Selsecure - email instructions 8/26/2016
From: Shantery, Bryan
Sent: Friday, August 26, 2016 3:01 PM
To: SelmanEmployeesAllLocations <selmanemployeesAllLocations@selmanco.com>
Subject: Encrypted email
Email encryption has been a feature long sought after by many in the organization and I am pleased to announce that starting today email encryption is available when the following conditions are detected.
- Credit card numbers
- Bank account numbers
- Social Security numbers
- Tax ID numbers
Each of these conditions will help reduce Data Loss Prevention (DLP) by scanning your emails and attachments for keywords, validation of checksums, compositions and written expressions that are known to match patterns which violate HIPAA and GLBA policy.
The rules are applied to emails where recipients are outside of our organization. Internal email will not be encrypted under these conditions, but you will receive a notification reminding you that it is best practice to omit financial or private information in emails.
The ability to force an encrypted email is available by keying the word selsecure in the Subject or Body of the email. The recipient of an encrypted email will need to register or use a one-time password to open the message. If a reply is sent, it will automatically be decrypted for you once it enters your Outlook.
TLS Connection - further explanation 1/9/2020
From: Chapman, Nick <nchapman@selmanco.com>
Sent: Thursday, January 9, 2020 1:08 PM
Subject: Email encryption at SelmanCo
There has been recent discussion and some confusion around types of encrypted email utilized at SelmanCo. I wanted to start with this group and share some information that may help clarify.
Essentially, there are four types of email encryption possibilities:
1. Default TLS (Transport Layer Security) between mutual Microsoft Exchange Online customers – Example (gotoservice.chubb.com)
Exchange Online servers always encrypt connections to other Exchange Online servers in our datacenters with TLS 1.2. When you send mail to a recipient that is within your Office 365 organization (for example, gotoservice.chubb.com is in the Selman organization), that email is automatically sent over a connection that is encrypted using TLS. Also, all email that you send to other Office 365 customers is sent over connections that are encrypted using TLS and are secured using Forward Secrecy.
2. Forced TLS between Office 365 and external, trusted partners – Example (Chubb.com)
If we decide to configure TLS between Selman and a trusted partner organization, Exchange Online can use forced TLS to create trusted channels of communication. Forced TLS requires our partner organization to authenticate to Exchange Online with a security certificate in order to send mail to us. Our partners need to manage their own certificates in order to do this. In Exchange Online, Microsoft uses connectors to protect messages that we send from unauthorized access before they arrive at the recipient's email provider.
3. Utilizing SELSECURE
If you are:
• Unsure if the TLS is explicitly set up with an organization you are sending private information to OR
• Unsure if the organization is also utilizing Microsoft Exchange (Office 365) OR
• Just unsure and want to be safe
You can type SELSECURE in the subject or body of the email. This will force encryption of the email but it will provide a different experience for the recipient. The recipient of an encrypted email will need to register or use a one-time password to open the message. If a reply is sent, it will automatically be decrypted for you once it enters your Outlook.
4. Automatic email scanning / encrypting
Email encryption will occur automatically when any of the following conditions are detected.
• Credit card numbers
• Bank account numbers
• Social Security numbers
• Tax ID numbers
Each of these conditions will help reduce Data Loss Prevention (DLP) by scanning your emails and attachments for keywords, validation of checksums, compositions and written expressions that are known to match patterns which violate HIPAA and GLBA policy. The rules are applied to emails where recipients are outside of our organization. Internal email will not be encrypted under these conditions, but you will receive a notification reminding you that it is best practice to omit financial or private information in emails.
**Important - best practice** - If you are unsure, please err on the side of caution and utilize SELSECURE when sending any private information.
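The scanning and scoping rules described in the emails above, sketched as an added example; this is not SelmanCo's or Microsoft's actual rule set. The regular expressions, the single internal-domain check, the handling of mixed recipient lists and all function names are assumptions, and only credit card (checksum-validated) and Social Security number patterns are modeled.

```python
import re

INTERNAL_DOMAIN = "selmanco.com"  # domain seen in the emails; single-domain check is an assumption
FORCE_KEYWORD = "selsecure"       # keyword from the emails, matched case-insensitively

# Assumed patterns: 13-19 digits with optional space/dash separators, and NNN-NN-NNNN.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Checksum validation: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> set:
    """Return the kinds of sensitive data found in text."""
    hits = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.add("credit_card")
    if SSN_RE.search(text):
        hits.add("ssn")
    return hits


def decide(subject: str, body: str, recipients: list) -> tuple:
    """Map one message to 'encrypt', 'notify_sender' or 'send_plain'."""
    text = f"{subject}\n{body}"
    hits = find_sensitive(text)
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in recipients)
    if FORCE_KEYWORD in text.lower():
        return "encrypt", hits      # assumption: the keyword forces encryption for any recipient
    if hits and external:
        return "encrypt", hits      # automatic rule applies only when mail leaves the organization
    if hits:
        return "notify_sender", hits  # internal only: reminder, no encryption
    return "send_plain", hits


if __name__ == "__main__":
    # Constructed sample: a well-known test card number sent to an outside address.
    print(decide("Invoice", "Card 4111 1111 1111 1111 on file", ["broker@example.com"]))
```

A digit run that fails the checksum is not treated as a card number, which is why an order or policy number of the same length does not trigger encryption on its own.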
Selsecure - FAQs
Q: If I send an email with PII to a Carrier that utilizes a TLS connection and cc: the broker, will the email still be encrypted?
A: Yes. Still utilize the best practice of adding selsecure in the body/header of the email. The TLS connection encrypts the email to the Carrier and selsecure will encrypt the email to the broker. Contact Greg Galla/Diane Salle with further questions.
Q: How do I know if my email was encrypted?
A: Contact Nick Chapman. He'll access the selsecure encryption log and provide details.