Proofpoint: Security, Compliance and the Cloud

9 posts categorized "Email Monitoring"

December 22, 2010

Put Social Media Policies on Your List of New Year's Security and Privacy Resolutions

Over at Baseline magazine this week, writer Nick Wreden has a good article on "Social Media Policy Development," summarizing that organizations need to develop firmly written, clearly communicated policies around all types of electronic communications, including those conducted via social media channels.

This is still a sometimes-overlooked area of policy development and, if your organization hasn't yet communicated specific policies around keeping confidential (or regulated) information secure over social media channels, I'd suggest you put this on your "to do" list for the new year.

Nick quotes our oft-cited statistics about data loss and social media in large enterprises, noting that our 2009 research found that "34 percent reported that a loss of sensitive information had affected business. The same study found that 13 percent had investigated troublesome Twitter usage, and 15 percent had disciplined employees for unauthorized posting of videos on YouTube and similar sites."

Note that these numbers increased in 2010 (and you can get a copy of our latest report, "Outbound Email and Data Loss Prevention in Today's Enterprise, 2010" at http://www.proofpoint.com/outbound). Our report also shows that, while acceptable use policies for email are almost universally adopted, there are still a substantial number of organizations that do not yet have formal policies in place around the use of social media sites (including blogs, message boards, social networks, short message services like Twitter and media sharing sites like YouTube).

As I always suggest when considering acceptable use policies for email, when creating these sorts of policies for social media, I'd encourage organizations to focus on the data loss and compliance risks associated with social media sites, not just the "time wasted" aspects of those sites.

Keep in mind that the cost of a single low-performing employee (who, for example, spends too much time at work engaged in non-work-related social media) is completely bounded by that employee's salary (and such problems are fairly easily addressed). However, a single data loss/breach incident can cost hundreds of thousands or even millions of dollars in remediation costs, potential fines, brand damage and lost business.

The article over at Baseline has some other good suggestions around social media policy development and some real-world examples of what enterprises such as EMC, Xerox and Mel-O-Cream are doing to address the risks associated with social media.

Note also that I'll be touching on this topic a bit in our next live web seminar (January 12th), "Top 10 Privacy Issues for 2011." Do join me! You can register here: http://www.proofpoint.com/id/top10privacy/index.php

November 09, 2010

Gartner DLP Advice and Research: Read Gartner's 2010 Content-Aware Data Loss Prevention FAQs Report

Proofpoint has made available some cool new Gartner research on data loss prevention in the form of a reprint of Gartner's 2010 Content-Aware Data Loss Prevention FAQs report.

This 8-page report describes Gartner's advice about the best approaches and benefits of deploying data loss prevention (DLP) solutions. It lists many of the typical questions asked by Gartner clients and provides answers that are applicable to the most common DLP scenarios.

This document has some especially interesting information about the differences between "enterprise" and "channel" DLP and when the channel DLP approach (for example, deploying data loss prevention and encryption features for email) is sufficient. This is a topic that I touched on in a previous blog post (see "Gartner Analyst: Many Organizations Buying More DLP than They Need").

As the report notes, "Gartner has found that many DLP implementations only use a small subset of the total capabilities. Many times, what has been implemented is often the functionality subset that can be achieved with a C-DLP [channel DLP] solution from an incumbent provider at substantially less cost and complexity."

There are many more interesting insights in this report and it's well worth a read for anyone looking for information on the business cases for adopting DLP technology, deployment tips, evaluation criteria and much more. Follow the link below to read the full report:

Gartner Report: 2010 Content-Aware Data Loss Prevention FAQs

Related Research

Note that Proofpoint currently makes a number of other Gartner reports available, including:

August 30, 2010

New Report: Email Still the Number One Source of Data Loss Risks, but Social Media, Mobile Devices an Increasing Concern

Today we released the latest edition of our Outbound Email and Data Loss Prevention in Today's Enterprise report, now in its seventh year. As always, this report contains a huge number of interesting findings. Check out the video preview, above, for just a few of the top findings. This year, IT decision makers from 261 large US enterprises (all with 1000 or more employees) responded to our survey, conducted with the help of Osterman Research.

You can find more highlighted findings about how large enterprises manage data loss risks in our press release. Better yet, download the complete report, by visiting http://www.proofpoint.com/outbound.

I'll be blogging more about this throughout the week, but here are just a few of the most interesting findings:

Proofpoint found that, despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:

  • 36% of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
  • 31% of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
  • 29% of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.

