Compliance

Is Your Business Email Compliant?

GDPR, HIPAA, and Email Security Requirements

If your business handles personal data, health information, or financial records, your email system must meet specific security and compliance requirements. Non-compliance can result in fines, legal liability, and reputational damage.

Compliance Services Email Security Services

Why Email Compliance Matters

Email is the most common channel for transmitting sensitive business data. Contracts, invoices, personal information, health records, and financial data all flow through email systems daily. Regulations like GDPR and HIPAA recognize this and impose specific requirements on how organizations protect email communications.

$20Mmax GDPR fine (or 4% of revenue)

$1.5Mmax HIPAA fine per violation category

60%of data breaches involve email

83%of organizations failed email audits

GDPR Email Requirements

The General Data Protection Regulation (GDPR) applies to any organization that processes personal data of EU residents, regardless of where the organization is based. Email systems frequently contain personal data -- names, email addresses, and message content -- making them subject to GDPR requirements.

Encryption Requirements

GDPR Article 32 requires appropriate technical measures to protect personal data. For email, this means:

TLS encryption: Enforce transport-layer encryption for all email in transit using MTA-STS
End-to-end encryption: Use S/MIME or PGP for emails containing sensitive personal data
Encryption at rest: Ensure stored emails and attachments are encrypted on the mail server

Data Protection Measures

Beyond encryption, GDPR requires organizational and technical safeguards:

Access controls: Limit who can access email accounts containing personal data
Data minimization: Only collect and store the personal data you actually need in email
Breach notification: Report email-related data breaches to the supervisory authority within 72 hours

GDPR Consent and Email Marketing

Explicit consent: Obtain clear, affirmative consent before sending marketing emails. Pre-ticked boxes do not count.
Right to erasure: Be able to delete all email data related to an individual upon request
Data portability: Provide individuals with copies of their email data in a machine-readable format on request
Records of processing: Document what personal data your email systems process, why, and for how long

HIPAA Email Requirements

The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and their business associates that handle Protected Health Information (PHI). If your organization sends or receives PHI via email, you must meet strict security requirements.

What Counts as PHI in Email?

Any individually identifiable health information transmitted by email is considered electronic PHI (ePHI). This includes:

Patient names linked to health conditions
Appointment confirmations or reminders
Lab results or medical records

Insurance or billing information
Prescription details
Internal communications referencing patient data

Technical Safeguards

Encryption in transit: All emails containing ePHI must be encrypted during transmission (TLS at minimum)
Encryption at rest: Stored emails with ePHI must be encrypted on the server
Access controls: Unique user IDs, automatic logoff, and role-based access to email containing ePHI
Integrity controls: Mechanisms to detect unauthorized modification of ePHI in email (DKIM helps here)

Administrative Safeguards

Audit trails: Log all access to email systems containing ePHI and retain logs for 6 years
Business Associate Agreements: Your email provider must sign a BAA if they have access to ePHI
Risk assessments: Conduct regular risk assessments of your email systems
Training: All workforce members must receive training on email security and HIPAA requirements

Other Regulations Affecting Business Email

SOC 2

SOC 2 requires organizations to demonstrate controls over the security, availability, and confidentiality of data. Email systems must have:

Encryption in transit and at rest
Access control and authentication
Monitoring and alerting

PCI DSS

If your organization handles payment card data, PCI DSS prohibits sending unencrypted card numbers via email. You must:

Never send full card numbers via email
Encrypt any partial card data in emails
Implement DLP to prevent accidental leaks

CCPA / CPRA

California privacy laws require businesses to protect personal information of California residents, including data in email:

Reasonable security measures for email data
Ability to delete email data on request
Disclosure of data collection practices

Email Audit Trail Requirements

Multiple regulations require organizations to maintain audit trails for email communications. An audit trail provides evidence that your email security controls are working and helps with forensic investigation after incidents.

What to Log and Retain

Email Activity Logs

Who sent and received emails, with timestamps
Email access events (login, read, forward, delete)
Changes to email security settings
Admin actions on email accounts

Authentication Logs

SPF, DKIM, and DMARC authentication results
Failed authentication attempts
DMARC aggregate and forensic reports
Spoofing and phishing detection events

Retention Periods

HIPAA: 6 years minimum for all audit logs
SOC 2: 1 year minimum (most organizations retain 3-5 years)
GDPR: As long as necessary for the stated purpose, but must be defined and documented
PCI DSS: 1 year minimum, with 3 months immediately available for analysis

Email Compliance Checklist

Technical Controls

TLS encryption enforced for email in transit
Encryption at rest for stored emails
SPF, DKIM, and DMARC configured
MFA enforced for all email accounts
DLP policies for sensitive data types
MTA-STS deployed for enforced transport security

Administrative Controls

Email usage policy documented and signed by staff
Regular security awareness training
Incident response plan for email breaches
BAA signed with email service provider (HIPAA)
Data retention policies defined and enforced
Regular risk assessments of email systems

Common Email Compliance Failures

What Goes Wrong

Sending PHI or personal data in unencrypted email and assuming TLS is always available
Using consumer email services (Gmail, Yahoo) for business data without BAAs
No DMARC enforcement, leaving the domain open to spoofing and phishing
Failing to log and retain email access records

How to Fix It

Deploy MTA-STS to enforce TLS and prevent downgrade attacks
Use a HIPAA-compliant email provider with a signed BAA for healthcare data
Deploy DMARC at p=reject to prevent domain spoofing
Enable comprehensive audit logging and configure retention to meet regulatory requirements

Get Your Email Compliance in Order

Whether you need to meet GDPR, HIPAA, SOC 2, or PCI DSS requirements, our team can audit your current email security posture and implement the controls you need for compliance.

Compliance Services Email Security Services

Get Security Insights Delivered

One email per month with our best articles. No spam.