
Pitney Bowes: Protecting email for regulatory compliance and security best practices

  • Customer Profile: Mail management; 35,000 employees
  • Goals: Ensure regulatory compliance; secure email; implement security best practices
  • Solution: PGP Universal™ Gateway Email secures email communications; PGP Universal™ Server provides central policy and key management
  • Deployment: On schedule and within budget
  • Benefits: Regulatory compliance; data security; security best practices

Pitney Bowes chose PGP Universal Gateway Email to protect sensitive information in email communications.

Founded in 1920, Pitney Bowes became known as the postage meter company. Today, the company's capabilities span the entire mailstream and annual revenues total $5.7 billion. The company's 35,000 employees provide software, hardware, and services to help more than 2 million customers worldwide create, produce, distribute, and manage their mail, documents, and packages.

The Enterprise Messaging department at Pitney Bowes is responsible for the messaging and collaboration products that employees use, including IBM Lotus Notes and Domino as well as Microsoft Exchange and Outlook. The department also is responsible for all the products at the gateway, such as the SMTP perimeter products that receive and send email via the Internet.

The Challenge

Complying with data privacy laws, upholding its corporate reputation, and implementing security best practices led Pitney Bowes's Enterprise Messaging team to investigate email encryption for specific employees as part of a broader data security initiative.

Ensure regulatory compliance. Pitney Bowes must comply with a variety of regulations, including the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), and state data breach notification regulations. The Payment Card Industry Data Security Standard (PCI DSS), which provides guidelines for securely handling credit card information and is binding on any organization that deals with third-party credit card information, also applies to the company. Encrypting the email communications of those employees who send sensitive data would help Pitney Bowes comply with these regulations and standards.

Encrypt email of specific employees. Pitney Bowes's Enterprise Messaging team identified several hundred of its 20,000 email users whose outgoing email messages should be encrypted. Those employees include corporate, legal, human resources, and benefits personnel who frequently send sensitive information to external partners via email. Their email communications might contain Social Security numbers, information covered by HIPAA, credit card information, or other financial or personally identifiable information, making it imperative to protect against unauthorized access.

Uphold corporate reputation. The Pitney Bowes team also looked into email encryption as a way to uphold the corporate reputation and brand. The company strives to help its customers streamline their operations, enhance remote commerce, and conduct transactions more efficiently to boost customer acquisition, build customer loyalty, and reduce costs. Fostering the confidence of its partners and customers through email encryption could help Pitney Bowes meet those goals. 

The Solution

Pitney Bowes selected PGP Universal Gateway Email, centrally managed by PGP Universal Server. "We had originally underestimated the need for secure communication," says John Congiu, manager of Enterprise Messaging at Pitney Bowes. "In the second year of deployment, we doubled the number of PGP users."

Track record. Congiu evaluated several companies' products in his search for a suitable email encryption solution. "I knew about PGP Corporation and had used PGP products before," Congiu says. "Frankly, PGP technology is at the top of most industry lists of information security providers and is probably the most well-known for encryption. PGP Corporation easily made our short list along with three or four competitors." Congiu learned about PGP Corporation's gateway encryption solution from a PGP data loss prevention (DLP) technology partner whose products Pitney Bowes was already using. "A big plus was that the partner could help us with the installation of PGP Universal Gateway Email, and its product integrated with the PGP solution," Congiu explains. That partnership, the price, the maturity of the PGP product, and PGP Corporation's track record in the industry helped PGP Corporation emerge as the winning provider. "Those facts made it a no-brainer," Congiu says. "The company's broad platform of data security products was also very important in our decision."

Interoperability. PGP Universal Gateway Email supports the two globally accepted email encryption standards, OpenPGP and S/MIME, enabling seamless communications with recipients using a variety of email solutions. This compatibility factored into Congiu's decision. "We use S/MIME here but the solution's ability to support both secure email protocols was important to us," he says. "If a business partner cannot receive either of these standards, we use PGP Universal™ Web Messenger, a great feature that securely delivers emails to anyone with a web browser."

Partnering to ensure email privacy. Congiu implemented Vontu's data loss prevention solution soon after deploying PGP Universal Gateway Email. "The Vontu content filter brought to light a lot of information that passed through the firewalls via email, and we identified additional people who send sensitive information that should be protected," he says. These individuals were put on a special list so their email would be processed through PGP Universal Gateway Email. "If the Vontu solution finds sensitive information, it flags it. If you're a PGP user, it will route your message to PGP Universal Gateway Email for encryption. If you're not, the flag becomes an 'incident' that will have to be resolved by one of the compliance managers," Congiu explains.

Role separation. At first, Congiu's messaging team, the data security group, and other groups within IT were tasked with managing some compliance issues. "That's like asking the mechanics to hop into the driver's seat and start rolling with these products," Congiu says. "We were happy when corporate acknowledged the situation and the compliance management department staffed up to take on this role." Now, Congiu's team sets up the groups and lists, ensures the system is working, and resolves any system problems. The compliance managers handle the day-to-day upkeep of the groups and lists, and they respond to any data incidents. "The integrated Vontu-PGP solution allows a separation of roles between technical and business administrators. We don't need to have a systems engineer administering the day-to-day operations or compliance incidents. Instead, we can separate those responsibilities so the engineers can focus on the upkeep of the system while the compliance managers deal with the incidents."

The Results

The PGP Universal Gateway Email deployment proceeded on schedule and within budget. The PGP solution is meeting the needs of all users whose email messages require encryption. "We're very satisfied with it," Congiu says. "Performance has been fine, and we've had no problems."

Appreciation of business partners. After the initial rollout, Pitney Bowes received calls from some of its business partners who were unaware of the implementation. "Now, our partners are not only accustomed to the process, but they appreciate knowing their information is encrypted," Congiu says.

No impact on Help Desk. Congiu didn't need to hire additional Help Desk staff to accommodate PGP Universal Gateway Email. "The demand on the Help Desk leveled off after an initial rise in call volume," he says. "Overall, there was no increase in workload."

Ready when needed. Congiu has made only a few calls to PGP® Support. "When our license was nearing expiration, I called PGP Support for assistance in entering the key for renewal," he admits. "Otherwise, we may have called one or two times during the whole year for minor incidents."

Summary

Congiu emphasizes the importance of executive-level sponsorship for a strategic project like email encryption, which was part of a larger, ongoing security initiative at Pitney Bowes. "Our data security department was very interested in the enterprise data protection project," Congiu explains. "We chose the best practice of detecting and protecting sensitive content in emails—and never looked back." Key to the project's success was finding a project sponsor who listened to Congiu, the data security staff, and the compliance team, and then took the ball and ran with it. "When we made our case to the board, they understood immediately and realized the importance of the security products we needed to implement," he says. "They were the real sponsors of the project."

"I knew about PGP Corporation and had used PGP® products before. Frankly, PGP technology is at the top of most industry lists of information security providers and is probably the most well-known for encryption."

John Congiu, Manager, Enterprise Messaging, Pitney Bowes
