Proofpoint: Security, Compliance and the Cloud

Earlier this year our friend Steven Heller, director of IT for New York-based law firm Graubard Miller, kindly sat down with me to explain how his organization uses our hosted email archiving solution, Proofpoint Enterprise Archive, to reduce the size of their Microsoft Exchange email store, simplify (and speed up) electronic discovery and save time and money in the process.

Steven and his firm have been using Proofpoint's email archiving service for several years now (first purchasing the product when it was known as Fortiva, before that company's acquisition by Proofpoint) and he continues to be a very vocal supporter.

In this short video, Steven talks about the issues the firm had with email retention prior to Proofpoint and explains what he likes about Proofpoint's solution:

Steven will be presenting "How to Save Hundreds of Thousands on eDiscovery," an educationalcase study on email archiving and eDiscovery at the MIS Training Institute's upcoming IT Governance, Risk and Compliance event (co-located with Audit World 2011) at the Hilton Boston Back Bay on September 20, 2011.

He'll also be presenting a similar case study at Computerworld's Fall Storage Networking World 2011 event (October 10-13, 2011 in Orlando, Florida). If you're attending either event, make a point of attending his sessions - he's a great presenter and very knowledgeable about these topics.

We also recently published a short PDF case study on Graubard Miller that you can find here:
Proofpoint case study, Graubard Miller.

Thanks again, Steve, for taking the time to chat with us and for your ongoing support!

Tip 'o' the blog to our resident eDiscovery expert, Robert Cruz, who pointed out an interesting Gartner press release from last week — see "Gartner Says by Year-End 2013, Half of All Companies Will Have Been Asked to Produce Material from Social Media Websites for E-Discovery" — that had slipped by me.

Gartner's announcement references a recent piece of Gartner research, authored by analyst Debra Logan, and published during December of 2010.

Not sure why they're just getting around to promoting that report now, but it's an interesting piece (Gartner subscribers can access a full copy of Social Media Governance: An Ounce of Prevention at http://www.gartner.com/resId=1498916). Many of the most interesting points in the full document are actually made in the press release. These include:

1. Social media content isn't special when it comes to eDiscovery: Says analyst Debra Logan, "Social media content is like all other content that is created by companies and individuals and is subject to the same rules, laws and customs." So, just as with email, companies will need to be able to quickly discover and produce social media content in response to legal or regulatory discovery requests.
   
   "In e-discovery, there is no difference between social media and electronic or even paper artifacts. The phrase to remember is 'if it exists, it is discoverable'," says Logan.
   
   
2. Keep social media policies simple and consistent: On the topic of policies, Logan suggests that, "Policymakers need to keep policies simple when it comes to what should and should not be done online. A good rule of thumb is that  whatever the company code of conduct is for in-person encounters, and whatever the rules are for general good behavior and common sense, apply in the online world as well."
   
   Additionally, Logan notes that the "legal landscape" around social media remains in flux due to "overlapping, conflicting and contradictory laws and regulations." Because there is no clear guidance, "the safest option is to have a consistent policy and apply it consistently."
   
   
3.  In the absence of technology controls, banning access might be appropriate: Says Logan, "If... a technology creates content that cannot be captured for archival purposes and that archive is required by law, then the organization must tell employees... not to use the technology, even unofficially." Gartner's press release also notes that Gartner estimates that, by the end of 2012, 50% of companies will attempt to block access to some or all social networking sites.
   
   Proofpoint's own research on this subject (see page 13 of our Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 report) shows that roughly half of large enterprises already have policies that prohibit the use of popular social networking sites such as Facebook (53% ban by policy), YouTube (53% ban by policy) and Twitter (49% ban by policy) — whether they actually attempt to block access to such sites.

Of course, the problem with banning or blocking employee access to social media sites is that one is sacrificing the many benefits of social media in favor of security and compliance. As a result, many employees will attempt to "work around" such blocks and restrictions.  Over time, such situations won't be sustainable.

But the good news is that the technology to monitor, enforce compliance rules and retain/archive social media content actually exists today and is getting easier and less costly to deploy.

