
by Karen Gregory


Industry Encryption Standard

As part of DTCC's drive to mitigate risk by protecting the information it handles on behalf of the industry, the organization has further strengthened its email security.

The latest enhancements add new levels of encryption to protect the integrity of non-public information (NPI) that is exchanged with customers. Examples of NPI are names, birth dates, ABA routing numbers, Social Security and credit card numbers.

The new capabilities build on a protocol DTCC implemented in 2006 called Transport Layer Security (TLS). Mark Clancy, DTCC managing director and chief information security officer, explained that TLS protects information by encrypting email messages between servers without any user intervention.


Now, DTCC has extended its use of TLS to cover email containing NPI. In addition, for those customers that cannot or do not use TLS when sending NPI or other sensitive information, DTCC has developed a new secure email gateway.

"Together, these capabilities allow us to continue using the tools our customers are familiar with and, at the same time, ensure that our communications are securely and consistently protected as they flow between our network and our customers' networks," Clancy said.

In January, customers began testing the new protocol, which will go live March 15. After that date, customers will be required to use one of the encryption methods for exchanging NPI data with DTCC via email.

Ensuring regulatory compliance

When the state of Massachusetts announced a new compliance regulation in March 2010 requiring the protection of personal information contained in both paper and electronic records, DTCC implemented a temporary measure whereby its system returned to senders any email deemed to be potentially in conflict with the handling requirements of the regulation.

"The Massachusetts regulation gave us an opportunity to look at our full customer base outside of the TLS environment," Clancy explained. "That, in turn, led us to create a more robust technology solution to enforce protection of a wider array of content based upon automated detection."

The new capability also protects messages that users specify they want encrypted when an automated rule might not otherwise kick in. "An automated rule is an application within the system that looks at the content of the message," explained Clancy. "If the NPI content matches, for example, a Social Security number, the system automatically redirects the message to the secure mail delivery gateway."

How the protocols work

Here's the difference between the two types of encryption.

TLS Encryption: Customers already using TLS will receive NPI the same way they now receive other restricted emails. Because TLS automatically encrypts the message in transit at the sender's gateway and decrypts it at the recipient's gateway, documents can be opened immediately in readable form without any further steps. Note that this protection covers only the hop between the two gateways: the message is handled in the clear on each side, which is what lets existing gateway tooling keep working on it.

TLS also allows customers to leverage their existing compliance monitoring and records retention systems without modification.

Non-TLS Encryption: This capability ensures DTCC email is securely delivered to customers that do not use TLS. DTCC will encrypt the outgoing email content, wrap it in an envelope and send the recipient a notification message directing him or her to a secure email gateway. After completing a one-time registration, the recipient can download the document, now decrypted, to his or her computer. To reduce the risk of spam or spoofing through the portal, DTCC will disable the "Reply" and "Forward" functions in the secure email gateway. DTCC is advising customer firms that have a policy blocking access to encrypted messages to work with their information technology support teams to enable the TLS protocol on their existing mail gateways.
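The routing decision described above (automated NPI detection, a user's explicit encrypt flag, and the choice between TLS delivery and the secure gateway) can be sketched as a small content-inspection rule. The following is an added illustration written for this page; it is not DTCC's code, and the domain allowlist, the simplified NPI patterns, the message format and the sample messages are all assumptions constructed for the example. Real DLP engines use far richer detectors, but the shape of the logic is the same: detect, then pick the delivery path by whether the recipient's domain is known to enforce TLS.

```python
import re
from dataclasses import dataclass

# Constructed allowlist: customer domains whose mail gateways are known to
# negotiate TLS with us (hypothetical names, not from the article).
TLS_ENABLED_DOMAINS = {"bank-a.example", "broker-b.example"}

# Simplified NPI detectors (assumption: production rules would be stricter and
# context-aware). Each regex is followed by a checksum where one exists, which
# cuts the false-positive rate of a bare digit pattern.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
ABA_RE = re.compile(r"\b\d{9}\b")                    # ABA routing number length


@dataclass
class Message:
    sender: str
    to: str
    subject: str
    body: str
    user_flagged: bool = False   # sender explicitly asked for encryption


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeating, sum divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def detect_npi(text: str) -> list:
    """Return a list of (kind, matched_text) for every NPI item found."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("card", m.group()))
    for m in ABA_RE.finditer(text):
        if aba_ok(m.group()):
            findings.append(("aba", m.group()))
    return findings


def route(msg: Message) -> str:
    """Pick the delivery path: 'plain', 'tls' or 'secure_gateway'.

    A message is redirected when the automated rule finds NPI or when the
    sender flagged it; TLS is used only for recipients on the allowlist,
    everyone else goes through the secure gateway.
    """
    has_npi = bool(detect_npi(msg.subject + "\n" + msg.body))
    if not has_npi and not msg.user_flagged:
        return "plain"
    domain = msg.to.rsplit("@", 1)[-1].lower()
    return "tls" if domain in TLS_ENABLED_DOMAINS else "secure_gateway"


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Message("ops@dtcc.example", "alice@bank-a.example", "Account update",
                "Participant SSN 123-45-6789 on file."),
        Message("ops@dtcc.example", "bob@other.example", "Card on file",
                "Card 4111 1111 1111 1111 expires next month."),
        Message("ops@dtcc.example", "bob@other.example", "Invoice",
                "Invoice 42 attached."),
        Message("ops@dtcc.example", "bob@other.example", "Invoice",
                "Invoice 42 attached.", user_flagged=True),
    ]
    for m in samples:
        print(f"{m.to:24} -> {route(m)}")
```

In a real deployment the allowlist would be enforced at the MTA rather than in a script (for example, a per-domain policy table such as Postfix's `smtp_tls_policy_maps` with the `encrypt` or `secure` level), so that a message classified as "tls" is never downgraded to cleartext if the remote server stops offering STARTTLS.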

[For more information, customers can contact Parthiv Shah, DTCC vice president, Information Security Technology, at]