Enterprise concerns and data loss events from social media continued to rise in the past 12 months:

  • Social Networking Sites (such as Facebook and LinkedIn): 20% of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. 7% of companies terminated an employee for social networking policy violations. 20% disciplined an employee for such violations. 53% are highly concerned about the risk of information leakage via social networking sites. 53% explicitly prohibit the use of Facebook, while 31% explicitly prohibit use of LinkedIn.
  • Blog and Message Board Postings: 25% of companies investigated the exposure of confidential, sensitive or private information via a blog or message board posting. 11% of companies terminated an employee for blog or message board posting policy violations. 54% are highly concerned about the risk of information leakage via blogs and message boards.
  • SMS and Web-Based Short Messaging Services (such as Twitter): 17% of companies investigated the exposure of confidential, sensitive or private information via one of these services. 51% are highly concerned about the risk of information leakage. 49% explicitly prohibit the use of Twitter.
  • Media Sharing Sites (e.g., YouTube, Vimeo): 18% of companies investigated the exposure of confidential, sensitive or private information via shared video or audio media. 9% of companies terminated an employee for media sharing/posting policy violations. 21% disciplined an employee for such violations. 52% are highly concerned about the risk of information leakage. 53% explicitly prohibit the use of media-sharing sites.

June 18, 2010

Supreme Court Rules in Text Messaging Privacy Case (City of Ontario, CA vs. Quon): Implications for Enterprise Email and Text Monitoring Policies

Regular readers of this blog know that I've been following the legal proceedings around a text messaging privacy case involving City of Ontario, California police officer Jeff Quon and his employer, the Ontario (California) Police Department. Last year, the 9th Circuit Court sided with several police officers (including Quon) who had sued the department for reading hundreds of personal text messages (many of which were of a sexually explicit nature) that officers had sent and received on department-issued pagers.

The City appealed that ruling to the Supreme Court, which issued its ruling today in City of Ontario v. Quon, U.S. Supreme Court case No. 08-1332. In its ruling, the high court reversed the 9th Circuit Court's finding, ruling that the City's search and audit of Quon's text messages was reasonable. (You can read the full text of the court's decision here: City of Ontario, California, v. Quon (PDF format).)

Business and Legal Reports has a good summary of this case in the article, "Supreme Court Rules on Text Message Privacy Case." And, of course, the court's findings have been reported widely today in other media (for example, this LA Times article). 

Though this particular case involved the privacy of text messages and the privacy of government employees that send them, the outcome of this case will have an impact on workplace monitoring policies in all types of industries – not just government – and for all types of electronic communication mediums.

One of the main take-aways from the Supreme Court’s ruling today is that the employer’s policies, and the clarity with which those policies are communicated, are crucial to establishing what sort of “reasonable expectation of privacy” employees should have.

In this particular case, the court found that the City of Ontario’s search and audit of text transcripts was reasonable, not excessively intrusive and had a clearly work-related purpose (the City was trying to determine if employees’ text messaging limits were too low and should be increased – during this audit, the content of Quon’s personal messages came to light).

The court also found that Quon did not have a reasonable expectation of privacy, in part because Quon had signed the city’s Computer Usage, Internet and Email Policy, which stated that the City “reserves the right to monitor and log all network activity… with or without notice.”

My advice to employers and employees is as follows:

  1. Companies that monitor employees' outbound email and other electronic communications should clearly communicate to them what is being monitored and how. If that includes transmissions to "personal" email accounts via company networks or devices, this should be explicitly stated. If the company feels that employees should not have a reasonable expectation of privacy, this should be clearly communicated in a formal, written policy.
  2. Additionally, as part of their electronic communications policies, companies should discourage employees from using personal accounts to conduct company business.
  3. Employees should be aware that, even in the absence of a formal policy, their employer may be monitoring or auditing their electronic communications. For example, Proofpoint’s own research (http://www.proofpoint.com/outbound) finds that 46% of large US companies perform regular audits of outbound email content.

Of course, employers have many legitimate reasons for monitoring the content of email, web messages and text messages sent from their organizations, not the least of which is concern about compliance with data protection regulations including HIPAA and GLBA.

In our 2009 research on this topic, Proofpoint found that 43% of US companies had investigated a suspected email leak of confidential or proprietary information in the past 12 months and 34% had investigated an email-based violation of privacy or data protection regulations in the past 12 months.

