Privacy Advisor

Secure Webmail 101: Communicating Securely with the Consumer Base

November 1, 2006

Steve Duncan

Ever since the noteworthy ChoicePoint data breach of 163,000 consumer account profiles last year, public concern for personal information privacy has been steadily growing. Companies have been scrambling to protect their online systems from hacking, and deploying laptop security solutions to help prevent a data breach in the event of device theft. Much attention has been paid to protecting consumers through stronger authentication and data security, but what about via email?

As we continue to learn about new breach incidents in the media, unauthorized access to customer information, intellectual property or other valuable information can potentially damage an organization's brand. Possible leakage via email should not be overlooked.

What Is an Email Breach?

An email breach can be defined as the unauthorized disclosure of information via email that compromises the security, confidentiality, or integrity of personally identifiable information such as name and address, Social Security number, date of birth, health care information, bank account information, credit card number, etc. Various privacy laws and industry guidelines such as HIPAA, CA-SB 1386 and the PCI Data Security Standard all contain requirements for protecting against such a breach.

How Can an Email Breach Occur?

When you think about what might constitute an email breach, what's the first thing that comes to mind?

If you're like most people, you might think about an employee accidentally sending out an email containing sensitive information about the company's customers or employees. In the blink of an eye, the company is faced with an unwanted disclosure affecting thousands of people. Or you might think about an employee hitting reply-all to a particular message instead of reply, thereby exposing sensitive information to a much wider audience than intended or permitted by corporate policy. You might ask, just how frequent are email errors made by an organization's own staff?

Frequent enough. According to The New York Sun (Oct. 11, 2006), just last month, a political staff member accidentally addressed an email containing a list of some of the party's top donors, along with their Social Security numbers, dates of birth, and race. As a result, it found its way into a Gmail Web-based email account and the media had a frenzy over why such information was being sent unprotected within email. As referenced by the Privacy Rights Clearinghouse (www.privacyrights.org), in July, the personal information of more than 8,000 of New York City's homeless was leaked accidentally in an email. In April, the University of South Carolina reported that the Social Security numbers of as many as 1,400 students were mistakenly emailed to classmates when an employee attached a database file to an email. And, back in February, Blue Cross Blue Shield of Florida experienced a breach when one of its contractors emailed names and Social Security numbers of approximately 27,000 current and former employees, vendors and contractors to his home computer, violating a company policy - just six months after the company experienced a similar disclosure via direct mail.

The Many Faces of Email Breach

When it comes to communicating electronically with consumers, there are many ways for a breach to occur. User error, as in the employee misuse cases described above, is not the only source of worry.

Combating Phishing Emails

Phishing is one of the most common ways in which hackers attempt to gain unauthorized access to online banking or other types of user accounts. The hacker sends a consumer a fake, 'spoofed' email that appears to be coming from the service provider (such as a bank), asking for the input of personal account information. The unassuming consumer may not realize the email has not actually been sent from his or her bank. In this case, it's not the user who provides the threat of breach, but rather, the hacker. The bank needs a mutual way of sending a secured email to the consumer to convince him or her of the bank's integrity, as well as a way for the consumer to securely reply back to the bank. But how can the bank do this when it doesn't know what kind of email application the user has installed on his or her home PC, or whether the application will be able to accept encrypted emails? The bank certainly doesn't want to have to train the user to install and manage a personal digital certificate to decrypt, read and reply to emails from the bank. Though this method of "one-off" email encryption has been around for a long time, it has really only been adopted by the most technical email users, such as consultants and those working directly in the IT field.

Protecting Against the Unsolicited Sensitive Customer Request

Many retailers offer online shopping services with a proper shopping cart transaction system protected via Secure Sockets Layer (SSL) security, so credit card data is encrypted as it is submitted by customers for processing. However, what about protecting against consumers voluntarily emailing the customer support team with specific requests pertaining to account details, or worse yet, submitting an order manually and sending credit card data in an unprotected email? Consumers likely have encountered several Web sites with an infamous disclaimer posted saying things like the following: "Please do not include any confidential information in your message (such as account numbers or credit card numbers)," or "No messages containing requests about your personal account information will be dealt with via email." However, experience shows that it's inevitable that customers will send emails containing this sensitive data. By offering users a secure way to send and receive email communications, organizations will be encouraging customers to do business in the way they feel most comfortable, while putting an automatic measure in place to protect the company's brand from a potential leakage. Secure email can give customers choice, without compromising their security.

The Value of Protecting Emails for Consumers

Consumers are not restricted to one particular email technology, application, or even Web browser. Not wanting to force users to download and install any specific applications, institutions that need to communicate securely with their consumers are usually limited to direct mail, which is not only costly, but also slow and one-directional. Consumers are demanding real-time service, and enabling electronic communication with them provides the best solution, but at what potential cost to the organization?

Secured email can provide not only peace of mind for privacy protection, but also productivity enhancement, by enabling organizations to move more sensitive and higher value transactions online, as well as enabling electronic delivery of regular communications with customers (such as billing and account statements, insurance claims and application processing documents).

Messages that were previously limited to more traditional methods of communication, because of concerns about information security, can now be moved online with a similar level of assurance of confidentiality as before. However, in order to take advantage of the benefits of online communication with consumers, security and trust are essential.

Consumer Email Security Gaining Momentum

The "lowest common denominator" of online consumer security is SSL-protected Web sites. SSL security is often verified by a site seal placed prominently in view on the service provider's Web site to let consumers know the site can be trusted for secure transaction processing. Though all providers of credible online services such as banks and retailers have SSL security deployed on their Web sites, not many offer secure email. But that is changing. Citibank, plagued by the threat of phishing, has risen to the security challenge by offering its registered users an online secure mailbox which they can utilize to communicate with the bank. As part of Citibank's online security practices described on its Web site (web.da-us.citibank.com), Citibank will notify users by email when there is a message waiting for them in the online inbox, and the email sent can be verified using something they refer to as the "Email Security Zone" containing the user's first and last name, and the last four digits of their ATM/debit card.

Protecting Email for Your Consumer Base: Secure Webmail to the Rescue

Powered by a gateway or boundary email server placed at the edge of a company's network, email messages coming from a typical enterprise mail client, such as Microsoft Outlook, can now be encrypted for mass consumer users, without knowing what kind of email application they are using to access their messages. This can be achieved using a boundary email security solution that supports secure Web-enabled mail delivery.

Boundary Email Security

Boundary email security solutions are easier to install and manage since they do not require that client software be installed on user desktops. Senders need not worry about manually choosing to encrypt or not encrypt a message for a particular user, as the server does that for them. When setting up the boundary solution, the company can set policies for encrypting messages automatically before they leave the corporate network, such as "encrypt all messages," or "encrypt all messages going to a certain type of domain," or "encrypt all messages coming from a particular set of users." This automation means an organization doesn't have to worry about a potential email disclosure of sensitive information because all messages will be encrypted without relying on users to take any specific action.

Secure Web-enabled systems use SSL-based protocols in the delivery of secured messages. There are two primary models for secure Web mail message delivery - pull and push. Within pull models, a notification message, along with a URL, is sent to the recipient to pull the user back to a Web portal where a secure inbox is displayed. The recipient can then view the secured message using a common browser authenticated via an SSL session. According to Gartner, "Secure email solutions using a 'pull' approach are best for business-to-consumer (B2C) communications." (Gartner "Differentiators of Leading Secure E-Mail Architectures", Eric Ouellet, Feb. 28, 2006) Within push models, a secured message is delivered to a recipient, pushed as an attachment along with executable code, for users to decrypt and display the message directly in their Web browsers. Decryption keys for the push methodology are managed by the sending organization and delivered to recipients through an authenticated SSL connection.

A good boundary email solution is one that enables flexibility in the delivery of encrypted messages. It will do the heavy lifting for the sender, by determining which delivery format is required for each particular recipient, based on their domain, and deliver it accordingly - in other words, users of Web-based email services such as Hotmail and Yahoo! will be pushed or pulled to access secure messages via the Web-enabled delivery method, while users with mail clients that support traditional encrypted email formats such as S/MIME or PGP will be able to read and reply to the messages within their existing mail clients. This integration with pre-existing email security systems such as those driven by Public Key Infrastructure solutions, and transparency to users, are both critical factors for a successful secure email deployment.
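
The policy rules and per-recipient delivery choice described in this section can be expressed as follows. This is an added example, not code from the article or from any vendor's product; the domain names, the `Policy` fields and the `CLIENT_FORMATS` table are constructed assumptions, and unknown domains default to the pull model.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumption): domains whose mail clients are known
# to accept a traditional encrypted format. Everything else gets Web delivery.
CLIENT_FORMATS = {"partner-bank.example": "smime", "law-firm.example": "pgp"}

@dataclass
class Policy:
    encrypt_all: bool = False                             # "encrypt all messages"
    recipient_domains: set = field(default_factory=set)   # "a certain type of domain"
    senders: set = field(default_factory=set)             # "a particular set of users"

def domain_of(address):
    """Return the lower-cased domain, or None if the address is malformed."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep and local and domain else None

def must_encrypt(policy, sender, rcpt_domain):
    """Apply the three rule types; the sending user never has to choose."""
    return (policy.encrypt_all
            or rcpt_domain in policy.recipient_domains
            or sender.lower() in policy.senders)

def delivery_for(rcpt_domain):
    """Pick the format the recipient's domain can read; fall back to Web pull."""
    return CLIENT_FORMATS.get(rcpt_domain, "web-pull")

def route(policy, sender, recipients):
    """Decide per recipient, so one message can leave in several formats."""
    plan = {}
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom is None:
            plan[rcpt] = "reject"      # fail closed: never guess a destination
        elif must_encrypt(policy, sender, dom):
            plan[rcpt] = delivery_for(dom)
        else:
            plan[rcpt] = "plain"
    return plan

if __name__ == "__main__":
    policy = Policy(recipient_domains={"hotmail.com", "yahoo.com"},
                    senders={"claims@insurer.example"})
    print(route(policy, "agent@insurer.example",
                ["Alice@Hotmail.com", "bob@partner-bank.example", "broken"]))
    print(route(policy, "claims@insurer.example",
                ["bob@partner-bank.example", "dave@isp.example"]))
```

Because the decision is made per recipient at the gateway, a single outbound message can be delivered as S/MIME to one party and through the secure Web inbox to another.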

Who Can Benefit From Secure Web Mail?

Banks. Insurance Companies. Healthcare providers. Utilities such as gas, electric and water service providers. Telephone and cable companies. ISPs. The list is long and the possibilities are wide for how Secure Web-enabled mail for consumers can help transform the online world into one of trust as well as one of greater efficiency.

Sealing the Electronic Envelope: Things to Consider

So, if a company could benefit from communicating securely with its consumer base, boundary email security could be the answer. However, it's important to keep the following in mind. Email security has to be three things for users (and consumers, in particular) to adopt: easy to use, confidence-inspiring and rewarding. It should not require a user to make any more effort to send a secured email than is required to send a regular email, and the communication method itself should reassure the customer that the system is secure and can be trusted to protect his or her personal identity. Lastly, the process of sending and receiving secure emails with the service provider should offer the consumer some value or reward for doing so, be it time or cost savings from doing things online that the user would not have otherwise been able to do, such as file and submit an insurance claim or request changes to their monthly mortgage payments. Secure Web mail can open the door to a stronger customer relationship, and help close the door to fraud.


Steve Duncan is a Senior Product Manager with Entrust. With more than 20 years of experience in technology marketing and sales, Duncan is responsible for driving the Information Protection Security Solutions portfolio at Entrust. He and his team are focused on creating a well-integrated portfolio of solutions designed to protect customers' intellectual property and sensitive information. Duncan can be reached at +613.270.3406 or by email at steve.duncan@entrust.com.