
Texas State Bank: Protecting customers’ financial privacy to comply with industry regulations

  • Customer Profile: Wholly owned subsidiary of BBVA
  • Goals: Secure sensitive content in email; regulatory compliance
  • Solution: PGP Universal™ Gateway Email & PGP® Desktop Email encrypt emails; PGP® Command Line secures server-to-server communication
  • Alternatives: External provider with potential access to confidential content
  • Deployment: On schedule; within budget
  • Benefits: Security; legal compliance; lower communication costs

Texas State Bank introduced the PGP® Encryption Platform to protect communications and data flow with customers and business partners.

Texas State Bank is a wholly owned subsidiary of BBVA, a multinational financial services group that operates in 32 countries. BBVA stock trades on the Madrid stock exchange, and its American depositary receipts trade on the NYSE under the symbol BBV. On September 31, 2006, BBVA had 7,465 branches, 96,369 employees, and total assets of US$510.4 billion.

The Challenge

Before the project started, email communication at Texas State Bank was hindered by its policy not to send any customer information by email to external recipients due to privacy and regulatory compliance concerns. The bank needed to find a solution that would allow it to use email to communicate securely with customers and business partners without potentially disclosing confidential information. In a parallel project, the bank’s IT outsourcing subsidiary needed a way to protect confidential data exchanged via FTP within the banking group and with other organizations.

Policy not to send sensitive emails. Karen M. Gayhart is senior vice president for network operations, a department that handles LAN, WAN, servers, and applications for Texas State Bank. She remembers: “It was our policy not to send emails containing customer information to external partners or customers to protect privacy and comply with regulatory and audit requirements. Our primary concern was that someone could potentially abuse sensitive information when it was unsecured. We were looking for an email encryption solution to prevent identity theft and fraud in addition to maintaining customer privacy.”

Driven by compliance. Apart from the bank’s internal policy, Gayhart also saw a need to comply with relevant regulations: “Regulations were absolutely a driver, especially the Right to Financial Privacy, Gramm-Leach-Bliley, and Sarbanes-Oxley acts.”

The Right to Financial Privacy Act, passed by the U.S. Congress in 1978, protects the confidentiality of personal financial records. It was a response to a 1976 U.S. Supreme Court ruling that found bank customers had no legal right to privacy in financial information held by financial institutions. Also known as the Financial Services Modernization Act, the Gramm-Leach-Bliley Act was passed by Congress in 1999 to help the financial services industry respond to new developments in technology, global competition, and the changing demand for financial services. Passed by Congress in July 2002, the Sarbanes-Oxley Act was created to improve regulatory visibility and accountability of public companies and covers issues such as establishing an accounting oversight board, auditor independence, corporate responsibility, and enhanced financial disclosure.

Secure data transfer. In a parallel project, the bank’s IT outsourcing subsidiary, called The Data Center, needed to protect its sensitive information, such as payroll records and customer direct marketing data, during FTP transfers between the bank, The Data Center, and other organizations. Texas State Bank had formed The Data Center in response to the growing need for quality processing services for itself and other financial organizations. Since its inception, The Data Center has expanded to serve eight financial institutions in south Texas, several of which have more than US$1 billion in assets. The main sponsor of the encryption project was the President of The Data Center.

The Solution

After thoroughly evaluating three solutions for secure email, Texas State Bank chose PGP Universal Gateway Email to encrypt email at the gateway. According to Gayhart, “We chose a PGP® solution partly because it’s a very well-known and widely used product, so our internal and external users would be more familiar with it. We also thought that PGP Corporation offered a very competitive price.”

Texas State Bank’s IT outsourcing arm, The Data Center, chose PGP Command Line to encrypt the data flow between FTP servers. Because PGP Command Line is inserted into automated processes to encrypt and decrypt data, the information is protected both while stored on the FTP server and in transit over open networks or the Internet.

Hosted solution not an alternative. One of the alternatives Texas State Bank considered was a hosted email security solution. The bank decided against that option because it was uncomfortable with another company handling users’ private keys and emails, potentially allowing an external entity to read confidential information.

Standards-based solution required. Texas State Bank required a standards-based solution. “As we start using secure email more frequently with our partners and customers, we want to make it as easy as possible for them to integrate the solution into their networks,” Gayhart explains. “If we’d chosen a proprietary solution, we’d have had to furnish them with whatever was required on their side to decrypt secure emails; otherwise, they wouldn’t have been able to use it.”

Assured access. The bank also wanted to ensure it would be able to access encrypted information for legal and archiving purposes. PGP Universal Gateway Email uses patented PGP Additional Decryption Key (ADK) technology to ensure corporate access to encrypted data in the event a user’s key is lost or unavailable or when required by regulatory mandates or corporate security policy. This unique capability was another factor in the bank’s selection of a PGP solution.

Lower communication costs. Using PGP Universal Gateway Email, the bank can now shift communication from letters and phone to the more cost-effective medium of email. It has not calculated the return on investment (ROI) for the project because it views the investment in the solution as a necessary cost of doing business due to regulatory requirements to protect confidential and sensitive data in transit.

Local PGP reseller deployed solution. Texas State Bank purchased the solution through a local PGP reseller, which also managed the deployment. “PGP Universal Gateway Email was easy to install and bring online,” Gayhart recalls. “We were very satisfied with the deployment services supplied by the PGP reseller, which installed the solution out-of-the-box according to PGP Corporation’s recommendations.”

Active Directory integration. The bank decided to integrate the email encryption process with the existing network infrastructure. As Gayhart explains, “Connecting PGP Universal Gateway Email with our Active Directory makes it easier to generate users on the server. This setup also took less time to deploy.”

The Results

The Senior VP appreciates that the bank only had to modify current configurations slightly to integrate the solution into its infrastructure: “We didn’t have to change our existing IT environment to install the PGP solution because it fit right in with what we had. More important, we completed the project on schedule and within budget.”

Good scalability and performance. Scalability and performance were important selection criteria. “As our company grows, our IT infrastructure needs to scale appropriately,” says Gayhart. “So far, PGP Universal Gateway Email has handled all traffic very well. Our solution is hosted by The Data Center, which would like to offer email encryption to other customers on an outsourced basis, so scalability is also important in that scenario.”

Support and training. The PGP reseller manages local technical support and offers additional professional services, as needed. “The email solution is supported by our PGP reseller, which solves all issues quickly and accurately and also trained the first users,” reports Gayhart. To help manage the solution, one of the bank’s engineers will also take part in advanced PGP Technical Training.

Reports to measure success. Texas State Bank is planning to use the statistics generated by PGP Universal Gateway Email to continually measure the success of the project. These statistics include how many messages were encrypted over a certain period so the bank knows how much the solution is being used. PGP Universal Gateway Email generates a set of reports out-of-the-box, but the bank also plans to use its system logging information to generate advanced custom reports.

Summary

The current installations satisfy all the bank’s encryption needs. Gayhart is very satisfied with the outcome of the project. “We’re not looking to expand the solution right now, but when we need encryption in other areas, we’ll definitely consider PGP Corporation,” she adds.

The PGP Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups.


"We didn't have to change our existing IT environment to install the PGP® encryption solution because it fit right in with what we had. More important, we completed the project on schedule and within budget."

Karen M. Gayhart, Senior Vice President for Network Operations, Texas State Bank