With respect to text messaging, Proofpoint found that 13% of large US companies had investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). And 41% of those companies said that they are highly concerned about the risk of information leakage via Web-based short messaging.

More such statistics are available in Proofpoint’s 2009 Outbound Email and Data Loss Prevention in Today’s Enterprise report, which is available from http://www.proofpoint.com/outbound. (The 2010 edition of this report will be available in the coming weeks.)

June 11, 2010

Best Practices for Using Email in the Workplace: Via FINS/Wall Street Journal Digital Network

Once again, I am quoted giving a variation on my golden rule of email, "Don't put anything in writing that you don't want the whole world to see." This time, the venue is FINS (a finance careers site that's part of the Wall Street Journal's online network). In, "Email Best Practices for the Workplace," reporter Toddi Gutner quotes me and Proofpoint's oft-repeated statistics on email discovery and email monitoring.

In light of recent exposures of internal emails at firms like Goldman Sachs, this article aims to answer the question, "Are there times when an email shouldn't have been sent?" While aimed at financial services professionals, this article provides some great advice that workers in any industry should consider when using email at work.

To summarize the guidelines presented in the article for using email at work:

  • Keep work email for work matters. If you are using your company computer and your company email, it shouldn't be used for personal matters.
  • Communicate clearly and carefully. Finance professionals, such as traders and portfolio managers who use email to verify prices of stocks and bonds, need to ensure that the information they send is accurate.
  • Be professional. Don't write or send an email when you're angry or emotional. If you're upset, consider waiting 24 hours.
  • Consider the telephone. When considering writing an email on a sensitive topic, consider picking up the phone instead.

There's a lot more detail in the full article, which can be found here:

Email Best Practices for the Workplace

April 15, 2010

Supreme Court to Hear Ontario Police Text Privacy Case Next Week: Potential Impacts on Workplace Email Monitoring?

Quick follow-up on a story I blogged about late last year (in Supreme Court to Hear Ontario Police SMS Text Message Privacy Case): The US Supreme Court is due to hear a case (Ontario vs. Quon) involving the privacy of text messages sent from employer-supplied devices next week.

National Public Radio's "Morning Edition" show aired a very good segment on this case this morning that helps explain the facts of the case and the potential ramifications for employers (especially government organizations including police departments) that monitor electronic communications - such as text messages, email, and social media communications.

You can listen to that story or read a transcript here:

NPR: Should Personal Texts From Work Devices Be Private?

Though this particular case involves the privacy of text messages, the (government) employees that send them and the privacy of recipients (who may or may not be employees of the organization providing the messaging device in question), it's likely that the outcome of this case will have an impact on workplace monitoring policies in all types of industries (not just government) and for all types of electronic communication mediums.

Of course, employers have many legitimate reasons for monitoring the content of email, web messages and text messages sent from their organizations, not the least of which is concern about compliance with data protection regulations including HIPAA and GLBA.

Forgive me if you've heard this one before, but in our latest research on outbound email and data loss prevention, Proofpoint found that 13% of large US companies had investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). And 41% of those companies said that they are highly concerned about the risk of information leakage via Web-based short messaging.

You can find more such statistics in our full report.

April 06, 2010

New Jersey Supreme Court Says Employees Have a Reasonable Expectation of Privacy when Using Third-party Email Systems, Even at Work

I write about issues surrounding enterprises monitoring employee email fairly regularly and wanted to note this interesting legal development related to employee email privacy. In a case involving a discrimination and harassment lawsuit filed by an employee of the "Loving Care Agency" home health care company during 2008, the New Jersey high court has ruled that an employer cannot read email messages that employees have sent via a third-party email service provider, even if those emails are accessed by the employee during work hours and from a company-provided computer.

Dark Reading has a good write-up of this story here:

N.J. Supreme Court Rules Employers Can't Always Read Personal Email

Within that article is a link to an interesting analysis of the case (Stengart vs. Loving Care) at Workplace Privacy Report. That analysis says that the NJ supreme court ruling has two important implications for employers:

First, the court stated that even with a clearly written and unambiguous policy regarding employer monitoring of email, the employee had a reasonable expectation that her email communications with her lawyer - conducted via the employee's personal, password-protected webmail account - would be private.

Second, that the Court's opinion suggests that employers cannot discipline employees for spending some time at work receiving personal, confidential legal advice from a private lawyer.