We'll be discussing this topic in detail in our upcoming (March 9, 2011) live web seminar, "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers." To register, click the preceding link, or simply fill out the form below:

Three new things to share with you today: First, Proofpoint announced a new partnership with  Clearwell Systems, a leading provider of eDiscovery solutions, to deliver integrated, cloud-based litigation-readiness services for email.

The companies will work together to better integrate the Proofpoint Enterprise Archive SaaS email archiving solution with Clearwell's eDiscovery Platform, delivering a solution that will reduce the time, costs and risks associated with electronic discovery.

You can read more about that partnership in our full press release.

In conjunction with that announcement, we also published a new whitepaper that explains how the adoption of cloud computing applications can complicate electronic discovery if not handled correctly. In What Every Enterprise Should Know about Cloud Computing and eDiscovery we explain these risks and offer practical advice on how to evaluate cloud service providers and the features and service level agreements you should look in cloud-based solutions, so that eDiscovery risks are minimized while meeting your organizations business, legal and IT goals.

As usual, you can get a copy of this whitepaper by clicking the link above... But (and here's the third new thing), you can also get a copy right now, simply by filling out the form below. How's that for efficiency?

Complete this form and click "Submit" to read our new cloud computing and eDiscovery whitepaper:

Keeping with our eDiscovery and archiving theme this week, Proofpoint published a new press release and case study about customer Wedbush Securities, a leading financial services firm. Wedbush uses Proofpoint solutions for email security (Proofpoint Enterprise Protection) as well as email archiving and eDiscovery (Proofpoint Enterprise Archive).

The new case study (click the image at left to view the actual PDF version) focuses on how Wedbush replaced its outdated email archiving solution with Proofpoint's SaaS solution with the goals of making archiving and eDiscovery more user friendly, more efficient and better satisfying SEC/FINRA supervision requirements.

Wedbush's director of IT, Mattias Tornyi, says, "I think the performance around eDiscovery is really a big benefit, and something that we wouldn’t get with an in-house solution. I can do any type of search through the system, and know I am getting a response time within 30 seconds. It’s so easy to use and very efficient for IT, Compliance and Legal to perform discovery searches now."

Regular blog readers will recall that I recently posted a video interview with Jeff Bell, the executive VP of clearing and technology for Wedbush Securities talking about how his organization uses Proofpoint. I've included that video again, below, as well as a new "part 2" of that interview where Jeff discusses some of the other security and IT issues (including phishing, mobility and training) that are most on his mind today. Here's part one:

And here's part two:

Note that you can find more customer case studies in our online learning center and more Proofpoint videos in our YouTube channel.

Our live web seminar series continues on Wednesday, December 8th, 2010 with "What are your Obligations to Retain Email and Other Electronic Content?"

Analyst Michael Osterman of Osterman Research will join us to talk about findings from his recent report on the same topic. He'll discuss the business, litigation and regulatory compliance drivers that require organizations of all sizes and every industry to establish retention policies for email and other types of electronic documents.

Mike's report includes a summary of more than 50 regulations that require archiving of digital content. But as Mike notes in his report, there are still some organizations that are resistant to archiving such information.

"Unlike their regulated counterparts, organizations in so-called 'non-regulated' industries tend to believe that their electronic content retention obligations are minimal at best," he writes. "They believe electronic content should be deleted regularly to reduce the risk of liability in the event of a lawsuit or regulatory audit. They fear such content may contain 'smoking guns' that might reveal poor judgment by organizational decision makers or rogue employees... Contrary to what such decision-makers may think, no organization operating in the United States, regardless of size or industry, is immune from the obligation to retain electronic content in accordance with the Federal Rules of Civil Procedure."

Come learn the facts about why archiving email and other digital content is important for every type of organization.

As an added incentive, attendees who take our short survey at the end of the live event will be entered in a random drawing to win a new Apple iPod Nano... Just in time for the holidays!

Register for "What are your Obligations to Retain Email and Other Electronic Content?" here.

In partnership with Osterman Research, we've just made available a new whitepaper on email archiving and the retention of email  and other types of electronic content.

"What Are Your Obligations to Retain Email and Other Electronic Content?" explains the various litigation readiness and regulatory compliance requirements faced by enterprises in both regulated and non-regulated industries.

