11:50 AM
Connect Directly

Encrypting Cloud Email Isnít as Easy as You'd Think

Fund managers need to consider who holds the encryption keys for cloud-based email, or face potential legal risks.

One of the major stumbling blocks of moving email into the cloud is the perceived data security problem. While there are many benefits to using cloud-based systems, the downside is that data security and privacy is always a top concern for financial firms.

Sandton Capital, a New York-based private equity firm focused on alternative credit opportunities, decided not to host email on its own premises. Instead, it chose to use Gmail, hosted by Google. As the investment firm grew, and it looked at the kind of data it was emailing, it began to focus on the safety and security of this information. With so much of its confidential data related to investors and lenders via email, Sandton turned to cloud-based encryption to protect its data.

“We looked at Gmail for a number of ways to encrypt it, and none of them were very seamless,” says Rael Nurick, managing partner at Sandton Capital, which manages a $750 million investment fund. While Google offered email encryption, the process required the recipient to register on a different website to decrypt and open the email. In addition, Sandton used Google Apps and found it wasn’t that good at seamlessly syncing with other devices.

While hackers and cyber security data breaches are always a concern, this was not the reason that Sandton was concerned about protecting its email. With $750 million under management, there are several hundred positions in its portfolio. “We send emails about those positions, and there’s information on investors, too,” Nurick tells us.

[Do you aspire to the C-suite, or some other spot in upper IT management? Then bulk up your credentials around today's most pressing IT movement, digital business, at the InformationWeek IT Leadership Summit.]

Nurick says that, although security from hackers is important, the firm was even more concerned about outside parties accessing Sandton’s emails through a subpoena or legal proceeding. Often, when an email hosting provider is issued a subpoena, it complies immediately and turns over the required emails immediately. Without any oversight by Sandton, he felt, the actions by an email hosting service could add vulnerabilities.

Since Sandton’s specialty is purchasing under-performing bank loans and providing rescue finance to troubled companies, it does get into litigation occasionally. The private equity firm had two different sets of data it needed to protect:

  • Investor information (bank account and personal info)
  • Borrower information (loans to businesses)

Most importantly, Sandton needs “to make sure that no outside party, even if they get hold of the data, can read the information,” Nurick says.

Different flavors of cloud encryption
Nurick feared that he would lose control of his data to third-party hosting companies if they were to receive a court order to turn over confidential email. “Big hosting companies like Microsoft and Google have no incentive to do anything but give away all of your emails.”

In light of these factors, Sandton was motivated to investigate other options.

To control its data, Sandton wanted to find an encryption provider that worked with a cloud-hosting agent and could still allow it to hold the encryption and decryption key.

In June, Sandton moved its email over to the cloud-based Office 365 hosted by Microsoft, while simultaneously deploying Vaultive’s cloud-based encryption technology. The investment firm uses Rackspace to host that encryption feature. “Our email gets fed through another server that does the encryption. It goes to Microsoft encrypted, and it comes out of Microsoft encrypted. It’s a seamless process,” says Nurick.

However, recent legal cases show that cloud-based service providers cannot fully protect their customers when the government bangs on the door.

Next page: A legal gray area

Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Becca L
Becca L,
User Rank: Author
9/30/2014 | 7:05:18 PM
Re: Privacy first
When all that information is handed over, customer data and competitive secrets and more, does the judge not have an obligation to keep that data private, out or competitor's hands? Or is this a matter of a judge being hacked because we assume he/she has less powerful firewalls than the bank originally housing the email documents?
User Rank: Author
9/29/2014 | 9:41:14 AM
Re: Privacy first
Encryption (and decryption) seems to be the first line of defense for any company facing litigation. Any hosting vendor can be forced to turnover a treasure trove of customer emails to a court under subpoena. It's not that the hosting vendor wants to turn in their clients, but they have to comply with a subpoena. Firms like this private equity firm want to control their confidential emails to the extent they can.   They want the opportunity to weed out anything that is not-germane or attorney-client privilege tpe of things.

As far as emails stored in a disorganized fashion, that can be addressed with archiving and e-discovery systems. Firms need to have their emails sorted by key words and other methods in order to comply with regulatory demands for compliance in a certain amount of time.
Becca L
Becca L,
User Rank: Author
9/26/2014 | 5:03:03 PM
Re: Privacy first
Good ponit. Managing email is a challenge, the informaiton is largely added to the datacenters in a rather unorganized fashion and it mixes sentitve customer data with public information, and impossible to separate after the fact. I heard corporations also spend untold dollars on lawyers to shift through piles of emails  (from discussions about trade execution to "what do you want to eat for lunch?") to pull out only those that include the relevant information for regulators or government requests. What a waste of money!
User Rank: Moderator
9/26/2014 | 6:13:23 AM
Re: Privacy first
Every day you hear about how judges blindly hand out subpoenas to get access to mass amounts of digital data. Just because data exists, does not mean that it is all relevant to a court, or to a legal case. Holding the encryption keys gives you some sort of protection, at least. 
Greg MacSweeney
Greg MacSweeney,
User Rank: Author
9/25/2014 | 4:45:21 PM
Privacy first
Interesting take on email encryption. I never thought of the legal aspect of it...where a judge could require a vendor to hand over all emails. This could essentially reveal competitive secrets to competitors if the email provider blindly hands over everything.

It is a very real risk too.
Register for Wall Street & Technology Newsletters
White Papers
Current Issue
Wall Street & Technology - Elite 8
The in-depth profiles of this year's Elite 8 honorees focus on leadership, talent recruitment, big data, analytics, mobile, and more.