In a previous blog post (see "Reading Employee Email: Do Workers Have an Expectation of Privacy?"), I noted several other cases where courts were increasingly siding with employees in cases involving privacy and employer monitoring of email.

It will be interesting to see if this trend is reflected in our 2010 research on outbound email and data loss prevention issues. In our 2009 research, we found (among many other interesting facts) that 38% of large US companies employ staff to read or analyze the contents of outbound email messages. 

If you're interested in this topic and have not read Proofpoint's 2009 survey report, you should check it out. Download your copy here.

March 05, 2010

More from the "Facebook Fired" File: East Stroudsburg University Professor Suspended for "Funny" Facebook Updates

According to a new article out today at Inc. Magazine (see "Would You Suspend an Employee Over a Status Update?"), an associate professor of sociology at East Stroudsburg University (Pennsylvania) has been put on indefinite paid leave for posting Facebook status updates that the university is investigating as potentially threatening.

The posts in question from January and February of this year - which reportedly read "Does anyone know where I can find a very discrete hitman?" and "Had a good day today. DIDN'T want to kill even one student. Now Friday was a different story." - set off alarm bells for university officials. Inc. reports that the university does not have a social media monitoring policy, but a spokesperson said, "Given the climate of security concerns in academia, the university has an obligation to take all threats seriously and act accordingly."

As is common in articles of this type these days, the Inc. story quotes Proofpoint's statistics about social media monitoring and related risks (download a copy of our complete DLP statistics here), saying:

Type "Facebook" and "fired" into any search engine and you'll get an ever-growing list of people who've stuck a foot into the wide-open mouth that is Facebook – and it's cost them dearly. A 2009 study by Proofpoint, an Internet security firm, found that 17 percent of companies report having issues with employees' use of social media, and 8 percent have actually dismissed someone for their behavior on those sites. In the previous year's study, just 4 percent were fired for their social media sins.

December 15, 2009

Supreme Court to Hear Ontario Police SMS Text Message Privacy Case: Are Personal Text Messages Sent from Employer-supplied Devices Private?

Interesting news out today that the US Supreme Court has agreed to review a ruling by the Ninth Circuit Court of Appeals that sided with several police officers who sued their employer, the Ontario (California) Police Department, for reading hundreds of personal text messages (supposedly some of them were of a sexually explicit nature) that the officers had sent and received on pagers issued to them by the department.

The finding by the 9th Circuit Court was cited in a recent Wall Street Journal article (see my earlier post "Reading Employee Email: Do Workers Have an Expectation of Privacy?") as evidence that courts are increasingly siding with employees in cases of electronic privacy violation.

CRN's ChannelWeb has a really good summary of the Ontario Police Department case that includes a lot of detail. See "Supreme Court to Weigh in on Employee Text Messaging Privacy." Writer Stefanie Hoffman notes that the City of Ontario appealed the ruling to the Supreme Court on the grounds that it's customary for employers to have policies that give them access to electronic communications sent by employees on employer-owned devices.

The Supreme Court is slated to rule on this issue in June 2010 and, should they find for the City of Ontario, it could set a new standard for employee privacy vis-a-vis employer-provided devices.

NetworkWorld also has some good coverage of this case (see "Supreme Court to Rule on Employee Privacy"), noting that the Supreme Court's decision could have repercussions that will impact compliance efforts. Writer Tony Bradley notes:

"Regulatory mandates such as SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), and GLBA (Gramm-Leach-Bliley Act) contain guidelines requiring that companies ensure certain information is protected, and that communications be archived for a certain period of time.

Companies can't meet some of these compliance requirements if the courts uphold an employee's right to privacy while using company equipment."

This tension between employee privacy and regulatory mandates that more-or-less require monitoring of outbound electronic communications is a theme that comes up regularly when I discuss findings from Proofpoint's own research on outbound email monitoring and data loss prevention (download a copy of our 2009 survey findings here).

It would seem that racy text messages are fully in the zeitgeist these days. Between Tiger Woods's travails, media hype around "sexting" and court cases like this one, it's impossible not to be aware of the privacy, policy and cultural issues around electronic messaging.

[Illustration: BlogPulse trend search for "explicit text messages" and "sexting"]
A quick check of BlogPulse's trend search (see illustration above) confirms that, indeed, there's a lot more chatter about these topics in recent weeks.

©2012 Proofpoint, Inc.