Proofpoint: Security, Compliance and the Cloud

46 posts categorized "Privacy"

September 06, 2011

Email Encryption: New Osterman Research Whitepaper Says Encryption Investments "Pay for Themselves"

Download this Email Encryption White Paper from Osterman Research

Our friends at Osterman Research recently published a new white paper - How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization- about email encryption and similar topics. You can get a free copy, compliments of Proofpoint, by following the link or by filling out the form at the bottom of this post.

In this new report, Osterman Research notes that investments in encryption "pay for themselves" through a number of different avenues. As regular readers of this blog are aware, encryption technologies can play a crucial role in regulatory compliance and regulatory fine avoidance. But email encryption and other types of encryption can also enable secure business and deliver other forms of business value, as described in this new paper.

If you're looking for help in creating a business case for deploying an encryption solution (such as the Proofpoint Encryption email encryption solution), this 15-page report can be extremely helpful. It includes a good summary of the various US state laws that govern security breach notification (or that may require or imply encryption) as well as the many US and international regulatory obligations (such as GLBA, PCI-DSS, FINRA, HIPAA, the UK DPA, Canada's PIPEDA) that imply similar requirements.

To read a copy of the complete Osterman Research report, register at the following link — How Encrypting Content in Transit and at Rest Reduces Liabilities and Costs for any Organization — or simply complete the form below:


June 27, 2011

Microsoft Data on Phone Phishing Scams: No, Security Engineers from Legitimate Companies Won't Call & Request Your Credit Card Number

Our partner Microsoft recently published results of a survey revealing a new kind of internet scam that involves criminals calling people at home to tell them their computers are not fully protected from security threats.  The callers request remote access to users’ computers and credit card information by posing as computer security engineers from legitimate companies.

And, of course, once granted access to that information they "run through a range of deception techniques designed to steal money," according to Microsoft's announcement.

Out of 7,000 users surveyed in the U.K., Ireland, U.S. and Canada, 15 percent received a call from scammers and 3 percent fell for the scam.  The average amount of money stolen was $875 and the average cost of repairing damaged computers was $1,730.

Richard Saunders of Microsoft says, “Criminals have proved once again that their ability to innovate new scams is matched by their ruthless pursuit of our money.” 

The line between legitimate calls and malicious schemes can be blurry at times as we often give out credit card information over the phone to pay for bills and order products.  This is especially true with older generations that may not be technically savvy enough to distinguish the difference. 

Microsoft offers some tips on how to protect yourself:

  • Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company.
  • Never provide personal information, such as credit card or bank details, to an unsolicited caller.
  • Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue.

You can also protect yourself online by following Proofpoint's “seven simple rules for staying safe online.”


June 16, 2011

Was Your Email Address Leaked by LulzSec?

LulzSec recently released 62,000 emails and passwords to the public through the group’s Twitter account.  The tweet was shortly deleted but many have already downloaded the list. developed a simple tool that allows you to check whether your email was part of the leak. 

Our friend at F-Secure, Mikko H. Hypponen, tweeted that the emails and passwords might have originated from

"Why Well, the most common passwords include these: mystery, bookworm, reader, romance, library, booklover and..writerspace."

As a friendly reminder, change your passwords often and use passwords with special characters and numbers.

See my previous blog post on LulzSec.

May 04, 2011

Learn About 2011's Top Five Email Security and Collaboration Risks in Healthcare in Our May Webinar

Proofpoint's live web seminar series continues on Wednesday, May 18th with "Healthcare Privacy 2011: Top 5 Messaging and Collaboration Risks." Proofpoint data loss prevention expert Rami Habal will discuss:

  • How hospitals, HMOs and other medical providers can manage email and social media content in compliance with privacy regulations
  • How advances in policy-based email encryption can greatly simplify administration, reduce costs and improve usability for both desktop and mobile email recipients
  • The impact of regulations—including HIPAA/HITECH—on data privacy and retention policies in the healthcare industry
  • Recommendations for taking a proactive approach to archiving email and other communications in the event of litigation or regulatory investigation
  • Trends in inbound threats that could compromise your email and messaging infrastructure, and expose private data
  • How other leading healthcare organizations have tackled today’s critical messaging and collaboration challenges, while improving patient care.

To register, follow the link above, or simply fill out the form in this blog post.

April 14, 2011

Video: Password Security Tips from Proofpoint Customer Tony Hildesheim, Redwood Credit Union

Recently, Proofpoint customer Redwood Credit Union was kind enough to host me at their headquarters in sunny Santa Rosa, California, where Senior Vice President of IT, Tony Hildesheim took time out of his busy schedule to talk with me about how his organization uses Proofpoint to keep both employees and credit union members secure.

