According to Statista, in August 2025, the US had the highest volume of emails exchanged, with 9.8 billion daily emails sent on average. For several industries, hitting "send" without encryption can be a federal violation carrying penalties in the millions of dollars.
Unlike the European Union's GDPR, which applies a single framework across all sectors, the US takes an industry-by-industry approach to data privacy. The result is a set of sector-specific laws, each with its own provisions governing how sensitive information must be protected when stored and transmitted. For organizations in the industries below, email encryption is a regulatory obligation.
1. Healthcare
The law
The Health Insurance Portability and Accountability Act (HIPAA), enforced by the HHS Office for Civil Rights.
Who it covers
Hospitals, clinics, insurers, pharmacies, and any business associate that handles protected health information (PHI) on their behalf.
Specific provisions
HIPAA's Security Rule, codified at 45 CFR § 164.312, sets out the technical safeguards that covered entities must implement for electronic PHI (ePHI). The regulation addresses encryption in two places:
- § 164.312(a)(2)(iv) - Encryption and Decryption (Addressable): "Implement a mechanism to encrypt and decrypt electronic protected health information."
- § 164.312(e)(2)(ii) - Encryption (Addressable): Under the Transmission Security standard, covered entities must "implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."
"Addressable," according to HIPAA, does not mean optional. It means an organization must either implement encryption or formally document why an equivalent alternative measure provides the same level of protection.
Does it mention email specifically?
Yes. Guidance from HHS and updated enforcement standards state that email transmitting ePHI falls within the scope of § 164.312(e). As of 2025, proposed updates to the Security Rule are expected to make encryption a required (rather than merely addressable) specification.
Penalties
Up to $1.9 million per violation category per year. Criminal penalties apply for willful neglect.
2. Financial services
The law
The Gramm-Leach-Bliley Act (GLBA), with enforcement split between the FTC, federal banking regulators, and the SEC depending on entity type.
Who it covers
Banks, credit unions, mortgage lenders, auto dealers, tax preparers, insurance companies, investment advisers, and any business "significantly engaged" in financial activities.
Specific provisions
The FTC's Safeguards Rule, updated in 2021 and fully in force since June 2023, is the operative regulation. The encryption mandate is found at:
- 16 CFR § 314.4(c)(3) - Encryption: "Encrypt all customer information held or transmitted by you both in transit over external networks and at rest."
Unlike HIPAA's "addressable" framing, the updated Safeguards Rule uses mandatory language. The rule goes on to specify that if encryption is not feasible for certain stored data, the institution must implement equivalent compensating controls and document them, but for transmission over external networks (which includes email), encryption is non-negotiable.
Does it mention email specifically?
The regulation applies to all transmission of Non-Public Personal Information (NPI) over external networks, which includes email. Sending loan documents, account statements, tax information, or financial advice via unencrypted email constitutes a breach of the regulation.
Penalties
Violations can result in civil penalties, and in some cases individuals may face personal liability depending on the statute and facts.
3. Education
The law
The Family Educational Rights and Privacy Act (FERPA), enforced by the US Department of Education.
Who it covers
All schools, colleges, and universities that receive federal funding.
Specific provisions
FERPA protects the privacy of "education records," defined as any records directly related to a student and maintained by the institution. The statute itself at 20 U.S.C. § 1232g prohibits the disclosure of personally identifiable information (PII) from education records without written consent, with certain exceptions.
While FERPA does not prescribe specific technical controls, the Department of Education has stated that institutions are responsible for any unauthorized disclosure, including disclosures resulting from unencrypted electronic transmission. Relevant obligations under 34 CFR Part 99 include:
- 34 CFR § 99.31 - Sets out permissible disclosures without consent, with the requirement that all disclosures must be made securely.
- 34 CFR § 99.34 - Governs disclosures between educational agencies, establishing that records must be transmitted in a manner that protects confidentiality.
Does it mention email specifically?
The Department of Education has ruled that an institution is responsible for unauthorized viewing of student records through its electronic transmissions, which implicates unencrypted email.
Penalties
Loss of all federal funding.
4. Legal services
The rules
ABA Model Rule 1.6 (Confidentiality of Information) and Model Rule 1.1 (Competence), adopted in various forms by state bars across the US.
Who it covers
All licensed attorneys and law firms in jurisdictions that have adopted the ABA Model Rules.
Specific provisions
The legal profession is governed not by a single federal statute but by state bar ethics rules derived from the ABA's Model Rules. Two rules are directly relevant:
- ABA Model Rule 1.6(c): "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
- ABA Model Rule 1.1 (Comment 8): Requires lawyers to "keep abreast of changes in the law and its practice, including the benefits and risks of relevant technology."
On email encryption, the ABA's Standing Committee on Ethics and Professional Responsibility addressed this in Formal Opinion 477R (2017), titled "Securing Communication of Protected Client Information." The Opinion acknowledges that while unencrypted routine email may still be acceptable in some contexts, lawyers must conduct a fact-based analysis of sensitivity and risk, and that "particularly strong protective measures", including encryption, are required when transmitting highly sensitive client information. Several state bars, including New Jersey, have issued opinions going further, stating that encryption may be required for certain categories of client communication.
Does it mention email specifically?
Yes. Formal Opinion 477R addresses attorney email and encryption obligations.
Consequences
State bar disciplinary proceedings, potential disbarment, and malpractice liability. Courts have allowed clients to sue for breach of fiduciary duty when firms used inadequate data protections. In Hiscox Insurance Co. v. Warden Grier LLP (W.D. Missouri, 2020), the court denied a motion to dismiss claims, including breach of fiduciary duty, where the plaintiff alleged that the law firm failed to safeguard sensitive personal information in its possession.
5. Publicly traded companies
The law
SEC Regulation S-P (17 CFR Part 248) and the SEC's 2023 Cybersecurity Disclosure Rules.
Who it covers
Broker-dealers, investment advisers, investment companies, and all publicly listed US companies.
Specific provisions
Regulation S-P requires broker-dealers and investment advisers to protect the security and confidentiality of customer records and information. Under the 2023 amendments:
- Covered institutions must adopt a written incident response program.
- Customer information must be protected with appropriate administrative, technical, and physical safeguards, including encryption for transmission.
Under the 2023 SEC Cybersecurity Disclosure Rules, public companies must also:
- Disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality, with the incident described including its "nature, scope, and timing."
- Describe cybersecurity risk management and governance annually under the new Item 106 of Regulation S-K, covering how the company assesses, identifies, and manages material cybersecurity risks.
Does it mention email specifically?
Regulation S-P's safeguards requirements apply to all means of transmitting customer information, including email. The SEC noted that transmission security, including encrypted email, falls within the scope of required safeguards.
Penalties
SEC fines have reached eight-figure sums for cyber-related violations. Under Regulation S-P, failure to protect customer information carries both civil and criminal exposure.
FAQs
How should small businesses choose an email encryption solution?
Evaluate regulatory requirements, cost, user experience, integration with existing systems, and vendor security practices before selecting a solution.
How should organizations document encryption decisions to satisfy regulators?
Document risk assessments, chosen controls, configuration details, compensating measures, and review cycles in formal policies and audit logs.
What are the risks of using personal email accounts for regulated communications?
Personal accounts increase risk of unauthorized access, poor auditability, and noncompliance with encryption, retention, and breach-notification rules.
How should organizations respond if encrypted email is mistakenly sent unencrypted?
Treat it as a potential breach. Assess exposure, notify affected parties and regulators as required, remediate the process failure, and document all actions taken.