One of my favorite features of this new paper is a great appendix that lists and briefly summarizes more than 50 different industry and government regulations that require retention of various forms of electronic content.

Visit the download page for this email archiving whitepaper »

To learn more about Proofpoint's SaaS solution for email archiving, visit our Proofpoint Enterprise Archive product page.

We're excited to announce a new update to Proofpoint Enterprise Archive, our SaaS email archiving solution today, along with several new email archiving resources.

Pictured at left is our updated datasheet about Proofpoint Enterprise Archive, which has been enhanced with information about the latest features. (You can click the image to snag a PDF copy.)

The new version adds full support for Microsoft Exchange Server 2010, including support for Outlook Web Access, access to stubbed attachments and advanced search capabilities.

It also supports organizations that are migrating from earlier versions of Exchange—or that have complex email environments—because it's compatible with environments that use multiple Microsoft Exchange server versions including 2003, 2007 and 2010.

One of the primary benefits of Proofpoint Enterprise Archive is that it helps reduce legal discovery risks and costs. By providing a secure, searchable repository of all email messages, Proofpoint's email archiving solution makes it easy to perform early case assessments, instantly preserve data in active legal holds and enforce email retention policies.

“eDiscovery is critical to our firm, as attorneys must be able to store and search email records quickly during the legal hold stage at the beginning of the litigation process,” says Proofpoint customer Steven Heller, director of technology for law firm Graubard Miller (for more on the benefits Steven and his firm have realized, see this previous blog post). “We continue to trust Proofpoint for our archiving needs and are thrilled with its ability to generate search results in near-real time. New legal hold features will empower our team to track and identify key information faster and easier than ever before.” 

The new release includes a variety of enhancements to help streamline the eDiscovery process:

• Proofpoint Enterprise Archive’s active legal hold capabilities allow attorneys and staff to instantly preserve data in legal holds, in contrast to inefficient, manual, methods that are difficult to track and audit and increase legal risks of data spoliation.
• Enhanced eDiscovery capabilities make it easier for legal teams to search data in near real-time to prepare for HR, regulatory or litigation issues. Proofpoint Enterprise Archive now supports data export to EDRM XML, a standard format used in the legal industry to simplify the movement of archived data to other legal analysis tools. New search capabilities also benefit end-users who can more easily perform complex searches of their own archived email.
• Proofpoint Enterprise Archive includes compliance and supervision features for industry-specific rules and regulations such as FINRA, GLBA and HIPAA, as well as SEC policies for email storage. For organizations with supervisory compliance requirements (such as compliance with FINRA rules) Proofpoint Enterprise Archive now makes it easier to handle larger groups of supervised users, perform supervision searches and randomly sample data for auditing purposes. An enhanced supervision workflow allows records managers and compliance officers to more easily manage multiple supervision queues.

You can learn more about the solution in our complete press release... And see my next blog post for the link to a new Gartner report on email archiving strategies...

Our friend Keith Shaw over at Network World has a great new "Panorama" podcast up today where two email archiving experts—Proofpoint's own Andres Kohn and AppRiver's James Dean—talk about the email archiving challenges that both enterprises and SMBs face.

In "E-mail Archiving Challenges: Two Perspectives", Andres takes the enterprise perspective while James represents the SMB space.

You can have a listen by visiting Network World's site here:

http://www.networkworld.com/podcasts/panorama/2010/060710pan-archiving-twosides.html

Or you can download an mp3 version directly to your local machine here:

http://podcasts.networkworld.com/panorama/2010/060710pan-archiving-twosides.mp3

With eDiscovery, archiving and litigation readiness very much in the headlines these days (see my recent posts about BP and Piper Jaffray), you might want to learn more about the issues discussed in this podcast. In our upcoming live web seminar, "Surviving eDiscovery" we'll discuss initial steps for compliance and litigation readiness as well as provide practical advice for both legal and IT teams. To register, please visit:

http://www.proofpoint.com/id/survive-ediscovery/index.php?id=6

As the latest efforts to contain the huge Gulf oil spill hit another snag, electronic discovery experts have been musing that BP might be faced with not just one of the biggest environmental catastrophes ever, but also the biggest eDiscovery event ever.

