
Echo of Non-Compliance

Every day, we hear about new ways we can use our smart speakers. Retailers, radio stations, product companies, and others remind us that we can use our Amazon Echo or Google Home to buy, listen, or learn. The term “smart speaker”, however, is misleading. These are microphones, and they are always listening. They are also likely recording everything they hear.

If you are covered by HIPAA or other privacy regulations, do not talk about protected information within earshot of Alexa.

This warning stems from a 2015 murder case in Arkansas. Believing that the Amazon Echo may have “heard” a murder, the District Attorney subpoenaed any recordings that Amazon may keep from the device. Amazon fought the subpoena on First Amendment and privacy grounds, not by claiming that it was not recording. Amazon did not deny having recordings.

The issue for data privacy compliance is that your smart speaker may be listening to and recording conversations you have about protected information. Allowing this is a violation of HIPAA and other regulations protecting personally identifiable information (PII).

When is your Amazon Echo recording?

The short answer is: we are not sure, but maybe always.

Looking at the Alexa Terms of Use, Amazon tells us “Alexa streams audio to the cloud when you interact with Alexa” and “Alexa uses recordings of your voice to create an acoustic profile of your voice characteristics.” Alexa use is also covered by the Amazon Privacy Notice, which states, “We receive and store any information you enter on our Web site or give us in any other way.”

While Amazon tells us they are recording your “Hey, Alexa” commands, the Terms of Use and Privacy Notice are a bit more ambiguous. Neither document tells us that Amazon records only when listening for and processing commands. Nor do the policies limit Amazon’s recording to those commands. We do not know, for sure, when Amazon is not recording what it hears on your Echo.

Better Safe Than Sorry

When speaking about sensitive or protected information, stay away from your “smart speaker” or manually mute the device.


One more thought: Ever notice how, after certain conversations, you see ads on Facebook related to the topic discussed? Unless you turn off microphone access, Facebook is using your phone to listen to your conversations, analyze what you say, and profile you. Letting Facebook listen is another potential HIPAA and PII breach.


Email Encryption is Not Compliance

While it provides a reasonable level of protection against inappropriate access to your data, built-in email encryption is not sufficient to meet information privacy regulations. Laws such as the Health Insurance Portability and Accountability Act (“HIPAA”), and industry regulations including the Payment Card Industry (“PCI”) standards, require more than data encryption.

Privacy laws and regulations typically include three components:

  1. Policies and procedures that, when followed, provide appropriate data protections
  2. A means to monitor compliance, with the ability to detect and mitigate potential violations of the policies and procedures
  3. A defined response and resolution procedure in the event of a breach

As explained in our eBook, Email Encryption in Google Apps, technology can support the implementation of these three components, but it does not offer a full solution on its own.


Contact us to assess your email encryption needs and to define an affordable solution.


4 Questions to Ask When Selecting an Email Encryption Solution

Once you determine who within your organization should be using email encryption to secure sensitive and protected information, you need to select from a sea of vendors, all claiming to be the “leading” provider.

Here are four (4) questions to ask when selecting an email encryption solution:

1) Does the solution include a hosted, shared email encryption network?

Encrypting every email is hard, expensive, and does not accommodate the way most of us work. Using passwords and accessing portals are extra steps that take time and can create frustration. A shared email encryption network ensures that 100% of emails sent within the network are secured without any additional actions required by the sender or the recipient.

2) Does the solution offer policy-based encryption filters?

Most encryption solutions rely on users to trigger encryption by clicking a button or putting a tag into the subject line. Even if users understand every scenario that warrants encryption, they are likely to miss a few along the way. Solutions with policy-based encryption filters scan outbound messages and automatically encrypt those that contain sensitive information. The best solutions provide standard heuristics for common regulatory requirements and let you create custom policies to meet your business’ specific needs.
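To make the policy-based filter concrete, here is an added example (not code from any vendor or from this site) of the decision a gateway makes before a message leaves: built-in heuristics for a PCI card number (with a Luhn check to cut false positives) and a US SSN, plus a custom keyword policy. The message, policy names and keywords are constructed for illustration.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Callable, List

# Constructed sample message (not real data); the card number is a well-known test value that passes Luhn.
SAMPLE_EMAIL = """From: billing@example.com
To: patient@example.org
Subject: Invoice for visit

Please confirm the card ending on file: 4111 1111 1111 1111.
Diagnosis code and treatment notes are attached.
"""

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class Policy:
    name: str                         # label reported when the policy fires
    matcher: Callable[[str], bool]    # True if the text should trigger encryption

def card_number_present(text: str) -> bool:
    for m in re.finditer(r"\b(?:\d[ -]?){13,19}\b", text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def ssn_present(text: str) -> bool:
    return re.search(r"\b\d{3}-\d{2}-\d{4}\b", text) is not None

# Standard heuristics for common regulatory requirements (assumed defaults, for illustration).
STANDARD_POLICIES = [Policy("PCI: card number", card_number_present),
                     Policy("HIPAA/PII: US SSN", ssn_present)]

def custom_keyword_policy(name: str, keywords: List[str]) -> Policy:
    """Business-specific policy: fire when any keyword appears (case-insensitive)."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    return Policy(name, lambda text: pattern.search(text) is not None)

def evaluate(raw_email: str, policies: List[Policy]) -> List[str]:
    """Return names of triggered policies; a non-empty list means the gateway should encrypt."""
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    return [p.name for p in policies if p.matcher(text)]
```

The returned policy names double as the audit trail for the monitoring component that privacy regulations expect.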

3) Is the solution easy to use?

Email is a business tool, and email encryption is no different. Ideally, the solution should be easy to use for both sender and recipient. Difficult processes result in mistakes, compliance breaches, lost productivity, and users circumventing the system. Easy-to-use solutions foster adoption and compliance by automatically encrypting messages, decrypting inbound messages at the gateway, and ensuring that replies and forwards get encrypted as well.

4) Is the solution provider awesome?

Choosing an email encryption provider is a long-term commitment, and the lowest price is not always the best deal. Make sure your provider is trusted by others in your industry. Check that their infrastructure has certifications and accreditations, such as SysTrust/SOC 3 or PCI Level 1. Make sure the solution can be deployed quickly and that your provider supports your deployment technically and with user training. Verify that your provider will support you on an ongoing basis and minimize the resources required from you and your team.

We offer multiple email encryption solutions. Contact us to discuss your needs and explore the solution best for you and your business.