Reading Co-operative Bank needed a secure email solution so it could quit the inefficient, time-consuming and expensive process of faxing and mailing confidential information to board members, regulators including the FDIC and the Federal Reserve, and borrowers.
While the bank had a contract to use a solution that would encrypt sensitive email and attachments based on pattern recognition, that system resulted in too many false positives. For example, it would encrypt banal items, such as plans for golf outings, because they included contact information in the email signature.
The application would judge these emails to be sensitive because the number of digits or the type of information in the email signatures was too close to the data characteristics covered by the solution's rule set, which was aimed at flagging truly sensitive information, like account numbers. Thus, emails with simple contact info would trigger encryption. And if a recipient had never used the secure email solution, he'd be asked to set up a username and password, needlessly.
"People on the other side of that email were getting very frustrated," says Anthony J. Patti, senior vice president, CFO and treasurer at Reading. "We'd have to take off the rules, let the email go out, and then put the rules back again."
Turning the rules on and off, however, created the risk that the bank would send confidential data unsecured, because it depended on staff to encrypt selectively and to remember to turn the rule set back on.
Plus, when any senior executives or major clients complained about having to create usernames and passwords just to exchange innocuous emails, it created tremendous pressure on IT to simply take out the rules and encrypt very little.
Mostly, the $350 million, Reading, Mass.-based mutual savings bank would fax regulatory and loan documents, and mail hard copies of financial packets to board members.
The problems are not unique to Reading or its solution. Nearly all pattern recognition software suffers from false positives, because pattern matching is inexact. The rules are often not granular enough for the pattern matching to distinguish real confidential information from material that merely shares characteristics with sensitive data sets.
But about five years ago, when Reading's auditing firm began sending the bank results of its audit reports via DataMotion's secure portal, Patti decided to let the legacy contract run out and switch to SecureMail. The bank has been using the cloud-based SecureMail Gateway for the last year to secure email it considers confidential.
In an effort to more accurately discern what it should encrypt, Reading plans to add a feature called "exact match" to DataMotion's software.
Instead of simply matching to a pattern, the exact match feature purports to find and match, for instance, actual, individual bank account numbers, based on a file the bank dynamically updates with the most recent account data.
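The difference between the two approaches, as an added Python example that is not DataMotion's code or part of the original article: a pattern rule flags any run of 10 to 12 digits, while an exact-match rule flags only digit strings found in the bank's account file. The account numbers, emails, HMAC key and the choice to store keyed fingerprints instead of raw numbers are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample data; none of these values come from the article.
KEY = b"demo-fingerprint-key"  # assumption: secret held by the mail gateway
ACCOUNT_FILE = ["4417 0023 9915", "5500-1187-3042"]  # hypothetical export
GOLF = "Tee time is 9am Saturday.\n--\nPat Example\nTel (781) 555-0142\n"
LOAN = "Please confirm the payoff for account 4417-0023-9915 by Friday."

# Pattern rule: any run of 10-12 digits, with common separators allowed,
# "looks like" an account number. Phone numbers have the same shape.
PATTERN = re.compile(r"(?<!\d)(?:\d[ .()-]*){10,12}(?!\d)")

def normalize(token):
    """Strip separators so '4417-0023-9915' and '4417 0023 9915' compare equal."""
    return re.sub(r"\D", "", token)

def fingerprint(digits):
    """Keyed hash, so the index does not hold plaintext account numbers."""
    return hmac.new(KEY, digits.encode(), hashlib.sha256).hexdigest()

def build_index(accounts):
    """Rebuild this whenever the account file is refreshed."""
    return {fingerprint(normalize(a)) for a in accounts}

def pattern_hits(text):
    """Every digit run that merely has the shape of an account number."""
    return [normalize(m.group()) for m in PATTERN.finditer(text)]

def exact_hits(text, index):
    """Only candidates whose fingerprint is in the account index."""
    return [d for d in pattern_hits(text) if fingerprint(d) in index]

def should_encrypt(text, index, mode):
    hits = pattern_hits(text) if mode == "pattern" else exact_hits(text, index)
    return bool(hits)

if __name__ == "__main__":
    index = build_index(ACCOUNT_FILE)
    for name, body in (("golf", GOLF), ("loan", LOAN)):
        print(name, "pattern:", should_encrypt(body, index, "pattern"),
              "exact:", should_encrypt(body, index, "exact"))
```

Exact matching trades false positives for a dependency on the freshness of the account file: an account opened after the last index rebuild is not flagged until the file is updated.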
SecureMail Gateway works with the bank's existing Outlook email client, enabling Reading's senior executives to securely email meeting materials to board members every two weeks. The interface enables the bank to write rules so that all attachments are encrypted. This secures most communications with the board and regulators, because financial information is typically sent via attached documents.
The solution has reduced processing time in the loans department, Patti says. "With commercial loans we need three, four years of tax returns," he says. "They used to have to fax them all. Now they just email them to us." Pages requiring signing are printed out, scanned into a PDF and resent.