Proofpoint: Security, Compliance and the Cloud

May 07, 2014

Effective Information Retention Policy: Flexibility is Key

We’ve been working with a growing number of organizations that have finally (finally!) arrived at the decision that keeping everything forever is no longer a sustainable business strategy. Yes, they recognize that information growth continues unabated and, yes, more of this information is appearing in unmanaged locations such as social media. But, arriving at a shared perspective on how long information has value, what process could be utilized to rid oneself of junk, how to account for the information needs of users, and how one can gauge the incremental eDiscovery risks associated with preservation and disposition can often appear to be insurmountable obstacles.

Motivated by the search for a simple answer to the complex infogov question of “what information should I keep, and for how long”, these discussions have inspired me to advance a new approach to proactive information governance that is probably best described as Semper Gumby.


As you probably know, Semper Gumby is an unofficial motto of the United States Marine Corps, adopted to convey the imperative to be “Always Flexible”. Its importance and direct relevance to retention management is clear, where policies need to be sensitive to:

1) At the on-going operational level, setting policy reflects the fluid need to deliver consistent access to business-critical information to end users, balanced against the IT need to manage data storage cost and hassle cost-effectively;

2) Increasingly complex regulatory requirements, which have now established themselves as the top litigation concern for many corporations;

3) Litigation patterns and trends, along with deep-seated notions of how information management impacts preservation risk;

4) Internal communication patterns, and the increased traffic that is occurring outside of sanctioned communication channels.

Suffice it to say, these variables will continue to evolve and intermingle to ultimately produce a set of policies that map to each organization's unique situation. But, as Semper Gumby would dictate, a premium is placed on flexibility. Conditions, including use of specific communication channels, storage cost, and regulatory drivers, will inevitably evolve. Policies must be flexible enough to evolve with these conditions.

This fact can be highlighted via a survey that we recently conducted, looking at the existing retention policies of information archiving customers (horizontal axis representing retention policy length in years, vertical axis counting the number of companies with that policy).

[Chart: retention-policy-sample]

Some of the findings from the survey include the following:

  • 65% of the companies sampled had more than 1 active retention policy, averaging 3 policies overall
  • The default retention period across all companies surveyed averaged slightly more than 4 years
  • As expected, policies varied widely by industry. Health care, for example, had default policies that ranged from 1 to 8 years
  • The most common reasons for multiple policies were geographic drivers, policies driven by existing records class definitions, and policies reflecting legal discovery definitions
  • Policies are trending toward longer retention periods, most likely because storage is becoming less of a driver in setting policy given falling storage costs

As demonstrated by the survey, there is no one policy size that fits all (except those things driven by industry mandate). But it is also true that answering the question of “what information should I keep, and for how long” does not need to stop with “it depends“. Effective policies are not static and require granularity to reflect the unique needs of users, as well as legal and compliance stakeholders.

Equally important, effective policy management needs to address not just the challenges faced today by many companies in defining retention policies, but also ensuring that policies can be enforced. Policy enforcement that relies solely on actions of end users is rarely effective. Therefore, end users should be engaged as stakeholders based upon their knowledge and business expertise – not as records managers. The topic of policy enforcement will be covered in a post to follow.

For more information on how Proofpoint Enterprise Archive follows the Semper Gumby mantra in enabling robust – yet flexible – retention policy management, please visit http://www.proofpoint.com/products/archive-governance/by-role/compliance-officer.php#main. And, if you are planning to attend the MER conference in Chicago, we would love to meet with you there. Please schedule a session at: http://www.merconference.com/mymer/.

---


Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.

 

 

April 30, 2014

Survey shows dramatic jump in concern over regulatory investigation

In its just-released 10th Annual Litigation Trend Survey, law firm Norton Rose Fulbright offered its usual rich, data-intensive insights into litigation spend patterns and other causes of concern for legal departments, captured via a survey of over 400 senior corporate counsel. But one meta-concern clearly emerged in this report: concern over regulatory/investigation matters. Some key stats:

  • 41% of respondents list regulatory matters as a top concern, up from 23% in 2012
  • Amongst all sectors, Technology (from 16% to 50%), Financial Services (from 24% to 57%), and Health Care (from 24% to 52%) showed the most dramatic increases
  • In terms of categories of litigation, regulatory/investigation grew from 9% to 19% in the most recent survey
  • 61% of health care respondents indicated that they had one or more regulatory proceedings opened against them, more than any other vertical market
  • 52% of surveyed firms indicated that they are spending more time addressing regulatory requests
  • 62% of health care respondents indicated they are involved in issues pertaining to data privacy protection, while all verticals showed an increase from 31% to 43% in the most recent survey

Implications

This survey has always been a useful data source to report the ebbs and flows of litigation across different categories and market segments, but this year’s dramatic spotlight on regulatory matters appears to be the beginning of a longer-term pattern that is a function not only of new regulations (e.g. within HIPAA, FINRA, FFIEC, etc.), but of more fundamental consequences of 1) unfettered information growth, 2) proliferation of important data located outside of IT-managed environments, and 3) the increased frequency and severity of targeted threats. Those looking for the motivators behind internal initiatives targeted at data privacy, data security, and information governance need look no further.

What is also clear from this analysis is the increased premium that can be placed on proactive, pre-trigger readiness. Relying on antiquated internal systems or manual efforts to identify and collect information amidst an increasingly complex – and costly – regulatory environment is simply not sustainable. The 45% of respondents currently engaged in one or more regulatory proceedings would almost certainly attest to this.

The survey also highlights the importance of legal and compliance teams being active participants in the due diligence of new methods and technologies to address these regulatory complexities. As noted, 47% of organizations are now actively utilizing cloud computing approaches – and many tools are simply not designed for large-scale usability by legal or compliance teams. 52% of respondents are spending more time addressing regulatory concerns, but no doubt the vast majority would like to spend less – while also delivering on the goal of reducing the overall concern surrounding regulatory and investigative demands.

- Robert Cruz 

---


 

April 21, 2014

Social Media Compliance with Facebook and Twitter

Increasingly, organizations are turning to social media to market, sell, and maintain brand. But how can a regulated organization take advantage of social media while maintaining regulatory compliance? The SEC, FINRA, the FFIEC, HIPAA, and other regulatory bodies have either issued guidance covering the use of social media or have interpreted existing rules so that they can be applied to social media.

This post will discuss how to use Facebook and Twitter while maintaining regulatory compliance.

Given that social media is only recently seeing broad enterprise adoption, it has taken some time for regulators to catch up, but that situation is changing rapidly:

So, how best to avoid the potential sanctions and fines that could stem from improper use of social media?

Facebook, Twitter and how to Maintain Regulatory Compliance

The examples above illustrate the importance of crafting a solid social media policy that outlines exactly what employees should and shouldn't do when it comes to social media. There are many steps in this process that will be subject to future posts, but (here is a great resource that lists the social media policies) 

Once an airtight social media policy is in place and your employees are properly trained, you can turn your attention to the common regulator investigative task of determining “who did what when”.

Which brings us to the critical importance of archiving your employees' social media content in its native format so that you can answer the "who said what and when” question when the regulators ask.

Given the differences in each social media channel, it is important to consider each site's features, in order to determine what needs to be archived.

Take Facebook, for starters. Facebook contains wall posts, your comments / likes and 3rd party comments / likes, personal profiles, business pages, group pages, messages and email, photos and galleries, and notes—all of which need to be captured and archived. Moreover, it's important to note that you should capture Facebook content not only for your employees, but also for external people who communicate with your employees on Facebook.

Take, for example, a wall post that an employee creates on Facebook. As 3rd parties comment on or like that post, it's critical that you capture and archive that content as well, preserving the full context of a Facebook communication.

As another example, Facebook has built-in messaging capabilities that allow the employee to communicate in a method akin to email or instant messaging. These communications should be captured and archived as well.

How about Twitter? Twitter includes tweets, re-tweets, your tweets re-tweeted by others, mentions of you by others, direct messages, backgrounds and bios—once again, all of which should be captured and archived. Like Facebook, this is true of employee-generated content as well as 3rd party content.

For example, if an employee tweets to his or her followers, it’s necessary to capture and archive 3rd party replies to those tweets. And in addition to replying to your tweets, 3rd parties can re-tweet your tweet to their followers. These 3rd party re-tweets should be captured and archived as well.

Twitter also provides the user with the ability to send direct messages to other users on Twitter’s site. Similar to email, these communications should be captured.

In Summary

Regulators are catching up with organizations that are using social media for a variety of business-related purposes. They’ve issued proper-use guidelines and have levied sanctions and fines for misuse. In addition to a proper social media policy, capturing and archiving social media content to answer the “who said what and when” question is critical. The need to respond to regulatory requests in a timely and complete manner is no different for social media than it is for email, so be sure to have a comprehensive solution in place before you roll out social media to your employees.

The Proofpoint Social Platform for Archiving

Proofpoint Social Platform for Archiving allows organizations to employ policy-based controls to capture social content so that it can be managed like any other critical information asset. Proofpoint captures social conversational content by converting user content to email form in real time, ensuring you remain compliant with your regulatory obligations.

To learn more, visit: http://www.proofpoint.com/products/archive-governance/social-platform/index.php

- Christopher Ricciuti 

---


Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College. 

 


April 18, 2014

Q. How can a financial services firm comply with SEC 17a3-4 using Office 365?


 

A. Hold Everything

I received a number of follow-up questions to the post focused on Office 365 and its ability to address complex regulatory and eDiscovery needs - several focused on the following:

“First, a simple question – do you work for a financial services provider? If yes, stop here. Office 365 and Exchange 2013 do not address requirements outlined by SEC 17a3-4 that outline how data must be stored immutably, or supervisory review requirements under FINRA. You should be engaging with archiving or data storage providers to address these requirements.”

It was pointed out to me that there is a way to achieve immutability (as required under 17a3-4) - simply use the Rolling Hold feature and place the entire organization on hold. Yes that's right, the entire organization and all of their data. Call me old fashioned, but this approach takes me back to the good ol' days when organizations did not need to be concerned about the unbounded data growth, when information was easy to find, and FRCP, FINRA, FFIEC were meaningless acronyms. Ah, the good ol' days!

There is a long list of reasons that this is neither an effective information governance nor compliance strategy, but let me attempt to summarize the Top 5 Reasons why financial services organizations should consider other strategies.

1. Information is doubling every 2-3 years, resulting in a ginormous volume of preserved data over time. Office 365 can partially address the storage cost explosion (although it would be interesting to see how this approach would impact licensing cost), but the task of searching and retrieving specific information amongst a large volume of information that should not have been preserved grows exponentially. This will not bode well for timely response to a regulatory inquiry.

2. Preservation obligations are not uniform: multinational corporations must deal with a patchwork of data privacy and eDisclosure frameworks, so it is unclear how preserving all information from Germany-based users, for example, would work. Additionally, many legal teams have a well-developed posture regarding risk stemming from over-preservation. This will not be an easy sell with many.

3. Financial services mandated retention rules are complex, granular, and evolving. With over 250 new rule sets mandated under Dodd-Frank, plus new rules issued by FINRA and FFIEC, regulatory complexity has never been higher. Consequently, most firms have multiple policies, and those policies are likely to change in the not too distant future. Simply attaining 'immutability' by preserving everything will only further complicate compliance processes that are already stretched to keep up.

4. Disposition complexity: information that reaches the end of its retention period, say 6 years, would need to be manually removed from rolling holds, unless it is subject to some other legitimate preservation order. For a financial organization with an average of 20 active litigations per year, this would be an incredibly complex task to manage, even if Microsoft eventually develops command line scripts to help manage this task.

5. SEC 17a3-4 is only the beginning. Holding everything is a simple, brute-force method to address some very specific provisions of 17a3-4 (http://www.sec.gov/rules/final/34-44992.htm), for example use of spinning media, processes to maintain integral data values, separation of primary and secondary data copies, etc. Ultimately, only a financial regulator can determine if the “hold everything” approach is adequate. But it is just one set of requirements. Broker-dealers need to provide capabilities for supervisory review under FINRA, firms using social media need to preserve that content under guidelines established by FFIEC... the list goes on and on. Immutable storage is one verse of the financial services compliance ballad.

All of which leads to the conclusion that financial services firms are better served by using technology in conjunction with Office 365 that was designed to deliver on these rigorous regulatory and legal demands. It's time to move past the good ol' days of Hold Everything and ensure that your compliance teams are active participants in the evaluation of new communication platforms.

- Robert Cruz

---


 

 

April 16, 2014

Proofpoint DNS Issues - RESOLVED

UPDATE: Effective 3:00PM PDT, full DNS resolution of proofpoint.com has been restored. No further changes to customer systems should be necessary to resolve the proofpoint.com or pphosted.com domains.

Again, no actions are needed by customers at this time – and if workaround changes to MX records were made by customers in the interim per Proofpoint guidance, those changes can remain in place; no action is needed to undo them.

Proofpoint will also continue to proactively reach out to customers to ensure that they're currently able to access all Proofpoint services, and will be releasing an RCA shortly providing more details on the incident, follow-up, and structural changes being made to safeguard against similar situations going forward.

Thank you for your understanding.

 

--- Original Post ---

Just before midnight Eastern Daylight Time on April 15th, 2014, the Domain Name Registrar who holds Proofpoint's Domain Name Server information (an external agency to Proofpoint) changed the Internet's DNS records so that any internet request seeking any URL containing "proofpoint.com" in it was redirected to a "blackhole" DNS entry, i.e., the request did not complete.

Proofpoint was immediately aware of this issue and worked with the Domain Name Registrar to reverse their change.

Unfortunately, the nature of internet DNS is such that such central changes propagate through servers at various speeds -- some systems reflect changes immediately; others can take hours to do so. As a result, some customers may have experienced transient communications errors.

Again, while at no point was Proofpoint's set of core services down, traffic was unable to find the services if it used DNS lookup rather than direct IP addressing – and thus customers may have suffered varying degrees of service interruption, driven by changes made to core internet DNS systems outside of Proofpoint’s control. Similar DNS issues have been faced by other major SaaS providers and major brands on the internet as recently as within the last few months.

At this time, Proofpoint is proactively reaching out to customers to ensure that they're currently able to access all Proofpoint services, and in cases where the DNS changes have not yet propagated, to provide alternative DNS or direct IP routing.

We will continue to post status updates as DNS records are restored.

April 14, 2014

Heartbleed Issue Security Update

On Monday April 7, 2014, a security vulnerability in OpenSSL was disclosed on various internet channels. This vulnerability has been identified as CVE-2014-0160 in the Common Vulnerabilities and Exposures database. The OpenSSL cryptographic software library (a de facto standard for TLS) is widely used in internet infrastructure, and this vulnerability was introduced into OpenSSL in December 2011. The vulnerability allows an attacker to read up to a 64KB chunk of the server's memory per request, and that chunk of memory could contain sensitive information such as certificate private keys or passwords. More information can be found at http://heartbleed.com/.

Proofpoint immediately began to assess which products use the impacted OpenSSL version and has applied emergency patches to secure them against this vulnerability. The following Proofpoint services and products were patched on April 8th by upgrading the affected OpenSSL software package and are no longer vulnerable:

  • Proofpoint Enterprise Protection and Privacy (PPS) version 7.5 with patch 1837
  • Proofpoint On Demand (PoD) services
  • Proofpoint Targeted Attack Protection (TAP) services
  • Proofpoint Essentials services

Earlier versions of PPS (6.3, 7.0.2, 7.1, 7.2, and 7.5 without patch 1837) use a different version of OpenSSL and do not have this vulnerability. Proofpoint Enterprise Archive, Governance, and Sentrion are not impacted.
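As an added example, not part of Proofpoint's advisory: a triage script for the kind of version assessment the post describes. It classifies the output of `openssl version -a` by the upstream affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2) and flags builds dated on or after the fix, because distributions backported the patch without changing the version letter, so a bare version string can mislead. The host names and outputs in the inventory are constructed.

```python
"""Triage OpenSSL version output for Heartbleed (CVE-2014-0160) exposure.

Input is the text of `openssl version -a`: the first line is the version,
and a later "built on:" line gives the build date. Distributions shipped
patched builds of e.g. 1.0.1e, so the build date is needed as a hint.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Upstream facts: the TLS heartbeat extension (and the bug) arrived in 1.0.1;
# 1.0.1g and 1.0.2-beta2 fixed it. 0.9.8 and 1.0.0 never had heartbeat code.
FIX_RELEASE_DATE = date(2014, 4, 7)

_VERSION_RE = re.compile(
    r"^OpenSSL\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]*)(?:-beta(?P<beta>\d+))?"
)


def parse_version(line: str) -> Tuple[int, int, int, str, Optional[int]]:
    """Split 'OpenSSL 1.0.1e-fips 11 Feb 2013' into (1, 0, 1, 'e', None)."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL version line: %r" % line)
    beta = int(m.group("beta")) if m.group("beta") else None
    return (int(m.group("major")), int(m.group("minor")),
            int(m.group("patch")), m.group("letter"), beta)


def upstream_vulnerable(line: str) -> Optional[bool]:
    """True if the upstream release carries Heartbleed, False if it is fixed,
    None if the branch never contained the heartbeat extension."""
    major, minor, patch, letter, beta = parse_version(line)
    branch = (major, minor, patch)
    if branch < (1, 0, 1):
        return None
    if branch == (1, 0, 1):
        return letter < "g"   # 1.0.1 and 1.0.1a..f vulnerable; g and later fixed
    if branch == (1, 0, 2):
        return beta is not None and beta < 2   # beta1 vulnerable; beta2+ fixed
    return False


def parse_built_on(line: str) -> Optional[date]:
    """Parse 'built on: Mon Apr  7 20:33:29 UTC 2014'; None if unparseable."""
    m = re.search(r"built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2}).*?(\d{4})", line)
    if not m:
        return None
    stamp = "%s %s %s" % (m.group(1), m.group(2), m.group(3))
    return datetime.strptime(stamp, "%b %d %Y").date()


def assess(version_line: str, built_on: Optional[date] = None) -> str:
    """Classify one host. A build dated on or after the upstream fix while the
    version string is still in the affected range suggests a distro backport,
    which must be confirmed against the vendor advisory, not assumed safe."""
    vuln = upstream_vulnerable(version_line)
    if vuln is None:
        return "NOT_AFFECTED"
    if not vuln:
        return "PATCHED_UPSTREAM"
    if built_on is not None and built_on >= FIX_RELEASE_DATE:
        return "VERIFY_BACKPORT"
    return "VULNERABLE"


# Constructed sample inventory: (host label, captured `openssl version -a` text).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("gw-legacy", "OpenSSL 0.9.8y 5 Feb 2013\nbuilt on: Tue Feb  5 16:32:51 2013"),
    ("gw-new", "OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Thu Sep 19 14:08:28 2013"),
    ("gw-backport", "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014"),
    ("gw-patched", "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Tue Apr  8 02:11:02 2014"),
    ("lab-beta", "OpenSSL 1.0.2-beta1 24 Feb 2014\nbuilt on: Mon Feb 24 17:02:58 2014"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to its verdict, using the build date when one is present."""
    results = {}
    for host, output in inventory:
        lines = output.splitlines()
        built = None
        for extra in lines[1:]:
            built = parse_built_on(extra) or built
        results[host] = assess(lines[0], built)
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print("%-12s %s" % (host, verdict))
```

Hosts marked VERIFY_BACKPORT still need the package changelog or vendor advisory checked, and any host that was ever VULNERABLE needs the certificate and password rotation the advisory lists regardless of when it was patched.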

Following the internet security industry’s recommended procedures to safeguard against the possibility of having had our keys compromised by this vulnerability, Proofpoint has regenerated and applied new SSL certificates in our cloud services. We have also investigated and found no evidence of any breach. Nevertheless, we highly recommend that customers take the following precautionary steps. We believe these steps are in our customers' best interests.

  • Customers with hardware appliances, virtual appliances or software deployments of PPS 7.5 with patch 1837 on their premises:  For customers with PPS 7.5 systems with patch 1837 deployed in their data centers, we recommend the following:
    • Regenerate SSL certificates and revoke the old certificates:  You will need to follow the process outlined by your certificate provider to re-issue your certificate using a new private key. After you have re-generated your key and certificate, you must update the certificate on all affected systems by clicking on System > Certificates > Certificates page. For more information, refer to the Context help within the Certificates page.
    • Change PPS admin UI passwords by logging into your PPS system and clicking on Administrator->Account and Password.
    • We strongly recommend that you advise your end users to reset passwords for the End User Web portal, Secure Reader and Secure Share services.
  • Customers using Proofpoint on Demand services:  We are in the process of applying new SSL certificates for all our customers in the PoD. Once the activity is complete, we will notify our PoD customers with the next steps which includes resetting PPS Admin passwords, End User Web portal, Secure Reader and Secure Share services.
  • Customers using Proofpoint Essentials:  We recommend that all customers change their passwords on our Essentials platforms. In order to change your password please follow the steps below:
    • Log into the site. In the top right corner you will see your name. Move the mouse pointer over your name and a drop-down list will appear. Click Profile. Enter your new password in the Password field. Retype your new password in the field below. Click Save.
    • We would also advise that you communicate this information to all your customers.

We have also audited all of our partner integrations and are working with them to change their certificates and passwords for any partner that was potentially vulnerable.

Keeping your data secure is our top priority. We are continuing to monitor the situation and will provide updates as needed. 

If you have any additional questions or concerns, please feel free to contact us by calling our Support team or opening a case.

Sincerely,
Proofpoint Inc.

April 04, 2014

Loss Prevention Re-Invented


CATASTROPHIC EXPOSURE

Based on articles from Reuters and Krebs, massive security breaches such as the theft of 40 million credit cards from Target in the heart of the holiday season last year highlighted the concerns that businesses have about data loss and network attacks. 90 lawsuits, over $60 million spent in response, and a 46% drop in holiday profit later, Target is still reeling. In fact, according to Gartner’s fraud analyst, Avivah Litan, “Target could be facing losses of up to $420 million as a result of the breach." Understandably, companies, in the interest of protecting financial and brand value, have actively implemented various technologies to do so, from Data Loss Prevention (DLP), encryption, and network security to Advanced Threat Protection (ATP).

Surprisingly, the difficulty for many businesses has not been a lack of security and control, but rather too much of it. Separating the signal from the noise has proven to be the greatest challenge. Despite heavy spending on technology, infrastructure, and resources, many companies are finding that their security solutions are better at inhibiting their businesses than helping them.

LESS IS MORE

Take the example of older-generation DLP solutions. Legacy offerings from providers like Symantec and RSA, when fully deployed, require teams of administrators to monitor and maintain a mountain of on-site server hardware as well as corporate-wide endpoint agents deployed to lock down users’ desktops and laptops.

These systems function by the creation of fairly elaborate rules and policies specific to each business. The expressions, terms, and information that define a customer’s most sensitive data such as Protected Health Information (PHI) or Personal Identification Information (PII) include many types of files and formats. Building this set of rules is complex and typically requires the dedicated efforts of the company’s security team, compliance and governance groups together with outside consultants and vendors.

This process is a major investment in time and money because the accuracy of the rules determines the effectiveness of the solution, particularly in the number of hits received and the accuracy of security alerts. Because of this, it can take many months or more to finalize these policies, dramatically increasing deployment time.

THE CLOUD

The cloud has proven to be a better enterprise platform, providing businesses with superior scalability, ease of deployment, and predictable costs. Even so, many technology vendors have failed to evolve to the cloud, continuing instead to build solutions with imposing management needs and heavy, on-premise infrastructure requirements. The concept of the cloud focuses on the following fundamental advantages:

        1. Reducing infrastructure costs within corporate data centers by pushing as much application infrastructure as possible into a secure, highly scalable cloud-based infrastructure.
        2. Freeing customers to focus on using applications instead of managing them by driving as much infrastructure management as possible to cloud providers.
        3. Paying only for what is used and eliminating massive capital outlays by transforming customer costs into operational expenses.

IDEAL LOSS PREVENTION

Clearly, the subject of corporate privacy is critical in many of the same ways that corporate security breaches are. Both disciplines attempt to ensure that sensitive data does not leave the company in an unauthorized manner, and both expose significant brand and financial risk if not addressed properly.

The fact that a significant number of companies deactivate the lockdown portion of their loss prevention solutions even after spending millions in hardware and software is telling. Instead of restricting access outright, these businesses can leverage next-generation tools to identify where sensitive information exists and utilize insight and reporting capabilities to highlight areas of risk. Many of these same firms could instead elect to build a practice around information classification and discovery with manual remediation instead of automated lockdown. Coupled with a variety of channel based loss prevention technologies, this would be a more realistic way to approach the same problem.

Current surveys follow a pattern: the chief weaknesses of older-generation loss prevention solutions are the exact opposite of the advantages of the cloud, including:

        1. Large on premise infrastructures that are costly to buy and operate.
        2. Expensive, expert headcount to manage and monitor systems.
        3. Solutions that disrupt business and information flow due to automated access restrictions.
        4. Solutions filled with components that many customers pay for but never use.

Ideally, next generation loss prevention technologies would address the majority of issues companies face today by:

        1. Utilizing as much cloud-based infrastructure as needed and eliminating on-premise elements as much as possible.
        2. Requiring minimal headcount to maintain and monitor.
        3. Leveraging existing rules and policies without the need to recreate or redesign new ones.
        4. Providing insight and reporting against information at risk without disrupting business.
        5. Addressing critical channels for data in motion such as email and for data at rest such as files and documents wherever they reside.
        6. Significantly lowering overall cost, while providing equivalent or better coverage on critical areas.

LOOKING AHEAD

Customers grow tired of addressing privacy and security issues with dated technologies and architectures that are costly across multiple axes. They seek a next generation solution, one that leverages the latest architectures and techniques to provide a solution that is simpler to manage and easier and more cost effective to deploy. 

- Stephen Chan

---


Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.


March 28, 2014

What does an average company spend on legal preservation?

In case you missed it, the Civil Justice Reform Group (CJRG, a group of in-house counsel from large US corporations) published a very informative study of the economic impact of current legal hold practices (yes, I had been waiting patiently for such a study). The survey covers the practices of 128 companies of all sizes and claims to differ from earlier work by measuring actual costs, "quantified in empirical studies". Some of the results are stunning:

  • 79% of organizations describe a "great extent" or "moderate extent" of burden imposed by preservation activities
  • On a scale of 1 ("very rarely") to 5 ("very often"), email is the content type that most often creates preservation-related problems (with a score of 4.05)
  • For large organizations (greater than 100,000 employees), the fixed cost of a preservation system averages $2.5M per year (technology, staffing, maintenance, etc.)
  • Variable cost, including employee time spent on preservation tasks: $13.8M for companies with 10,000-100,000 employees; $38.7M for companies with more than 100,000 employees. Wow.
  • On average, only 59% of preserved data is ever collected, and only 49% is processed and reviewed. This strongly validates the argument that vague preservation requirements lead to over-preservation.

And, to answer the opening question: the average amount spent annually by large organizations on managing preservation duties is in excess of $40 million per company per year.

Great data to support the investment in tools to automate legal preservation tasks - and remove multiple points of failure in the process. As noted in the survey, these points of failure rest not only in the hold notification process, but in ensuring that the data itself is managed securely with automated workflows that reduce the high variable expense of IT and legal professionals in managing preservation tasks.

The days of managing preservation tasks in Excel spreadsheets and burning preservation copies of data onto DVDs cannot end soon enough.

March 24, 2014

Google, Microsoft and Data Privacy - why you need encryption and control of encryption keys

Last week saw two interesting events impacting the privacy of your information stored in the cloud.

First was news from Google, who indicated that they would be enhancing data security by utilizing the HTTPS protocol. They tout the fact that now "no one can listen in on your messages as they move from your computer to Google's servers" - then later state that Google experts are "looking after" the service 24x7. HTTPS protects the message in transit; it says nothing about who can read it once it is stored. Call me paranoid, but putting the two points together does not give me comfort about who might have access to my readable information while it is at rest in the Googlesphere.

The Microsoft news centered on an internal investigation involving a former employee who allegedly used a Hotmail account to leak sensitive information. What was newsworthy here was Microsoft's justification to access the information without court approval, with its Deputy General Counsel stating that:

1. In this instance, Microsoft did not need a search warrant as servers containing the information "are located on its property" (per CNN's account), and

2. Microsoft is allowed to make such unilateral decisions as they are outlined in Microsoft terms of service (for Hotmail, Exchange, Office365, etc.)

Microsoft also used the investigation as an opportunity to further clarify its position on conducting investigations, emphasizing that it continues to "value customer data privacy", and envisions that similar actions in the future would occur only under very unusual circumstances.

Personally, I am not surprised by Microsoft's action, but am somewhat surprised by the subsequent response, in particular the claim that the location of the servers allows Microsoft to unilaterally decide whether data privacy can be compromised. Hiring a former judge to referee future decisions is helpful, but still leaves me with questions as to what types of events (e.g. other internal investigations, third-party information requests, etc.) could arise in the future where this trade-off of data privacy is decided in Redmond.

Both cases reinforce what some have been emphasizing about data protection in the cloud for years:

1. Utilize an archive that never leaves information in the clear - encrypt information in transit and at rest while in possession of a cloud storage provider

2. Work with providers that allow you to maintain exclusive control over your encryption keys. In practice that means the keys are generated and held on your side, and the provider stores only ciphertext it cannot open on its own. Exclusive key control is a function of 1) the technologies used by the provider, 2) the processes documented under the provider's SSAE 16 attestation, and 3) the contractual provisions outlining the rights of the provider to obtain readable access to customer-specific information. All three are necessary; technology without the contract, or a contract without the technology, leaves the provider able to read your data.

It is important to emphasize that working with a provider that has open access to your information does not only create the risk that the provider reads it for a purpose it can justify, such as litigation. The same access makes the data reachable by third parties and by the provider's own employees, some of whom may intend to do harm.
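As an added illustration of points 1 and 2 above (this is example code written for this post, not Proofpoint's product code), the following Go program encrypts a record on the customer's side with a customer-generated key before handing it to the provider, then shows what the provider's copy can and cannot do. The in-memory ProviderStore stands in for the cloud provider's storage; the object identifier is bound into the ciphertext as associated data so a stored blob cannot be silently relabelled as a different record. All names and the sample message are assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is everything the provider ever receives: the identifier, a nonce
// and the AES-GCM output (ciphertext plus 16-byte authentication tag).
// The key is deliberately not part of it.
type Envelope struct {
	ObjectID   string
	Nonce      []byte
	Ciphertext []byte
}

// NewCustomerKey generates a 256-bit AES key on the customer's side.
// The provider never sees this value.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the customer key. objectID is passed as
// associated data, so the ciphertext only opens against the same identifier.
func Seal(key []byte, objectID string, plaintext []byte) (*Envelope, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectID))
	return &Envelope{ObjectID: objectID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an envelope. It fails on the wrong key, on any modified byte
// of ciphertext, or if the envelope has been relabelled with another ObjectID.
func Open(key []byte, env *Envelope) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.ObjectID))
}

// ProviderStore simulates the provider's storage: envelopes only, no keys.
type ProviderStore map[string]*Envelope

func (s ProviderStore) Put(e *Envelope) { s[e.ObjectID] = e }
func (s ProviderStore) Get(id string) (*Envelope, bool) {
	e, ok := s[id]
	return e, ok
}

func main() {
	key, _ := NewCustomerKey()
	store := ProviderStore{}

	// Constructed sample record, not real mail.
	env, _ := Seal(key, "mailbox-42/msg-0001", []byte("Q3 guidance draft: do not forward"))
	store.Put(env)

	// The customer, holding the key, gets the message back.
	stored, _ := store.Get("mailbox-42/msg-0001")
	pt, err := Open(key, stored)
	fmt.Printf("customer read: %q (err=%v)\n", pt, err)

	// The provider (or an insider, or a subpoena served on the provider) has
	// the envelope but not the key; any guess at a key fails authentication.
	guess, _ := NewCustomerKey()
	_, err = Open(guess, stored)
	fmt.Println("provider-side decrypt without the customer key:", err)

	// Relabelling the blob as a different record is also rejected.
	stored.ObjectID = "mailbox-42/msg-0002"
	_, err = Open(key, stored)
	fmt.Println("decrypt after relabelling:", err)
}
```

The point of the associated data is subtle but practical: an archive that can prove "this ciphertext belongs to this record" closes off a class of mix-ups in which a provider, or an attacker with write access to the store, substitutes one customer's blob for another. Key management (rotation, escrow for the customer's own disaster recovery, HSM custody) is where the real operational work lies, and is exactly what the contractual and process provisions in point 2 need to cover.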

Those seeking to meet rigorous data security and privacy standards as driven by regulatory compliance or frequent eDiscovery should monitor the on-going reaction to these events closely.

March 20, 2014

What LinkedIn Content Is Important to Capture for Regulatory Compliance?

LinkedIn use is on the rise and it’s no longer simply an online resume or a means to connect with colleagues. In fact, a recent Osterman Research survey found that official use of LinkedIn by the enterprise grew to 33% in 2013, and is expected to reach 64% in the next 12 months. But for regulated organizations, care must be taken so that regulations around electronic communications retention are not violated.

So, what will FINRA, the SEC, the FFIEC, the FTC, the agencies enforcing HIPAA, or any other regulatory body care about in your use of social media? While each agency outlines somewhat different rules around social media use (some more clearly than others), proactive organizations are recognizing that social media should be controlled like any other form of electronic communication. As such, archiving social content in immutable form and being able to respond quickly to regulatory requests for information are likewise critical. Fines can be levied for failure to do so; an earlier post on this blog discusses exactly that.

This leads us to a few considerations about what information is important to capture. Let’s consider LinkedIn specifically.

Addressing this question in terms of regulatory compliance requires an exploration of the key LinkedIn communication features. This is important as searching for specific content is not only difficult with LinkedIn, but content on LinkedIn is not stored in immutable form, meaning, the posting user can easily delete or alter sensitive content. Here are some considerations for specific LinkedIn features:

1. Status Updates and Shares

Let's say your organization is subject to examination by FINRA and your Compliance team must produce all electronic content created in the past 3 months that mentions the ticker symbol AAPL. A request of this type would not typically exclude Status Updates and Shares, so they must be captured along with everything else.

2. 3rd Party Comments on your Content

Responding to a regulator by simply capturing your post may not be sufficient - 3rd party likes and comments on that post may also be equally important to capture full context. So, if Jane Smith is the user whose LinkedIn content is archived, it may be important that the 3rd party "like" on that content is captured as well.

3. Recommendations

A LinkedIn recommendation is a hotly debated topic in Financial Services because of the question of whether it constitutes a testimonial under the Investment Advisers Act of 1940 (IAA). A LinkedIn recommendation seems innocent enough, but viewed through the lens of the IAA it is something that could potentially be a rule violation.

4. Profiles

A LinkedIn profile may sound innocent enough, but it can also be considered an advertisement, particularly if you are a financial advisor, and advertisements by financial advisors are themselves regulated. When capturing and storing a LinkedIn profile for regulatory reasons, it is important to capture everything. Ideally, a full-text snapshot of the profile should be captured whenever a user changes his or her profile.

LinkedIn Archiving and Compliance

When considering social and regulatory compliance, it’s important to ensure that employee LinkedIn content is archived, journaled and retained on immutable storage, similar to what you may have in place today for email. It’s equally important to remember that LinkedIn content, when stored on LinkedIn servers, is not immutable - meaning one can modify or delete that content even after a wide audience may have seen the original post - so simply searching LinkedIn's website for employee content is not sufficient. The best option, short of building a solution yourself, is leveraging a 3rd party LinkedIn archiving and compliance application to ensure adequate capture occurs.

Here are some critical features to look for, when researching a LinkedIn archiving application:

  • Integration with your existing archive - A good LinkedIn archiving solution should be able to integrate with the eDiscovery and Supervision toolset of the archive that you already have in place today. No one wants to learn and use an entirely new set of tools solely for LinkedIn content.
  • Full Conversation Context - The threaded nature of LinkedIn communications - posts and comments - means that your archiving solution should be able to capture and reconstruct those communications so that they are viewable in their native state. A comment that stands alone, without the related elements of the conversation, does not show its full context.
  • Conversation Participants - All conversation participants should be visible in the archived LinkedIn conversation. Participants should include not only the employees of your organization (those for which you are explicitly archiving), but also external participants not necessarily related to your firm.
  • Capture Anywhere - The ideal archiving solution should have the ability to capture LinkedIn content regardless of where the user creates that content. Whether or not a user creates content from the office, at home, on an iPhone, iPad, Android or Blackberry, shouldn’t matter - the content should be captured and archived in all cases.
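To make the "capture at the time of posting, keep it immutable, reconstruct the thread" requirement concrete, here is an added Go example (written for this post; it is not the Proofpoint Social Platform's code). It models an append-only archive in which every captured post, comment or profile snapshot is chained to the previous record by a SHA-256 hash, so that a later edit of any archived record is detectable, and it reconstructs a thread with all of its participants from those records. The author names, timestamps and post text are constructed sample data, and the Archive type standing in for immutable storage is an assumption of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Record is one captured item, a post, a comment on a post, or a profile
// snapshot, exactly as it was observed at capture time. Records are chained
// by hash so that a later change to, or removal of, an archived record is
// detectable when the chain is verified.
type Record struct {
	Seq        int
	CapturedAt time.Time
	Kind       string // "post", "comment" or "profile"
	PostID     string // thread the record belongs to; "" for profile snapshots
	Author     string
	Body       string
	PrevHash   string // hash of the previous record; "" for the first record
	Hash       string
}

// digest hashes every field that must not change. Each field is %q-quoted so
// that field boundaries are unambiguous.
func (r Record) digest() string {
	canon := fmt.Sprintf("%d|%q|%q|%q|%q|%q|%q", r.Seq,
		r.CapturedAt.UTC().Format(time.RFC3339Nano), r.Kind, r.PostID,
		r.Author, r.Body, r.PrevHash)
	sum := sha256.Sum256([]byte(canon))
	return hex.EncodeToString(sum[:])
}

// Archive is an append-only log standing in for immutable (WORM) storage.
type Archive struct{ records []Record }

// Capture appends a snapshot observed at time `at` and returns the record.
func (a *Archive) Capture(kind, postID, author, body string, at time.Time) Record {
	r := Record{Seq: len(a.records), CapturedAt: at, Kind: kind,
		PostID: postID, Author: author, Body: body}
	if n := len(a.records); n > 0 {
		r.PrevHash = a.records[n-1].Hash
	}
	r.Hash = r.digest()
	a.records = append(a.records, r)
	return r
}

// Verify walks the chain. It returns -1 when every record is intact, otherwise
// the sequence number of the first record that no longer matches the chain.
func (a *Archive) Verify() int {
	prev := ""
	for i, r := range a.records {
		if r.Seq != i || r.PrevHash != prev || r.Hash != r.digest() {
			return i
		}
		prev = r.Hash
	}
	return -1
}

// Thread returns a post and its comments in capture order: the native view
// an examiner expects, rather than a comment with no surrounding context.
func (a *Archive) Thread(postID string) []Record {
	var out []Record
	for _, r := range a.records {
		if r.PostID == postID && (r.Kind == "post" || r.Kind == "comment") {
			out = append(out, r)
		}
	}
	return out
}

// Participants lists every distinct author in a thread, employees of the
// archiving firm and external commenters alike.
func (a *Archive) Participants(postID string) []string {
	seen := map[string]bool{}
	var out []string
	for _, r := range a.Thread(postID) {
		if !seen[r.Author] {
			seen[r.Author] = true
			out = append(out, r.Author)
		}
	}
	return out
}

func main() {
	t0 := time.Date(2014, 3, 20, 9, 0, 0, 0, time.UTC)
	var arc Archive
	// Constructed sample content, not real LinkedIn data.
	arc.Capture("post", "p1", "jane.smith", "Thoughts on AAPL after today's call...", t0)
	arc.Capture("comment", "p1", "outside.reader", "Are you recommending I buy?", t0.Add(10*time.Minute))
	arc.Capture("profile", "", "jane.smith", "Senior Advisor, Example Wealth", t0.Add(time.Hour))
	// Jane later deletes p1 on LinkedIn; the archive still holds what was seen.
	fmt.Println("thread p1 records:", len(arc.Thread("p1")), "participants:", arc.Participants("p1"))
	fmt.Println("chain intact:", arc.Verify() == -1)
	arc.records[1].Body = "(removed)" // someone edits the archived comment in place
	fmt.Println("first bad record after tamper:", arc.Verify())
}
```

A hash chain on its own only detects tampering if the attacker cannot rewrite the whole chain; in the example, recomputing one record's hash simply moves the break to the next record. That is why the latest hash needs to live somewhere the writer of the archive cannot alter (a WORM volume, a separately controlled journal, or a periodically published digest), which is the property the post means by "immutable storage".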

The Proofpoint Social Platform for Archiving

Proofpoint Social Platform for Archiving allows organizations to employ policy-based controls to capture social content so that it can be managed as any other critical information asset. Proofpoint captures social conversational content, by converting user content to email form in real-time, ensuring you remain compliant with your regulatory obligations.

To learn more, visit: http://www.proofpoint.com/products/archive-governance/social-platform/index.php

©2012 Proofpoint, Inc.