Accidental Sharing: When Email Encryption Is Not Optional
Cybersecurity Business April 2026 · 4 min read

Written by: Tyson Wilcox

We’ve spent a lot of time recently describing various steps you can take to help protect your organization from security threats—managed detection and response services, secure email gateways, password vaults, MFA solutions—but so far these have all been focused on protecting against threats coming in from the outside. What about the information your employees are sending outside the organization? Did you know that, by default, emails are sent in plain text over the Internet, where anyone with the means and desire can intercept and read them?

Imagine being at the doctor’s office. You’ve checked in and you’re waiting to be called back to see the doctor, but instead, the doctor comes out into the waiting room and starts your examination right there among all the other waiting patients. Your private details are suddenly out there on full display for everyone to see and hear. The doctor isn’t intending to share your problems with the whole room, but anyone present now has access to information never intended for them.

When sending an email without encrypting it first, it’s a lot like the doctor coming out to talk to you in the waiting room. Granted, the majority of email content is perfectly acceptable to send as-is, and we’re not here to tell you that every single email needs to be protected. Emails sent without encryption become a problem when they contain information that is protected—either by company policy or by law.

Who Needs Email Encryption

As we stated previously, not all email requires encryption, and a lot of organizations can get away with never encrypting a single email. There are, however, certain categories of information that are required, by law, to be protected by reasonable technical measures—and encryption is widely treated as the baseline control for electronic transmission:

  • Personally Identifiable Information—PII is defined by several government compliance regulations as any information that by itself or in combination with other included information can be used to identify a single individual. Examples include social security numbers, full names, government issued ID numbers, biometrics, and more.
  • Sensitive Financial Information—Like PII, any information that can reasonably be used to identify an individual’s financial identity, accounts, or transactions is considered protected. This information falls under a protected status because it has the potential to be used for identity theft or fraud. While it is not often explicitly mandated to be encrypted in transit, it is classified as requiring “reasonable safeguards,” which, under modern enforcement standards, almost always includes encryption when transmitted electronically.
  • Medical Information—Any information that can reasonably be used to identify a person’s medical history or current medical state falls under strict regulations. Across healthcare and privacy regulations, unencrypted transmission of personal health information (PHI) is consistently treated as an unreasonable risk.
  • Educational Information—Any information that can be used to identify a student as it relates to their educational records is considered protected. This would include transcripts, student IDs, biometrics, and more.

If none of the above information is ever sent via email from your organization, then you are not legally required to protect those emails under sector-specific regulations, though your company’s own policies may still require vigilance related to the information you send.

Consequences of Violations

Government regulations clearly define the consequences of violating compliance laws. If information is intercepted and used maliciously, regulators immediately ask one key question: “Did the organization take reasonable steps to protect sensitive information once it chose to transmit it electronically?” If the email was sent without encryption, it becomes significantly harder to answer that question in your favor. The consequences are strict. They include:

  • Notification must be sent to affected individuals, government regulatory agencies, and sometimes even the media.
  • Payment of civil penalties, which can range from tens of thousands of dollars to millions of dollars, depending on the regulation, severity, and scale of the incident.
  • In the case of FERPA (education) violations, organizations can lose federal funding and be subject to stricter government oversight.

In addition to government penalties, organizations become subject to civil lawsuits and a loss of customer trust, which can be far more damaging to a company than legal penalties.

Final Thoughts

Not everyone is going to benefit from an email encryption service, and it shouldn’t be treated as just another checkbox on the list of security needs. As stated earlier, the majority of email communications sent globally do not require encryption, and claims to the contrary often rely more on fear than on fact. It is important, however, to ask yourself where your organization stands:

  • What data do you transmit?
  • If the data you’re sending is exposed, can anyone be legally or ethically harmed?
  • What controls do you need to properly mitigate that risk?
  • Can actual human beings be reasonably expected to consistently utilize those controls?

We’re here to help you answer those questions honestly and without hidden motives. Our role is to be your partner in evaluating where your business stands in the world of technical compliance and help you put the proportionate safeguards in place to mitigate the risks you actually carry.