Proofpoint: Security, Compliance and the Cloud

June 29, 2014

Office 365 and Investigations: Counsel, Where's My ESI?

Further on the topic of new Office 365 capabilities, I thought it would be useful to dig deeper into the eDiscovery use case. Not just to look at newly unveiled features, but to address the practical question: will Office 365 really address my use case?

Building on earlier posts on this topic (see: http://blog.proofpoint.com/2014/03/office365-and-ediscovery-the-confusion-continues.html), consider the following case study:

You are a member of the legal team for a high tech organization with 10,000 employees in 50 countries worldwide. Litigation is not unusual, and your team is currently managing 5 active matters in the US and EU involving intellectual property, plus a variety involving contracts, employee matters and others. You are leading the response to a formal inquiry, and must conduct a search with 20 keyword terms that may be contained within email, 15 different attachment types commonly used by product and engineering teams, PDF files, plus company-sanctioned social media and IM channels. Completing the search quickly is critical to recommending a strategy to General Counsel, and you have found in similar investigations that 5-10 mailboxes were searched in order to yield a single custodian.

So, let’s play Will Office365 Really Address My Use Case?

The comparison between Office 365 and a purpose-built solution such as Proofpoint Enterprise Archive is not only a matter of features; it is how those features can be used to address a task you face on a regular basis. Those differences can be summarized as follows:

[Comparison table: Investigation | Implications]

In this case study, differences can be measured not only in terms of legal team productivity and process efficiency, but also quantifiably. Conducting investigations by waiting for IT to split searches into batches, then manually aggregating results, while search tasks for other matters wait, is not optimal. Limiting the scope of search in Office 365 to only Microsoft file types requires companies to rely on manual collection, or to depend on service providers that typically bill at $250 per GB for such efforts. Having limited ability to segregate non-US data to ensure that local data privacy requirements are adhered to raises both legal and regulatory risk. With Office 365, IT administrators can utilize command line tools to execute these tasks, but this is far from enabling legal teams to serve themselves with proven tools that were explicitly built for this purpose.

With 71% of corporations spending more than $1M in litigation in 2013 (per Norton Fulbright), and with regulatory investigation being named as a significant concern by 41% of corporations (again, per Norton Fulbright), companies are well served to dive deep into their specific use cases and investigative patterns to determine if Office 365 is equipped to meet their needs.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.

June 19, 2014

All Industries Must Prioritize Privacy Protection

All too often companies don't devote the necessary energy to data loss prevention until a problem stares them in the face. Unfortunately by that time it's already too late. Just ask eBay, whose recent breach resulted in the potential exposure of information for 233 million customers, according to The Motley Fool. 

Statistics like these should be a wake-up call and a cry to action for all businesses that lack a robust privacy protection infrastructure. Yet administrative laziness about enterprise cybersecurity still abounds. The reason for this, according to a recent infographic, is that many companies simply aren't picking up on the potency of the virtual threat landscape. This avoidance has to change.

Study points to lack of cybersecurity concerns among businesses
A study carried out by Robert Half and Protiviti found that weak enterprise protective measures are almost as big a problem as cybercrime itself. The study, whose findings come from a poll of UK IT executives, revealed that of those surveyed, a full one third admitted that cybersecurity is not on the senior management list of priorities. Yet in seemingly direct opposition to this figure is the acknowledgment, among 50 percent of respondents, that cybercrime incidents are on the rise.

So what accounts for this disparity? The answer boils down to the simple issue of reality versus perceived reality. As the study revealed, many IT executives have merely convinced themselves that because their company has not been attacked yet, that somehow means it won't be attacked. In fact, this reasoning accounted for 38 percent of those who said cybersecurity was not on the immediate agenda. 

Yet in reality, that reasoning is simply invalid. Just because a company is safe one minute doesn't mean it won't be attacked the next. After all, criminal hackers are operating with a measure of sophistication and stealth that they never have before. In this environment, a complacent company presents the best target. And attackers are not disappearing from the scene any time soon.

Security expert explains that hackers are experiencing "breakthrough"
There's no denying the damage wrought by the Target and eBay debacles, but if security expert Patrick Peterson's projections are true, infringements like these will not only continue, but become commonplace.

The founder of an email security company located in California, Peterson said that the failure of companies to properly defend themselves is actively exacerbating an already thriving criminal network. A report conducted by Peterson's company found that of 133 businesses it analyzed, 100 of those had weak enough protective measures to qualify them as "easy targets" for hackers.

Speaking to Inc, Peterson said that not only are businesses behaving without proper protective strategies, but that hacking is also mounting both in scale and in the virulence of individual attacks.

"We are seeing breakthrough levels of success by criminals in foreign states that have not ever been seen before. The phenomenon of criminals from foreign states getting access to data is not new, [but] their success in doing it and what they do when they have that data is truly revolutionary," he said. "In the past, they would hit Target and steal some encrypted credit card information. Now they are getting to a point-of-sale terminal and getting the credit card information in the 10 milliseconds before it's encrypted permanently and irrevocably."

But a large part of the reason these criminals are so successful is the widespread indifference toward data loss prevention on the part of businesses. As long as such inactivity persists, so too will devastating hacks, and it will only be a matter of time before the next eBay or Target.

June 13, 2014

Office 365 Archiving: Dude, Where’s My Email?

There’s no question that Office 365 is a fantastic platform. It’s an excellent means of offloading commodity services to a vendor you can trust to assure you of around-the-clock availability. But some services are best left to folks who focus on value-added services as their core competency. For us here at Proofpoint, we would argue that this specialized focus must rest in security, threat response and remediation, and information governance.

In the case of archiving, for example, Exchange Online Archiving (EOA) is included with many Office 365 packages to varying degrees. This serves as an online PST in most incarnations, although more expensive packages also include basic multi-mailbox search capabilities for eDiscovery.

One of the secondary functions of an archive is to ensure end users have anywhere, anytime access to archived email. The issue with EOA in this case is that there’s no guarantee that the email will be retained in the archive. In other words, imagine a scenario in which a user is attempting to find a 6-month-old email that’s needed to conduct business, but, poof, it’s gone. What this means is that the email had been unintentionally (or perhaps intentionally) deleted by the end user and subsequently there’s no copy of it whatsoever. An administrator can surely chase down a copy in the Recoverable Items folder, but that defeats the purpose. And most importantly, it’s the polar opposite of expected behavior for a true-blue archive.

Microsoft’s answer to this will undoubtedly be that the customer should create a legal hold across the organization to ensure retention. If that’s the solution, how are we addressing the disposition problem? Legal hold, by definition, is designed to provide data immutability in the case of active, ongoing litigation. So now you’ve gone from not ensuring content is retained, to unnecessarily retaining content for an indefinite period of time unless you keep tabs on disposition.

Needless to say, when an end user attempts to find an email in Office 365, it just might not be there.

Let’s not forget what problems enterprises look toward information archiving vendors to solve.

The archive should be:

  • Simple to use
  • Able to ensure defensible capture and retention of all communications, be it email, social, IM, files, etc.
  • Flexible, with policy-based retention and disposition

- Joe Diamond

---

Joe has more than a decade of engineering, product management, product marketing and software leadership expertise in both the consumer and enterprise markets. In his role at Proofpoint, Joe is responsible for defining and bringing to market Proofpoint’s next generation information governance products. Prior to Proofpoint, Joe was the Head of Product Management & Marketing for RiskIQ, led enterprise product management for Symantec's Emerging Products and Technologies and served in product management and marketing roles for hosted email archiving vendor LiveOffice, which was acquired by Symantec.

June 11, 2014

(More) Key Social Media Compliance Takeaways from the 2014 FINRA Annual Conference: Part 2

[This is Part II of a two part blog series on the 2014 FINRA Annual Conference]

A few weeks back, Proofpoint attended the 2014 FINRA Annual Conference and we summarized some key takeaways in the blog post here.

As promised, we're following up on that post with a second installment in this series. In this post, we'll explore the various stages of social media adoption through which a regulated organization passes during its quest to achieve full social media adoption. As folks struggle with ironing out the best ways to leverage social media, these stages will be helpful in both identifying your current state and determining how to advance to the next stage.

Let's start by defining what we call the Social Media Adoption Lifecycle. The lifecycle is broken down into 3 distinct groups, as follows:

[Figure: Social Media Adoption Lifecycle]

Crawl - Crawl is step 1 in that you're unsure how to best employ social media at your firm. An example of Crawl state is that you block access to social for most of your employees because of concern over the impact on compliance obligations. You might operate in a "read-only" mode; perhaps having a handful of employees monitor social media websites for information pertaining to your brand or to view customer complaints. But, at this stage, posting content to social media sites usually does not occur.

Walk - Walk defines step 2 in that you've yet to fully leverage all of the benefits that social has to offer. Perhaps you have a branded, marketing-owned social media page on each of the major sites. These pages are most likely controlled by a handful of employees, blocking access for the remainder of the firm, with any changes to content posts being manually reviewed by compliance prior to submission. After submission, you may be satisfying requirements to archive social content by taking screenshots of content directly from the social media websites, pasting the screenshots into an email and sending the email off to your archive for long-term retention and eDiscovery. Not the most efficient solution, but, hey, you've got to start somewhere.

Run - With Run, you've fully embraced social media at your firm, no longer blocking access for all employees, and you've deployed social use cases for sales, marketing, customer support and others. You've put in place an automated means through which pre-approved, "static" content can be stored and subsequently drawn from. For "interactive" content, you may have a means to supervise / pre-review employee generated posts before they reach their final destination. And most importantly, you have an automated means by which to archive and retain an immutable copy of all posted social media content and related comments, including third party comments.

So how to best get from crawl to run? Start by defining the business use cases for social media at your firm, describe how each use case will be employed and ensure that you build compliance controls and acceptable use policy around those use cases before putting them into practice. Involve your compliance team from the start - the last thing you'd want to do is have your compliance group find out about your social media non-compliance after the fact.

To help you along, below is a cheat sheet containing items extracted from FINRA's annual conference. All of the topics listed below arose in one or more of the conference's social media sessions and they answer common questions that regulated organizations often have regarding compliant social media use.

  • Supervision on social media is important, but...
    • Pre-review vs. Post-review: Interactive content need not be pre-reviewed
    • Pre-approval: Static content must be pre-approved
    • Supervision is not one-size-fits-all. You may want a "mix" of the above based on functional group
  • Archiving is an absolute must
    • This includes any form of electronic business communication (email, social, IM, etc.)
    • Be prepared to produce content during FINRA spot checks
  • Privacy: employer access to employee social media accounts still an issue
    • Controlled via statutes at the State level; FINRA is successfully lobbying for carve-outs for regulated firms
    • Until then, have employees sign semi-annual letters of attestation stating that they are not using personal social media accounts for business purposes
  • Prospectuses and tombstones can be sent via a limited space communication channel, like Twitter
  • Hyperlinks issue: are you responsible for 3rd party content behind hyperlinks that you've shared on social media?
    • Use disclosures on social media pages that indicate that your firm is not responsible for 3rd party content
  • You are not responsible for shares and retweets of your content by 3rd parties
  • Be wary of any social media features that can be interpreted as a recommendation or an endorsement
    • But, the "like" button is not an endorsement, so long as the "like" is not in relation to performance

In summary, there were many key social media compliance takeaways from this year's FINRA Annual Conference. Whether you're crawling, walking or running, be sure to take note of the above points when crafting your overall social media use and compliance strategy. As always, it's better to be well informed and compliant, than not. 

 - Christopher Ricciuti

---

Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.

June 04, 2014

New cybercrime survey highlights need for data loss prevention

The amount of information companies store online increases every day, and it's leading to a surge in cybersecurity incidents, creating a need for stronger data loss prevention solutions. A recent PricewaterhouseCoopers survey underscored the rising discrepancy between the number of cyber incidents and the extent of the data loss prevention techniques put in place by vulnerable organizations.

"Despite substantial investments in cybersecurity technologies, cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize," said U.S. Secret Service Criminal Investigative Division special agent in charge Ed Lowery.

Fifty-nine percent of those surveyed said that cybersecurity was more of a concern this year than it had been in the past, but less than half of all respondents had implemented a plan for responding to threats.

Perhaps because of a lack of preparedness, 77 percent of participants said they experienced a security incident in the last 12 months, and 34 percent said this year brought an increase in the number of security events from the previous year. According to the report, organizations experienced an average of 135 security events in the past year. Not all of those surveyed were able to estimate the cost of a security breach on their organization, but for those who could, the average annual monetary loss was $415,000.

According to PwC's Annual Global CEO Survey, 69 percent of U.S. executives are concerned that cybersecurity issues could curtail their organizations' growth. Despite the fear, many businesses still don't take steps to secure many new types of technology.

"Cybersecurity for disruptive technologies remains inadequate when considering Bring Your Own Device, cloud, [and] Software Defined Networking are always put in place first and then secured later," said vice president and publisher of CSO Magazine Bob Bragdon.

Three thousand organizations reported that they were not aware of any breach of their cybersecurity until they were notified by the FBI, according to the cybercrime survey.

"The United States faces real [cybersecurity] threats from criminals, terrorists, spies and malicious cyber actors," said FBI director James Comey. "The playground is a very dangerous place right now."

Protecting enterprise documents
There are a variety of data loss prevention solutions that companies can employ to better protect against cyberthreats. Proofpoint's digital asset security provides document fingerprinting that allows unstructured data to be accurately detected. Specific folders containing sensitive enterprise documents can be monitored and managed. The documents within the selected folders are fingerprinted and can be recognized either partially or fully by the program, whether in the original file format or not.
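As an added illustration of the fingerprinting idea described above (this is not Proofpoint's implementation or the page's own code), the following Python sketch registers a constructed "sensitive" document, then scans constructed outbound messages for full or partial copies. Format independence comes from normalizing the text before hashing overlapping word shingles; the document, emails, shingle size and threshold are all constructed for the demo.

```python
"""Toy document-fingerprinting detector for DLP (added illustration).

The registered documents are reduced to a set of hashed k-word shingles, so
the registry never needs the document text itself. An outbound message is
reduced the same way and scored by containment: the fraction of its shingles
that appear in a registered document. A pasted paragraph therefore scores
high even though it is a small part of the source, and re-casing, re-wrapping
or a change of file format does not defeat the match.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

SHINGLE_WORDS = 5  # k-gram size; smaller = more sensitive but more noise


def normalize(text: str) -> List[str]:
    """Lower-case and keep only alphanumeric runs, so .docx text, PDF-to-text
    output and a pasted email body of the same content tokenize identically."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(text: str, k: int = SHINGLE_WORDS) -> Set[bytes]:
    """Hash every overlapping window of k words; the set is the fingerprint."""
    tokens = normalize(text)
    hashes: Set[bytes] = set()
    for i in range(len(tokens) - k + 1):
        window = " ".join(tokens[i:i + k])
        # 64 bits of SHA-256 is plenty to avoid collisions at demo scale
        hashes.add(hashlib.sha256(window.encode()).digest()[:8])
    return hashes


class FingerprintRegistry:
    """Fingerprints of documents from a monitored folder, keyed by name."""

    def __init__(self, k: int = SHINGLE_WORDS) -> None:
        self.k = k
        self._docs: Dict[str, Set[bytes]] = {}

    def register(self, name: str, text: str) -> int:
        """Store the fingerprint only; return the number of shingles kept."""
        fp = shingle_hashes(text, self.k)
        self._docs[name] = fp
        return len(fp)

    def scan(self, text: str, threshold: float = 0.3) -> List[Tuple[str, float]]:
        """Return (document, containment score) for each registered document
        the message appears to copy, best match first. Messages too short to
        form a single shingle are ignored."""
        probe = shingle_hashes(text, self.k)
        if not probe:
            return []
        hits = []
        for name, fp in self._docs.items():
            score = len(probe & fp) / len(probe)
            if score >= threshold:
                hits.append((name, round(score, 3)))
        return sorted(hits, key=lambda hit: -hit[1])


# Constructed sample: a sensitive design document as it might sit in a monitored folder.
DESIGN_SPEC = """
Project Falcon Design Specification (CONFIDENTIAL)

1. Overview
The Falcon controller uses a dual-band radio with a custom frequency hopping
schedule. The hopping sequence is derived from a 128-bit seed provisioned at
manufacturing time and stored in the secure element.

2. Power Budget
Peak draw is 340 mW during transmit bursts; the sleep current target is 12 uA.
"""

# Constructed outbound email that pastes one paragraph, re-wrapped and upper-cased.
LEAKY_EMAIL = """Hey, quick question for you.

THE FALCON CONTROLLER USES A DUAL-BAND RADIO WITH A CUSTOM FREQUENCY HOPPING
SCHEDULE. THE HOPPING SEQUENCE IS DERIVED FROM A 128-BIT SEED PROVISIONED AT
MANUFACTURING TIME AND STORED IN THE SECURE ELEMENT.

Does that match what you saw? Thanks!"""

# Constructed unrelated email; should produce no hit.
BENIGN_EMAIL = """Lunch on Thursday? The new place on Castro Street has
good tacos and we could talk about the offsite agenda."""


def demo() -> List[Tuple[str, float]]:
    """Register the spec and scan the leaky email; used by the __main__ block."""
    registry = FingerprintRegistry()
    registry.register("Falcon design spec", DESIGN_SPEC)
    return registry.scan(LEAKY_EMAIL)


if __name__ == "__main__":
    for doc, score in demo():
        print(f"possible copy of '{doc}': containment {score:.0%}")
```

With the sample above, roughly 70% of the leaky email's shingles match the registered spec (the chatty lines around the pasted paragraph account for the rest), while the benign email produces no hit at all.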

May 30, 2014

Social Media & Regulatory Compliance: Top 20 Questions and Answers

A big thanks to Michael Osterman, Founder and CEO of Osterman Research, who joined us in a very informative webinar on social media last Wednesday. The session generated quite a few questions, which we felt would be good to respond to via the blog.

Responses below have been provided by and denoted as either Osterman Research (OR, and ©2014 Osterman Research, Inc.) or Proofpoint (PFPT).

Q1. Is it better to have all inclusive social media policy and risk not complying v. having a more general policy?
(OR): I’m not sure it’s an either-or situation. The goal is to have a policy that will enable management to enforce best practices in order to help the organization remain in compliance with various statutes, legal decisions and corporate best practices.

Q2. Does Live Chat have to comply with the same SEC and FINRA rules as it pertains to record retention and archiving?
(OR): Yes, if the communication is with customers. FINRA rules obligate registered representatives to retain communications with customers regardless of the format or delivery mechanism.

Q3. Can you discuss the effect of privacy laws that may constrain a company’s ability to archive social media conversations?
(OR): Some nations have relatively strict privacy laws that will prevent companies from archiving social media or any other content with the expressed permission of individuals whose data would be archived. For example, Germany’s Federal Data Protection Act prevents the collection of any PII with permission and requires the data holder, even with permission, to specify for how long the data will be held, how it will be used, etc. US federal and state protections are generally less restrictive, since employers are generally granted more leeway in how work-related content will be retained.

(PFPT): Additionally, FINRA is in the process of lobbying states so that carve-out provisions to privacy statutes are implemented. Such carve-outs will enable regulated firms to archive employee social media content without the risk of violating state privacy law.

Q4. Can you comment on the effect of the NLRB as it pertains to social media being accessible to outside labor relations organizations, such as unions?
(PFPT): The NLRB has been active in cases where it believes that social media policies are overly broad and restrict the rights of employees. It is important to consult with those knowledgeable regarding labor laws in those industries where the NLRB may have influence.

Q5. I can understand an organization archiving internal social media, but is it really possible to archive all the different possible uses of social media? As you mentioned, there are 1000's out there.
(PFPT): Possible, yes; practical, no. You need to prioritize based upon the channels your employees are using, and choose a platform that provides flexibility to capture additional channels as their use increases.

Q6. What were the sites you mentioned as examples of data breaches through SM? I captured one, "databreaches.net", and missed the other one.
(OR): Privacyrights.org

Q7. I would think that most companies are concerned over data leakage through social media and how to control it?
(OR): I’m not sure that’s the case. Decision makers may be aware of the potential for data leaks through social media, but most really are not doing much about it, such as monitoring for offensive content, data leaks or other content sent through social media.

Q8. But doesn't not archiving have an upside in legal discovery? What you don't have can't be legally provided. Like email retention.
(PFPT): Actually, courts have become clear that the absence of an archiving and retention policy does not necessarily lead to the conclusion that the data does not exist. See our recent blog post on this topic.

Q9. Would you see ad based malware as an increasing threat?
(OR): Yes, definitely. The Online Trust Alliance has some good resources here.

Q10. How do you deal with access to social media that is through personal accounts, so their use is through those accounts with no real corporate governance?
(PFPT): The monitoring and control of personal accounts that are used for business purposes should be addressed in policy to outline acceptable and prohibited uses. Alternatively, set up “business” social media accounts for your employees to use and have them sign semi-annual letters of attestation, stating that they will not use their "personal" social media accounts for business purposes.

Q11. What do you do about access to social media through personally owned devices like cell phones, where you can't monitor the communications?
(PFPT): Many technologies do exist – such as Proofpoint’s Social Platform for Archiving - that allow employee social media content to be captured and archived not just from the office PC, but from any PC and mobile devices as well.

Q12. Do you have a suggested approach to reduce/eliminate the liability of a company incurred by an employee's use (abuse?) of social media?
(OR): First and foremost, establish detailed and thorough policies focused on social media use by employees when using corporate resources, as well as when employees are at work. A company may be able to extend this to an employee’s personal time, as well, as employers are able to do with morals clauses in work contracts. Clear and detailed policies are essential in order to give the employer the ability to discipline employees for policy violations and insist that they follow corporate policies, even when personal devices are used.

Q13. Is there any guidance for social media in regards to SOC1/2 or SOX?
(PFPT): Nothing explicitly defined within SOX, other than to have defined policies in place and procedures to demonstrate that they are followed. In the case of SSAE SOC1/2, no guidance, but something that can be added to the list of documented policies for annual audit if it is determined that would be meaningful to your specific stakeholders.

Q14. Employers use social media to screen applicants - what are their reasonable archiving options in light of EEOC/FTC requirements to keep documents relied upon for specified time spans?
(PFPT): As you are likely aware, there are a number of state actions pending regarding the ability to access social media as an employment screening tool. Best to monitor court decisions and pending legislation on this topic in your specific state. Some useful guidance is available here.

Q15. Have there been any corporate lawsuits at this time involving evidence from social networking sites?
(OR): There are a growing number. Here are a couple of recent examples:

  • In Armstrong v. Shirvell, the defendant requested "[a] complete copy of all communications between you and the following individuals… whether it be on Facebook, in a blog, via e-mail, text message, voicemail, letter, facsimile, or anywhere else…”
  • In Calvert v. Red Robin International, Inc., the plaintiff was ordered by the court to “bring all materials, electronic or otherwise, including e-mails, Facebook messages, and any other communications he has had with putative class members in this action”.

Q16. Any good templates for sm policies for IT Security side?
(PFPT): There are a variety of good resources for social media policies that can be extended to address security issues as well. An excellent resource is here.

Q17. Are these different archivers an extra cost to us if we are using Proofpoint email archiver already?
(PFPT): Yes, the Social Platform for Archiving is priced as individual modules that are provided at an additional per-seat cost, but as an existing Proofpoint Archive customer you are entitled to a discounted rate. Contact your account manager for more details.

Q18. Will Proofpoint’s social solution capture email and chat in Facebook?
(PFPT): Yes. Archiver for Facebook, which is part of the Proofpoint Social Platform for Archiving, captures and archives both Facebook Messages and Email.

Q19. Do you offer a reseller program or white label?
(PFPT): Not at this time, but we are always open to discussing possibilities here. Please contact me at robertcruz@proofpoint.com.

Q20. I only see platforms like Chatter/Yammer; have you considered other social platforms like Jive, Socialcast, Telligent, etc.?
(PFPT): We are constantly looking at market uptake for various social channels. One of the benefits of the model we have built is its modularity – we will be able to evolve and add new channels in the future very rapidly.

Thanks again to Michael Osterman for sharing his time and insights.

 - Chris Ricciuti and Robert Cruz

---

Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.

Michael Osterman is the president and founder of Osterman Research. He has more than 27 years' experience in the high-tech research industry and has spent nearly 16 years following the messaging and collaboration industries. Prior to founding Osterman Research in 2001, Michael was the Vice President of Market Research for Creative Networks, and has held senior analyst positions with SRI International and Ryan Hankin Kent.

May 23, 2014

Key Social Media Compliance Takeaways from the 2014 FINRA Annual Conference

This week, Proofpoint attended the 2014 FINRA Annual Conference. As always, the conference was jam-packed with sessions, exhibitors and compliance / legal folks from the Financial Services industry. This year, it was particularly busy, as the conference had its highest number of attendees ever!

While at the conference, we had the opportunity to sit in on many of the information sessions as well as the opportunity to interact with many of the brightest minds in the industry. With our schedule tightly packed and so much new information to process, it’s often important to jot down important takeaways on paper before they’re forgotten, and that’s what we’ve done for you here.

In this two part series, we’ll focus on the top social media compliance takeaways from the 2014 FINRA Annual Conference. The first few are below.

Social media compliance is definitely top-of-mind

The topic of social media compliance seemed to pop up in the majority of information sessions, even in sessions that did not explicitly focus on that topic. It’s clear that regulated firms are very interested in leveraging the power of social media to market, sell and provide support to their customers, but, of course and rightfully so, they’re worried about noncompliance. As a result, they seek guidance from FINRA. After all, there are an increasing number of examples whereby firms, their principals and their registered reps have been fined for lack of social media compliance, and folks simply do not want to make the next headline in this area.

So FINRA made it a point to thoroughly discuss all matters related to social media compliance and even went so far as to give examples of how real firms have been able to maintain regulatory compliance while using social media. AXA, Vanguard, LPL and Commonwealth were among the few firms kind enough to share their stories with us. We’ll highlight some common social media use cases in Part II.

Archive everything, including social media
All forms of electronic business communications must be archived, but don’t take my word for it. FINRA said exactly that in one of the information sessions. So, while you’re most likely already archiving email for long-term retention, eDiscovery and supervision (you are, right?), you’d be better prepared to respond to FINRA examinations if you, in addition to email, archive every form of electronic business communication that’s bouncing around at your firm. That’s right, everything.

This means that you need to archive business communications from mobile (txt, sms), public social (Linkedin, Facebook, Twitter), enterprise social (Chatter, Yammer) and blogs, to name a few. Ideally, content from these sources should seamlessly integrate into your information archive so that you can employ eDiscovery and Supervision tools that make it easy to respond to a FINRA examination, should one arise.

Employee privacy vs. social media compliance
The need to archive everything brings us to the next point: what if you can’t?

I should clarify, by “can’t,” I don’t mean that it’s not technically possible to capture social media, because it certainly is possible (solutions exist that enable the capture of social media content). Rather, the problem is that it could be illegal to capture employee generated social media content.

Dissecting employee privacy law in exhaustive detail is outside the scope of this blog post, but, generally speaking, employee privacy law is determined at the state level and states have different statutes in place. 14 states (Arkansas, for example) have statutes stating that an employer cannot request the credentials for an employee’s “personal" social media accounts for any reason (requesting credentials is sometimes necessary to supervise and archive employee social media activity). So, you should check with your legal counsel before requesting such information from employees.

Unfortunately, such statutes are in direct conflict with what FINRA requires: archive all forms of electronic business communications.

But don’t fret, FINRA understands that this is a current problem in some states and has provided the following guidance, plus it’s also working to remediate the situation:

  • Semi-annual attestations - if you can’t archive and monitor employee social media content, then have employees attest to the fact that they are not using their personal social media accounts for employer-related business communications. Have them do this at least semi-annually.
  • Follow up on red flags immediately - Even with semi-annual attestations, you may learn of instances when employees are in fact using social media for business communications. You should investigate such matters immediately.
  • FINRA, the lobbyist - FINRA did indicate that it is “aggressively lobbying” states with “much success” to remediate the conflict between FINRA rules and employee privacy. Most likely the results of FINRA’s lobbying effort will come in the form of carve-outs within the state statutes that enable only regulated firms to request access to employee social media accounts, thereby satisfying FINRA rules while not violating laws at the state level. One such example is Maryland, which has a carve-out for “self regulatory companies” and explicitly references FINRA and NASD.

In summary, there was a lot of buzz about social media compliance at the 2014 FINRA Annual Conference. In this first post in the blog series, we’ve highlighted that social media compliance was top-of-mind at this year’s conference, discussed the need to archive everything and examined the conflict between employee privacy and the need to comply. We’ll follow up with Part II of this blog series, shortly.

 - Christopher Ricciuti

---

Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.


May 12, 2014

The Lack of Effective Information Management

Continuing on the subject of retention policy from the earlier Semper Gumby post, a topic that is now very timely in light of pending changes to FRCP Rule 37(e), which will provide greater guidance in determining what preservation efforts are reasonable and proportional.

Before turning to the topic of retention policy enforcement, I thought it would be appropriate to address a question submitted: What are the consequences of not managing retention policy? For those within regulated industries, the answer is often clearly spelled out in industry mandates, but what about everyone else? And where has the lack of a retention policy directly led to a bad outcome in the area of eDiscovery and litigation?


To answer that question, it may be useful to break the potential consequences into 3 categories:

1) Cases where the absence of policy was directly referenced in the court ruling:

  • Keithley v Homestore, Inc, 2008 WL 3833384 (N.D. Cal. Aug. 12, 2008) – $650K in sanctions for the lack of a written document retention and litigation hold policy, leading to failure to preserve required electronic evidence. Court disregarded Keithley's argument that nothing had been destroyed as reports “were not captured” and did not exist. 2 months later, 480,000 reports appeared via a hard drive. Court: “The facts that Defendants have no written document retention policy nor was there a specific litigation hold put in place… that at least some evidence was destroyed… sanctions were appropriate”.
  • Phillip M. Adams & Assoc., LLC v. Dell, 2009 WL 910801 (D. Utah Mar. 30, 2009) – patent dispute; plaintiff produced little evidence, claiming it did not retain records. Court ruled that plaintiff’s “lack of a retention policy and irresponsible data retention practices…” violated rights. Culpability was “founded in questionable information management practices”.
  • Peter Kiewit Sons’, Inc. v. Wall Street Equity Group, Inc., No. 8:10CV365, 2012 WL 1852048 (D. Neb. May 18, 2012) - Court: “Essentially non-existent document retention policy” renders defendants an “unreliable source of discovery;” Court grants sanctions for false statements and discovery violations.
  • Scentsy Inc. v. B.R. Chase LLC, No. 1:11-cv-00249-BLW, 2012 WL 4523112 (D. Idaho Oct. 2, 2012) – copyright case: “The Court has serious concerns with Scentsy’s retention policy and litigation hold process. It is very risky – to such an extent that it borders on recklessness”.

2) Situations where the lack of a retention policy is a contributing factor toward the bad outcome of data spoliation, i.e. a court rules that data that should have been preserved for litigation was disposed of. Those with a stated and enforced retention policy are in a stronger position to defend their disposal of data if it was done in accordance with policy. Here are some of the cases that center on spoliation:

  • Broadcom v Qualcomm - patent litigation; court orders $8.5M in sanctions and an investigation of ethics violations for a large quantity of withheld documents, after a simple search revealed the missing documents.
  • Rambus v Micron Technology – Rambus’s aggressive document deletion policy destroyed documents that the court had ruled it had a duty to preserve. This impacted the court’s decision that the patents were not enforceable against Micron.
  • Dish Network v Cablevision – Dish sanctioned by the court for having “systematically destroyed email evidence in direct violation of the law.” Dish policy was to store email for a month and notify users if email was to be preserved for discovery. Judge rules that the behavior, at minimum, was gross negligence.

3) Instances when a company lacks both a policy and a system to manage retention. An organization with an archiving or comparable system in place will typically rely upon it as its primary source of data for discovery. The absence of such a system has not led courts to conclude that the data does not exist. Instead, data often ends up being collected from sources designed for other purposes (back-up tapes, shared drives, PST files, etc.), where the possibility that material data is missed escalates. Cases of this type include:

  • Morgan Stanley – $604M in damages after it had claimed that all material information was accounted for via back-up tape restoration. Additional material data continued to turn up.
  • Harkabi v SanDisk – sanctions of $150K against SanDisk for not being able to produce laptop data.
  • Pippins v KPMG, LLC – court orders KPMG to preserve 2,500 hard drives at a cost of $2.5M, as no alternative source was available to evaluate the plaintiff’s claim.

Implications

Organizations currently employing a keep-everything-forever policy should take note that effectively managing retention policy is not just a matter of satisfying regulatory or internal records mandates. The lack of effective policy management has implications beyond added storage cost and data management burdens; the risk of bad outcomes in eDiscovery is one that is expensive both monetarily and in damage to corporate reputation.

- Robert Cruz

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.

May 12, 2014

How to defend against malvertising

Cybercriminals are increasingly turning to malvertising as a way to infect unsuspecting end users, and enterprises need to adopt dedicated protection solutions from Proofpoint to help defend themselves against this growing threat.

Malvertising, a portmanteau of malicious advertising, is when a seemingly innocent ad on a website directs someone to a Web page that causes malware to be downloaded onto the browsing device being used. According to eSecurity Planet, malvertising is becoming increasingly prevalent because it is a relatively easy way to infect visitors to some of the biggest sites online. Cybercriminals have become quite adept at disguising their true intentions from ad networks, thus providing them with an easy backdoor onto the targeted page.

"Crafty hackers do not even need to implant any malicious code into the ad itself, ensuring that it clears any scanning by the advertising network," eSecurity Planet contributor Aaron Weiss wrote. "Instead, the ad can simply lure people to a website. The site may contain only clean content when the ad is submitted to the network, but once ad impressions begin the hackers plant malware on the site, which they already control."

Due to this ease and the effectiveness of malvertising, there were approximately 10 billion malicious ad impressions in 2012, according to statistics cited by eSecurity Planet. That number is likely to rise in the coming years too, especially as the tactic proves fruitful to cybercriminals and as more Web browsing happens from unsecured smartphones and tablets. A March 2014 report from Blue Coat Systems showed that 20 percent of all mobile device users had encountered malvertising. In comparison, 5.7 percent of all mobile malware in 2012 started with bad ads, Infosecurity reported.

Perhaps the best known example of the power and prevalence of malvertising happened at the end of 2013. Approximately 300,000 people were affected by malvertising on Yahoo.com, as a bad ad on the site led unsuspecting users to a page that covertly installed code on the device that allowed it to be controlled remotely, eSecurity Planet reported.

Can malvertising be stopped?
While the threat posed by malvertising is great and only growing, organizations can take steps to mitigate this problem. In particular, by adopting solutions from Proofpoint, companies will be able to ensure that employees are safely browsing the Web and are not inadvertently causing malware to be downloaded onto corporate-owned assets.

For the majority of organizations, Proofpoint Targeted Attack Protection is the ideal safeguard to deal with malvertising. What makes this solution unique is that it uses advanced statistical modeling and analytics to more accurately determine if a link clicked is malicious or not, thus helping to prevent malware from ever being accidentally downloaded. It also comes with real-time monitoring capabilities to help organizations more effectively track and note malvertising and potentially destructive end-user behavior.

Proofpoint also helps ad networks and other organizations avoid hosting malicious ads in the first place. Proofpoint Malvertising Protection takes the ad's creative, the actual impressions served and the ad tags into account when scanning hosting requests to determine whether an advertisement is legitimate or malicious in nature. By taking such a comprehensive approach to ad scanning, organizations can help to make sure their brand is not tarnished by malvertising.

"For enterprises who publish ads on their own websites, the risks of malvertising can threaten both your users and your reputation," Weiss wrote. "Becoming the source of an infection that can infect thousands, or even millions, is not an ideal customer relations strategy. Businesses who accept direct advertising – that is, you accept ads directly from advertisers – need to have a well-crafted vetting strategy."
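The failure mode Weiss describes, a landing page that is clean when the ad is vetted and changes once impressions begin, is one a publisher accepting direct ads can check for on its own. The following is an added example, not Proofpoint's code or product: it assumes the publisher keeps a baseline of what each approved landing page referenced and re-fetches the page periodically; the HTML and the .example hosts are constructed.

```python
"""Approval-time baseline vs. live re-scan of an ad landing page (added example, not
Proofpoint code). Assumes a publisher records what a vetted page referenced and
re-fetches it while impressions are served; HTML and .example hosts are constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import FrozenSet, List
from urllib.parse import urlparse

# The usual post-approval additions: injected scripts, hidden iframes, redirects.
_SCRIPT = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)', re.I)
_IFRAME = re.compile(r'<iframe\b[^>]*\bsrc=["\']([^"\']+)', re.I)
_REFRESH = re.compile(r'<meta\b[^>]*http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)

@dataclass(frozen=True)
class Baseline:
    landing_host: str                  # host of the URL submitted with the ad
    third_party_hosts: FrozenSet[str]  # external hosts the page loaded from at approval
    redirect_targets: FrozenSet[str]   # meta-refresh destinations at approval (normally none)
    body_sha256: str                   # digest of the page body at approval

def _hosts(pattern, html: str) -> set:
    return {urlparse(m.group(1)).netloc.lower() for m in pattern.finditer(html)}

def profile(url: str, html: str) -> Baseline:
    """Record what the landing page referenced when the ad was vetted."""
    landing = urlparse(url).netloc.lower()
    refs = _hosts(_SCRIPT, html) | _hosts(_IFRAME, html) | _hosts(_REFRESH, html)
    refs -= {"", landing}  # relative references resolve to the landing host itself
    redirects = frozenset(m.group(1) for m in _REFRESH.finditer(html))
    return Baseline(landing, frozenset(refs), redirects,
                    hashlib.sha256(html.encode()).hexdigest())

def rescan(baseline: Baseline, html: str) -> List[str]:
    """Compare a live fetch of the landing page with its approval-time baseline."""
    live = profile(f"https://{baseline.landing_host}/", html)
    findings = [f"new third-party host: {h}"
                for h in sorted(live.third_party_hosts - baseline.third_party_hosts)]
    findings += [f"new client-side redirect to {t}"
                 for t in sorted(live.redirect_targets - baseline.redirect_targets)]
    if not findings and live.body_sha256 != baseline.body_sha256:
        # Body drift alone is informational: legitimate pages change copy and prices.
        findings.append("content changed (informational)")
    return findings

# Constructed sample: the page as vetted, then the same page after impressions begin.
APPROVED_URL = "https://shop.example/landing"
APPROVED_HTML = """<html><head><title>Spring sale</title>
<script src="https://cdn.shop.example/app.js"></script></head>
<body><img src="/img/sale.png"><p>Save 20%</p></body></html>"""
LIVE_HTML = APPROVED_HTML.replace(
    "</body>",
    '<iframe src="https://ads-stat.example/x.html" width="1" height="1"></iframe>'
    '<meta http-equiv="refresh" content="0;url=https://ads-stat.example/go"></body>')

if __name__ == "__main__":
    base = profile(APPROVED_URL, APPROVED_HTML)
    print(rescan(base, APPROVED_HTML))  # []
    print(rescan(base, LIVE_HTML))      # new host and redirect naming ads-stat.example
```

A new third-party host or a redirect that was absent at approval is the signal worth acting on; a changed body hash alone is reported only as informational because legitimate landing pages change constantly.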

As the threat posed by malvertising rises to new heights, the benefits that Proofpoint Targeted Attack Protection and Proofpoint Malvertising Protection provide become more critical to the safeguarding of important information and networks than ever before.

May 09, 2014

FINRA Fines Morgan Stanley $5M for Supervisory Failures: Here's What You Need to Know

On May 6, 2014, the Financial Industry Regulatory Authority (FINRA) announced that it had fined Morgan Stanley Smith Barney $5M for supervisory failures related to the solicitation of retail customers to invest in initial public offerings (IPOs). 

FINRA found that from February 16, 2012 to May 1, 2013, Morgan Stanley sold shares of 83 IPOs, including Facebook and Yelp shares, to retail customers without having proper procedures in place to ensure that its financial advisors - and ultimately its customers - fully understood what type of commitment was being solicited.

This is clearly big news and it underscores the importance of establishing adequate supervisory oversight.

The Problem

Here are the events that ultimately led to the $5M fine levied by FINRA:

  • On February 16, 2012, Morgan Stanley adopted a policy that used the terms “indication of interest” and “conditional offers” interchangeably, without proper regard for whether interest reconfirmation was required prior to execution. 
  • This led to ambiguity around customer obligations to purchase shares and Morgan Stanley did not have proper training materials in place to clarify the policy.
  • FINRA also found that Morgan Stanley failed to adequately monitor compliance with its policy and did not have procedures in place to ensure that such offers were being made in accordance with requirements of Federal securities laws and FINRA rules.

The Analysis

The case highlights the importance of clear communications to customers via unique, documented procedures. As importantly, a lack of proper supervisory monitoring and oversight directly violates Federal securities laws as well as FINRA rules.

So, how could Morgan Stanley have avoided the $5M fine?

Clearly, Morgan Stanley erred with respect to the creation of explicit, non-ambiguous policy - this simply did not happen. But had proper supervisory controls been leveraged, customer (mis)communications could have been highlighted and action could have been taken.

A Solution

NASD Rule 3010, which Morgan Stanley may have violated, states that a firm must establish and maintain a system to supervise the activities of each registered representative. This type of supervisory system would sample employee email communications and, either randomly or via policies that search for specific keywords (e.g., “indication of interest” or “conditional offer”), place those messages into queues for review by compliance staff. Compliance officers can then take action to clarify communications or remediate other potential policy violations.
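The sampling and keyword review described above, as an added example that is not Proofpoint's or Morgan Stanley's code: it assumes messages are available as simple dicts with an id, sender, subject and body, uses the two phrases from this post as the lexicon policy, and samples deterministically from the message id so an examiner can reproduce which messages were pulled. The messages are constructed.

```python
"""Keyword-policy and random-sample supervisory review queue (added example, not
Proofpoint or Morgan Stanley code). Assumes messages arrive as dicts with id,
sender, subject and body; policy terms come from the post, messages are constructed."""
import hashlib
import re
from typing import Dict, List, Tuple

# Lexicon policies. Each phrase is matched on word boundaries, case-insensitively,
# with spaces or hyphens between words, so "Conditional Offers" and
# "Indication-of-Interest" both hit.
POLICIES = {"ipo-solicitation": ["indication of interest", "conditional offer"]}
SAMPLE_PERCENT = 5  # share of non-flagged mail pulled into random review

def _compile(phrase: str) -> "re.Pattern[str]":
    words = r"[\s-]+".join(re.escape(w) for w in phrase.split())
    return re.compile(r"\b" + words + r"s?\b", re.I)

_COMPILED = {name: [_compile(p) for p in phrases] for name, phrases in POLICIES.items()}

def sample_bucket(message_id: str) -> int:
    """Deterministic 0-99 bucket derived from the message id, so an examiner can
    reproduce exactly which messages fell into the random sample."""
    return int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100

def triage(msg: Dict[str, str]) -> List[str]:
    """Return the review reasons for one message; an empty list means not queued."""
    reasons = []
    text = msg["subject"] + "\n" + msg["body"]
    for name, patterns in _COMPILED.items():
        hits = sorted({m.group(0).lower() for pat in patterns for m in pat.finditer(text)})
        if hits:
            reasons.append(f"policy:{name} matched {', '.join(hits)}")
    if not reasons and sample_bucket(msg["id"]) < SAMPLE_PERCENT:
        reasons.append("random-sample")
    return reasons

def build_queue(messages: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(id, reasons) for every message compliance staff must review."""
    return [(m["id"], reasons) for m in messages if (reasons := triage(m))]

# Constructed sample traffic from two financial advisors.
MESSAGES = [
    {"id": "msg-1001", "from": "fa1@broker.example", "subject": "Facebook IPO",
     "body": "Please confirm your conditional offer for 200 shares before Friday."},
    {"id": "msg-1002", "from": "fa2@broker.example", "subject": "Yelp allocation",
     "body": "Your Indication-of-Interest was received; no further action is needed."},
    {"id": "msg-1003", "from": "fa1@broker.example", "subject": "Lunch",
     "body": "Are we still on for Thursday?"},
]

if __name__ == "__main__":
    for msg_id, reasons in build_queue(MESSAGES):
        print(msg_id, reasons)
```

The second sample message is the kind of ambiguity the post describes: an "indication of interest" treated as if it carried no purchase obligation, which is exactly what a reviewer pulling it from the queue would want to clarify with the customer.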

This case serves as yet another example that a small investment in adequate supervisory tools can save large dollars down the road.

About the Proofpoint Enterprise Archive

Proofpoint Enterprise Archive makes it easy to meet even the most stringent regulatory compliance demands by archiving information according to SEC-compliant policies. Supervisory review capabilities ensure that broker-dealer communications are monitored and managed to assist in meeting requirements of FINRA Rules 8210 and 11-39, SEC Rule 17a-4, and NASD Rule 3010.

- Christopher Ricciuti

---

Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College. 


©2012 Proofpoint, Inc.