Proofpoint: Security, Compliance and the Cloud

25 posts categorized "HIPAA"

November 08, 2010

GSA Workers' Social Security Numbers Emailed to Private Email Address, SSNs Critical in Identity Theft

The New York Times reported yesterday that the names and Social Security Numbers of the entire staff at the General Services Administration (GSA)—more than 12,000 people—were apparently emailed by an agency employee to a private email address. (See, "GSA workers' Social Security numbers e-mailed.")

The Times reports that technicians discovered the email containing the names and SSNs while reviewing logs on September 22, 2010, one week after the message was sent. The GSA explained to employees that a worker had sent the file containing the personal data by accident.

While this is a potentially massive exposure of private information, these sorts of email exposures are far from rare. Proofpoint's latest research in this area found that nearly one third (32%) of large US enterprises had investigated a suspected violation of privacy or data protection regulations involving email in the preceding 12 months. (For this data and many other statistics about similar data loss events see our report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010.)

Given the frequency of this type of exposure, organizations (especially those in regulated sectors such as healthcare, financial services, retail and government) should ideally have technology in place to detect private information. This sort of massive, inadvertent exposure of personal information via email is easily stopped using modern email security solutions.

For example, users of the Proofpoint Enterprise Privacy email data loss prevention and email encryption solution will often have a rule configured to block any outbound email found to contain multiple Social Security Numbers.

Typically, messages with Social Security Numbers should always be sent in encrypted form. Handling personal data in this way is not just a best practice, but is mandated by data protection standards and regulations including HIPAA, GLBA, PCI-DSS and various US state data privacy laws.

For more on why it's so important to protect Social Security Numbers, see this new BankInfoSecurity article, "Incidents Prove Link Between Social Security Numbers, ID Theft." In that article, information privacy expert Mari Frank says that SSNs are, "the key to medical-benefit theft, government-benefit theft, you name it."


August 30, 2010

New Report: Email Still the Number One Source of Data Loss Risks, but Social Media, Mobile Devices an Increasing Concern


Today we released the latest edition of our Outbound Email and Data Loss Prevention in Today's Enterprise report, now in its seventh year. As always, this report contains a huge number of interesting findings. Check out the video preview, above, for just a few of the top findings. This year, IT decision makers from 261 large US enterprises (all with 1000 or more employees) responded to our survey, conducted with the help of Osterman Research.

You can find more highlighted findings about how large enterprises manage data loss risks in our press release. Better yet, download the complete report, by visiting http://www.proofpoint.com/outbound.

I'll be blogging more about this throughout the week, but here are just a few of the most interesting findings:

Proofpoint found that, despite a growing awareness of data loss risks, large enterprises continue to be impacted by data loss at a surprising rate:

  • 36% of respondents said their organization was impacted by the exposure of sensitive or embarrassing information in the past 12 months.
  • 31% of respondents said their organization was impacted by the improper exposure or theft of customer information in the past 12 months.
  • 29% of respondents said their organization was impacted by the improper exposure or theft of intellectual property in the past 12 months.

Enterprise concerns and data loss events from social media continued to rise in the past 12 months:

  • Social Networking Sites (such as Facebook and LinkedIn): 20% of companies investigated the exposure of confidential, sensitive or private information via a post to a social networking site. 7% of companies terminated an employee for social networking policy violations. 20% disciplined an employee for such violations. 53% are highly concerned about the risk of information leakage via social networking sites. 53% explicitly prohibit the use of Facebook, while 31% explicitly prohibit use of LinkedIn.
  • Blog and Message Board Postings: 25% of companies investigated the exposure of confidential, sensitive or private information via a blog or message board posting. 11% of companies terminated an employee for blog or message board posting policy violations. 54% are highly concerned about the risk of information leakage via blogs and message boards.
  • SMS and Web-Based Short Messaging Services (such as Twitter): 17% of companies investigated the exposure of confidential, sensitive or private information via one of these services. 51% are highly concerned about the risk of information leakage. 49% explicitly prohibit the use of Twitter.
  • Media Sharing Sites (e.g., YouTube, Vimeo): 18% of companies investigated the exposure of confidential, sensitive or private information via shared video or audio media. 9% of companies terminated an employee for media sharing/posting policy violations. 21% disciplined an employee for such violations. 52% are highly concerned about the risk of information leakage. 53% explicitly prohibit the use of media-sharing sites.

August 09, 2010

Email Archiving: Major Update to Proofpoint Enterprise Archive Adds Exchange 2010 Support, New eDiscovery Features

We're excited to announce a new update to Proofpoint Enterprise Archive, our SaaS email archiving solution, today, along with several new email archiving resources.

Pictured at left is our updated datasheet about Proofpoint Enterprise Archive, which has been enhanced with information about the latest features. (You can click the image to snag a PDF copy.)

The new version adds full support for Microsoft Exchange Server 2010, including support for Outlook Web Access, access to stubbed attachments and advanced search capabilities.

It also supports organizations that are migrating from earlier versions of Exchange—or that have complex email environments—because it's compatible with environments that use multiple Microsoft Exchange server versions including 2003, 2007 and 2010.

One of the primary benefits of Proofpoint Enterprise Archive is that it helps reduce legal discovery risks and costs. By providing a secure, searchable repository of all email messages, Proofpoint's email archiving solution makes it easy to perform early case assessments, instantly preserve data in active legal holds and enforce email retention policies.

“eDiscovery is critical to our firm, as attorneys must be able to store and search email records quickly during the legal hold stage at the beginning of the litigation process,” says Proofpoint customer Steven Heller, director of technology for law firm Graubard Miller (for more on the benefits Steven and his firm have realized, see this previous blog post). “We continue to trust Proofpoint for our archiving needs and are thrilled with its ability to generate search results in near-real time. New legal hold features will empower our team to track and identify key information faster and easier than ever before.” 

The new release includes a variety of enhancements to help streamline the eDiscovery process:

  • Proofpoint Enterprise Archive’s active legal hold capabilities allow attorneys and staff to instantly preserve data in legal holds, in contrast to inefficient, manual methods that are difficult to track and audit and that increase the legal risk of data spoliation.
  • Enhanced eDiscovery capabilities make it easier for legal teams to search data in near real-time to prepare for HR, regulatory or litigation issues. Proofpoint Enterprise Archive now supports data export to EDRM XML, a standard format used in the legal industry to simplify the movement of archived data to other legal analysis tools. New search capabilities also benefit end-users who can more easily perform complex searches of their own archived email.
  • Proofpoint Enterprise Archive includes compliance and supervision features for industry-specific rules and regulations such as FINRA, GLBA and HIPAA, as well as SEC policies for email storage. For organizations with supervisory compliance requirements (such as compliance with FINRA rules) Proofpoint Enterprise Archive now makes it easier to handle larger groups of supervised users, perform supervision searches and randomly sample data for auditing purposes. An enhanced supervision workflow allows records managers and compliance officers to more easily manage multiple supervision queues.

You can learn more about the solution in our complete press release... And see my next blog post for the link to a new Gartner report on email archiving strategies...

June 25, 2010

FTC Puts the Smackdown on Twitter for User Privacy, Access Controls: Concern Over Privacy and Data Protection Just Keeps Growing

Is privacy the new black? Certainly seems that way with a constant stream of news about privacy snafus, data loss/exposure incidents and increasing scrutiny of data privacy policies at all levels.

A couple of the latest sightings: Yesterday, the FTC issued a decision based on its investigation of Twitter's security practices (text of the FTC's decision on Twitter here), which came under scrutiny after several high-profile compromises of that social media service.

E-commerce Times has a good summary of the situation today, including some commentary from yours truly about what this ruling means for all types of online services, especially those with a messaging component. I also suggest that some of the FTC's prescription for Twitter is generally good advice when it comes to password security. Rather than repeat all of that stuff here, I refer you to Katherine Noyes's excellent article over at ecommercetimes.com for the whole story:

E-Commerce Times: FTC Puts Social Nets on Notice with Twitter Smackdown

On a related tip, I see that the always excellent Healthcare Info Security has posted a new podcast with IT luminary Guy Kawasaki talking about social media strategies, including security concerns. Taking a bit of a contrarian view, Guy says that security and privacy concerns about social media are, "massively overblown."

Healthcare Info Security podcast: Guy Kawasaki on the Power of Social Media

I get where Guy's coming from - he's really commenting on some individuals' over-sensitivity to targeted marketing campaigns and the difference between regulated info like personal healthcare and financial information and info that might be considered "private" but doesn't really represent something risky or exploitable.

But at the same time, enterprises (especially in regulated industries) need to be mindful of the fact that - just as with email - it's fairly easy to run afoul of data protection and privacy regulations over social media.

Regular readers know that I've got a whole raft of facts about that (if you've never seen those before, you can find many of those here in the blog, or download my latest report at http://www.proofpoint.com/outbound.)

June 18, 2010

Supreme Court Rules in Text Messaging Privacy Case (City of Ontario, CA vs. Quon): Implications for Enterprise Email and Text Monitoring Policies

Regular readers of this blog know that I've been following the legal proceedings around a text messaging privacy case involving City of Ontario, California police officer Jeff Quon and his employer, the Ontario (California) Police Department. Last year, the 9th Circuit Court sided with several police officers (including Quon) who had sued the department for reading hundreds of personal text messages (many of which were of a sexually explicit nature) that officers had sent and received on department-issued pagers.

The City appealed that ruling to the Supreme Court, which issued its ruling today in City of Ontario v. Quon, U.S. Supreme Court case No. 08-1332. In its ruling, the high court reversed the 9th Circuit Court's finding, ruling that the City's search and audit of Quon's text messages was reasonable. (You can read the full text of the court's decision here: City of Ontario, California, v. Quon (PDF format).)

Business and Legal Reports has a good summary of this case in the article, "Supreme Court Rules on Text Message Privacy Case." And, of course, the court's findings have been reported widely today in other media (for example, this LA Times article). 

Though this particular case involved the privacy of text messages and the privacy of government employees that send them, the outcome of this case will have an impact on workplace monitoring policies in all types of industries – not just government – and for all types of electronic communication mediums.

One of the main take-aways from the Supreme Court’s ruling today is that the employer’s policies, and the clarity with which those policies are communicated, are crucial to establishing what sort of “reasonable expectation of privacy” employees should have.

In this particular case, the court found that the City of Ontario’s search and audit of text transcripts was reasonable, not excessively intrusive and had a clearly work-related purpose (the City was trying to determine if employees’ text messaging limits were too low and should be increased – during this audit, the content of Quon’s personal messages came to light).

The court also found that Quon did not have a reasonable expectation of privacy, in part because Quon had signed the city’s Computer Usage, Internet and Email Policy, which stated that the City “reserves the right to monitor and log all network activity… with or without notice.”

My advice to employers and employees is as follows:

  1. Companies that monitor employees' outbound email and other electronic communications should clearly communicate to them what is being monitored and how. If that includes transmissions to "personal" email accounts via company networks or devices, this should be explicitly stated. If the company feels that employees should not have a reasonable expectation of privacy, this should be clearly communicated in a formal, written policy.
  2. Additionally, as part of their electronic communications policies, companies should discourage employees from using personal accounts to conduct company business.
  3. Employees should be aware that, even in the absence of a formal policy, their employer may be monitoring or auditing their electronic communications. For example, Proofpoint’s own research (http://www.proofpoint.com/outbound) finds that 46% of large US companies perform regular audits of outbound email content.

Of course, employers have many legitimate reasons for monitoring the content of email, web messages and text messages sent from their organizations, not the least of which are concerns about compliance with data protection regulations including HIPAA and GLBA.

In our 2009 research on this topic, Proofpoint found that 43% of US companies had investigated a suspected email leak of confidential or proprietary information in the past 12 months and 34% had investigated an email-based violation of privacy or data protection regulations in the past 12 months.

With respect to text messaging, Proofpoint found that 13% of large US companies had investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). And 41% of those companies said that they are highly concerned about the risk of information leakage via Web-based short messaging.

More such statistics are available in Proofpoint’s 2009 Outbound Email and Data Loss Prevention in Today’s Enterprise report, which is available from http://www.proofpoint.com/outbound. (The 2010 edition of this report will be available in the coming weeks.)

June 09, 2010

Five Hospital Staffers Fired for Social Media Discussions About Patients

In a news item that won't come as any big surprise to regular readers of this blog, Healthcare InfoSecurity reports that Oceanside California's Tri-City Medical Center will terminate five employees and discipline another for posting discussions about hospital patients via Facebook.

According to the article, "5 to be Fired for Social Media Use," there may not have been (strictly speaking) a violation of HIPAA or HITECH privacy rules, but the CEO of the hospital said that an investigation had, "yielded sufficient information to warrant disciplinary action."

As I've reported on many previous occasions, discipline and termination actions for these sorts of activities are far from rare. In Proofpoint's 2009 survey of more than 200 email decision makers at large enterprises, we found the following:

  • 17% of large US companies investigated the exposure of confidential, sensitive or private information via a posting to a social networking site.
  • 10% disciplined an employee for violating social networking policies, while 8% had fired an employee for such a violation (and this just within the preceding 12 months).
  • Overall, 34% of responding companies (from all industries) had investigated a suspected violation of privacy or data protection regulations in the past 12 months.

In the forthcoming (2010) edition of this report, I expect that we'll see an increase in both the level of concern and the number of disciplinary actions taken by companies with respect to misuse of social media.

June 04, 2010

UK Information Commissioner's Office Publishes Data on Security Breaches, But Not Yet Issuing Fines

eWeek Europe has been doing a good job of following news out of the UK about efforts by the Information Commissioner's Office (ICO) to crack down on breaches of personal data.

In a new story out today, ICO Cracks Down on Data Breaches, But no Fines, writer Sophie Curtis points out that while the ICO has ruled that several large-scale exposures of private healthcare and identity information were violations of the UK's Data Protection Act, it has yet to impose fines. (Earlier this year, the ICO was given authority to levy fines of up to 500,000 pounds.)

Earlier in the week, the ICO published a list of all the data breaches that had been reported to it since 2007, along with some analysis of the causes and sources of those breaches. Click the illustration in this post to view the ICO's breach notification spreadsheet.

A quick look shows that stolen data and hardware are the most common cause, while erroneous disclosures (which I presume includes a healthy number of inadvertent leaks via email and the web) are the second most common cause. eWeek Europe has some additional analysis in their article, "NHS Tops ICO List for Most Data Breaches."

In their article today, eWeek included some Proofpoint statistics about UK data loss concerns that we had collected at the recent Infosecurity Europe 2010 show, along with commentary from our own Ken Yearwood:

...a survey by SaaS email security provider Proofpoint also found that 93 percent of respondents were concerned about the potential for private or personal information to be leaked via email.

This is despite the fact that nearly two thirds of those surveyed said that their company had implemented data protection regulations, and around half had already deployed some kind of email encryption system.

“Enterprises have a pressing need to adhere to regulations that require special handling of sensitive information in emails, and require automatic methods for ensuring compliance,” said Ken Yearwood, director NEMEA at Proofpoint. “It is gratifying to see that passwords are now commonplace and that businesses are embracing security mechanisms such as full disk encryption to ensure that the company is not at risk in the event that a laptop is lost or stolen.”

April 27, 2010

Lost and Stolen Mobile Devices - and Resulting Data Breaches - in the Zeitgeist

From the "I told ya so" file: Seems that lost and stolen mobile devices are in the news quite a bit lately. Since this is something I keep tabs on in Proofpoint's annual Outbound Email and Data Loss Prevention report, I'd be remiss if I didn't share these nuggets with you.

First up: Gadget aficionados are probably familiar with the recent flap over what would seem to be a prototype of Apple's next-generation iPhone that the editor of gadget blog Gizmodo (pictured at left) paid to acquire.

The prototype in question was apparently left in a bar here in Silicon Valley (well, really more up the Peninsula) by an Apple employee where it was recovered by another patron and then eventually made its way into the hands of Gizmodo in exchange for $5000.

Of course, the Gizmodo guys dissected the thing to get the scoop on the next great thing from Apple. The latest development in this story is that police have raided Gizmodo editor Jason Chen's home and seized a bunch of computers and other devices (including another mobile device, Chen's iPad) as part of an ongoing investigation into the incident. (CBS News has a good blog post and relevant links). Gizmodo's own coverage of the whole story can be found here.

Aside from the fact that this is all just plain interesting and entertaining, why do I mention it here?

Well, your organization's own mobile devices (including laptops, smartphones, iPads, USB drives, etc.) are a common source of data loss. And the people that find or steal them may not be as interested in the hardware as in the confidential data that's on them. Further, whether or not the finders/stealers have any interest in the data found on your mobile devices, if you've got unencrypted data on them, or they provide access to unencrypted data (such as email attachments or files) that represents protected healthcare, identity or financial information, the loss of such devices may put you in a situation where you have to notify regulatory authorities about that loss.

To wit: In an address at the Infosecurity Europe conference today, David Smith, deputy commissioner of the UK's Information Commissioner's Office, revealed that the NHS (Britain's National Health Service) has, to date, reported the largest number of serious data breaches. The most common source of such breaches? Stolen data or hardware, followed by lost data or hardware.

See, "InfoSec: NHS worst culprit for data breaches" at Computerworld UK for details.

Here in the US, lost or stolen mobile devices seem to be the most common source of breaches of private health care information (PHI). As I've noted previously, the US Department of Health and Human Services now publishes breaches on its website as part of enforcement of HIPAA/HITECH. The HHS’s web page with these disclosures is here:

HHS's Posted List of Healthcare Data Breaches

The US HIPAA/HITECH regulations note that loss of suitably encrypted information is not something that needs to be reported/disclosed. To avoid this sort of disclosure, you need encryption for both data at rest (i.e., encrypt those laptop hard drives) and data in motion (i.e., adopt policy-based encryption for email, monitor outbound transmissions for the presence of PHI, PFI, etc. and encrypt or block as warranted).
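The encrypt-or-block monitoring of outbound mail described here, and the rule from the GSA post above (block any outbound message containing multiple Social Security Numbers; always send a message containing an SSN in encrypted form), can be sketched as a small policy check. The code below is an added example written for this page, not Proofpoint's product code. The SSN validity rules are the SSA's published format constraints (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid); the action names, the block threshold of two SSNs and the sample messages are assumptions.

```python
"""Outbound-email SSN rule: block messages carrying multiple SSNs, require
encryption for a message carrying one, allow the rest.  Added illustration;
the rule logic, action names and thresholds are assumptions, not Proofpoint's
own implementation."""
import re
from email import message_from_string
from email.message import Message

# SSA format rules: area 000, 666 and 900-999 are never issued; group 00 and
# serial 0000 are invalid.  Applying them cuts false positives on strings such
# as part numbers that merely have the ###-##-#### shape.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)(\d{3})[- ](?!00)(\d{2})[- ](?!0000)(\d{4})(?!\d)"
)

ACTION_BLOCK, ACTION_ENCRYPT, ACTION_ALLOW = "block", "encrypt", "allow"


def find_ssns(text: str) -> set:
    """Return the distinct, validly formed SSNs in text, normalised to 9 digits."""
    return {"".join(m.groups()) for m in SSN_RE.finditer(text)}


def text_parts(msg: Message):
    """Yield decoded text from every text/* part, including text attachments."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield payload.decode(charset, errors="replace")


def evaluate(raw_message: str, block_threshold: int = 2) -> dict:
    """Apply the rule: >= block_threshold distinct SSNs -> block,
    exactly one -> deliver only via encryption, none -> allow."""
    msg = message_from_string(raw_message)
    ssns = set()
    for text in text_parts(msg):
        ssns |= find_ssns(text)
    if len(ssns) >= block_threshold:
        action = ACTION_BLOCK
    elif ssns:
        action = ACTION_ENCRYPT
    else:
        action = ACTION_ALLOW
    return {"action": action, "ssn_count": len(ssns), "to": msg["To"]}


# Constructed sample: a staff roster sent to a personal mailbox.  Two of the
# four SSN-shaped strings are unissuable (area 987, group 00) and are ignored,
# so two valid SSNs remain and the message is blocked.
SAMPLE_ROSTER = """From: hr@agency.example
To: someone@personal-mail.example
Subject: staff roster
Content-Type: text/plain; charset=utf-8

Name,SSN
A. Example,123-45-6789
B. Example,234 56 7890
C. Example,987-65-4321
D. Example,345-00-6789
"""

# Constructed sample: a single SSN to a business partner -> encrypt, not block.
SAMPLE_SINGLE = """From: hr@agency.example
To: benefits@partner.example
Subject: enrollment form
Content-Type: text/plain; charset=utf-8

Employee SSN: 123-45-6789 (form attached)
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_ROSTER))
    print(evaluate(SAMPLE_SINGLE))
```

The message is walked part by part so that a roster attached as a text file is caught as readily as one pasted into the body; binary attachments (spreadsheets, PDFs) would need a text-extraction step in front of the same rule.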

There's no intention here of beating up on any particular organization. I've been tracking statistics on data loss related to lost or stolen mobile devices and storage media for several years (see our report, Outbound Email and Data Loss Prevention in Today's Enterprise) and these sorts of losses are anything but rare.

To recap from the 2009 data (where we surveyed 220 email decision makers at US enterprises with more than 1000 employees):

"How Common are Data Leaks in General? Via Email? Via Lost or Stolen Devices?

  • More than one third (34%) of US companies surveyed say their business was impacted by the exposure of sensitive or embarrassing information in the last 12 months. One third (33%) said they had been impacted by improper exposure or theft of customer information. 28% said they had been impacted by the improper exposure or theft of intellectual property.
  • 43% of US companies investigated a suspected email leak of confidential or proprietary information in the past 12 months. 34% investigated a suspected violation of privacy or data protection regulations in the past 12 months.
  • More than 1 in 5 of US companies surveyed (22%) investigated the exposure of confidential, sensitive or private information via lost or stolen mobile devices in the past 12 months. 51% of respondents are highly concerned about the risk of information leakage via email sent from mobile devices.

If you're interested in this topic, you might find the following Proofpoint resources helpful (in addition to the report mentioned above):

Whitepaper: HIPAA and Beyond: An Update on Healthcare Security Regulations for Email

Whitepaper: Protecting Enterprise Data with Proofpoint Encryption

April 27, 2010

Infosecurity Europe: New Products, New Partnership... Win an iPad at Stand L90!

If that darn volcano hasn't interfered with your travel plans and you're in London for this week's Infosecurity Europe 2010 show, do make sure you visit Proofpoint at stand L90 to learn about our latest SaaS solutions for email security, data loss prevention, email encryption and email archiving.

In an announcement we issued yesterday, Proofpoint introduced its Proofpoint 6.1 platform (which powers our flagship Proofpoint ENTERPRISE email security solution) to the European market. New features include multi-protocol (email and Web) DLP capabilities, a new data loss prevention dashboard, an Outlook plug-in for easier access to on-demand email encryption (via Proofpoint Encryption) and other security and performance enhancements. You can read all about it (in English) at the following URL:

http://www.proofpoint.com/InfoSecurity2010News

That release is also available in French and German, as well.

Now today, we've announced a new partnership with Titus Labs, a company that provides email classification and document classification solutions. I have to admit that, before we started working with Titus Labs, I didn't know much about issues such as email classification, protective markings and such, but it turns out that there are a wide variety of regulations that government organizations and other types of enterprises need to comply with that involve the proper classification and marking of both communications (such as email) and documents themselves.

Titus makes some really great solutions in this area and, as you might imagine, there are some terrific synergies between solutions like this and data loss prevention, email encryption and archiving. For example, our press release today describes a couple of use cases:

Titus Labs Message Classification and Document Classification products are widely used by government, military and commercial organizations to classify and protectively mark Microsoft Outlook messages and Office documents. Explicit visual labels and corresponding metadata properties that are applied to email messages and their attachments by Titus Labs solutions can automatically trigger a wide variety of policy enforcement, data loss prevention, encryption and archiving policies applied by Proofpoint solutions.

For example, using Proofpoint ENTERPRISE™ Privacy, protectively marked emails and documents can be automatically encrypted, blocked or quarantined for further review before transmission via email, depending upon what labels have been applied. Similarly, different data retention periods can be enforced based on the classification of a message or its attachments (using Proofpoint ARCHIVE™).

Applications include compliance with a wide variety of regulations including the UK’s GPMS (Government Protective Marking Scheme) and Data Protection Act, the Australian E-Protective Marking standard, ITAR (International Traffic in Arms Regulations), HIPAA and other healthcare privacy rules and GLBA, PCI-DSS and other financial data privacy regulations. 
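The label-driven policy just described (a classification marking on a message or its attachments selecting encryption, blocking or quarantine, and a retention period) can be illustrated with a small policy engine. This is an added example written for this page, not Proofpoint's or Titus Labs' code: the X-Classification header name, the four-level marking vocabulary, the policy table and the sample message are all assumptions. The one design point it shows is that the effective classification must be the most restrictive marking across the message and every attachment, so a CONFIDENTIAL document cannot leave under an INTERNAL cover note.

```python
"""Label-driven mail policy: classification markings on a message and on each
attachment select the DLP, encryption and retention policy.  Added
illustration; header name, label vocabulary and resulting actions are
assumptions, not Proofpoint's or Titus Labs' formats."""
from email.message import EmailMessage
from email.policy import default
from typing import Optional

# Hypothetical marking vocabulary, least to most sensitive.  The rank lets us
# take the most restrictive label across message and attachments.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]
RANK = {name: i for i, name in enumerate(LEVELS)}
LABEL_HEADER = "X-Classification"      # assumed header carrying the marking

# Hypothetical policy table keyed by effective classification.
POLICY = {
    "PUBLIC":       {"action": "allow",      "retention_days": 365},
    "INTERNAL":     {"action": "allow",      "retention_days": 3 * 365},
    "CONFIDENTIAL": {"action": "encrypt",    "retention_days": 7 * 365},
    "RESTRICTED":   {"action": "quarantine", "retention_days": 10 * 365},
}


def part_label(part) -> Optional[str]:
    """Marking on one MIME part, or None if the part is unmarked."""
    value = part.get(LABEL_HEADER)
    if value is None:
        return None
    value = value.strip().upper()
    if value not in RANK:
        raise ValueError(f"unknown classification marking: {value!r}")
    return value


def effective_label(msg: EmailMessage) -> str:
    """Most restrictive marking found on the message or any attachment.
    A message with no marking anywhere is treated as INTERNAL."""
    labels = [lbl for part in msg.walk() if (lbl := part_label(part))]
    if not labels:
        return "INTERNAL"
    return max(labels, key=RANK.__getitem__)


def decide(msg: EmailMessage) -> dict:
    """Resolve the classification and look up the policy that applies."""
    label = effective_label(msg)
    return {"classification": label, **POLICY[label]}


def build_sample(body_label: Optional[str] = "INTERNAL",
                 attachment_label: Optional[str] = "CONFIDENTIAL") -> EmailMessage:
    """Constructed message: a cover note with one CSV attachment.  With the
    defaults the body is marked INTERNAL but the attachment CONFIDENTIAL, so
    the stricter label must win.  None leaves that part unmarked."""
    msg = EmailMessage(policy=default)
    msg["From"] = "analyst@agency.example"
    msg["To"] = "partner@contractor.example"
    msg["Subject"] = "quarterly figures"
    if body_label:
        msg[LABEL_HEADER] = body_label
    msg.set_content("Figures attached.")
    extra = [f"{LABEL_HEADER}: {attachment_label}"] if attachment_label else None
    msg.add_attachment(b"case_id,diagnosis\n1001,example\n", maintype="text",
                       subtype="csv", filename="cases.csv", headers=extra)
    return msg


if __name__ == "__main__":
    print(decide(build_sample()))
```

Because `EmailMessage.add_attachment` keeps non-Content headers on the top-level message when it converts it to multipart/mixed, the cover note's marking and each attachment's marking are visible to one `walk()`, which is what makes the max-over-parts rule a one-liner.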

You can learn more about this partnership by reading our full press release, Titus Labs and Proofpoint Partner to Deliver Interoperable Email Classification, Email Security and DLP Solutions to Enterprise and Government Customers Worldwide. Or, better yet, visit our stands at the Infosecurity Europe exhibition, in London’s Earls Court stand L90 (for Proofpoint) or stand J30 (for Titus Labs).

This is a really interesting new area and Titus Labs will be joining us for an upcoming webinar to explain how their solution works and the benefits of using email classification and email security technology together to better protect data.

When you visit Proofpoint's booth, you can also be entered to win an Apple iPad, just by taking our Infosecurity Europe email security trends survey. We have a couple of the new tablet computers on hand that you can use to take our short survey about email security trends in Europe and one lucky respondent will get to take one home! 

April 21, 2010

Email Encryption: Register for Our Live Webinar on Pragmatic Approaches to Regulatory Compliance - April 29th, 2010

Proofpoint email encryption specialist Ken Liao will be presenting a live web seminar on Thursday, April 29th 2010 on the topic of "A Pragmatic Approach to Compliance with Policy-based Encryption" at 9 a.m. PT / Noon ET.

Ken's a great presenter and if you're at all concerned about email as it relates to compliance with data privacy regulations, you won't want to miss this online event. Here's the brief overview of what Ken will cover:

Email continues to be the number one source of data loss risks. If your organization handles data governed by regulations such as PCI, HIPAA or GLBA, you need to ensure that your email system can protect sensitive information from improper exposure, while also enabling secure communication with your customers, clients and business partners. Join this discussion to learn more about requirements for protecting sensitive data in email. You’ll learn how automatic, policy-based email encryption can provide effective protection for sensitive information in email and why it should be a central part of your approach to compliance.

To attend, please register by visiting the following URL and clicking the "Register for this event" link:

http://mediazone.brighttalk.com/event/Proofpoint/f87e955fd6-3782-intro

©2012 Proofpoint, Inc.