Proofpoint: Security, Compliance and the Cloud

39 posts categorized "Privacy"

February 22, 2011

Email Security & Compliance for Healthcare: Customer Case Studies, HIMSS 2011 Conference

Regular Proofpoint followers and readers of this blog are familiar with the many email security and compliance concerns around private healthcare information ("PHI").

Ensuring compliance with the data security and privacy rules of HIPAA (and the more recent "HITECH" updates to the HIPAA regulation) is critical for healthcare organizations, obviously, but these rules also apply to many other organizations that also handle healthcare information.

Today's Proofpoint press release, "Demand for Proofpoint’s Security and Compliance Cloud Solutions Grows in Healthcare" highlights three healthcare industry customers who use Proofpoint's SaaS security and compliance solutions to secure inbound email, detect and protect (or encrypt) private healthcare information in outbound email and archive email to meet compliance and eDiscovery requirements.

Proofpoint is (not coincidentally) also exhibiting this week at the HIMSS 2011 conference (the leading healthcare IT conference and exhibition) in Orlando, Florida. If you're attending that event, do visit the friendly and knowledgeable staff at Proofpoint's booth (#4001) to learn more about how Proofpoint can help your organization with HIPAA/HITECH compliance and data security.

For example, our announcement today explains how Scottsdale Healthcare, a not-for-profit healthcare system based in Arizona, uses Proofpoint's SaaS solutions for anti-spam as well as for email encryption, ensuring that HIPAA-regulated healthcare information is protected in outgoing email. Scottsdale Healthcare is also the subject of a new case study (PDF format), which you can download via this link: "Case Study: Scottsdale Healthcare Relies on Proofpoint to Cure Spam and Email Encryption Challenges."

Mike Gleason, director of information services at Scottsdale Healthcare, explains, “For our organization, if any information in the body of an email or an attachment contains a social security number, a credit card number, patient identifier, or other sensitive data, it will be captured and secured. These types of data are automatically encrypted, and then forwarded on, which helps us avoid sending out emails that contain sensitive information or patient privacy data to domains outside our organization.”

Another organization, Kelsey Seybold Clinic of Houston, Texas, is moving its deployment of the Proofpoint Enterprise Protection email security solution from an on-premises deployment to Proofpoint's cloud-based (SaaS) offering.

Martin Littmann, director of IT systems for Kelsey Seybold Clinic, says, “After comparing costs between different deployment types, we were convinced that moving Proofpoint’s protection solution to the cloud would save us time and money, and that our resources would no longer be stretched.”

And at Community Memorial Health System (Ventura County, California), Proofpoint's entire suite of SaaS security and compliance solutions guards against inbound threats, ensures patient privacy and archives email for 2000 mailboxes.

Explaining why his organization chose Proofpoint, Thomas Kniss, CMHS's director of clinical information systems, noted that, “Proofpoint has a very impressive list of current healthcare customers, and it was important that our vendor have experience and a successful track record of providing security solutions to healthcare organizations. Proofpoint’s knowledge and capabilities of smart identifiers and HIPAA dictionaries were a key deciding factor as well.”
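The outbound policy Mike Gleason describes above (capture social security numbers, card numbers and patient identifiers in the body or an attachment, then encrypt before the message leaves for an external domain), together with the idea of validated "smart identifiers" that Thomas Kniss mentions, as an added Python illustration. This is example code, not Proofpoint's product logic: the internal domain, the SSN and card patterns, the Luhn check standing in for identifier validation, the MRN format and the sample messages are all constructed for it.

```python
"""Outbound DLP policy check (illustration only, not Proofpoint code).

Scans the body and attachment text of an outbound message for regulated
identifiers and decides whether it must be encrypted before delivery.
Validation (here a Luhn check on card candidates) is what keeps an
arbitrary 16-digit order number from triggering encryption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTERNAL_DOMAIN = "example-health.org"  # constructed placeholder domain

# Constructed patterns: US SSN with the invalid area/group/serial ranges
# excluded, 13-19 digit card candidates with optional separators, and an
# assumed "MRN: <digits>" patient-identifier format.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MRN_RE = re.compile(r"\bMRN[:#]?\s*(\d{6,10})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Message:
    sender: str
    recipients: List[str]
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # name -> extracted text


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) pairs for every validated identifier in text."""
    hits = [("ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):  # pattern alone is not enough; validate the candidate
            hits.append(("card", "****" + digits[-4:]))
    hits += [("patient_id", "MRN ****" + m.group(1)[-4:]) for m in MRN_RE.finditer(text)]
    return hits


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def evaluate(msg: Message) -> dict:
    """Apply the policy: sensitive data bound for an outside domain gets encrypted."""
    findings = find_identifiers(msg.body)
    for text in msg.attachments.values():
        findings += find_identifiers(text)
    external = any(is_external(r) for r in msg.recipients)
    action = "encrypt" if findings and external else "deliver"
    return {"action": action, "external": external, "findings": findings}


# Constructed sample messages (no real data).
SAMPLE_PHI = Message(
    sender="nurse@example-health.org",
    recipients=["billing@partner-insurer.example"],
    body="Please process the attached claim. Patient MRN: 00412345.",
    attachments={"claim.txt": "SSN 123-45-6789, card 4111 1111 1111 1111"},
)
SAMPLE_INTERNAL = Message("nurse@example-health.org", ["records@example-health.org"],
                          SAMPLE_PHI.body, SAMPLE_PHI.attachments)
SAMPLE_CLEAN = Message("ops@example-health.org", ["vendor@supplier.example"],
                       "Order ref 4111 1111 1111 1112 shipped.")  # fails Luhn: not a card

if __name__ == "__main__":
    for sample in (SAMPLE_PHI, SAMPLE_INTERNAL, SAMPLE_CLEAN):
        print(evaluate(sample))
```

The same body and attachment are delivered unencrypted to the internal recipient, which mirrors the "domains outside our organization" condition in the quote rather than a blanket rule.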

Another good resource for healthcare organizations is the Proofpoint whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email (click the link to register).



February 16, 2011

Live Webinar: Social Media Risks in the Enterprise - Mitigating Data Loss, Compliance and Discovery Dangers

Our live web seminar series continues on Wednesday, March 9th at 11 AM Pacific Time, 2 PM Eastern Time, with "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers."

We post about social media risks, policies and trends fairly regularly here (see the social media category), and our annual research on data loss issues shows that social media channels (including Facebook, LinkedIn, Twitter and other sites) are increasingly the source of data breaches (see this post for a video overview of our 2010 findings).

In response, about half of organizations simply prohibit access to popular social media sites. But over the long term, that approach will be less effective as social media becomes more and more ingrained into how companies do business. So our feeling is that companies need to address social media risks in the same way that most of them address email security risks—via a combination of policy and technology.

In addition to data loss and compliance issues, one very new area of concern is the archiving, retention and discovery of social media content. In many cases, social media communications such as corporate tweets, Facebook posts/messages, etc. can be considered business records and could be subject to the same sorts of discovery rules as corporate emails. (See this recent CIO article for an interesting overview and introduction to this topic, "Why Your Records Retention Policy Should Include Social Media".)

Our upcoming webinar will have both Robert Cruz, our director of eDiscovery solutions, and Rami Habal, our director of product management and expert on all things DLP, on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link—Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers—or simply fill out the form below:

January 13, 2011

Top Ten Privacy Predictions 2011: Follow-up and Links from Yesterday's Live Web Seminar

Thanks to the hundreds of you who tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues," where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today

Privacyrights.org's running list of data breaches can be found here:
http://www.privacyrights.org/data-breach

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:
http://www.proofpoint.com/outbound

Prediction 1: Mobility & Location-based Info Becomes a Major Concern

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at http://www.proofpoint.com/outbound.

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to the privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Links for the State of Massachusetts FAQ on 201 CMR 17, and an interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, http://www.proofpoint.com/outbound is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

The statistic about the level of concern around FTP as a source of data loss risk is, once again, from http://www.proofpoint.com/outbound. And visit this link for information on the Proofpoint Secure File Transfer solution.

Q&A Session

In my comments, I mentioned the recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:

http://www.proofpoint.com/id/top10privacy/index.php?id=6



December 22, 2010

Put Social Media Policies on Your List of New Year's Security and Privacy Resolutions

Over at Baseline magazine this week, writer Nick Wreden has a good article on "Social Media Policy Development," summarizing that organizations need to develop firmly written, clearly communicated policies around all types of electronic communications, including those conducted via social media channels.

This is still a sometimes-overlooked area of policy development and, if your organization hasn't yet communicated specific policies around keeping confidential (or regulated) information secure over social media channels, I'd suggest you put this on your "to do" list for the new year.

Nick quotes our oft-cited statistics about data loss and social media in large enterprises, noting that our 2009 research found that "34 percent reported that a loss of sensitive information had affected business. The same study found that 13 percent had investigated troublesome Twitter usage, and 15 percent had disciplined employees for unauthorized posting of videos on YouTube and similar sites."

Note that these numbers increased in 2010 (and you can get a copy of our latest report, "Outbound Email and Data Loss Prevention in Today's Enterprise, 2010," at http://www.proofpoint.com/outbound). Our report also shows that, while acceptable use policies for email are almost universally adopted, there are still a substantial number of organizations that do not yet have formal policies in place around the use of social media sites (including blogs, message boards, social networks, short message services like Twitter and media sharing sites like YouTube).

As I always suggest when considering acceptable use policies for email, when creating these sorts of policies for social media, I'd encourage organizations to focus on the data loss and compliance risks associated with social media sites, not just the "time wasted" aspects of same.

Keep in mind that the cost of a single low-performing employee (who, for example, spends too much time at work engaged in non-work-related social media) is completely bounded by that employee's salary (and such problems are fairly easily addressed). However, a single data loss/breach incident can cost hundreds of thousands or even millions of dollars in remediation costs, potential fines, brand damage and lost business.

The article over at Baseline has some other good suggestions around social media policy development and some real-world examples of what enterprises such as EMC, Xerox and Mel-O-Cream are doing to address the risks associated with social media.

Note also that I'll be touching on this topic a bit in our next live web seminar (January 12th), "Top 10 Privacy Issues for 2011." Do join me! You can register here: http://www.proofpoint.com/id/top10privacy/index.php

December 17, 2010

Taking a Deep Breath: Analyst Rich Mogull Puts Recent Security Breaches in Perspective

Analyst Rich Mogull (follow him on Twitter as @rmogull) of Securosis has an interesting byline in DarkReading's "Hacked Off" blog today, commenting on several of the latest info security incidents including Wikileaks exposures, McDonalds mailing list exposure, Gawker password theft, "cyberwar" and a lot more.

Check out Rich's post, "Take a Deep Breath: In the midst of the recent surge of security hype and angst, a dose of perspective."

The net-net of Rich's argument is that "security isn't failing." Yes, there have been some high-profile IT security incidents lately, and security as a concept and concern is getting a huge amount of exposure in both business and popular media lately, but the sky's not falling (which one might think, if one read every article that's been published lately involving security risks).

I especially agree with his points about eliminating incidents like WikiLeaks... "Yes, the DoD made Bradley Manning's crime easier than it should have been due to some lax controls, but even with the best security in place leaks like this will happen."

Of course, this doesn't argue against deploying data loss prevention and related technology—the vast majority of breaches could be described as non-malicious, inadvertent or the result of careless but well-intentioned actions (see for example, this email-related breach of healthcare information at Connecticut's Department of Public Health, which should have been blocked by a gateway DLP solution)—but reminds us that improving IT security involves policy, technology and human factors.

Rather than cribbing Rich's entire article, I encourage you to read it here.


December 14, 2010

Email Privacy Protected by Fourth Amendment, Says US Sixth Circuit Court of Appeals


The EFF (Electronic Frontier Foundation) claimed a victory today as the US Sixth Circuit Court of Appeals ruled on the so-called Warshak case (United States of America versus Steven Warshak, Harriet Warshak and TCI Media, Inc.) finding in essence that the government must have a search warrant before it can seize and search email messages stored by email service providers.

The court ruled that, in the absence of a search warrant, email users have a reasonable expectation of privacy in their email messages (similar to that afforded to postal mail and telephone calls) when it comes to government/law enforcement scrutiny. The EFF's announcement excerpted this part of the court's opinion:

"Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection.... It follows that email requires strong protection under the Fourth Amendment; otherwise the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve.... [T]he police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call--unless they get a warrant, that is. It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber's emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement..."

Somewhat ironically, this ruling stems from the criminal case of Steven Warshak, founder of a company best-known for its Enzyte "male enhancement" pills, widely advertised using the "Smilin' Bob" character pictured here.

The Sixth Circuit Court's ruling doesn't vacate Warshak's conviction on 93 counts of fraud, conspiracy and money laundering, but other reports say that the finding may reduce the 25-year prison sentence he previously received.

The full text of the court's ruling contains a rather extensive summary of the fraudulent activities in which Warshak was engaged including false advertising, phony testimonials and scientific studies, etc.

Note that the court's ruling applies to government search and seizure of email. It doesn't change other expectations of privacy around email, such as the privacy of one's email sent from or through an employer's computer systems. Neither does the ruling impact the efficacy of "male enhancement" products. Caveat emptor.

December 14, 2010

Live Web Seminar: Top 10 Privacy Issues for 2011


Hard to believe another year has almost come to a close... Proofpoint's live web seminar series will kick off another terrific year of programming on Wednesday, January 12th, 2011 with:

2011 Predictions: Top 10 Privacy Issues »

I'll be making one of my occasional webinar appearances, discussing the top policy, technology and regulatory trends that will dominate privacy discussions in the coming year with our resident email security and data loss prevention expert, Ken Liao.

In addition to our top 10 privacy predictions for 2010, we'll also be sharing some actionable advice about what organizations should do today, to better protect sensitive information in the coming year.

As regular readers of this blog know, data loss risks are generally on the upswing and your customers and business partners are more concerned than ever about how you handle their private data. I'm sure this will be a lively presentation — touching on diverse topics including social media, email, encryption regulations, acceptable use policies and a lot more — and as always, we'll answer your questions during the live Q&A period. 

Register here (and, as usual, all registered attendees will receive a link to the webinar replay).

I hope you'll join me... In the meantime, have a happy and safe holiday season!

December 08, 2010

CEO Series Video: Why Privacy Matters Today

In this first of a series of videos about security and compliance issues in today's enterprise, Proofpoint CEO Gary Steele talks about why consumer privacy is such a hot-button issue, some of the implications for enterprises and gives several tips for how companies can better protect confidential and private information.

As Gary notes, "Today's consumer expects, when they give their information to you, that you'll properly control and manage that."


Viewers concerned about protecting private data may also find the following Proofpoint resources useful:

Gartner 2010 Content-Aware Data Loss Prevention FAQs: This complimentary Gartner report shares best practices for preventing data loss.

Outbound Email and Data Loss Prevention in Today's Enterprise: Proofpoint's 2010 statistics on enterprise data loss events, policies and much more.

Protecting Enterprise Data with Proofpoint Encryption: This whitepaper provides information on how enterprises can better protect confidential data using email encryption and how Proofpoint's SaaS-powered email encryption technology works. 

November 29, 2010

IT Predictions for 2011: Proofpoint's Top 10 Privacy Issues for 2011

As is traditional during the fourth quarter, IT vendors begin putting out predictions for the coming year and Proofpoint issued a press release today predicting the top 10 privacy issues for 2011 and how enterprises will respond. 

Both consumer privacy concerns and an increasing number of regulations will encourage many organizations to review the way that they handle private information in 2011. As a result, many will deploy new data protection policies, procedures and technology solutions to better protect private and confidential information.

Here are Proofpoint's predictions for the top 10 privacy issues in 2011:

1. The privacy and confidentiality of location-based information will become a major concern for both consumers and corporations. With the rise in mobile GPS information, companies will have to protect both personally identifiable information (PII) of employees, customers and partners, and also create new policies for handling location-based information. Not only will real-time information about location be a vulnerability, but companies will have access to information about where people (or their devices) spend much of their time.

2. At least one major social media site will experience a major breach. According to Nielsen, nearly a quarter (22.7%) of all online time is spent social networking. With more people on social networks and more personal information available via those networks, the potential for exposure of that data is likely.

3. Stricter data privacy regulations will be passed worldwide. Privacy regulations in the healthcare, financial services and critical infrastructure industries like energy and telecommunications will likely see new regulations dictating what needs to be protected and what to do when data loss occurs.

4. Expect a US national data breach notification law. Notification laws like California’s SB 1386 exist in 46 of 50 states today. A federal law is imminent.

5. Blended threats will increase. While email is still the number one threat vector for personal information loss, threats from newer communications channels are increasing, especially in the form of blended threats where the target is first attacked through email, then directed to Web or social media.

6. At least one company will be prosecuted under the broad-reaching Massachusetts Privacy Law (201 CMR 17.00). In March of this year, the Massachusetts Privacy Law went into effect, mandating that any company that “owns or licenses” personal information—whether stored in electronic or paper form—about Massachusetts residents must comply with its privacy requirements, including notification of breaches and encryption of stored or transmitted personal data. Although the state has yet to enforce the law, 2011 will likely be the year that companies begin seeing penalties. In addition, we may see more laws of this type passed in 2011. Nevada also has a similar law.

To deal with these threats, the following additional trends will emerge among businesses:

7. Companies will move away from outright bans on social networks, IM or web mail to allowing those services, but applying stricter corporate policies on these new services as well as investing in secure web gateways to monitor use. New innovations such as Facebook mail give enterprises yet another good reason to put better policy and technology controls around the corporate email system.

8. More companies will create policy around acceptable use. Email leaks such as the recent Google corporate memo exposure are heightening awareness in companies that policies need to be created about what content is considered sensitive and enforce them both through technology and through training.

9. More companies will encrypt more data. Three factors are converging to make 2011 the year of encryption adoption: (1) More regulations today require encryption. (2) It’s become a best practice in many industries. (3) It’s easier to implement and less confusing for users. With processing power increasing and companies like Proofpoint innovating, encryption has become faster and easier to implement and use.

10. More interest in secure managed file transfer. Driven by privacy considerations and security flaws in FTP, more companies will be implementing reliable ways to send files securely. With data breach notification laws in place in nearly every state, companies cannot risk losing data through FTP security issues.

Related Resource

For some actionable advice about improving privacy protection and guarding against data loss, see Gartner's 2010 Content-Aware Data Loss Prevention FAQs report, which you can download compliments of Proofpoint at the following URL:

http://www.proofpoint.com/id/gartner-data-loss-prevention-dlp-faq-report/index.php?id=6

This 8-page report describes Gartner's advice about the best approaches and benefits of deploying data loss prevention (DLP) solutions. It lists many of the typical questions asked by Gartner clients and provides answers that are applicable to the most common DLP scenarios.

November 17, 2010

Video: Get a Live Demo of Proofpoint Enterprise Email Security

While we regularly post notes here about upcoming web seminars, I also wanted to mention that Proofpoint holds regularly-scheduled live online demonstrations of our Proofpoint Enterprise email security and data loss prevention solution.

In fact, the next one is coming up tomorrow, November 18th at 11:00 a.m. PT / 2:00 p.m. ET. There's still time to register by visiting the following link:

Register for an upcoming Proofpoint Enterprise live demo

Even if you're seeing this post after that time, you can always register for a future demonstration via that page. These demos are a great opportunity to get a comprehensive overview of Proofpoint Enterprise Protection's email security features, Proofpoint Enterprise Privacy's DLP and email encryption features, and to get your questions answered by Proofpoint experts.

For a brief preview of what these demos cover, check out this short video (which you can also find in the left hand column of most pages in the Proofpoint website):


©2012 Proofpoint, Inc.