Writing for Legal IT Professionals, Burke & Company president Christy Burke posted an extremely comprehensive article about the eDiscovery issues faced by BP in what may turn out to be the largest electronic discovery event in history, with more than 100 lawsuits already filed.

In her article, "Could the BP Oil Spill Lead to an eDiscovery Disaster?" she writes:

"Ever since documents have been stored digitally, electronic discovery has figured into cases. However, many organizations still find themselves stumbling when it comes to legal hold obligations, guarding against spoliation, and electronic redaction.  How can BP avoid becoming another cautionary tale of a Fortune 500 company blundering through its eDiscovery responsibilities?"

Other eDiscovery commentators have also been sharing their perspectives on the legal implications of the BP deepwater drilling platform explosion and subsequent spill. Barry Murphy over at eDiscovery Journal had some good observations as well. In his post, "eDiscovery Lessons Learned from the BP Crisis," he notes:

"This is an example of preservation duties kicking in before a lawsuit is filed. In my mind, the legal hold process should kick in within hours of the BP realizing that an incident occurred. This also shines the light on how important it is to pre-plan for legal hold. When an incident occurs, an organization should aspire to be able to go into one system, set up the legal hold, and feel confident that most sources of information will be automatically preserved."

The type of central control over legal hold is one of the things that today's email archiving technologies can offer to enterprises that are concerned about litigation readiness. With eDiscovery issues like the BP disaster and the recent Piper Jaffray sanction (see my previous blog post) so front-and-center these days, we've made this the topic of our next live web seminar.

Join our resident eDiscovery and litigation readiness expert Rick Dales live on Wednesday, June 16th for "Surviving eDiscovery: IT and Legal Team Up to Meet the Challenge." Rick will provide practical advice for both legal and IT teams on how they can work together to ensure their organizations are ready for discovery events and potential litigation.

To register, visit this link: Surviving eDiscovery: IT and Legal Team Up to Meet the Challenge

Interesting article from the Wall Street Journal online yesterday about brokerage firm Piper Jaffray being fined $700,000 for "alleged shoddy email practices," exposing some of the risks related to email retention and eDiscovery.

The gist of the story is that Finra (the Financial Industry Regulatory Authority) seems to have fined Piper Jaffray for "failing to save 4.3 million emails between 2002 and 2008," according to the Journal article. Apparently, the firm also failed to disclose to Finra that it was having "intermittent trouble with email retention and retrieval during the relevant period."

You can read the full article, "Compliance Watch: Investors Often Stuck when Emails Surface" at the following URL:

http://financialadviserblog.dowjones.com/blog/stay-ahead-of-your-clients/0/0/investors-often-stuck-when-emails-surface

Don't think that this story is just a cautionary tale for financial services firms. Even if your organization isn't regulated by Finra, it's still common to find yourself in a position where you need to quickly, accurately and completely find and hold emails that are relevant to a legal action.

In fact, our most recent annual research on this topic (see Outbound Email and Data Loss Prevention in Today's Enterprise, 2009) found that nearly 25% of large enterprises said that employee email had been subpoenaed by a court or other regulatory body in the past 12 months.

Failing to promptly and comprehensively respond to an eDiscovery request can result in negative inference finding in courts of law that can ultimately lead to a guilt verdict (or the type of regulatory enforcement that seems to be going on in the Piper Jaffray case).

While we see many media reports about "smoking gun" emails, email can also come to a company's defense. That is, if a company is able to rapidly search its historic email, it can better defend itself in a legal action and better analyze the merits of a lawsuit and make better decisions about whether to fight or settle a pending case. (This technique is known as "early case assessment" in the eDiscovery world.) One typically doesn't hear about the many situations where early case assessment is used to settle a lawsuit or defuse a regulatory action before it becomes a news event!

To learn more about these sorts of eDiscovery issues, the Federal Rules of Civil Procedure that affect every company and how email archiving solutions can help lower both email retention costs and related risk exposure, download our whitepaper, Email Archiving: A Proactive Approach to eDiscovery by visiting:

http://www.proofpoint.com/id/email-archiving/index.php