Why Email is “Not Secure”

May 09, 2014
Kevin Lam


It’s general knowledge that sending sensitive information by email is a bad practice.  What normally gets left out is why. In this article I’ll quickly explain why in terms that just about anyone can understand.

Regulatory and Standard Data Protection 101

When it comes to data protection, regulations (HIPAA/HITECH, GLBA, etc.) and standards (PCI, etc.) generally have two things in common. That is, they require sensitive data to be:

  • Criteria #1 – Protected at rest: Data must be protected when it’s stored on disk.
  • Criteria #2 – Protected in transit: Data must be protected when it’s transmitted.

Each regulation and standard may have additional requirements, but these are the common items that we’ll use for our discussion. Just remember “data protection at rest” and “data protection in transit”.

Why Email is Considered Insecure

Understanding why email by default is considered insecure is pretty easy. When you send an email, this is what happens:

  1. Send email: In this step, your email is sent to your email server (called an SMTP relay server). By default, transmission is not encrypted. Fail on criteria #2.
  2. Store email: Once your email server has received your email, it has to be stored. You have no assurance that your email will be encrypted at rest. Fail on criteria #1.
  3. Deliver email: Your email server then delivers the email to your recipient’s email server. Again, by default the transmission between the two servers will not be encrypted. Fail on criteria #2.
  4. Wait for pickup: Your recipient’s email server stores your email until that recipient is ready to pick it up. There’s no assurance that the email will be encrypted while stored, and by default encryption isn’t used. Fail on criteria #1.
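As an added example (not part of the original article), the Python script below reads the Received: headers that each server in steps 1 and 3 prepends to a message and reports which hops accepted it over a plaintext SMTP session; the sample message, hostnames, addresses and ids are constructed. Received: headers are written by the servers themselves, so they are evidence of what happened on a hop, not an assurance, and say nothing about how the message was stored in steps 2 and 4.

```python
# Added example: audit which hops of a received email were protected in transit.
# Each relaying server prepends a Received: header; its "with" clause names the
# protocol, and the ESMTPS/ESMTPSA variants mean that SMTP session ran over TLS.
import re
from email import message_from_string

# Constructed sample message; hostnames, addresses and ids are made up.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.20])
\tby mailstore.recipient.example with ESMTP id abc123;
\tFri, 09 May 2014 10:00:03 -0700
Received: from relay.sender.example (relay.sender.example [198.51.100.5])
\tby mx.recipient.example with ESMTP id def456;
\tFri, 09 May 2014 10:00:02 -0700
Received: from [203.0.113.7] (laptop.sender.example [203.0.113.7])
\tby relay.sender.example with ESMTPSA id ghi789
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tFri, 09 May 2014 10:00:01 -0700
From: alice@sender.example
To: bob@recipient.example
Subject: quarterly numbers

Attached are the figures you asked for.
"""

# Protocol tokens that imply the SMTP session itself was wrapped in TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)")


def audit_hops(raw_message):
    """Return one record per hop, in delivery order, flagging TLS use."""
    msg = message_from_string(raw_message)
    hops = []
    # Received headers are prepended, so reverse them to get delivery order.
    for received in reversed(msg.get_all("Received", [])):
        line = " ".join(received.split())  # unfold continuation lines
        proto = WITH_RE.search(line)
        by = BY_RE.search(line)
        protocol = proto.group(1).upper() if proto else "?"
        hops.append({"server": by.group(1) if by else "?",
                     "protocol": protocol, "tls": protocol in TLS_PROTOCOLS})
    return hops


def unprotected_hops(raw_message):
    """Servers that accepted the message over a plaintext SMTP session."""
    return [h["server"] for h in audit_hops(raw_message) if not h["tls"]]
```

In the constructed sample only the first hop (laptop to sending relay) used TLS; both receiving-side hops accepted the message in the clear.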

So at every step of the email transmission and delivery, you have no assurance that your customer’s data is protected (at rest or in transit). That’s it. And now you know why email is considered insecure. If you still need to send sensitive data by email, read this article on how to send email securely.

That’s it for this week’s Data Protection Friday article. Have a great Friday and see you next week,  
