Proofpoint: Security, Compliance and the Cloud

Tip 'o' the blog to our resident eDiscovery expert, Robert Cruz, who pointed out an interesting Gartner press release from last week — see "Gartner Says by Year-End 2013, Half of All Companies Will Have Been Asked to Produce Material from Social Media Websites for E-Discovery" — that had slipped by me.

Gartner's announcement references a recent piece of Gartner research, authored by analyst Debra Logan, and published during December of 2010.

Not sure why they're just getting around to promoting that report now, but it's an interesting piece (Gartner subscribers can access a full copy of Social Media Governance: An Ounce of Prevention at http://www.gartner.com/resId=1498916). Many of the most interesting points in the full document are actually made in the press release. These include:

1. Social media content isn't special when it comes to eDiscovery: Says analyst Debra Logan, "Social media content is like all other content that is created by companies and individuals and is subject to the same rules, laws and customs." So, just as with email, companies will need to be able to quickly discover and produce social media content in response to legal or regulatory discovery requests.
   
   "In e-discovery, there is no difference between social media and electronic or even paper artifacts. The phrase to remember is 'if it exists, it is discoverable'," says Logan.
   
   
2. Keep social media policies simple and consistent: On the topic of policies, Logan suggests that, "Policymakers need to keep policies simple when it comes to what should and should not be done online. A good rule of thumb is that  whatever the company code of conduct is for in-person encounters, and whatever the rules are for general good behavior and common sense, apply in the online world as well."
   
   Additionally, Logan notes that the "legal landscape" around social media remains in flux due to "overlapping, conflicting and contradictory laws and regulations." Because there is no clear guidance, "the safest option is to have a consistent policy and apply it consistently."
   
   
3.  In the absence of technology controls, banning access might be appropriate: Says Logan, "If... a technology creates content that cannot be captured for archival purposes and that archive is required by law, then the organization must tell employees... not to use the technology, even unofficially." Gartner's press release also notes that Gartner estimates that, by the end of 2012, 50% of companies will attempt to block access to some or all social networking sites.
   
   Proofpoint's own research on this subject (see page 13 of our Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 report) shows that roughly half of large enterprises already have policies that prohibit the use of popular social networking sites such as Facebook (53% ban by policy), YouTube (53% ban by policy) and Twitter (49% ban by policy) — whether they actually attempt to block access to such sites.

Of course, the problem with banning or blocking employee access to social media sites is that one is sacrificing the many benefits of social media in favor of security and compliance. As a result, many employees will attempt to "work around" such blocks and restrictions.  Over time, such situations won't be sustainable.

But the good news is that the technology to monitor, enforce compliance rules and retain/archive social media content actually exists today and is getting easier and less costly to deploy.

We'll be discussing this topic in detail in our upcoming (March 9, 2011) live web seminar, "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers." To register, click the preceding link, or simply fill out the form below: