Email security has become an increasingly important issue since the recent developments concerning government security. When Edward Snowden revealed to the world the existence of the NSA program known as PRISM, he changed the way people view data and security forever. The NSA monitors phone calls and emails sent every day throughout the United States and the world. While this may seem like a broad issue better suited to a constitutional law class than to a small business, there are ramifications that business owners need to understand.
Many businesses fall under third-party regulatory groups that are concerned with the security of email and the content of the emails. For doctors it is HIPAA, for CPAs it is SSAE 16, and for lawyers it is their state bar association. These regulatory bodies are concerned with protecting the information and confidentiality associated with the relationship these businesses have with their clients. Business owners must decide what level of risk is acceptable for transmitting data between their company and third parties via email.
This past week two companies, Silent Circle and Lavabit, closed their doors. Each specialized in email security and anonymity. The methods for encryption and decryption used by these companies ensured not only that the data could not be intercepted and decrypted by third parties, but also that, even if the host companies were subpoenaed, they could not disclose anything because they did not have access to the data. Both companies closed this week and deleted customer data because they knew they could no longer protect the data and comply with government orders for disclosure.
Small businesses are trapped between the services they can afford and the ability of those services to provide security. Fighting government subpoenas is not cheap for hosting companies, so in order to remain competitive they are most likely going to comply with an order. Email that is free is likely not secure and is most likely being mined by the hosting company for marketing purposes. Email that is purchased monthly and comes with the proper documentation to show security compliance is most likely appropriate for a business concerned with security. However, in light of the recent security developments, it may be safe to say there is no email secure enough to transmit client information. If this is the case, secure portals are not only the future but a necessary tool for every business.
Secure portals will provide the end-to-end encryption necessary to protect client files from third-party interference. Clients are provided an access point with a unique identifier, such as an email address, and a password, which they use to log in to the portal and download the necessary documents or data from the business. Email may be reduced to simple messages similar to text messages.