In the ever-evolving world of digital communication, protecting Non-Public Personal Information (NPI) remains a paramount concern for businesses. The Federal Trade Commission’s (FTC) revised Safeguards Rule (Rule) underscores the importance of secure information transit. In response, ComplyAuto has been hard at work creating innovative solutions to address these evolving challenges. We’ll spend some time discussing the Rule’s actual requirements as well as our newest solution that answers the question, “How do I deal with sending and receiving sensitive customer information?”
What is Encryption In-Transit?
The Rule requires financial institutions to encrypt NPI “in transit” over external networks. Encryption in transit refers to the practice of encrypting data while it is being transmitted over a network. When data is sent from one point to another, such as between a user’s device and a server, encryption in transit ensures that the data is protected from unauthorized access or interception during its journey. This is commonly achieved by using protocols like Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt the data while it’s in transit. The good news is that almost all enterprise email accounts will have this enabled by default, and it’s usually free. Indeed, the FTC has noted that it would be “unusual” in today’s environment for a business to not be satisfying this requirement with respect to emails.
It’s important to note that the Rule does not require “end-to-end encryption”, which provides a higher level of security by encrypting data at the source (sender) and decrypting it only at the destination (receiver). End-to-end encryption, usually accomplished by special tools that come at a cost, ensures that the data remains encrypted and unreadable to anyone in between, including service providers or intermediaries. However, even though not required by the Rule, we’ll discuss below why using tools with end-to-end encryption may be a best practice under certain circumstances.
The Pitfalls of Regular Email and Text Messages for NPI
Commonly used communication channels like email and text messaging pose significant challenges to the safe transmission of NPI. They lack proper encryption and can be intercepted by unauthorized individuals (i.e., “man-in-the-middle” attacks) making them unsuitable tools for the safe and secure transmission of sensitive information. This concern directly affects dealership sales & finance teams (as well as other departments) who often need to send and receive sensitive customer information such as driver’s licenses, social security numbers, insurance information, proof of residence, proof of income, and credit applications.
Secure Communication Alternatives
Fortunately, there are secure alternatives that are widely available to anyone who looks for it. Microsoft Office 365, for example, offers a built-in end-to-end encryption tool that provides an extra layer of protection for the dealership’s email messages. This encrypted email service ensures that only the intended recipient can read the email content and its attachments, thereby aligning with the requirements of the Safeguards Rule. Moreover, numerous other tools on the market offer similar protection. Regardless of the solution the dealership chooses, it is crucial to remember that an encrypted communication tool is only as good as its usage policy. Meaning, giving your employees access to the “best in breed” solutions will do nothing to reduce the dealership’s risk of data breaches if the employees don’t use it.
Electronic Use Policy
To ensure secure communication, it is imperative to implement an Electronic Use Policy that prohibits employees from sending or requesting NPI via unencrypted email and text messages. By using ComplyAuto’s free electronic use policy builder, dealerships will reduce the risk of data breaches because the policy the dealership will create sets out clear guidelines for employees on the safe and acceptable use of electronic communication. The policies ComplyAuto’s tool creates are tailored for the Safeguards Rule and other similar regulations across all 50 states. Dealers are now able to easily create a comprehensive, legally sound policy that can protect the company and its sensitive information.
ComplyAuto’s Innovative Encrypted Email Messaging Tool
To further strengthen the protection of NPI, ComplyAuto is developing its own end-to-end encrypted messaging tool that will be available later this year. This tool will integrate seamlessly with popular email clients like Gmail and Office 365 and provide an additional layer of security to the dealership’s digital communication.
Solving the Texting Issue
Recognizing the convenience and ubiquity of text messages in the dealership’s daily operations, ComplyAuto is creating a secure solution to solve this problem. Soon, employees will also be able to scan a QR code or copy a unique URL that will give them access to a secure portal similar to popular chatting applications. Here, they can easily request sensitive information and documents through their phone without sacrificing convenience, and, most importantly, security.
As our world becomes more digital, the importance of secure data transmission grows exponentially. By understanding the Rule, leveraging available encrypted communication tools, and capitalizing on ComplyAuto’s innovative solutions, dealerships can significantly reduce their risk of a data breach and potential fines from the FTC and other liabilities.
This article should be used as a compliance aid only and though its accuracy has been made a priority, it is not a substitute for professional legal advice. Each dealer should rely on their own expertise when using it.