Sending sensitive data over email

A colleague of mine asked me about sending sensitive information (personally identifiable information or PII) over email. As a CIO/CTO for 15 years I often get these types of requests. I like these better than being asked to fix the projector at a board meeting.

Instead of just telling him that it needs to be encrypted, I was tempted to send him the “Let me google that for you” link.

But I found that the answer was not clear enough with a quick search. So I decided to do some quick research on what came up.

The consensus is that it is not safe to send emails with sensitive information. To be considered safe for FERPA, HIPAA, or PCI, email must be encrypted in transit over HTTPS and at rest on the servers and computers the email traverses. Take it from Lifehacker:

Don’t send your sensitive documents over email. It may seem private, but even if you’re using an email account that uploads attachments over a more secure HTTPS connection, like Gmail, you have no control over your recipient’s server…

Lifehacker.com

and Seth Rosenblatt on The Parallax:

Standard email indeed isn’t safe for sending high-value personal information such as credit card or passport numbers, according to security experts such as Robert Hansen, CEO of intelligence and analysis firm OutsideIntel, now part of Bit Discovery.

https://the-parallax.com/2019/07/03/securely-send-pii/

The problem is, even if you have an email service that says it is secure – both in transit and at rest – you may not know about your recipient. If you are in a corporate system where everyone is using the same email system, or you email a person with the same provider as you, it is possible to have secure email encryption because the system can control the security (with S/MIME, for example).

So if you want your email data to be encrypted and secure, your choices are to send the emails within a closed system, or to use a tool to encrypt emails going to a party on another system and give that party the password or key to decrypt on their end.

Getting an email address and provider that is secure is the first option. These solutions let you put a password on an email when sending to someone not on the system. Make Tech Easier has a great up-to-date list of providers. I like Proton Mail. It’s hosted in Switzerland, a country with great privacy protections (and the data center is 1000m under a mountain). It has a focused interface that lets you add a password for an encrypted email to those recipients not on this service.

The other option is to encrypt the file separately and just send it in regular email. I found 3 methods that mere mortals could use with tools they may already have:

  • Microsoft OneDrive: Add a password to encrypt the file in OneDrive and share the link to the file – for good measure add an expiration date to the link.
  • Adobe Acrobat Pro: Add a password to the PDF and send.
  • 7-zip, my favorite zipping program, allows a password to be added as part of the compression. This can be used to encrypt a bunch of files. This is free software. For developers wanting to send a lot of emails with encrypted files it has an SDK that may allow someone to automate encrypting the files, emailing them, then later sending the password.

Send the password separately by text, phone, or fax =-) for extra security.
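The 7-Zip workflow above, sketched as an added example that is not part of the original post. It drives the `7z` command-line tool rather than the SDK, and the function names, addresses and sample record are assumptions made for illustration.

```python
import secrets
import shutil
import subprocess
from email.message import EmailMessage
from pathlib import Path

# Letters and digits without look-alikes (no i/l/o/0/1), easy to read over the phone.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"

def new_passphrase(groups=5, size=4):
    """Random passphrase from the OS CSPRNG, grouped for reading aloud."""
    return "-".join("".join(secrets.choice(ALPHABET) for _ in range(size))
                    for _ in range(groups))

def seven_zip_argv(archive, files, passphrase, exe="7z"):
    """argv for an AES-256 .7z archive; -mhe=on also encrypts the file names."""
    return [exe, "a", "-t7z", "-mhe=on", f"-p{passphrase}", str(archive), *map(str, files)]

def encrypt(archive, files, passphrase):
    """Run 7-Zip. The passphrase is visible in the local process list while it runs."""
    exe = shutil.which("7z") or shutil.which("7za")
    if exe is None:
        raise FileNotFoundError("7-Zip command-line tool not found on PATH")
    subprocess.run(seven_zip_argv(archive, files, passphrase, exe),
                   check=True, stdout=subprocess.DEVNULL)
    return Path(archive)

def build_email(sender, recipient, archive_name, archive_bytes):
    """Message carrying only the encrypted archive; the passphrase never goes in it."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Encrypted documents"
    msg.set_content("The attached archive is encrypted. I will give you the passphrase by phone.")
    msg.add_attachment(archive_bytes, maintype="application",
                       subtype="x-7z-compressed", filename=archive_name)
    return msg

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        doc = Path(d, "record.txt")
        doc.write_text("constructed sample record\n")  # constructed sample input
        secret = new_passphrase()
        out = encrypt(Path(d, "record.7z"), [doc], secret)
        msg = build_email("me@example.org", "you@example.org", out.name, out.read_bytes())
        print(len(msg.as_bytes()), "byte message; share out of band:", secret)
```

Handing `msg` to your mail system and delivering the passphrase over a different channel are left to the caller, so the two never travel together.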

The bottom line: do not send sensitive information over email unless you take an extra step to encrypt it.

Comments 2

  • In a school environment where G-suite for education is used, it seems that it is secure for a school district to send emails with PII in either the email body or the attachments to students at the G-suite emails. Is this correct?

    • Yes, I should add Google to my 3 alternatives. Schools using Google Suite for Education get FERPA security for PII for emails they receive. Schools must do an extra step to add HIPAA compliance, but that is possible also. Google can also send confidential emails that are encrypted and also require dual factor authentication for sending to email systems that are not on Google Suite. That said, PII in email can still be forwarded easily (or by mistake) so it should be used with caution.
