Strategic Security: The Encryption Conundrum

Companies deploying end-to-end e-mail encryption often do so to meet state and federal regulations. Ironically, the encryption architecture may stymie administrators charged with enforcing security and policy compliance, which may lead to other legal risks.

As described in "Bolt Down Your E-Mail", an end-to-end e-mail encryption architecture places the encryption keys and functionality on the user's PC. This strategy may suit an organization with only a few users who deal with sensitive information. But the benefits of end-to-end encryption may be overshadowed by the risks associated with being unable to monitor these communications.

For instance, a user could employ the encryption system to facilitate the theft or transfer of trade secrets or other confidential information. End-to-end encryption also defeats content filtering and data leak-prevention systems designed to meet regulatory requirements.

A lesser known concern is an emerging legal standard regarding failure to enforce a monitoring policy--an obvious result if you can't read encrypted messages--which may lead to serious disadvantages in civil litigation.

Under certain circumstances, your company may be prohibited by a court from retrieving, for litigation purposes, the messages sent or received by a former employee in which she discussed legal matters concerning your company with her attorney. The "work product" doctrine and the attorney-client privilege (legal rules designed to protect the confidentiality of attorneys' files and their client communications, respectively), may kick in if you fail to enforce the "personal-use ban"--the common corporate policy restricting computer use to work purposes.A recent federal case set forth this exception to the general rule that employers have broad access to data on employees' computers. Lara Curto sent e-mail messages regarding her employer's alleged violation of a federal employment statute to her attorney using her AOL account from her company-issued laptop. Before leaving the company, she deleted copies of the relevant e-mails and files, but the employer retrieved them with the help of a forensic consultant. Because the employer had not regularly enforced the personal use ban, Curto's communications and files were protected, preventing the employer from viewing or using the e-mails and files in litigation.

The company had only enforced the personal-use ban in a handful of instances--with an employee suspected of gambling and another who was downloading pornography. The court said this wasn't enough to find that Curto had waived her attorney-client privilege. If she did have an expectation that the e-mails would be monitored, then her behavior--sending the e-mails from her AOL account on a company laptop--would have been found to be careless enough to destroy the privilege.

Keep in mind that end-to-end encryption doesn't require this loss of network traffic visibility. Many products provide backup keys that may let security or human resources personnel monitor encrypted e-mail. When evaluating encryption products and the security and legal risks that you are attempting to mitigate, make sure the ability to monitor is high on your list of requirements. The other way to address the issue, of course, is to choose an architecture that encrypts e-mail at the gateway rather than the desktop, which provides centralized monitoring capabilities.

The key to mitigating risks is identifying your e-mail priorities, whether it be regulatory compliance, usability or maintaining the ability to monitor communications. But neither the information security manager nor even the CIO can properly undertake this task alone. Your in-house general counsel or outsourced compliance specialists also should be at the table to help you apply the rapidly evolving standards imposed by information security and data privacy laws and regulations.