
Interview with William Tysiak

February 2007

Interviewee: William Tysiak, VP, Enterprise Sales, Echoworx Corporation

Interviewer: Terry McQuay, President of Nymity


Subject: Eliminating the Need for Breach Notification

Nymity: What is a privacy breach?

Tysiak: A privacy breach is a security breach that involves personal information. It is a disclosure of personal information without consent, which makes it a violation of privacy laws. Personal information is any information identifiable to an individual, including customers and employees. In fact, having inadequate safeguards that allow for the potential of a privacy breach is grounds for non-compliance with privacy laws.

Nymity:  Why are privacy breaches getting so much attention?

Tysiak: Privacy breaches are not new, but the attention they are now getting from the media is unprecedented and likely to continue. There are several factors contributing to increased media attention, including:

    • the growing awareness and fear of identity theft amongst the general public;
    • Privacy Commissioners' attention and investigations;
    • US and Canadian privacy laws that require breach notification; and
    • the calls for more laws requiring breach notification.

Nymity:  What is breach notification?

Tysiak: Breach notification is notice provided to individuals when there has been a breach, or potential breach, of the individual's personal information. It has been a legal requirement in the Ontario healthcare sector since the enactment of the Personal Health Information Protection Act (PHIPA) in 2004, and in the over 34 U.S. states that have enacted breach notification laws.

Currently Canada's privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is under parliamentary review, and many expect that PIPEDA will be amended to require breach notification. Also, Ontario's Privacy Commissioner, Dr. Ann Cavoukian, is calling for private-sector privacy laws in Ontario that will require breach notification.

Nymity:  So is the real problem breach notification?

Tysiak: No, the problem is the breach, but organizations can eliminate the need to notify individuals of their personal information being lost or stolen by encrypting the personal information. Encrypted information cannot be accessed or used by unintended third parties. Therefore, if encrypted information is lost or stolen, there is no need to contact the individuals or the commissioners' offices.

Breach notification is extremely costly to an organization, both in hard dollars to notify your customer/employee base and in the brand damage that goes along with such an admission. Therefore, it makes sense to take steps to mitigate privacy breaches.


Nymity: Should we be concerned about protecting the privacy of email?


Tysiak: Email has become one of the most important communications channels with almost 1.5 billion email addresses in the world and 6 trillion non-spam business email messages sent over the Internet in 2006 alone (according to Ferris Research).

Fifteen years ago, when businesses first started to communicate using email, IT staff warned of the dangers of email. Email travels from the sender to the receiver as a virtual postcard, and as email is stored and forwarded through the Internet, there is a real risk that someone other than the sender or the intended receiver can intercept and either read it or tamper with it. Client-solicitor privilege, fiduciary duties, legislated obligations and fear of general damage to a business’ reputation were all reasons originally cited for stopping the use of email before it even started. Convenience and responsiveness became justification enough to ignore the basic issue that email was inherently not private. The standard form disclaimer that we now see at the end of almost every business email became the solution to protecting the confidential nature of email communications.

Are disclaimers sufficient today? No. In the early days of email there was a commercially reasonable expectation that email would not be read by those not authorized to read it. That was then. Now email is read multiple times by filtering programs that test for viruses and spam. Law enforcement authorities are intercepting email, which means that email interception is a generally available capability for anyone interested in email content. We use email so much, and email contains such vast quantities of sensitive and private information, that intercepting email is a lucrative endeavour for hackers. The fact that large volumes of email can be collected, scanned, filtered, read and altered makes email an easier target for illegal interception than regular physical mail. Also, unlike regular mail, you would never know that your email has been copied and read.


Nymity: Why should we protect the privacy of email communications?


Tysiak: All businesses are starting to adopt measures to protect the privacy of email communications, either because of common sense, or because of privacy legislation and legislation that generally requires that they take “reasonable measures” to protect the privacy of third-party information and ensure the integrity and authenticity of corporate information. The Health Insurance Portability and Accountability Act (HIPAA) is an example of legislation that protects personal information sent amongst health care professionals. The Sarbanes-Oxley Act (SOX) governs the integrity of financial operations of publicly traded companies. The Gramm-Leach-Bliley Act (GLBA) requires that all financial institutions protect customer information. The California Security Breach Notification Act (SB 1386) requires disclosure when private personal information of a California resident has been compromised, except if the information was encrypted. Aside from legislation and the potential cost and inconvenience of notifying individuals whose private information is breached, doesn’t it just make sense to put email into virtual tamper-proof envelopes if it can be done easily and inexpensively?


Nymity: How should we protect the privacy of email communications?


Tysiak: Everyone should take positive steps to protect this vital communications channel. Lawyers, financial advisors, accountants, educators, health care providers and other professional advisors have ethical, legal and fiduciary duties to protect confidential information of their clients.

Encryption is the answer. Protecting files with passwords provides a level of protection, but is easily hacked and often inconvenient. Establishing the equivalent of VPN connections to allow the secure movement of email is not scalable. Catering to business partner requests to establish and administer multiple non-standard encryption systems quickly becomes prohibitively expensive.

Adopting an encryption mechanism based on standard PKI-based technology and designed with the mass market in mind is the most cost-effective and efficient option. PKI-based encryption products also give both the sender and recipient confidence that:

    • the email and its content can only be unlocked and read by the intended recipient;
    • the email was not altered en route to its destination; and
    • the sender was in fact the sender.

Nymity: How does PKI encryption work?


Tysiak: New PKI-based encryption products are now being offered by Internet service providers (ISPs), carriers and other large service providers that give everyone an easy and cost-efficient option of enclosing email in the digital equivalent of tamper-proof envelopes. Senders simply click “secure” in their compose screen before pressing “send”. The email is encrypted on the sender’s desktop so that only the intended recipient can open the message. The message is also “digitally signed” so that the recipient is assured as to the source of the mail. Even if the email is intercepted, the email cannot be read or altered.

Until recently, you had to understand the details of PKI to some degree, and had to buy and administer specialized hardware and software. In a PKI system, each subject user (or principal) is issued a digital certificate for the public key that is used to encrypt a message and/or verify a digital signature on a message; such a key is the public component of a public/private key-pair securely generated by the principal. Keys have to be generated, registered, backed up and lifecycle-managed (renewed, re-keyed, re-certified, revoked, etc.); and public keys have to be made available to everyone with whom you want to communicate.

Large ISPs (like Rogers) and technology and service providers (like IBM and Sun Microsystems, who operate PKI infrastructure on behalf of AT&T, Rogers, Verizon and other well-known carriers) now offer secure e-mail services targeting small and medium businesses, relieving them from the ongoing lifecycle and infrastructure costs of managing keys and certificates. (See: http://www.shoprogers.com/business/internet/secure.asp)


Nymity: In closing, how can Echoworx help organizations eliminate the need for breach notification?


Tysiak: Now that email encryption products are being made available to the mass market, we should no longer rely on the outdated excuse that encryption products are too complex and expensive to implement and are therefore not commercially reasonable to adopt. Encrypting the email also ensures that email users avoid the cost and inconvenience of legislated requirements of notifying affected individuals that a breach of their private information has occurred.

Next time you exchange email containing a draft statement of defense, litigation opinion, patient information, advice on deal negotiations or other sensitive or privileged information, consider whether it should be placed in the digital equivalent of a tamper-proof envelope. Encrypting email is no longer limited to rocket scientists.
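As an added illustration of the "tamper-proof envelope" described in the PKI answers above (this is example code written for this page, not software from Echoworx, Nymity or any provider named in the interview), the following Go program uses only the standard library to do, in miniature, what the "secure" button does: the sender signs the message with their private key, a one-time symmetric key encrypts the body, and that key is wrapped with the recipient's public key. Opening the envelope with the wrong private key, altering the ciphertext, or checking it against the wrong sender's public key all fail. The principal names, the sample message and the absence of certificates (a real PKI binds each public key to its owner with a certificate, which this example skips) are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the "tamper-proof envelope": the body is encrypted under a
// one-time AES-256-GCM key, that key is wrapped with the recipient's RSA
// public key, and the sender's RSA-PSS signature travels inside the
// encrypted body (sign-then-encrypt, as S/MIME does).
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP to the recipient
	Nonce      []byte // GCM nonce
	Ciphertext []byte // GCM ciphertext of signature || plaintext
}

// NewKeyPair generates the public/private key pair a principal would have
// certified by a PKI. 2048-bit RSA keeps the example quick.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal signs msg with the sender's private key and encrypts signature and
// message so that only the holder of recipientPub's private key can read it.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// Fresh symmetric key per message; RSA only ever wraps the key.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, sig...), msg...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open unwraps the key with the recipient's private key, decrypts the body
// and verifies the sender's signature. Tampering with the ciphertext fails
// GCM authentication; a wrong or forged sender fails PSS verification.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not the intended recipient: cannot unwrap message key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message was altered in transit")
	}
	sigLen := senderPub.Size() // a PSS signature is exactly one modulus long
	if len(payload) < sigLen {
		return nil, errors.New("malformed payload")
	}
	sig, msg := payload[:sigLen], payload[sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("sender could not be verified")
	}
	return msg, nil
}

func main() {
	alice, _ := NewKeyPair() // hypothetical sender
	bob, _ := NewKeyPair()   // hypothetical recipient
	env, err := Seal([]byte("Constructed sample: draft statement of defense attached."), alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	plain, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("opened by Bob: %q (err=%v)\n", plain, err)
	env.Ciphertext[0] ^= 0x01 // an interceptor flips one bit of the body
	_, err = Open(env, bob, &alice.PublicKey)
	fmt.Println("after tampering:", err)
}
```

The three bullet points the interview lists map directly onto the three failure paths in Open: the wrong recipient cannot unwrap the key, an altered body fails authentication, and a message not signed by the claimed sender fails verification.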

Echoworx is a leading provider of security software products for digital communications. Echoworx products are based on the industry-trusted standard PKI and S/MIME technologies for strong encryption and digital signatures. Echoworx Secure Mail service providers include: AT&T, BellSouth, IBM Canada, LogicaCMG, Rogers, Sun Microsystems, Tiscali, USA.NET, and Verizon. For more information visit www.echoworx.com.

William Tysiak
VP, Enterprise Sales
Echoworx Corporation
Office: 416-226-8613
Cell: 416-574-5960
Fax: 416-226-8629
tysiak@echoworx.com
www.echoworx.com

© 2003 - 2008 NYMITY