The cost of getting it wrong
HIPAA: Up to $1.9M per violation category per year
FINRA / SEC: $1.8B+ in fines across 16 firms in 2022 alone
GDPR: Up to 4% of global annual revenue per violation
CCPA: $7,500 per intentional violation + private right of action
Every major compliance framework that touches email requires, at its core, the same things good security practice demands: encrypt sensitive data, prevent unauthorized access, detect and respond to threats, and maintain an auditable record of what happened.
The difference is that compliance frameworks attach specific penalties, audit timelines, and documentation requirements to those controls. Deploying email security is not just the right thing to do — it is the documented, defensible thing to do when a regulator, auditor, or plaintiff asks what controls were in place.
Organizations that deploy ICES, DLP, encryption, journaling, and SAT are not just more secure. They are more compliant, more insurable, and more defensible in litigation.
Lower cyber insurance premiums: Underwriters discount premiums for organizations with documented email security controls — DMARC enforcement, ICES, and SAT are standard underwriting questions.
Audit-ready documentation: ICES deployment, DLP incident logs, SAT completion records, and journaling archives are the exact artifacts auditors and examiners request.
Reduced breach probability: ICES reduces phishing and BEC success rates. Fewer incidents mean fewer breach notifications, fewer regulatory investigations, and lower litigation exposure.
Defensible security posture: When a breach occurs, the question is whether reasonable controls were in place. Documented ICES deployment and SAT completion are a strong affirmative defense.
Each framework imposes different obligations, penalties, and documentation requirements. Here is what each one requires from your email program — with the specific regulatory citations.
45 CFR §§ 164.312, 164.314 (Security Rule)
Maximum penalty: Up to $1.9M per violation category per year
Applies to: Healthcare providers, health plans, clearinghouses, and their business associates
PHI transmitted via unencrypted email, phishing attacks that expose patient records, and missing audit trails for email access are the three most common HIPAA email violations cited by HHS OCR in enforcement actions.
Encryption: PHI must be encrypted in transit and at rest (addressable standard — but failure to implement requires documented justification)
Access controls: Only authorized users may access systems containing PHI — email account takeover is a direct HIPAA breach
Audit controls: Activity logs for systems that access PHI must be maintained and reviewable
Transmission security: Email containing PHI must use TLS or equivalent encryption
FINRA Rule 4511; SEC Rule 17a-4(b)(4); SEC Rule 17a-4(f)
Maximum penalty: FINRA fines from $10,000 to $1M+ per violation; SEC enforcement actions with disgorgement
Applies to: Broker-dealers, investment advisers, registered representatives, and their supervisors
FINRA and the SEC treat business email as a books-and-records obligation. Failure to retain, supervise, or produce email on demand has resulted in some of the largest regulatory fines in financial services history — including $1.8B in penalties across 16 major firms in 2022 for off-channel communications alone.
Retention: Business-related email must be retained for a minimum of 3 years (first 2 years in an easily accessible place)
WORM storage: Records must be stored in non-rewritable, non-erasable format (Write Once, Read Many)
Supervision: Firms must supervise electronic communications — including review of flagged content
Production on demand: Records must be producible to regulators within the timeframes specified in examination requests
GDPR Articles 5, 25, 32, 33, 83
Maximum penalty: Up to €20M or 4% of global annual revenue, whichever is higher
Applies to: Any organization that processes personal data of EU residents, regardless of where the organization is based
Email is the primary channel through which personal data is transmitted, processed, and leaked. A phishing attack that results in unauthorized access to email containing EU resident data triggers a 72-hour breach notification obligation under Article 33 — and potential fines under Article 83.
Data minimization: Only collect and transmit personal data necessary for the stated purpose — DLP enforces this at the email layer
Security of processing: Article 32 requires 'appropriate technical and organisational measures' — email encryption and anti-phishing are explicitly cited in guidance
Breach notification: Breaches involving personal data must be reported to supervisory authorities within 72 hours
Data subject rights: Organizations must be able to locate, export, and delete personal data on request — email archiving with search capability is required
Cal. Civ. Code §§ 1798.100–1798.199.100; CPRA amendments
Maximum penalty: $2,500 per unintentional violation; $7,500 per intentional violation; private right of action for data breaches
Applies to: For-profit businesses that collect personal information from California residents and meet revenue or data volume thresholds
Email is a primary collection and transmission channel for California resident personal information. A breach resulting from a phishing attack or account takeover that exposes California resident data triggers CCPA's private right of action — meaning individual consumers can sue without waiting for regulatory enforcement.
Reasonable security: Businesses must implement 'reasonable security procedures and practices' — the standard used in breach litigation
Data inventory: Organizations must know what personal information they hold and where it flows — email archiving supports this
Breach response: Unauthorized access to unencrypted personal information triggers notification obligations
Opt-out and deletion: Consumers may request deletion of their personal information — searchable email archives enable compliance
AICPA Trust Services Criteria (TSC) — Security, Availability, Confidentiality
Maximum penalty: No direct regulatory penalty — but audit failure blocks enterprise sales and triggers contract termination clauses
Applies to: SaaS companies, MSPs, and service providers that handle customer data and seek to demonstrate security posture to enterprise buyers
SOC 2 auditors examine email security controls as part of the Security and Confidentiality Trust Services Criteria. Missing anti-phishing controls, absent email encryption, and lack of security awareness training are common findings that result in qualified opinions or failed audits.
Logical access controls: CC6.1 — Access to systems must be restricted to authorized users; email account takeover is a direct control failure
System monitoring: CC7.2 — Anomalies and security events must be detected and responded to; ICES and Petra provide this for email
Risk mitigation: CC9.2 — Risks from vendors and business partners must be managed; email is the primary third-party risk vector
Confidentiality: C1.1 — Confidential information must be protected during transmission; email encryption is a direct control
Cyber insurance underwriters have significantly tightened underwriting requirements since 2021. Email security controls are now standard questions on virtually every cyber insurance application — and the answers materially affect both premium pricing and coverage availability.
Organizations that cannot demonstrate DMARC enforcement, email archiving, phishing simulation training, and multi-factor authentication on email accounts are increasingly being declined coverage or quoted at significantly higher premiums.
Deploying ICES, SAT, and journaling is not just a compliance investment — it is a direct input into your cyber insurance cost structure.
DMARC at enforcement (p=reject): Required by most underwriters. Domains without DMARC enforcement are considered high-risk for BEC and spoofing claims.
Anti-phishing controls (ICES): Underwriters ask specifically whether an ICES or equivalent anti-phishing platform is deployed. SEG-only environments are rated higher risk.
Phishing simulation training (SAT): Completion rates and frequency of phishing simulations are underwriting questions. Organizations with active SAT programs qualify for lower premiums.
Email archiving and retention: Archiving controls reduce litigation exposure and demonstrate operational maturity — both factors in underwriting risk assessment.
MFA on email accounts: Multi-factor authentication on email is now a baseline requirement for most cyber insurance policies. Accounts without MFA may void coverage for BEC claims.
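To make the "DMARC at enforcement (p=reject)" line concrete, here is an added example (not GetToInbox.com code) that classifies a DMARC TXT record by its effective enforcement level, including the sp and pct tags that can quietly weaken a record that nominally says p=reject; the sample records are constructed.

```python
"""Classify a DMARC TXT record by effective enforcement level.

Added example, not GetToInbox.com code. Checks the tags defined in
RFC 7489 that decide whether mail is actually rejected: p (policy),
sp (subdomain policy, defaults to p) and pct (sampling %, defaults to 100).
"""

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(record: str) -> str:
    """Return 'reject', 'quarantine', 'monitor-only', 'partial' or 'invalid'.

    'partial' means the organisational-domain policy is enforcing but the
    subdomain policy or the sampling percentage weakens it; an underwriter
    asking for "DMARC at p=reject" would not count such a record.
    """
    tags = parse_dmarc(record)
    # RFC 7489: v must be exactly DMARC1 and p is required for a policy record.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ENFORCING:
        return "monitor-only"     # p=none: aggregate reports only, nothing blocked
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if sub_policy not in ENFORCING or pct < 100:
        return "partial"
    return policy

if __name__ == "__main__":
    # Constructed sample records for example.com (not real DNS data).
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; sp=none",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com"):
        print(f"{dmarc_enforcement(rec):12}  {rec}")
```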
Different industries face different primary frameworks. Here is where to focus based on your sector.
Healthcare & Life Sciences
Primary frameworks: HIPAA, HITECH, SOC 2
Focus: Encryption, DLP for PHI, journaling, account takeover prevention
Financial Services & Fintech
Primary frameworks: FINRA Rule 4511, SEC 17a-4, GLBA, SOC 2
Focus: WORM archiving, eDiscovery, supervision, DLP for PII and financial data
Legal & Professional Services
Primary frameworks: State bar rules, ABA Model Rules 1.6, GDPR (if EU clients)
Focus: Encryption for privileged communications, DLP, journaling for matter records
Government & Public Sector
Primary frameworks: NIST 800-53, FedRAMP, CMMC, FISMA
Focus: DMARC enforcement, encryption, audit logging, phishing defense
Nonprofits & Education
Primary frameworks: FERPA (education), COPPA, state privacy laws
Focus: Anti-phishing, DLP for donor/student PII, basic email authentication
SaaS & Technology
Primary frameworks: SOC 2, ISO 27001, GDPR, CCPA
Focus: SOC 2 audit readiness, DLP, encryption, SAT for engineering and support teams