Proofpoint: Security, Compliance and the Cloud

May 30, 2014

Social Media & Regulatory Compliance: Top 20 Questions and Answers

A big thanks to Michael Osterman, Founder and CEO of Osterman Research, who joined us in a very informative webinar on social media last Wednesday. The session generated quite a few questions, which we felt would be good to respond to via the blog.

Responses below have been provided by and denoted as either Osterman Research (OR, and ©2014 Osterman Research, Inc.) or Proofpoint (PFPT).

Q1. Is it better to have an all-inclusive social media policy and risk not complying vs. having a more general policy?
(OR): I’m not sure it’s an either-or situation. The goal is to have a policy that will enable management to enforce best practices in order to help the organization remain in compliance with various statutes, legal decisions and corporate best practices.

Q2. Does Live Chat have to comply with the same SEC and FINRA rules as it pertains to record retention and archiving?
(OR): Yes, if the communication is with customers. FINRA rules obligate registered representatives to retain communications with customers regardless of the format or delivery mechanism.

Q3. Can you discuss the effect of privacy laws that may constrain a company’s ability to archive social media conversations?
(OR): Some nations have relatively strict privacy laws that will prevent companies from archiving social media or any other content without the express permission of the individuals whose data would be archived. For example, Germany’s Federal Data Protection Act prevents the collection of any PII without permission and requires the data holder, even with permission, to specify for how long the data will be held, how it will be used, etc. US federal and state protections are generally less restrictive, since employers are generally granted more leeway in how work-related content will be retained.

(PFPT): Additionally, FINRA is in the process of lobbying states so that carve-out provisions to privacy statutes are implemented. Such carve-outs will enable regulated firms to archive employee social media content without the risk of violating state privacy law.

Q4. Can you comment on the effect of the NLRB as it pertains to social media being accessible to outside labor relations organizations, such as unions?
(PFPT): The NLRB has been active in cases where it believes that social media policies are overly broad and restrict the rights of employees. It is important to consult with those knowledgeable regarding labor laws in those industries where the NLRB may have influence.

Q5. I can understand an organization archiving internal social media, but is it really possible to archive all the different possible uses of social media? As you mentioned, there are thousands out there.
(PFPT): Possible, yes; practical, no. You need to prioritize based upon the channels your employees are using, and choose a platform that provides the flexibility to capture additional channels as their use increases.

Q6. What were the sites you mentioned for example of data breaches through SM. I captured one "" and missed the other one

Q7. I would think that most companies are concerned over data leakage through social media and how to control it?
(OR): I’m not sure that’s the case. Decision makers may be aware of the potential for data leaks through social media, but most really are not doing much about it, such as monitoring for offensive content, data leaks or other content sent through social media.

Q8. But doesn't not archiving have an upside in legal discovery? What you don't have can't be legally provided. Like email retention.
(PFPT): Actually, courts have become clear that the absence of an archiving and retention policy does not necessarily lead to the conclusion that the data does not exist. See our recent blog post on this topic.

Q9. Would you see ad based malware as an increasing threat?
(OR): Yes, definitely. The Online Trust Alliance has some good resources here.

Q10. How do you deal with access to social media that is through personal accounts, so that use is through those accounts with no real corporate governance?
(PFPT): The monitoring and control of personal accounts that are used for business purposes should be addressed in policy to outline acceptable and prohibited uses. Alternatively, set up “business” social media accounts for your employees to use and have them sign semi-annual letters of attestation, stating that they will not use their "personal" social media accounts for business purposes.

Q11. What do you do about access to social media through personally owned devices like cell phones, where you can't monitor the communications?
(PFPT): Many technologies do exist – such as Proofpoint’s Social Platform for Archiving - that allow employee social media content to be captured and archived not just from the office PC, but from any PC and mobile devices as well.

Q12. Do you have a suggested approach to reduce/eliminate the liability of a company incurred by an employee's use (abuse?) of social media?
(OR): First and foremost, establish detailed and thorough policies focused on social media use by employees when using corporate resources, as well as when employees are at work. A company may be able to extend this to an employee’s personal time, as well, as employers are able to do with morals clauses in work contracts. Clear and detailed policies are essential in order to give the employer the ability to discipline employees for policy violations and insist that they follow corporate policies, even when personal devices are used.

Q13. Is there any guidance for social media in regards to SOC1/2 or SOX?
(PFPT): Nothing explicitly defined within SOX, other than to have defined policies in place and procedures to demonstrate that they are followed. In the case of SSAE SOC1/2, no guidance, but something that can be added to the list of documented policies for annual audit if it is determined that would be meaningful to your specific stakeholders.

Q14. Employers use social media to screen applicants - what are their reasonable archiving options in light of EEOC/FTC requirements to keep documents relied upon for specified time spans?
(PFPT): As you are likely aware, there are a number of state actions pending regarding the ability to access social media as an employment screening tool. Best to monitor court decisions and pending legislation on this topic in your specific state. Some useful guidance is available here.

Q15. Have there been any corporate lawsuits at this time involving evidence from social networking sites?
(OR): There are a growing number. Here are a couple of recent examples:

  • In Armstrong v. Shirvell, the defendant requested "[a] complete copy of all communications between you and the following individuals… whether it be on Facebook, in a blog, via e-mail, text message, voicemail, letter, facsimile, or anywhere else…”
  • In Calvert v. Red Robin International, Inc., the plaintiff was ordered by the court to “bring all materials, electronic or otherwise, including e-mails, Facebook messages, and any other communications he has had with putative class members in this action”.

Q16. Any good templates for sm policies for IT Security side?
(PFPT): There are a variety of good resources for social media policies that can be extended to address security issues as well. An excellent resource is here.

Q17. Are these different archivers an extra cost to us if we are using Proofpoint email archiver already?
(PFPT): Yes, the Social Platform for Archiving modules are priced individually and provided at an additional per-seat cost, but as an existing Proofpoint Archive customer you are entitled to a discounted rate. Contact your account manager for more details.

Q18. Will Proofpoint’s social solution capture email and chat in Facebook?
(PFPT): Yes. Archiver for Facebook, which is part of the Proofpoint Social Platform for Archiving, captures and archives both Facebook Messages and Email.

Q19. Do you offer a reseller program or white label?
(PFPT): Not at this time, but always open to discuss possibilities here. Please contact me at

Q20. I only see platforms like chatter/yammer, have you considered other social platforms like Jive, Socialcast, Telligent etc.
(PFPT): We are constantly looking at market uptake for various social channels. One of the benefits of the model we have built is its modularity – we will be able to evolve and add new channels in the future very rapidly.

Thanks again to Michael Osterman for sharing his time and insights.

 - Chris Ricciuti and Robert Cruz



Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College. 



Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.




Michael is the president and founder of Osterman Research. He has more than 27 years experience in the high-tech research industry and has spent nearly 16 years following the messaging and collaboration industries. Prior to founding Osterman Research in 2001, Michael was the Vice President of Market Research for Creative Networks, and has held senior analyst positions with SRI International and Ryan Hankin Kent.


May 23, 2014

Key Social Media Compliance Takeaways from the 2014 FINRA Annual Conference

This week, Proofpoint attended the 2014 FINRA Annual Conference. As always, the conference was jam-packed with sessions, exhibitors and compliance / legal folks from the Financial Services industry. This year, it was particularly busy, as the conference had its highest number of attendees ever!

While at the conference, we had the opportunity to sit in on many of the information sessions as well as the opportunity to interact with many of the brightest minds in the industry. With our schedule tightly packed and so much new information to process, it’s often important to jot down important takeaways on paper before they’re forgotten, and that’s what we’ve done for you here.

In this two part series, we’ll focus on the top social media compliance takeaways from the 2014 FINRA Annual Conference. The first few are below.

Social media compliance is definitely top-of-mind

The topic of social media compliance seemed to pop up in the majority of information sessions - even in sessions that did not explicitly focus on that topic. This makes it clear that regulated firms are very interested in leveraging the power of social media to market, sell and provide support to their customers but, of course and rightfully so, they’re worried about noncompliance. As a result, they seek guidance from FINRA. After all, there are an increasing number of examples of firms, their principals and their registered reps being fined for lack of social media compliance, and nobody wants to be the next headline in this area.

So FINRA made it a point to thoroughly discuss all matters related to social media compliance and even went so far as to give examples of how real firms have been able to maintain regulatory compliance while using social media. AXA, Vanguard, LPL and Commonwealth were among the few firms kind enough to share their stories with us. We’ll highlight some common social media use cases in Part II.

Archive everything, including social media
All forms of electronic business communications must be archived, but don’t take my word for it. FINRA said exactly that in one of the information sessions. So, while you’re most likely already archiving email for long-term retention, eDiscovery and supervision (you are, right?), you’d be better prepared to respond to FINRA examinations if you, in addition to email, archive every form of electronic business communication that’s bouncing around at your firm. That’s right, everything.

This means that you need to archive business communications from mobile (text, SMS), public social (LinkedIn, Facebook, Twitter), enterprise social (Chatter, Yammer) and blogs, to name a few. Ideally, content from these sources should integrate seamlessly into your information archive so that you can employ eDiscovery and supervision tools that make it easy to respond to a FINRA examination, should one arise.

Employee privacy vs. social media compliance
The need to archive everything brings us to the next point, what if you can’t?

I should clarify, by “can’t,” I don’t mean that it’s not technically possible to capture social media, because it certainly is possible (solutions exist that enable the capture of social media content). Rather, the problem is that it could be illegal to capture employee generated social media content.

Dissecting employee privacy law in exhaustive detail is outside of the scope of this blog post, but, generally speaking, employee privacy law is determined at the state level and states have different statutes in place. Fourteen states (Arkansas, for example) prohibit an employer from requesting the credentials of employees’ “personal” social media accounts for any reason (requesting credentials is sometimes necessary to supervise and archive employee social media activity). So, you should check with your legal counsel before requesting such information from employees.

Unfortunately, such statutes are in direct conflict with what FINRA requires: archive all forms of electronic business communications.

But don’t fret, FINRA understands that this is a current problem in some states and has provided the following guidance, plus it’s also working to remediate the situation:

  • Semi-annual attestations - if you can’t archive and monitor employee social media content, then have them attest to the fact that they are not using their personal social media accounts for employer-related business communications. Have them do this at least semi-annually.
  • Follow-up on red flags immediately - Even with semi-annual attestations, you may learn of instances when employees are in fact using social media for business communications. You should investigate such matters immediately.
  • FINRA, the lobbyist - FINRA did indicate that it is “aggressively lobbying” states with “much success” to remediate the conflict between FINRA rules and employee privacy. Most likely the results of FINRA’s lobbying effort will come in the form of carve outs within the state statutes that enable only regulated firms to request access to employee social media accounts, thereby satisfying FINRA rules while not violating laws at the state level. One such example is Maryland, which has a carve-out for “self regulatory companies” and explicitly references FINRA and NASD.

In summary, there was a lot of buzz about social media compliance at the 2014 FINRA Annual Conference. In this first post in the blog series, we’ve highlighted that social media compliance was top-of-mind at this year’s conference, discussed the need to archive everything and examined the conflict between employee privacy and the need to comply. We’ll follow up with Part II of this blog series, shortly.

 - Christopher Ricciuti




May 12, 2014

The Lack of Effective Information Management

This post continues the subject of retention policy from the earlier Semper Gumby post, now very timely in light of pending changes to FRCP Rule 37(e) that will provide greater guidance in determining what are reasonable and proportional preservation efforts.

Before turning to the topic of retention policy enforcement, I thought it would be appropriate to address a question that was submitted: what are the consequences of not managing retention policy? For those within regulated industries, the answer is often clearly spelled out in industry mandates, but what about everyone else? And where has the lack of a retention policy directly led to a bad outcome in the area of eDiscovery and litigation?

To answer that question, it may be useful to break the potential consequences into 3 categories:

1) Cases where the absence of policy was directly referenced in the court ruling:

  • Keithley v Homestore, Inc, 2008 WL 3833384 (N.D. Cal. Aug. 12, 2008) – $650K in sanctions for the lack of a written document retention and litigation hold policy, leading to failure to preserve required electronic evidence. The court disregarded the defendants' argument that nothing had been destroyed because the reports “were not captured” and did not exist; two months later, 480,000 reports appeared via a hard drive. Court: “The facts that Defendants have no written document retention policy nor was there a specific litigation hold put in place… that at least some evidence was destroyed… sanctions were appropriate”.
  • Phillip M. Adams & Assoc., LLC v. Dell, 2009 WL 910801 (D. Utah Mar. 30, 2009) – patent dispute, plaintiff produced little evidence, claiming it did not retain records. Court ruled that plaintiff’s “lack of a retention policy and irresponsible data retention practices…” violated rights. Culpability was “founded in questionable information management practices”.
  • Peter Kiewit Sons’, Inc. v. Wall Street Equity Group, Inc., No. 8:10CV365, 2012 WL 1852048 (D. Neb. May 18, 2012) - Court: “Essentially non-existent document retention policy” renders defendants an “unreliable source of discovery;” Court grants sanctions for false statements, discovery violations
  • Scentsy Inc. v. B.R. Chase LLC, No. 1:11-cv-00249-BLW, 2012 WL 4523112 (D. Idaho Oct. 2, 2012) – copyright case: “The Court has serious concerns with Scentsy’s retention policy and litigation hold process. It is very risky – to such an extent that it borders on recklessness”

2) Situations where the lack of a retention policy is a contributing factor toward the bad outcome of data spoliation – e.g. a court rules that data that should have been preserved for litigation was disposed of. Those with a stated and enforced retention policy are in a stronger position to defend their actions to dispose of data if it is in accordance with policy. Here are some of the cases that center on spoliation:

  • Broadcom v Qualcomm- patent litigation, court orders $8.5M in sanctions and investigation of ethics violations for large quantity of withheld documents when a simple search revealed missing documents
  • Rambus v Micron Technology – Rambus' aggressive document deletion policy destroyed documents that the court ruled it had a duty to preserve. This impacted the court's decision that the patents were not enforceable against Micron
  • Dish Network v Cablevision – Dish sanctioned by the court for having “systematically destroyed email evidence in direct violation of the law.” Dish policy was to store email for a month and notify users if email was to be preserved for discovery. The judge ruled that this behavior was, at minimum, gross negligence.

3) Instances when a company lacks both policy as well as the system to manage retention. An organization with an archiving or comparable system in place will typically rely upon it as its primary source of data for discovery. The absence of such a system has not led courts to the conclusion that the data does not exist. Instead, data ends up being collected from sources designed for other purposes (back-up tapes, shared drives, PST files, etc.), where the possibility that material data is missed escalates. Cases of this type include:

  • Morgan Stanley – $604M in damages after they had claimed that all material information was accounted for via back-up tape restoration. Additional material data continued to turn up.
  • Harkabi v SanDisk – sanctions of $150K against SanDisk for not being able to produce laptop data
  • Pippins v KPMG, LLC – court orders KPMG to preserve 2,500 hard drives at a cost of $2.5M, as no alternative source was available to evaluate the plaintiff's claim


Organizations now employing a keep-everything-forever policy should take note that effectively managing retention policy is not just a matter of satisfying regulatory or internal records mandates. The lack of effective policy management has implications beyond added storage cost and data management burdens; the risk of bad outcomes in eDiscovery is one that is expensive both monetarily and in damage to corporate reputation.

- Robert Cruz





May 12, 2014

How to defend against malvertising

Cybercriminals are increasingly turning to malvertising as a way to infect unsuspecting end users, and enterprises need dedicated protection, such as Proofpoint's solutions, to help defend themselves against this growing threat.

Malvertising, a portmanteau of malicious advertising, is when a seemingly innocent ad on a website directs someone to a Web page that causes malware to be downloaded onto the browsing device. According to eSecurity Planet, malvertising is becoming increasingly prevalent because it is a relatively easy way to infect visitors to some of the biggest sites online. Cybercriminals have become quite adept at disguising their true intentions from ad networks, which gives them an easy backdoor onto the targeted page.

"Crafty hackers do not even need to implant any malicious code into the ad itself, ensuring that it clears any scanning by the advertising network," eSecurity Planet contributor Aaron Weiss wrote. "Instead, the ad can simply lure people to a website. The site may contain only clean content when the ad is submitted to the network, but once ad impressions begin the hackers plant malware on the site, which they already control."

Due to this ease and the effectiveness of malvertising, there were approximately 10 billion malicious ad impressions in 2012, according to statistics cited by eSecurity Planet. That number is likely to rise in the coming years too, especially as the tactic proves fruitful to cybercriminals and as more Web browsing happens from unsecured smartphones and tablets. A March 2014 report from Blue Coat Systems showed that 20 percent of all mobile device users had encountered malvertising. In comparison, 5.7 percent of all mobile malware in 2012 started with bad ads, Infosecurity reported.

Perhaps the best known example of the power and prevalence of malvertising happened at the end of 2013. Approximately 300,000 people were affected by malvertising on, as a bad ad on the site led unsuspecting users to a page that covertly installed code on the device that allowed it to be controlled remotely, eSecurity Planet reported.

Can malvertising be stopped?
While the threat posed by malvertising is great and only growing, organizations can take steps to mitigate this problem. In particular, by adopting solutions from Proofpoint, companies can help ensure that employees are safely browsing the Web and are not inadvertently causing malware to be downloaded onto corporate-owned assets.

For the majority of organizations, Proofpoint Targeted Attack Protection is the ideal safeguard to deal with malvertising. What makes this solution unique is that it uses advanced statistical modeling and analytics to more accurately determine if a link clicked is malicious or not, thus helping to prevent malware from ever being accidentally downloaded. It also comes with real-time monitoring capabilities to help organizations more effectively track and note malvertising and potentially destructive end-user behavior.

Proofpoint also helps ad networks and other organizations avoid hosting malicious ads in the first place. Proofpoint Malvertising Protection takes the ad's creative, the actual impressions served and the ad tags into account when scanning hosting requests to determine whether an advertisement is legitimate or malicious in nature. By taking such a comprehensive approach to ad scanning, organizations can help make sure their brand is not tarnished by malvertising.

"For enterprises who publish ads on their own websites, the risks of malvertising can threaten both your users and your reputation," Weiss wrote. "Becoming the source of an infection that can infect thousands, or even millions, is not an ideal customer relations strategy. Businesses who accept direct advertising – that is, you accept ads directly from advertisers – need to have a well-crafted vetting strategy."

As the threat posed by malvertising rises to new heights, the benefits that Proofpoint Targeted Attack Protection and Proofpoint Malvertising Protection provide become more critical to the safeguarding of important information and networks than ever before.
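Weiss's point above, that a creative can pass review because the landing site is clean at submission and only turns hostile once impressions start, is why a one-time scan of the creative is not enough. The following is an added example and not code from the original post or from any Proofpoint product: it records what an ad's click-through chain looked like when the ad was approved, re-resolves the chain later, and flags any domain that was not vetted, a changed final host, or classic loader content (hidden iframe, obfuscated script) on the landing page. The ad network, hostnames and HTTP responses are constructed for the demo, and `fake_fetch` stands in for an HTTP client so nothing is fetched from the network.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

MAX_HOPS = 8
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Landing-page content a vetted creative should never resolve to:
# a hidden iframe (the usual exploit-kit loader) or obfuscated script.
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*(?:width="?[01]"?|display:\s*none)', re.I)
OBFUSCATED_SCRIPT = re.compile(r'(?:eval|document\.write)\s*\(\s*unescape\s*\(', re.I)


@dataclass(frozen=True)
class ApprovedAd:
    """What the network recorded when the creative passed review."""
    ad_id: str
    click_url: str
    vetted_final_host: str      # landing host observed at submission time
    allowed_domains: frozenset  # registrable domains observed at submission time


def registrable(host):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def resolve_chain(start_url, fetch):
    """Follow redirects using fetch(url) -> (status, location, body).

    Returns the hostnames visited, in order, and the final body. Refuses to
    chase more than MAX_HOPS redirects so a loop cannot hang the re-check.
    """
    chain, url, body = [], start_url, ''
    for _ in range(MAX_HOPS):
        chain.append(urlsplit(url).hostname or '')
        status, location, body = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            return chain, body
        url = location
    raise RuntimeError('more than %d redirects from %s' % (MAX_HOPS, start_url))


def recheck(ad, fetch):
    """Re-resolve an approved ad and report every way it drifted from review."""
    chain, body = resolve_chain(ad.click_url, fetch)
    findings = []
    for host in chain:
        if registrable(host) not in ad.allowed_domains:
            findings.append('unvetted domain in chain: ' + host)
    if chain[-1].lower() != ad.vetted_final_host.lower():
        findings.append('final host changed: %s -> %s' % (ad.vetted_final_host, chain[-1]))
    if HIDDEN_IFRAME.search(body):
        findings.append('suspicious landing content: hidden iframe')
    if OBFUSCATED_SCRIPT.search(body):
        findings.append('suspicious landing content: obfuscated script')
    return findings


# --- constructed data standing in for the network -------------------------
# Response table as of submission: ad server -> advertiser's promo page.
AT_SUBMISSION = {
    'https://ads.adnet-example.com/click?id=7':
        (302, 'https://www.shop-example.com/promo', ''),
    'https://www.shop-example.com/promo':
        (200, None, '<html><h1>Spring sale</h1></html>'),
}
# Same ad once impressions start: the advertiser-controlled page now bounces
# to a third host serving a hidden iframe.
AT_IMPRESSION = dict(AT_SUBMISSION)
AT_IMPRESSION['https://www.shop-example.com/promo'] = (302, 'https://cdn.bad-example.net/l', '')
AT_IMPRESSION['https://cdn.bad-example.net/l'] = (
    200, None, '<html><iframe width="0" height="0" src="/ek/"></iframe></html>')


def fake_fetch(table):
    """Offline stand-in for an HTTP client (no real requests are made)."""
    return lambda url: table.get(url, (404, None, ''))


AD = ApprovedAd('ad-7', 'https://ads.adnet-example.com/click?id=7',
                'www.shop-example.com',
                frozenset({'adnet-example.com', 'shop-example.com'}))

if __name__ == '__main__':
    print('at submission:', recheck(AD, fake_fetch(AT_SUBMISSION)))
    for finding in recheck(AD, fake_fetch(AT_IMPRESSION)):
        print('at impression:', finding)
```

The baseline is recorded per ad at approval time and the re-check is meant to run on a schedule and on a sample of live impressions; the hop limit matters because an attacker who knows the scanner follows redirects can otherwise stall it with a loop.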

May 09, 2014

FINRA Fines Morgan Stanley $5M for Supervisory Failures: Here's What You Need to Know

On May 6, 2014, the Financial Industry Regulatory Authority (FINRA) announced that it had fined Morgan Stanley Smith Barney $5M for supervisory failures related to the solicitation of retail customers to invest in initial public offerings (IPOs). 

FINRA found that from February 16, 2012 to May 1, 2013, Morgan Stanley sold shares of 83 IPOs, including Facebook and Yelp shares, to retail customers without having proper procedures in place to ensure that its financial advisors - and ultimately its customers - fully understood what type of commitment was being solicited.

This is clearly big news and it underscores the importance of establishing adequate supervisory oversight.

The Problem

Here are the events that ultimately led to the $5M fine levied by FINRA:

  • On February 16, 2012, Morgan Stanley adopted a policy that used the terms “indication of interest” and “conditional offers” interchangeably, without proper regard for whether interest reconfirmation was required prior to execution. 
  • This led to ambiguity around customer obligations to purchase shares and Morgan Stanley did not have proper training materials in place to clarify the policy.
  • FINRA also found that Morgan Stanley failed to adequately monitor compliance with its policy and did not have procedures in place to ensure that such offers were being made in accordance with requirements of Federal securities laws and FINRA rules.

The Analysis

The case highlights the importance of clear communications to customers via unique, documented procedures. As importantly, a lack of proper supervisory monitoring and oversight directly violates Federal securities laws as well as FINRA rules.

So, how could Morgan Stanley have avoided the $5M fine?

Clearly, Morgan Stanley erred with respect to the creation of explicit, non-ambiguous policy - this simply did not happen. But had proper supervisory controls been leveraged, customer (mis)communications could have been highlighted and action could have been taken.

A Solution

NASD Rule 3010, which Morgan Stanley may have violated, states that a firm must establish and maintain a system to supervise the activities of each registered representative. This type of supervisory system would sample employee email communications, and, either randomly or via policies that search for specific keywords (e.g. - indication of interest or conditional offer), place those messages into queues for review by compliance staff. Compliance officers can then take action to clarify communication or remediate other potential policy violations.
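To make the supervisory mechanism described above concrete, here is an added example (not code from the original post or from Proofpoint Enterprise Archive) of the two routing paths it names: a lexicon policy that queues any message matching phrases such as "indication of interest" or "conditional offer", and a seeded random sample of the remaining traffic so that messages using phrases nobody anticipated still get a reviewer's eyes. The policy names, phrase lists and sample messages are constructed for the demo.

```python
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass(frozen=True)
class QueueItem:
    msg_id: str
    reasons: tuple  # why the message landed in the review queue


# Lexicon policies: name -> pattern. Phrases match as whole words,
# case-insensitively, so "unconditional offer" is not a hit.
# The phrase lists are illustrative, not a regulator-issued lexicon.
POLICIES = {
    'ipo-solicitation': re.compile(
        r'\b(?:indications? of interest|conditional offers?|conditional orders?)\b', re.I),
    'guarantee-language': re.compile(
        r"\b(?:guaranteed? (?:return|profit)s?|can't lose|risk[- ]free)\b", re.I),
}


def policy_hits(message):
    """Names of every lexicon policy the subject or body matches."""
    text = message.subject + '\n' + message.body
    return tuple(name for name, pattern in POLICIES.items() if pattern.search(text))


def build_review_queue(messages, sample_rate=0.10, seed=2014):
    """Queue every policy hit, plus a seeded random sample of what did not hit.

    The random sample is the part that gets forgotten: a lexicon only finds the
    phrases you already thought of, so a fraction of unremarkable traffic is
    reviewed as well. The fixed seed makes the sample reproducible for an examiner.
    """
    rng = random.Random(seed)
    queue = []
    for message in messages:
        reasons = tuple('policy:' + name for name in policy_hits(message))
        if not reasons and rng.random() < sample_rate:
            reasons = ('random-sample',)
        if reasons:
            queue.append(QueueItem(message.msg_id, reasons))
    return queue


# Constructed sample traffic (not real correspondence).
SAMPLE = [
    Message('m1', 'fa1@firm.example', 'client1@mail.example',
            'XYZ IPO allocation', 'Your conditional offer for 500 shares is noted.'),
    Message('m2', 'fa2@firm.example', 'client2@mail.example',
            'Re: IPO', 'Please reconfirm your indication of interest before pricing.'),
    Message('m3', 'fa1@firm.example', 'fa2@firm.example',
            'Lunch Thursday?', 'Usual place at noon.'),
    Message('m4', 'fa3@firm.example', 'client3@mail.example',
            'New fund', 'This one is basically risk-free, guaranteed return.'),
    Message('m5', 'ops@firm.example', 'client1@mail.example',
            'Quarterly statement', 'Your statement is attached.'),
]

if __name__ == '__main__':
    for item in build_review_queue(SAMPLE, sample_rate=0.25):
        print(item.msg_id, item.reasons)
```

The reasons tuple is kept on each queue item because a reviewer, and later an examiner, needs to see why a message was selected; a queue that only lists message IDs cannot demonstrate that the policy was actually applied.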

This case serves as yet another example that a small investment in adequate supervisory tools can save large dollars down the road.

About the Proofpoint Enterprise Archive

Proofpoint Enterprise Archive makes it easy to meet even the most stringent regulatory compliance demands by archiving information according to SEC-compliant policies. Supervisory review capabilities ensure that broker-dealer communications are monitored and managed to assist in meeting requirements of FINRA Rules 8210 and 11-39, SEC Rule 17a-4, and NASD Rule 3010.

- Christopher Ricciuti




May 07, 2014

Effective Information Retention Policy: Flexibility is Key

We’ve been working with a growing number of organizations that have finally (finally!) arrived at the decision that keeping everything forever is no longer a sustainable business strategy. Yes, they recognize that information growth continues unabated and, yes, more of this information is appearing in unmanaged locations such as social media. But, arriving at a shared perspective on how long information has value, what process could be utilized to rid oneself of junk, how to account for the information needs of users, and how one can gauge the incremental eDiscovery risks associated with preservation and disposition can often appear to be insurmountable obstacles.

Motivated by the search for a simple answer to the complex infogov question of “what information should I keep, and for how long?”, these discussions have inspired me to advance a new approach to proactive information governance that is probably best described as Semper Gumby.


As you probably know, Semper Gumby is an unofficial motto of the United States Marine Corps, adopted to convey the imperative to be “Always Flexible”. Its importance and direct relevance to retention management is clear, as policies need to be sensitive to:

1) At the on-going operational level, setting policy reflects the fluid needs to deliver consistent access to business-critical information to end users, balanced against the IT need to cost effectively manage data storage cost and hassle;

2) Increasingly complex regulatory requirements that have now established themselves as the top litigation concern for many corporations

3) Litigation patterns and trends, along with deep-seated notions of how information management impacts preservation risk

4) Internal communication patterns, and the increased traffic that is occurring outside of sanctioned communication channels

Suffice it to say, these variables will continue to evolve and intermingle to ultimately produce a set of policies that map to each organization's unique situation. But, as Semper Gumby would dictate, a premium is placed on flexibility. Conditions, including use of specific communication channels, storage cost, and regulatory drivers, will inevitably evolve. Policies must be flexible enough to evolve with these conditions.

This fact can be highlighted via a survey that we recently conducted, looking at the existing retention policies of information archiving customers (horizontal axis representing retention policy length in years, vertical axis counting the number of companies with that policy).


Some of the findings from the survey include the following:

  • 65% of the companies sampled had more than 1 active retention policy, averaging 3 policies overall
  • The default retention period for all companies surveyed averaged slightly more than 4 years
  • As expected, policies varied widely by industry. Health care, for example, had default policies that ranged from 1 to 8 years
  • The most common reasons for multiple policies were geographic drivers, policies driven by existing records class definitions, and policies reflecting legal discovery definitions
  • Policies are trending toward longer retention periods, most likely because storage is becoming less of a driver in setting policy given falling storage costs

As demonstrated by the survey, there is no one policy size that fits all (except for those things driven by industry mandate). But it is also true that answering the question of “what information should I keep, and for how long” does not need to stop with “it depends”. Effective policies are not static and require granularity to reflect the unique needs of users, as well as of legal and compliance stakeholders.

Equally important, effective policy management needs to address not just the challenges many companies face today in defining retention policies, but also ensuring that those policies can be enforced. Policy enforcement that relies solely on the actions of end users is rarely effective. Therefore, end users should be engaged as stakeholders based upon their knowledge and business expertise – not as records managers. The topic of policy enforcement will be covered in a post to follow.

For more information on how Proofpoint Enterprise Archive follows the Semper Gumby mantra in enabling robust – yet flexible – retention policy management, please visit And, if you are planning to attend the MER conference in Chicago, would love to meet with you then. Please schedule a session at:



Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.



April 30, 2014

Survey shows dramatic jump in concern over regulatory investigation

In its just-released 10th Annual Litigation Trend Survey, law firm Norton Rose Fulbright offered its usual rich, data-intensive insights into litigation spend patterns and other causes of concern for legal departments, captured via a survey of over 400 senior corporate counsel. But one meta-concern clearly emerged in this report: concern over regulatory investigation. Some key stats:

  • 41% of respondents list regulatory as a top concern, up from 23% in 2012
  • Amongst all sectors, Technology (from 16% to 50%), Financial Services (from 24% to 57%), and Health Care (from 24% to 52%) showed the most dramatic increases
  • In terms of categories of litigation, regulatory/investigation grew from 9% to 19% in the most recent survey
  • 61% of health care respondents indicated that they had one or more regulatory proceedings opened against them, more than any other vertical market
  • 52% of surveyed firms indicated that they are spending more time addressing regulatory requests
  • 62% of health care respondents indicated they are involved in issues pertaining to data privacy protection, while all verticals together showed an increase from 31% to 43% in the most recent survey


This survey has always been a useful data source for reporting the ebbs and flows of litigation across different categories and market segments, but this year’s dramatic spotlight on regulatory matters appears to be the beginning of a longer-term pattern that is a function not only of new regulations (e.g. within HIPAA, FINRA, FFIEC, etc.), but also of more fundamental consequences of 1) unfettered information growth, 2) the proliferation of important data located outside of IT-managed environments, and 3) the increased frequency and severity of targeted threats. Those looking for the motivators behind internal initiatives targeted at data privacy, data security, and information governance need look no further.

What is also clear from this analysis is the increased premium that can be placed on proactive, pre-trigger readiness. Relying on antiquated internal systems or manual efforts to identify and collect information amidst an increasingly complex – and costly – regulatory environment is simply not sustainable.  The 45% of respondents currently engaged in one or more regulatory proceedings would almost certainly attest to this.

The survey also highlights the importance of legal and compliance teams being active participants in the due diligence of new methods and technologies to address these regulatory complexities. As noted, 47% of organizations are now actively utilizing cloud computing approaches – and many tools are simply not designed for large-scale usability by legal or compliance teams. 52% of respondents are spending more time addressing regulatory concerns, but no doubt the vast majority of respondents would like to spend less – while also delivering on the goal of reducing the overall concern surrounding regulatory and investigative demands.

- Robert Cruz 





April 21, 2014

Social Media Compliance with Facebook and Twitter

Increasingly, organizations are turning to social media to market, sell, and maintain brand. But how can a regulated organization take advantage of social media while maintaining regulatory compliance? The SEC, FINRA, the FFIEC, HIPAA, and other regulatory bodies have either issued guidance covering the use of social media or have interpreted existing rules so that they can be applied to social media.

This post will discuss how to use Facebook and Twitter while maintaining regulatory compliance.

Given that social media is only recently seeing broad enterprise adoption, it has taken some time for regulators to catch up, but that situation is changing rapidly:

So, how best to avoid the potential sanctions and fines that could stem from improper use of social media?

Facebook, Twitter and how to Maintain Regulatory Compliance

The examples above illustrate the importance of crafting a solid social media policy that outlines exactly what employees should and shouldn't do when it comes to social media. There are many steps in this process that will be subject to future posts, but (here is a great resource that lists the social media policies) 

Once an airtight social media policy is in place and your employees are properly trained, you can turn your attention to the common regulatory investigative task of determining “who did what when”.

Which brings us to the critical importance of archiving your employees' social media content in its native format so that you can answer the "who said what and when” question when the regulators ask.

Given the differences in each social media channel, it is important to consider each site's features, in order to determine what needs to be archived.

Take Facebook, for starters. Facebook contains wall posts, your comments and likes and 3rd party comments and likes, personal profiles, business pages, group pages, messages and email, photos and galleries, and notes, all of which need to be captured and archived. Moreover, it's important to note that you should capture Facebook content not only for your employees, but also for the external people who communicate with your employees on Facebook.

Take, for example, a wall post that an employee creates on Facebook. As 3rd parties comment on or like that post, it's critical that you capture and archive that content as well, preserving the full context of a Facebook communication.

As another example, Facebook has built-in messaging capabilities that allow the employee to communicate in a manner akin to email or instant messaging. These communications should be captured and archived as well.

How about Twitter? Twitter includes tweets, re-tweets, your tweets re-tweeted by others, mentions of you by others, direct messages, backgrounds and bios, and once again, all of these should be captured and archived. As with Facebook, this is true of employee-generated content as well as 3rd party content.

For example, if an employee tweets to his or her followers, it’s necessary to capture and archive 3rd party replies to those tweets. And in addition to replying to your tweets, 3rd parties can re-tweet your tweet to their followers. These 3rd party re-tweets should be captured and archived as well.

Twitter also provides the user with the ability to send direct messages to other users on Twitter’s site. Similar to email, these communications should be captured.

In Summary

Regulators are catching up with organizations that are using social media for a variety of business-related purposes. They’ve issued proper-use guidelines and have levied sanctions and fines for misuse. In addition to a proper social media policy, capturing and archiving social media content to answer the “who said what and when” question is critical. The need to respond to regulatory requests in a timely and complete manner is no different for social media than it is for email, so be sure to have a comprehensive solution in place before you embark on your rollout of social media to your employees.

The Proofpoint Social Platform for Archiving

Proofpoint Social Platform for Archiving allows organizations to employ policy-based controls to capture social content so that it can be managed as any other critical information asset. Proofpoint captures social conversational content, by converting user content to email form in real-time, ensuring you remain compliant with your regulatory obligations.

To learn more, visit:

- Christopher Ricciuti 



Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College. 



April 18, 2014

Q. How can a financial services firm comply with SEC 17a3-4 using Office 365?



A. Hold Everything

I received a number of follow-up questions to the post focused on Office 365 and its ability to address complex regulatory and eDiscovery needs; several focused on the following:

“First, a simple question – do you work for a financial services provider? If yes, stop here. Office 365 and Exchange 2013 do not address requirements outlined by SEC 17a3-4 that outline how data must be stored immutably, or supervisory review requirements under FINRA. You should be engaging with archiving or data storage providers to address these requirements.”

It was pointed out to me that there is a way to achieve immutability (as required under 17a3-4): simply use the Rolling Hold feature and place the entire organization on hold. Yes, that's right, the entire organization and all of its data. Call me old fashioned, but this approach takes me back to the good ol' days when organizations did not need to be concerned about unbounded data growth, when information was easy to find, and FRCP, FINRA, and FFIEC were meaningless acronyms. Ah, the good ol' days!

There is a long list of reasons that this is neither an effective information governance nor compliance strategy, but let me attempt to summarize the Top 5 Reasons why financial services organizations should consider other strategies.

1. Information is doubling every 2-3 years, resulting in a ginormous volume of preserved data over time. Office 365 can partially address the storage cost explosion (although it would be interesting to see how this approach would impact licensing cost), but the task of searching and retrieving specific information amongst a large volume of information that should not have been preserved grows exponentially. This will not bode well for timely response to a regulatory inquiry.

2. Preservation obligations are not uniform. Multinational corporations must deal with a patchwork of data privacy and eDisclosure frameworks, so it is unclear how preserving all information from Germany-based users, for example, would work. Additionally, many legal teams have a well-developed posture regarding the risk stemming from over-preservation. This will not be an easy sell with many of them.

3. Financial services mandated retention rules are complex, granular, and evolving. With over 250 new rule sets mandated under Dodd-Frank, plus new rules issued by FINRA and FFIEC, regulatory complexity has never been higher. Consequently, most firms have multiple policies, and those policies are likely to change in the not too distant future. Simply attaining 'immutability' by preserving everything will only further complicate compliance processes that are already stretched to keep up.

4. Disposition complexity. Information that reaches the end of its retention period, say 6 years, would need to be manually removed from rolling holds, unless it was subject to some other legitimate preservation order. For a financial organization with an average of 20 active litigations per year, this would be an incredibly complex task to manage, even if Microsoft eventually develops some command line scripts to help manage it.

5. SEC 17a3-4 is only the beginning. Holding everything is a simple, brute-force method to address some very specific provisions of 17a3-4 (for example, use of spinning media, processes to maintain integral data values, separation of primary and secondary data copies, etc.). Ultimately, only a financial regulator can determine if the “hold everything” approach is adequate. But it is just one set of requirements. Broker dealers need to provide capabilities for supervisory review under FINRA, firms using social media need to preserve that content under guidelines established by FFIEC... the list goes on and on. Immutable storage is one verse of the financial services compliance ballad.

All of which leads to the conclusion that financial services firms are better served by using, in conjunction with Office 365, technology that was designed to deliver on these rigorous regulatory and legal demands. It's time to move past the good ol' days of Hold Everything and ensure that your compliance teams are active participants in the evaluation of new communication platforms.

- Robert Cruz





April 16, 2014

Proofpoint DNS Issues - RESOLVED

UPDATE:  Effective 3:00PM PDT, full DNS resolution of has been restored. No further changes to customer systems should be necessary to resolve or domains.

Again, no action is needed by customers at this time. If workaround changes to MX records were made by customers in the interim per Proofpoint guidance, those changes can remain in place; no action is needed to undo them.

Proofpoint will also continue to proactively reach out to customers to ensure that they're currently able to access all Proofpoint services, and will be releasing an RCA shortly providing more details on the incident, the follow-up, and the structural changes being made to safeguard against any similar situation going forward.

Thank you for your understanding.


--- Original Post ---

Just before midnight Eastern Daylight Time on April 15th, 2014, the Domain Name Registrar that holds Proofpoint's Domain Name Server information (an agency external to Proofpoint) changed the Internet's DNS records so that any internet request seeking any URL containing "" in it was redirected to a "blackhole" DNS entry; i.e., the request did not complete.

Proofpoint was immediately aware of this issue and worked with the Domain Name Registrar to reverse their change.

Unfortunately, the nature of internet DNS is such that central changes propagate through servers at various speeds: some systems reflect changes immediately; others can take hours to do so. As a result, some customers may have experienced transient communications errors.

Again, while at no point was Proofpoint's set of core services down, traffic was unable to find those services if it used DNS lookup rather than direct IP addressing. Customers may therefore have suffered varying degrees of service interruption, driven by changes made to core internet DNS systems outside of Proofpoint’s control. Similar DNS issues have been faced by other major SaaS providers and major brands on the internet as recently as within the last few months.

At this time, Proofpoint is proactively reaching out to customers to ensure that they're currently able to access all Proofpoint services, and in cases where the DNS changes have not yet propagated, to provide alternative DNS or direct IP routing.

We will continue to post status updates as DNS records are restored.
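The propagation problem described above means that, during an incident like this, different resolvers will hand back different answers for the same name. The following is an added example (not Proofpoint's code) of the check an operator can run while records converge: it parses `dig +short` style answers collected from several resolvers and labels each one as fully propagated, partially converged, blackholed/unexpected, or unanswered. The domain, record targets and resolver names are constructed placeholders, since the post elides the real ones.

```python
"""Added example: spot DNS answers that are stale, blackholed or otherwise
unexpected while a registrar-level change propagates.

Assumptions: the expected record targets and resolver names below are
constructed placeholders (the incident post does not give the real domains),
and each resolver's answer is in the format printed by `dig +short`."""

# Constructed placeholders for the authoritative answers you expect to see.
EXPECTED_MX = {"mx1.provider.example.", "mx2.provider.example."}
EXPECTED_NS = {"ns1.provider.example.", "ns2.provider.example."}

# Constructed sample of `dig +short MX <domain> @<resolver>` output, one entry
# per resolver: one fully propagated, one still serving the registrar's
# blackhole answer, and one returning nothing (e.g. SERVFAIL or NXDOMAIN).
SAMPLE_MX_ANSWERS = {
    "resolver-a": "10 mx1.provider.example.\n20 mx2.provider.example.\n",
    "resolver-b": "10 blackhole.registrar.example.\n",
    "resolver-c": "",
}


def parse_dig_short(output: str, rtype: str) -> set[str]:
    """Turn `dig +short` output into the set of record targets it names."""
    targets = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        if rtype == "MX":
            # MX lines look like "<preference> <exchange>"; keep the exchange.
            parts = line.split()
            if len(parts) == 2 and parts[0].isdigit():
                targets.add(parts[1].lower())
        else:
            targets.add(line.lower())
    return targets


def classify(answer: set[str], expected: set[str]) -> str:
    """Label one resolver's answer relative to the expected record set."""
    if not answer:
        return "no-answer"   # nothing resolvable yet: negative cache or error
    if answer == expected:
        return "ok"          # fully propagated
    if answer & expected:
        return "partial"     # mix of old and new data, still converging
    return "unexpected"      # none of the expected targets: blackhole/hijack


def check_resolvers(samples: dict[str, str], rtype: str,
                    expected: set[str]) -> dict[str, str]:
    """Classify every resolver's answer; anything not 'ok' needs attention."""
    return {name: classify(parse_dig_short(out, rtype), expected)
            for name, out in samples.items()}


if __name__ == "__main__":
    results = check_resolvers(SAMPLE_MX_ANSWERS, "MX", EXPECTED_MX)
    for resolver, status in results.items():
        print(f"{resolver}: {status}")
```

In practice the per-resolver strings would come from running `dig +short MX <domain> @<resolver>` against your recursive resolvers and a few public ones, and a resolver stuck at "unexpected" for hours is the signal to apply the direct-IP or MX workaround the post mentions.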

