21 Jul 2011

Is There a Need to Encrypt Email Within One’s Own Domain for Compliance?


Customer Q&A:

Q:  We are using email encryption for emails containing critical information sent outside of our office. Is there any need to use Email Encryption when sending an email with critical data to someone within our own domain?

A:  The reasons one would encrypt ‘internal’ email that contains sensitive information are:

i) if one is concerned that security at the company gateway is insufficient, such that internal emails may be exposed while residing on end user computers or in transit to email servers; and

ii) if one is concerned about information privacy in the case where internal IT staff, who may have access to the mail server or users' computers, could access the information.

But, since the question specifically references “within our own domain” one could also envision a likely situation where the domain is managed by a third party provider and the mail server associated with the domain is external to the user’s organization and firewalls, and email going from one person within the domain to another actually routes out to the Internet from one’s desktop, to the email hosting company, and then back to the recipient’s desktop.

Even though sender and recipient might be in offices a few feet away, in the situation described above the email would route to the Internet and back, and one should encrypt that message if one is concerned about data privacy.
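One practical way to confirm whether "internal" mail really leaves the building is to send a message to a colleague in the same domain and read the Received headers on the copy that arrives. The script below is an added example, not part of the original post: it parses a constructed sample message (the host names and addresses are placeholders, not real infrastructure) and flags any relay whose address falls outside the organization's own ranges, which by assumption here are the RFC 1918 private blocks plus loopback and link-local.

```python
import email
import ipaddress
import re

# Assumed definition of "our own network": RFC 1918 private space plus loopback
# and link-local. An organization with public address space of its own would add
# those blocks here.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample: one user in example.com writes to another, but the domain's
# mail is hosted by a third party, so the message transits the hosting provider.
HOSTED_DOMAIN_MESSAGE = """\
Received: from mail.hosting-provider.example (mail.hosting-provider.example [203.0.113.25])
    by mx.hosting-provider.example with ESMTPS; Thu, 21 Jul 2011 10:02:11 -0400
Received: from office-pc-7 (office-pc-7.lan [192.168.1.57])
    by mail.hosting-provider.example with ESMTPA; Thu, 21 Jul 2011 10:02:10 -0400
From: alice@example.com
To: bob@example.com
Subject: Q3 payroll figures

(body omitted)
"""

# Constructed contrast: same two users, but the mail server is on premises and the
# message never leaves the private network.
ON_PREMISES_MESSAGE = """\
Received: from office-pc-7 (office-pc-7.lan [192.168.1.57])
    by mail.lan (mail.lan [192.168.1.5]) with ESMTPA; Thu, 21 Jul 2011 10:02:10 -0400
From: alice@example.com
To: bob@example.com
Subject: Q3 payroll figures

(body omitted)
"""

# Bracketed IPv4 literals are the addresses the receiving MTA recorded for each hop.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return every IPv4 address recorded in Received: headers, oldest hop first."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    hops = []
    # Each relay prepends its Received: header, so the bottom-most header is the
    # first hop; reverse to get chronological order.
    for header in reversed(headers):
        hops.extend(IP_RE.findall(str(header)))
    return hops


def is_internal(ip_text):
    """True if the address lies inside one of the networks we consider our own."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETWORKS)


def external_hops(raw_message):
    """Relay addresses in the Received chain that are outside our own networks."""
    return [ip for ip in received_hops(raw_message) if not is_internal(ip)]


def left_the_network(raw_message):
    """True if the message passed through at least one relay outside our networks,
    i.e. it crossed the Internet even though sender and recipient share a domain."""
    return bool(external_hops(raw_message))


if __name__ == "__main__":
    for label, sample in (("hosted domain", HOSTED_DOMAIN_MESSAGE),
                          ("on-premises server", ON_PREMISES_MESSAGE)):
        print(f"{label}: hops={received_hops(sample)} "
              f"external={external_hops(sample)} "
              f"left_network={left_the_network(sample)}")
```

Run against a real message, the same check tells you whether the "internal" path includes a hop you do not control; if it does, the message was readable in transit and at rest on that host unless it was encrypted before it left the desktop.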

Most small businesses operate in the manner noted above, so email within the domain should be encrypted if data privacy is a concern.