ZixEncrypt

Kadin Via

Introduction

As you are aware, email has become the preferred method for corporate communication. However, email is not a private conversation; unencrypted email messages can be intercepted and read.

With the adoption of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), all communication containing Protected Health Information (PHI) and Personally Identifiable Information (PII) must be encrypted. To ensure the confidentiality of private information sent via email and to comply with HIPAA and FERPA privacy regulations, we are implementing a new email encryption service through Zix Corporation, the leader in email encryption services. This service helps us protect our customers’ sensitive information within our email communication.

For both our employees and our customers, Zix Corporation makes encrypted email communication easy. ZixCorp’s services allow us to send encrypted email messages to anyone, whether they are a ZixCorp customer or not.

Secure messaging is not just a Government mandate; it is a practical way to conduct business.

Sending Encrypted Email

ZixEncrypt provides email encryption that includes automated key management and delivery to anyone, anywhere through the Secure Message Center. ZixEncrypt makes it easy to securely send and receive confidential information. Encrypted messages are delivered using your existing email address. 

You send the encrypted emails right within Gmail!

 

Sending using keywords

Sending an encrypted email is as simple as adding a phrase or keyword to any email you want to encrypt.  Custom keywords and policies can be made upon request. 

 

Text in the Subject of an email is not encrypted. NEVER enter anything sensitive in the subject of an email. 

 

Keyword       Location  Receipt?
zixencrypt    Subject   yes
sbsencrypt    Subject   no
confidential  Subject   no

Some keywords are configured to provide read receipts when sending to anyone outside of SBS who is not also a Zix Customer. If you use a keyword that provides receipts, you will receive an email each time the recipient logs into the Secure Message Center and reads the message.

Read receipts only function for recipients that use the Secure Message Center. Recipients that are already Zix Customers will not be asked to use the Secure Message Center, so read receipts will not be sent.


Messages in the Secure Message Center are set to expire after 30 days. If you sent a message that you need to expire earlier than that, please open an urgent support ticket and give us the sent date, recipient email address, and sender email address.

Sending using policies

The ZixEncrypt system is also configured for automatic email encryption and data loss prevention. If you send sensitive data and forget to use the keyword, the system might detect the content in the message as sensitive and secure it for you. The system is currently configured to look for FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry), PII (Personally Identifiable Information), and SSN (Social Security Number) data. While it is a very mature and well-written filter, it should never be relied on in place of using a keyword to encrypt a message.

If the system detects this type of data in the content of the email or in a scannable attachment, it will automatically encrypt the message before sending it out. If the system detects this type of data in the subject of the email, it will reject the message, prevent it from being sent out, and email you explaining which policy it believes was violated. If you believe that a message was encrypted or rejected in error, please open a support ticket.
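The handling described above can be modelled as a small decision function, which is useful for checking what should happen to a message before you send it. This is an added illustration, not ZixEncrypt's own code or configuration: the SSN pattern, the case-insensitive keyword match, the choice to apply the subject policy before the keyword, and the sample addresses are all assumptions.

```python
import re
from dataclasses import dataclass

# Keyword table from this page: subject keyword -> read receipt requested?
KEYWORDS = {"zixencrypt": True, "sbsencrypt": False, "confidential": False}

# Simplified SSN pattern (an assumption; the real Zix filters are not shown on
# this page). Rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")

@dataclass
class Decision:
    action: str          # "reject", "encrypt" or "send_plain"
    reason: str
    read_receipt: bool = False

def route_outbound(subject, body, recipient, recipient_is_zix_customer=False):
    """Model the outbound handling described on this page for one recipient."""
    # Subject text is never encrypted, so sensitive data there is rejected.
    # Checking this before the keyword is an assumption about precedence.
    if SSN_RE.search(subject):
        return Decision("reject", "policy: SSN in subject")
    external = not recipient.lower().endswith("@sbs.org")
    # Receipts are only sent for recipients who use the Secure Message Center.
    uses_smc = external and not recipient_is_zix_customer
    for word in re.findall(r"[a-z]+", subject.lower()):
        if word in KEYWORDS:
            return Decision("encrypt", f"keyword: {word}", KEYWORDS[word] and uses_smc)
    if SSN_RE.search(body):
        return Decision("encrypt", "policy: SSN in body")
    return Decision("send_plain", "no keyword or policy match")

# Constructed sample messages (addresses and numbers are made up).
SAMPLES = [
    ("zixencrypt: enrollment form", "See attached.", "parent@example.com", False),
    ("zixencrypt: enrollment form", "See attached.", "nurse@example.org", True),
    ("Enrollment form", "Her SSN is 123-45-6789.", "parent@example.com", False),
    ("SSN 123-45-6789", "As requested.", "parent@example.com", False),
    ("Lunch menu", "Call 555-867-5309 with questions.", "parent@example.com", False),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", route_outbound(*sample))
```

The last sample shows why the pattern checks digit grouping: a ten-digit phone number does not trip the SSN policy, so the message goes out unencrypted unless a keyword is used.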

In the screenshot below, I sent an email with a Social Security Number in the Subject line and it was rejected by the ZixEncrypt system:

The following screenshot shows how the ZixEncrypt system detected a potential Social Security Number in the content of the message and automatically encrypted it even though I forgot to put in the special keyword:

Receiving Encrypted Email as an SBS Employee

Sending and receiving emails between SBS employees will be transparent. You will not notice anything, but your emails will be encrypted when sent to and from an @sbs.org address. If you are sent a message by a current Zix Customer or by someone using the Secure Message Center, the message will be delivered to your inbox with a blue banner, as in this screenshot:

Receiving Encrypted Email as a Third Party

Recipients that are not currently Zix Customers will get an email alerting them that a message is waiting in the Secure Message Center. The following example shows what an end-user such as a parent or student would experience.

In this scenario, I sent an email from my SBS account (devin.defrisco@sbs.org) to a third party account (devin@ihprint.com). 

The third party (devin@ihprint.com) received a message explaining that there is a secure email waiting for them:

Upon clicking the Open Message button, they are either taken to the registration screen if this is their first time: 

or the login screen if they have been here before:

After logging in or registering they can view, reply, forward, or delete the message: 

The Secure Message Center allows anyone to compose a securely encrypted email to any SBS account. While you can always initiate the exchange by sending an email requesting information, if you are on the phone or sending a fax or letter in the mail, you can provide instructions for any third party to sign up for an account to email you in a secure manner.

 

What is Personally Identifiable Information (PII)?

The term “personally identifiable information” refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Examples of PII include, but are not limited to:

  • Name
    • full name
    • maiden name
    • mother’s maiden name
    • alias
  • Personal identification numbers
    • social security number (SSN)
    • passport number
    • driver’s license number
    • taxpayer identification number
    • patient identification number
    • financial account number
    • credit card number
  • Personal address information
    • street address
    • email address
  • Personal telephone numbers
  • Personal characteristics
    • photographic images (particularly of face or other identifying characteristics)
    • fingerprints
    • handwriting
  • Biometric data
    • retina scans
    • voice signatures
    • facial geometry
  • Information identifying personally owned property
    • VIN number
    • title number
  • Asset information
    • Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

The following examples on their own do not constitute PII as more than one person could share these traits. However, when linked or linkable to one of the above examples, the following could be used to identify a specific person:

  • Date of birth
  • Place of birth
  • Business telephone number
  • Business mailing or email address
  • Race
  • Religion
  • Geographical indicators
  • Employment information
  • Medical information (Medical information may be subject to additional HIPAA requirements)
  • Education information (Education information may be subject to additional FERPA requirements)
  • Financial information