywords, phrases and attachments and enabling a single sign-on solution—to keep sensitive information on your protected network.
  4. Path of least resistance – With a user-friendly encryption platform in place, regional health authorities maintain control over their communications and make security the path of least resistance for their end-users. If an encryption platform makes more work for employees, they won’t adopt it. But when it seamlessly integrates into existing daily tasks, they will. User-friendliness isn’t a nice-to-have; it’s what makes widespread implementation possible.
  5. Positive return on investment – While encryption is no longer optional, health authorities can save money by investing in the right platform. For example, the Forrester Total Economic Impact™ study revealed that organizations that adopt Echoworx’s OneWorld encryption platform can expect a return on investment of 155 per cent, a payback period of seven months and the unquantified benefits that come with enhanced customer experience and reduced downtime.

 

If your regional health authority has thousands of employees and volunteers communicating with patients and other healthcare organizations, choosing the right encryption platform is an essential part of your cybersecurity program. Why wait? Reduce the likelihood of mishandled patient data by enabling automatic encryption for thousands of employees. Contact us today.

By: Michael Roberts, VP of Technology, Echoworx



25 Jul 2019

Communications Compliance: Why is it Important for Your Marketing Compliance Plan?

Corporate communications, including marketing communications, are subject to enough external regulations and internal controls to make even the most unflappable CCO shudder. Here, we’ll talk about what communications compliance is, the challenges surrounding it and why encryption is now a marketing compliance solution.

What is communications compliance?

Communications compliance is simply ensuring all internal and external communications, including social media postings, meet legal and regulatory standards that govern your industry. These standards are to protect client information and ensure your communications don’t mislead consumers. This is easy to say but gets complicated quickly due to the number of standards your communications must comply with.

For example, regulations and governing bodies that affect corporate communications include:

  • The General Data Protection Regulation (GDPR).
  • The Payment Card Industry Data Security Standard (PCI-DSS).
  • The Financial Industry Regulatory Authority (FINRA).
  • The Securities and Exchange Commission (SEC).
  • The Investment Industry Regulatory Organization of Canada (IIROC).
  • The Markets in Financial Instruments Directive (MiFID II).
  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The Sarbanes-Oxley Act (SOX).


And the following bodies also have additional guidelines for social media postings:

  • The Food and Drug Administration (FDA).
  • The Federal Financial Institutions Examination Council (FFIEC).
  • The Federal Trade Commission (FTC).
  • The American Bankers Association (ABA).
  • FINRA and SEC, as above.


In social media compliance circles, we’re seeing discussion around professionals who inadvertently violate regulatory agreements on social media. For example, in some jurisdictions, a real estate agent who tweets another agent’s listing may be out of compliance because that tweet suggests an inconsistency with an exclusive-representation agreement. Whatever industry you’re in, you must address compliance issues, and this takes extra diligence in heavily regulated industries like financial services and healthcare.

What are the challenges of communications compliance?

The challenges of communications compliance include:

  • Compliance is a moving target – With multiple regulatory bodies and guidelines to incorporate, plus the expanding role of compliance management professionals, compliance is continually evolving, which makes staying ahead of the game difficult.

  • Audit requirements – It’s essential that your company can audit your electronic communications, which means original copies must be stored properly for the right amount of time. On the other hand, this “paper trail” also highlights any compliance violations, which puts you at risk for fines and even class action lawsuits. For example, there’s a class action lawsuit against Bell Canada for its Relevant Advertising Program (RAP) that tracked customer activity to build profiles for third-party advertisers.

  • So many communications! – Add marketing messages to customer and vendor communications and it’s easy to get overwhelmed by the sheer number of messages that leave your organization each year. Plus, with different types of messages requiring different approaches and protection, compliance gets complicated—especially if the right staff aren’t aware of the regulatory rules.

  • Solutions reside across multiple business units – Compliance doesn’t belong to the compliance office; instead it resides across the entire business, which can make governance more difficult and complex. For example, we see more marketing teams pursuing encryption solutions for compliance—even though encryption is historically under IT’s purview.


Why compliance matters in marketing

Marketing is on the frontline of consumer protection. Compliance in marketing governs how businesses communicate with clients and prospects, protects personal data from misuse and ensures the principle of honesty in advertising is upheld.

Compliance challenges inside and outside of marketing departments are real, but organizations that address them holistically and consistently stay on the right side of regulations. One piece of the compliance equation is encryption.

Four reasons encryption is a marketing compliance solution:

  1. Data security – Encryption protects personal information used in marketing communications while it’s in transit to and from your customers and partners and while it’s stored on your own network. For example, PCI DSS requires that emails containing cardholder data are encrypted during transmission and protected in storage. This means that sensitive or personal information such as credit card numbers can only be saved on your network if they’re encrypted.

  2. Secure bulk delivery – Sending mass personalized communications securely is essential in many industries including insurance, government and healthcare. For example, if there’s a proposal for natural gas drilling in a specific area, a government might need to send a personalized message about this sensitive topic to all citizens residing in that geographical area. Our Secure Bulk Mail (SBM) delivery method makes this possible. Learn more about SBM.

  3. Digital trust – In digital customer relationships, trust is easy to get but nearly impossible to get back once it’s been lost. Using encryption to secure your client communications protects clients and shows them your organization takes their privacy and security seriously. With our OneWorld encryption platform, you can set language policies or branding attributes to automatically apply to encrypted communications based on sender, brand, locale and receiver attributes, which creates a consistent and trustworthy user experience. Learn more about building digital trust using encryption.

  4. Positive return on investment – Encryption is a compliance tool that saves organizations money. For example, a recent Forrester Total Economic Impact™ study revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits and a payback period of seven months. Get the full Forrester Total Economic Impact™ study of OneWorld now.


Whether you’re a marketing, IT or compliance professional, encryption can help your organization reduce compliance risks while protecting personal information and securing customer trust. So why wait to integrate encryption into your communications compliance strategy?

By Neyson Lins, Campaign Manager at Echoworx

02 Jul 2019

Facing the Fax: Why Healthcare is Still Offline

Since the business world entered Industry 4.0, organizations have scrambled to digitize physical assets and integrate them into digital ecosystems. Today, we’ll talk about why healthcare organizations are so far behind when it comes to all-things-digital and how a user-friendly and flexible encryption solution can ease the transition to Industry 4.0.

Why healthcare organizations are slow to adopt digital solutions

Even though electronic healthcare records are becoming increasingly common, there are still many healthcare organizations that rely on fax and paper records to do business.

The common barriers to going digital are:

  • Limited IT resources – Healthcare organizations are dealing with stagnant or declining IT budgets and don’t typically have enough skilled IT security practitioners to keep up with day-to-day demands, let alone enormous digitization projects.
  • Daunting privacy regulations – From the Health Insurance Portability and Accountability Act (HIPAA) to the General Data Protection Regulation (GDPR), healthcare data is heavily regulated. Healthcare organizations may think it’s easier to stay compliant by keeping patient records tucked into filing cabinets but that’s simply not true.
  • Fear of privacy breaches – With so many horror stories in the news about data breaches, healthcare organizations are keenly aware of the risks of going digital. Especially because the average cost per breached record is $380 in healthcare—more than double the cross-industry average.

These barriers are real, but they are part of the cost of doing business rather than something that can be avoided – and they can even be turned into an advantage. There’s no turning back from digitization in business, including in healthcare.

Three reasons for healthcare organizations to go digital sooner than later:

  • Increased user demand – Healthcare organizations serve millennials and baby boomers who now have technology in common. Millennials grew up with it and boomers begrudgingly learned to master the technology they now consider indispensable. Clunky, paper-based reports and systems are nearing extinction in the on-demand world people now expect.
  • The digital ecosystem is no longer optional – Industry 4.0 is digitizing and connecting everything in the supply chain, and healthcare organizations can either join in or be left out. Healthcare organizations don’t operate in a vacuum: they need to communicate with hospitals, labs, insurance agencies and business associates. At some point, it will no longer be possible to operate outside of this digital ecosystem, so why not plan for a smooth digital transformation now rather than rush at the last minute?
  • Reduce churn by increasing digital trust – The Ponemon Institute’s 2017 Cost of Data Breach Study found that health organizations experience a relatively high abnormal churn rate. They also found that when organizations cultivate customer trust around how personal data is protected, churn is reduced.

It’s time for healthcare organizations to embrace Industry 4.0—starting with encryption.

Five reasons encryption is essential for healthcare organizations undergoing digital transformation:

  • Protects patient data even if other organizations don’t – Encryption keeps your electronic health records secure on your network and while they’re in transit to and from your organization. For example, if you receive unencrypted personal information via email, Echoworx’s OneWorld encryption platform automatically reroutes this sensitive incoming data to an encrypted web portal. This is one way encryption builds digital trust.
  • Provides flexible delivery methods – Choosing a user-friendly encryption solution with flexible delivery methods allows healthcare organizations to handle multiple business scenarios. This means patient data stays protected whether it’s delivered through secure PDF, web portal access, TLS and encrypted attachments or S/MIME and PGP.
  • Makes it easy for staff to protect patient data – Unfortunately, healthcare has more breaches due to insider threats than outside malicious agents. Accidental disclosure of personal information happens because of mistakes or when staff bypass a clunky security protocol. Implementing a user-friendly encryption solution with definable policies that control which communications require encryption (and what delivery method to use) greatly reduces the risk of these inadvertent disclosures.
  • Simplifies compliance – These same definable policies simplify compliance processes and keep healthcare organizations on the right side of privacy regulations. This is useful since HIPAA fines are becoming substantial; in 2018, Anthem Insurance was fined $16M after a 2015 privacy breach.
  • Delivers a substantial return on investment – A recent Forrester Total Economic Impact™ study found that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can accelerate the adoption of digital document delivery, save $1 per paper document delivered digitally instead of through the postal system and accumulate a three-year cost savings of $1.5M. The same study indicated that organizations adopting Echoworx’s OneWorld encryption platform can expect a return on investment of 155% and a payback period of seven months. Get the full Forrester Total Economic Impact™ study of OneWorld now.

Healthcare organizations operating in the fax and paper world are using systems that are on borrowed time. There’s a better way and that starts with finding the right encryption solution to fuel your healthcare organization’s digital transformation.

Learn more about how encryption can help you get there.

By Steve Davis, Director Products, Echoworx

26 Jun 2019

Keeping Electronic Health Records Safe in Transit

Electronic health records aren’t stationary documents that remain protected behind a single wall of defence. They travel between healthcare organizations and third-party business associates frequently and each journey carries the risk of security breaches. Today we’ll talk about the type of personal data exchanged in healthcare and how encryption helps keep that data secure.

Personal data exchanged in healthcare

Electronic health records are a treasure trove of sensitive personal information including:

  • Medical history, medications and immunizations.
  • Diagnoses and treatment recommendations.
  • Lab reports including radiology images and test results.


To create a unified electronic health record takes collaboration between multiple parties. This means medical information—including colonoscopy test results—is in transit more than you think and probably more than you are comfortable with.

Electronic health records travel along various routes between these organizations:

  • Hospitals.
  • General practitioners.
  • Specialists.
  • Laboratories.
  • Clinics.
  • Insurance agencies.
  • Homecare agencies.
  • Third-party business associates including companies that process claims, administer benefits, transcribe medical reports, store and dispose of documents, etc.


The cost of unprotected digital patient records

Unprotected electronic health records—in transit and otherwise—are a costly disaster waiting to happen. The personal data found in patient records is valuable to nefarious agents—so valuable that breaches are common and costly in healthcare. And the more records that are breached, the more the breach costs. Data breaches cost on average $141 per breached record—except in healthcare where the average cost per breached record is $380.

As you saw from the list above, many organizations receive and send digital patient records as part of business processes. In the summer of 2018, for example, CarePartners, a homecare company and business associate of the Ontario government was hacked, and 80,000 patient records were affected. To add insult to injury, the hackers told the CBC that the data they stole wasn’t even encrypted!

Too many electronic health records are at risk because healthcare organizations are dealing with stagnant or declining IT budgets year-over-year. But deprioritizing cybersecurity is short-sighted because the average cost for a ransomware incident is $76,000 and the average hacking breach costs $2.4M.

But research indicates that implementing an organization-wide encryption solution is a cost-saving initiative. For example, the Ponemon Institute’s 2017 Cost of Data Breach Study suggests that the top three factors that reduce the potential cost of data breaches are having an incident response team, using encryption extensively and training employees. Additionally, a recent Total Economic Impact™ study conducted by Forrester Research revealed that organizations which adopt Echoworx’s OneWorld encryption platform can expect a return on investment of 155 per cent and a payback period of just seven months.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

How encryption protects electronic health records in transit

To protect the private data in digital patient records in transit, encryption is essential. We recommend implementing a flexible and user-friendly encryption solution – like Echoworx’s OneWorld platform which employs up to five secure encryption delivery methods.

Four ways encryption protects your electronic health records in transit:

  1. Multiple flexible delivery methods – Not every healthcare organization will have the same cybersecurity measures in place, so your encryption platform must be able to handle multiple business scenarios. These include Secure PDF (e.g., secure record delivery) and web portal access, TLS and encrypted attachments and support for S/MIME and PGP.

  2. Inbound encryption – When organizations accept inbound emails without encryption, the information is stored in clear text on their network or not accepted at all. Inbound encryption allows organizations to automatically reroute sensitive incoming data to an encrypted web portal.

  3. Secure Bulk Mail (SBM) – This functionality automates the process of emailing mass personalized documents securely. In 2017, the British National Health Service lost 900,000 patient letters—including test results from physicians—which might not have happened if an SBM solution was in place.

  4. Privacy by design – When your encryption platform includes definable policies to control which communications require encryption and how they’re sent, it relieves busy healthcare administrators of the burden of making security decisions while processing patient records. This encryption solution also means organizations stay compliant with regulations like the US’ Health Insurance Portability and Accountability Act (HIPAA), the US’ Health Information Technology for Economic and Clinical Health Act (HITECH) and the EU’s General Data Protection Regulation (GDPR).


Healthcare organizations have an obligation to protect sensitive patient information in electronic healthcare records in three scenarios: when the personal data is on their network, leaving their network and arriving at their network. When healthcare organizations implement a flexible and user-friendly encryption solution, they protect this personal data across all three scenarios. Isn’t it time for your healthcare organization to get encrypted?

By Alex Loo, VP Operations, Echoworx

14 Jun 2019

Thinking Inside the Box: Addressing Internal Cyber Vulnerabilities

In cybersecurity, it’s easy to become obsessed over external malicious factors and lose sight of the whole picture which includes internal vulnerabilities. When it comes to cybersecurity, the best defense includes shoring up your internal defenses because many critical vulnerabilities are too close to home for comfort.

What is an internal cyber vulnerability?

A vulnerability is a flaw in a system that exposes the system to risk of attack. In cybersecurity, these vulnerabilities can be related to the computer systems and processes and procedures you use. While you may know famous software vulnerabilities like Heartbleed and WannaCry, internal vulnerabilities can be much more mundane. For example, someone leaving the default password on a router or assuming your employees know how to recognize spear phishing attacks can lead to a lot of heartache for a chief information security officer.

As they say in sports, “The best defense is a good offense.” In this case, a good offense includes taking a proactive approach to identifying and fixing vulnerabilities, which we’ll cover next.

How to identify cyber vulnerabilities in enterprise-level organizations

Before you can identify cyber vulnerabilities, you must have a clear idea of your organizational assets, including intellectual property. Frédéric Virmont, a seasoned cybersecurity expert, says, “You have to identify what’s critical for the business: servers, applications, everything. Once you identify those critical assets, then you can make a plan to secure them and ensure they’re maintained with security patches.”

After identifying your critical business assets, you can expose and triage any vulnerabilities through various security tools—and then patch them up.

Put staff on your list of organizational assets too, since cyber vulnerabilities include accidental and intentional insider attacks by employees.

Six ways to reduce internal cyber vulnerabilities with pre-emptive measures

1) Encrypt data and communications – Protect your data while it’s in transit and at rest with a user-friendly encryption solution. Billions of emails are sent every day and without encryption each one represents a security risk. And in 2018, 4.8 billion records were stolen during breaches and less than three per cent of those records were encrypted.

2) Teach employees about cybersecurity – A recent PwC report in the US found that 32 percent of respondents consider insider threats more costly and damaging than external incidents. Because employees are on the frontline of cybersecurity, it’s essential to educate them about the importance of using security programs and processes and how to identify and report suspicious incidents. Cybercrime is increasingly sophisticated—especially social engineering and spear phishing—which is why regular and effective cybersecurity training is necessary for all staff.

3) Beef up your security policies – Make sure your policies support your security efforts. Some of the best practices include:

  • Limiting user access through assigning appropriate permissions to non-IT employees
  • Setting appropriate guidelines for creating strong passwords or enforcing two-factor authentication
  • Limiting Internet usage by defining or controlling what type of content can be viewed
  • Defining file storage locations for employees and denying usage of USB drives or personal cloud storage
  • Choosing policy-based encryption with flexible delivery methods for communications
  • Effective vetting of third-party vendors


4) Have an up-to-date disaster recovery plan – A disaster recovery plan allows all staff to act swiftly—using prepared strategy—when disaster strikes. This way, organizational efforts can go towards closing the vulnerability and monitoring it, rather than trying to figure out what to do in the middle of a crisis.

5) Don’t migrate vulnerabilities to the cloud – While there are many benefits to offloading on-premise servers and applications to the cloud, organizations must avoid bringing along existing vulnerabilities with them. Implementing security tools prior to cloud migration is essential.

6) Communicate effectively with the board – Since they may not always understand the technical assets, many boards shy away from cybersecurity risk management. Instead of communicating about tech specs, talk to the board about the cost of not implementing security measures, return on investment trends and reputation management with clients. Raphael Narezzi suggests talking to the board of directors like this, “It can be a cost today, but I guarantee you, the scenario we see when a board acts before an event, is a completely different scenario than when they don’t act at all.”

The benefits of closing internal vulnerabilities

Closing internal vulnerabilities takes time, resources and expertise and is now part of the cost of doing business. But there are benefits. As mentioned above, data security results in customer-centric benefits such as building reputation and digital trust and helps pave the way for competitive differentiators.

There is also a solid return on investment. A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization can expect a seven-month payback period and slash $2.7M off their bottom line by employing our flexible OneWorld encryption solution. Get the full Forrester Total Economic Impact™ study of OneWorld now.

With so much at risk, isn’t it time to shore up your vulnerabilities?

At Echoworx, encryption is all we do. Our OneWorld encryption platform and cloud security services are a natural extension to existing security programs and offer a wide range of flexible options for secure message delivery. You can learn more about the ROI of Echoworx OneWorld encryption here.

By: Randy Yu, Senior Manager Technical Operations & Support, Echoworx

21 May 2019

The Wireless Government: Why a Digital Government is a Better Government

From large conglomeratic banking institutions to massive global shipping firms, the world’s ‘upload to all-things-digital’ continues at breakneck pace. And so does the patchwork list of regional, national and even international privacy regulations dictating who can do business in this brave new digital world, and how, continue to grow. But are governments at risk of slipping behind the very regulations they aim to impose on their business communities?

As American poet Walt Whitman lamented over a century ago: “That powerful play goes on, and you may contribute a verse.” The same can be said to those who run legacy government infrastructure: it is time to (finally) take their processes into the 21st Century. And, as our planet continues its perpetual rotations around the sun, the digital world will continue to grow – with or without them.

So how does a government upload its tangle of ministries, services and legislature into a wireless world?

Making digital a priority

From large digital initiatives, like the UK National Health Service (NHS)’s blanket ban of fax machines, announced in early-2019, which affects 1.2 million people, to even more ambitious total uploads of government services, like the Government of Ontario’s digital first strategy, outlined in the Canadian province’s 2019 Budget, governments are beginning to take note of the importance of digital communication. Not only is going digital environmentally friendly, but the resulting systems are streamlined, instantaneous and competitive.

And, with digital adoption, comes the need to communicate securely. From complex back-and-forth procurement agreements with vendors to sensitive citizen services, like sending health records between hospitals, encryption plays an important role at every level of a digital government. At Echoworx, we facilitate seamless transitions from cumbersome paper communications to paperless solutions.

Here’s how enterprise organizations are uploading legacy systems to the cloud.

The challenges of a digital government

Unlike the nimble tech start-ups we have become used to, most governments are the product of decades – even centuries – of incoming politicians, revolutions, legislature and mountains of paperwork carefully wrapped in layers of red tape. In other words, they are hardly the right environment for the fast-moving, sweeping changes necessary for digital innovation. Combine that with a contemporary customer-centric digital business model, which balances an excellent user experience with airtight, secure, data-protecting algorithms, and you have a true bureaucratic headache on your hands.

Working with third-party providers, like Echoworx, can help mitigate the workload of uploading an existing paper-based system online. From helping banks send millions of e-statements per day to something as simple as adding branding and language options to a secure communication, for example, third-party providers are experts at what they do and offer seamless access to existing digital infrastructure.

Here are some advantages of third-party email security systems.

A new type of government

When a customer enters a coffee shop, they are prompted to join a queue to either place an order with a smiling barista or pick up an order they placed via a mobile device. While in line, this customer is presented with an array of colour, branding and, most important, impulse buys or add-ons shown as tantalizing options through display case glass – just out of reach.

This coffeeshop model of greeting, presenting and selling to customers is a form of client stewardship beginning to permeate into banks, financial services and even insurance organizations. The cold professionalism of yesteryear is rapidly being replaced by a more fun, inviting and open model which puts the customer at ease and, most importantly, puts them first.

For government services, the goal needs to be the same – offering seamless digital services which add a warm pulse to sometimes cold mundane processes. And this inviting environment starts with opting out of soulless white envelopes for the more engaging and instantaneous world of encrypted digital communications.

Take the mass encrypted messaging capabilities of Echoworx OneWorld, for example. Using OneWorld’s ‘Secure Bulk Mail’ delivery option, senders can deliver encrypted, branded and personalized communications to massive lists of recipients at the click of a mouse. In addition to leveraging the monetary savings of going paperless, Secure Bulk Mail offers senders options to track the status of their messages – which is especially important to government departments and ministries who need to send out mass messages to concerned or affected citizens.

See Echoworx’s full array of secure flexible delivery methods.

Going digital keeps the treasury happy

Like in the business world, a government is always keeping an eye on its bottom line. But, while a business may experience ups and downs, answering to its board or shareholders, a government ultimately answers to its citizens – who vote during elections. In addition to streamlining services and enabling simpler secure dialogue with constituents, a digital government also has additional cost-mitigating factors to consider.

For example, according to a recent Total Economic Impact™ (TEI) study conducted by Forrester Research, the average enterprise-level organization, such as a government, can expect cost-mitigating benefits valued at up to $2.7M. And, given an average $1 cost-per-page associated with sending communications via traditional snail mail, a government has the potential to save approximately $1.5M over a three-year period.

But the best part? With an average payback period of about seven months, a government can adopt OneWorld, a fully flexible, user-friendly and robust enterprise-level encryption solution and get their money back before election time!

See the full TEI study of OneWorld by Forrester Research here.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

24 Feb 2019
What's Your Post-Brexit Plan

Privacy in a Post-GDPR Britain: What’s Your Brexit Plan?

Deal or no deal – Britain is heading for a Brexit. And, while some Britons stockpile everything from pasta to clothing to cat food, British companies are bracing themselves for a digital void of uncertainty. But with the right proactive cybersecurity measures in-place and a little planning, there is no reason for a UK business to be lost at cyber-sea!

Here are some points to consider when constructing your Brexit plan:

  1. The General Data Protection Regulation (GDPR) is not a law

    As its name suggests, the GDPR is not a law – but a regulation. While the GDPR does apply to all member states of the European Economic Area of the European Union, each country is free to interpret the regulation as they see fit. In Denmark, for example, a stricter interpretation of the GDPR has led to mandatory encryption laws being applied to Danish data. As a rule: Be sure to read up on the local GDPR-inspired laws for any EU regions you operate in.

  2. Third-country – not third-class

    Since they all fall under the GDPR, and must theoretically comply with the privacy regulation, organizations operating out of member states of the EEA are free to exchange information across EU borders. But, while so-called ‘Third-Countries,’ referring to nations outside EEA borders, are not likewise given a free pass, they can exchange data once they are vetted as having adequate data protection laws and practices.

    See how Canada is changing its laws to be more GDPR-friendly.

  3. The UK just might be OK

    By the time the Brexit break is made official, Britain will have been under the GDPR for nearly a year. Among other things, this means their Data Protection Act 2018, if left intact, should theoretically comply with GDPR demands. But special attention must be paid to mirror any subsequent changes to the GDPR – if Denmark’s mandatory encryption laws were to be adopted by other EU nations, for example.

  4. The GDPR is out of UK control

    A post-Brexit Britain no longer has a seat at the EU negotiating table – including for any matters related to the GDPR. This means that, if your British organization is going to do business on the Continent, preparing for unanticipated decisions might be your best course of action. Having proactive data protection features in place, such as end-to-end encryption, can help you navigate any sudden changes.

    See how the NHS is beginning to ramp up their digital defenses.

  5. You can’t hide from the GDPR

    Even after Brexit, countless citizens of EU nations are going to continue working in Britain. In addition to covering nations within the EEA, the GDPR also covers the citizens of those nations – regardless of where they reside. If a Belgian national living in London, for example, provides personal information to your British organization, their data is protected by the GDPR.

    Learn more about the GDPR.

  6. It’s not just about you

    If you intend to navigate the GDPR and continue doing business within the EEA from Britain, you need to consider who you are working with in the UK. Under GDPR regulations, any third parties working alongside your organization who might be handling EU personal data must also be compliant. Before establishing or continuing a third-party relationship post-Brexit, look for cybersecurity audit certifications – here’s why they are important.

Your Post-Brexit Plan:

While the UK continues to battle, outline and hash out its Brexit plan, there are ways your organization can help weather the storm. In addition to adopting proactive data protection policies, like encryption, your organization should consider having a backup plan. Echoworx, for example, has data centres in Ireland and Germany, which allows our clients to securely send GDPR-compliant messages within the EEA.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

15 Feb 2019

Got Danish Data? Email Encryption is Now Mandatory in Denmark

To encrypt or not to encrypt: that is no longer the question in Denmark – where new interpretations of the General Data Protection Regulation (GDPR) are making encryption history. As of January 1, 2019, all organizations working in any capacity with Denmark must now apply acceptable encryption when communicating sensitive data.

Why Denmark?

While the GDPR does apply to all EU members and their citizens, regardless of where they reside, each country has unique interpretations of the specific parts of the regulation. In the case of Denmark, a more literal definition of Section 9 of the GDPR, addressing the ‘processing of special categories of personal data,’ has been adopted. As a result, any sensitive data in transit falling under Danish jurisdiction needs to be protected – meaning mandatory email encryption.

What does this mean for Danish business?

Any organization conducting business in Denmark or involving Danish citizens, including in a third-party capacity, must protect personal data with either secure TLS or end-to-end encryption. But how you employ data protection measures is also important. Opportunistic TLS, for example, where a connection that cannot negotiate TLS falls back to clear text, does not offer adequate protection. Organizations that fail to abide by the new rules can face sanctions or, worse, crushing fines in the aftermath of a breach. This new GDPR development is expected to spur similar measures in other EU countries.

Learn more about encryption delivery methods.

What measures can an organization take?

Since the GDPR came into effect last May, the message from Europe has been clear and simple: Protect personal data or do business elsewhere. And, by adopting proactive privacy-by-design policies, using the GDPR as a baseline, an organization can ensure it is compliant in the EU and anywhere else where similar privacy policies exist. Therefore, this newest Danish development should be viewed as a competitive advantage – not a hindrance.

While a closed system theoretically might work for Danish companies who interact solely with Danes, this mindset can cause compatibility problems the second business is conducted abroad. A flexible secure message platform can help avoid compatibility issues and maintain compliance.

Learn more about the flexible features of Echoworx’s OneWorld encryption platform.

By Christian Peel, VP Engineering, Echoworx

18 Jan 2019
Protecting sensitive incoming data

Inbound Encryption: The Why and How

While your organization has systems in place to encrypt outgoing emails, what happens when you receive an email that contains sensitive information? If it’s not already encrypted, do you refuse to accept it? Does it get caught in your compliance filters? If so, what message are you sending by not receiving?

What is inbound encryption?

Inbound encryption is the process by which emails containing sensitive information, such as credit card numbers, are encrypted before they are stored in an organization’s mail servers. Inbound encryption filters scan all emails against a set of established rules, looking at content and attachments, as well as recipients.

Why is inbound encryption needed?

PCI requirements state that emails containing cardholder data must be encrypted during transmission across open, public networks, and that cardholder data must be protected while it is stored. This means that sensitive or personal information such as credit card numbers cannot be saved on your network without being encrypted.

For example, you might run a large retail organization to which customers are sending email queries containing sensitive data – like credit card information. In order to comply with PCI legislation, your email filtering system might be set up to block or delete these types of emails. This, in turn, might lead to customer dissatisfaction as their emails go unanswered – leading to lost business and unintended brand damage.

How does inbound encryption work?

Using a Secure PDF delivery system allows organizations to minimize their PCI risk. Instead of doing the encryption themselves, they employ a third-party service which provides on-the-fly email encryption, triggered by automated policies on a PCI-certified platform. When messages containing sensitive information arrive encrypted and secure, they are less likely to be blocked by existing email filtering services.

Any incoming emails that trigger an encryption policy are automatically encrypted within a Secure PDF, along with any attachments, before being delivered directly to a recipient’s inbox. Upon receiving the email, the recipient simply downloads the encrypted attachments and enters a self-registered passphrase to authenticate, open and read the contents.
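The rule-based scan described above, as an added example that is not from the original post: a Python inbound policy check that walks every text part of a constructed customer email, attachments included, and fires when a Luhn-valid card number is found. The function names, the sample addresses and the test card number are assumptions made for this example.

```python
"""Inbound encryption policy check (added example): scan an incoming email's body
and text attachments for card numbers and report whether the policy should fire."""
import re
from email import message_from_string
from email.message import EmailMessage
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which separates real PANs from order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def evaluate_inbound_policy(raw_message: str) -> Tuple[bool, List[str]]:
    """Walk every MIME part (body and attachments), decode the text ones, and return
    (must_encrypt, ["part name: masked PAN", ...]). Binary attachments such as PDFs
    would need their own text extraction; this example scans text/* parts only."""
    msg = message_from_string(raw_message)
    hits: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        payload = part.get_payload(decode=True).decode(charset, "replace")
        name = part.get_filename() or part.get_content_type()
        for pan in find_pans(payload):
            hits.append(f"{name}: {'*' * (len(pan) - 4)}{pan[-4:]}")  # never log the full PAN
    return bool(hits), hits


def build_sample_message() -> str:
    """Constructed customer query carrying a well-known test card number in a note."""
    msg = EmailMessage()
    msg["From"] = "customer@example.net"
    msg["To"] = "support@retailer.example"
    msg["Subject"] = "Refund request, order 98765432101"
    msg.set_content("Hi, my order never arrived. Card details are in the attached note.")
    msg.add_attachment("Please refund to 4111 1111 1111 1111, thanks.", filename="note.txt")
    return msg.as_string()


if __name__ == "__main__":
    print(evaluate_inbound_policy(build_sample_message()))
```

The order number in the subject line is eleven digits and fails both the length and Luhn checks, so only the attachment triggers the policy.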

What to look for in an effective inbound encryption solution

Providing a secure encryption option for all inbound email doesn’t have to be complicated. Using a Secure PDF delivery system not only guarantees secure storage of sensitive information, it also ensures that your organization will comply with privacy regulations and data security standards.

Learn more about inbound encryption with Echoworx OneWorld.

In addition to Secure PDF delivery, any encryption solution worth its salt needs to offer additional secure delivery methods, from Web Portal, to Secure Attachments, S/MIME/PGP and TLS. Although replies and any additional dialogue may be performed via built-in Secure Reply features, your employees might also exercise additional options to communicate securely with their clients.

Learn more about Echoworx OneWorld secure encryption delivery methods.

By Derek Christiansen, Engagement Manager, Echoworx

09 Nov 2018
Get ready for PIPEDA

Are You Prepared for Canada’s Mandatory Breach Reporting Law?

With the introduction of new rules under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), saying sorry for a data breach is no longer good enough. As of November 2018, all data breaches involving Canadian data of a personal nature must be reported and affected parties must be notified.

But who does PIPEDA apply to?

PIPEDA is Canada’s federal privacy law for private-sector organizations. In a nutshell, this law applies to all personal data collected, used or disclosed in the course of commercial activity when doing business with Canada. Under the new data breach rules, if any of this personal data is leaked, a report must be filed with the Office of the Privacy Commissioner of Canada, a record of the breach must be created, and all individuals affected by the breach need to be notified that their information has been compromised.

Following Europe’s privacy protective lead

The updates to PIPEDA come on the heels of the European Union’s GDPR – which launched last May. While existing Canadian data privacy protection practices do satisfy current GDPR demands, these additional rules serve as a proactive reassurance as European rules continue to harden over the next few years. They are also designed to help keep Canadian businesses competitive in Europe – and avoid massive fines.

And these new changes to PIPEDA don’t come without teeth!

In addition to brand damage, and the potential for lawsuits, violations of PIPEDA now carry serious fines of up to $100,000. While not as high as the devastating multi-million-dollar fines of the GDPR, the penalties are high enough to enforce compliance.

So how do you stay compliant?

Adequate protection of sensitive personal data is easier said than done – often requiring a multi-pronged approach. In order to comply with new PIPEDA rules, you need to take proactive steps to help prevent a breach from occurring in the first place – this includes protecting data leaving your system. And encryption of sensitive data is a key indicator demonstrating that information has been adequately protected under any privacy regulation or law.

Here are 10 ways you can secure sensitive data in transit.

By Alex Loo, VP of Operations at Echoworx

13 Sep 2018
What is a Chief Data Officer

What is a Chief Data Officer?

We live in a post-privacy age.

Our location can be pinpointed with GPS. Our photos and itineraries are known to the world, through our smartphones connected to the internet. We post our most intimate thoughts and opinions to social media for all to see. We browse targeted advertising based on our Google searches and online buying habits.

Tom Goodwin, head of innovation at Zenith Media, argues that we welcome this loss of privacy because we enjoy the benefits it affords us… right up until a company fails to protect our data.[i] Then we are up in arms about the violation of our privacy. It is the stuff of public relations nightmares.

At Echoworx, our own research finds another data privacy conundrum: the transformative nature of personal data after a breach. People are willing to disclose quantitative data, under the assumption it is protected. This same data takes on embarrassing qualitative characteristics once it becomes public during a breach – leading to a fatal loss of customer trust.

How are businesses to navigate these contradictions? How can businesses offer people the benefits of the post-privacy age without making them feel they’ve surrendered something precious? How can businesses gain the confidence to securely protect sensitive data?

One solution is found in the growing importance of the Chief Data Officer.

Rise of the Chief Data Officer

The Chief Data Officer role was born during the 2008-09 financial crisis. In the aftermath, there was a clear need for a person who could ensure compliance with increased regulatory demands. More than ever in banking and finance, data and its reporting to regulators required greater scrutiny. For years, data had been an afterthought in most organizations. Had available data been managed effectively at the time, we might have had warning of the crisis, or been able to make a more complete recovery.

In the decade since, however, the role of the CDO has expanded and evolved as the era of Big Data dawned. Suddenly the value of data as an asset became clear. The CDO was needed to take charge of maximizing its value.

In 2012, the advisory firm NewVantage Partners began an annual survey of Fortune 1000 C-level executives. That first year, only 12% of firms had a CDO. By 2018, that number had risen to 63.4%. This trend looks set to continue. By some estimates, a Chief Data Officer will be considered a “mission-critical” role in up to 75% of large enterprises within the next 3-5 years. Even the Pentagon has hired its first CDO!

Why you need a Chief Data Officer

The CDO’s chief value today is as the point person for optimizing the vast amounts of data generated by today’s companies. He or she can extract value from it and foster innovation around Big Data and analytics. The CDO drives technology solutions, enhances cybersecurity and increases revenues. He or she works to eliminate data silos and redundancies. Technological change is managed to reduce the costs of “data wrangling” within a company.

The CDO plans and executes corporate strategy around emerging technologies such as artificial intelligence (AI), machine learning, and blockchain. The CDO also represents an agile solution to the fast-moving developments in regulation and data privacy for which traditional management may not be well suited. As technology evolves, so too does the CDO role.

Privacy vs value in a post-privacy world

Data is a double-edged sword. It holds tremendous value for corporations. It also demands careful stewardship of information entrusted to them and promises liabilities (both financial and reputational) in the event of a breach.

By bringing all data and related activity under the CDO, organizations can establish systems to ensure that all data gathered by, stored in, or shared within an organization is treated securely, ethically, and in compliance with local and international laws and regulations.[ii] Proper data management and careful application of security measures, such as enhanced encryption of sensitive data, can help reduce enterprise risk. These policies also allow companies to maximize value from the data they collect.

In this post-privacy era, corporations that interact with sensitive customer data must adapt if they want to be successful. If they focus on “serving people better” with explicit requests for permission, clear opt-ins, rigorous security and encryption, they can build a “value exchange over a lifetime” with customers. This is the kind of transformation that the CDO can bring to organizations. In this way, the CDO helps navigate the line between privacy and post-privacy in a connected world.

By Alex Loo, VP of Operations, Echoworx

___________

[i] https://www.thedrum.com/opinion/2018/07/17/tom-goodwin-making-the-most-post-privacy-world

[ii] https://aws.amazon.com/blogs/publicsector/the-rise-of-the-chief-data-officer-as-a-data-leader/