As part of that interview, Tony talked about some of the most serious threats that he sees to his members' security. In this excerpt, Tony gave some terrific advice about one of the most important things that web users can do to protect their safety: Use best practices for passwords.

 Check out this short video and feel free to share it with your friends, staff, users, etc.

In this short video, Tony explains how phishing attacks (and variations like vishing and smishing) attempt to get users to give up account credentials by appealing to greed, fear and/or charity.

Using best practices for your passwords can help protect you from these attacks. Tony recommends the following: Use strong passwords (that combine alpha, numeric and special characters), change them often and always use different passwords for different accounts.

Great advice, especially in light of some of the big security breaches we've seen in 2011 (for more on this topic, see my posts State of Texas Exposes Personal Information on 3.5 Million Residents - More Serious than Epsilon Breach? and Stay Safe from Email Threats in the Wake of Epsilon Email List Breach).

I've got more video with Tony talking about how his organization uses Proofpoint, too. Will post those to the blog shortly, but you can also go see them right now at with many other interesting Proofpoint videos).

April 12, 2011

State of Texas Exposes Personal Information on 3.5 Million Residents - More Serious than Epsilon Breach?

Regular readers of this blog realize that inadvertent exposures of personal and/or confidential data and violations of regulations (and best practices) for data protection are far from rare (see our annual statistics about data loss, for example), but lately we've seen some huge ones.

In the wake of the recent Epsilon data breach — which exposed only email addresses — comes news of a potential data exposure at the State of Texas involving the email addresses, physical mailing addresses, Social Security Numbers and possibly dates of birth and driver's license numbers of 3.5 million residents.

Kevin Fogarty over at ITworld has a great summary in a blog post from late yesterday (see, "Texas Security Gaffe Dwarfs Epsilon Data Breach"). In short, the Texas state comptroller's office discovered that the records in question had been inadvertently placed on a publicly-accessible server — completely unencrypted — and had been there for as long as a year before being discovered.

As Fogarty notes in his post, this exposure is potentially much more serious than the Epsilon breach, since so much more personally identifiable information was exposed — potentially making those residents prime targets for identity theft, phishing attacks or other forms of fraud. He writes:

"Lost data is often, as with Epsilon, only partial - emails, street addresses or whatever.

Putting full employment and retirement records on a public server, with all the relevant data an identity thief would need to clone and reuse you, and leaving them there for a year?

Texas wins this one hands down over Epsilon. (Although, serendipitously, Epsilon is based in Irving, Texas.)"

As reported by Reuters (see "Private Records of 3.5 Million People Exposed by Texas"), Texas State Comptroller Susan Combs said that there was no indication that any of the information had yet been misused. However, all affected people are being sent letters this week, notifying them of the potential breach.

"I deeply regret the exposure of the personal information that occurred and am angry that it happened," said Combs. "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered, and was then moved to a secure location."

See my previous post on the Epsilon breach for a recap of Proofpoint's "Seven Simple Rules for Staying Safe Online."

February 24, 2011

Kids, Privacy and SSNs: Why Children are a Top Target for Identity Theft

Over at the Huffington Post this week, there have been a couple of posts about Google having collected partial Social Security Numbers of children as part of the entry requirements for the company's "Doodle-4-Google" contest. (Helpful to start with Larry Magid's post today, "Why Google Stopped Collecting the Last 4 Digits of Kids' Social Security Numbers" which is a follow-up to Bob Bowdon's article, "Why Has Google Been Collecting Kids' Social Security Numbers Under the Guise of an Art Contest?").

As Bob Bowdon pointed out, collecting even partial SSNs can be a pretty big data security and privacy issue since the complete, accurate SSN can often be guessed based on other data such as the person's city and year of birth (which, apparently, Google was also requesting). See this Datamation article, "Social Security Numbers Easy to Hack", which talks about some really interesting research about predicting social security numbers from publicly-available data.

Apparently what the Google contest organizers were trying to do is use partial SSNs as a way of uniquely identifying contest entrants and "de-duplicating" duplicate/multiple entries. Yeah, probably a bad idea on several levels and I won't belabor that point.

Of course, there are many organizations that do have to collect and ensure the security of private identity, healthcare and financial information about children. Recently, I had the chance to interview Proofpoint customer Matt Johnston,who is the senior security analyst for Children's National Medical Center, a leading pediatric hospital based in the metro Washington DC area.

One of the most interesting things that he told me is that children are one of the top targets for identity theft. I hadn't really thought about this before, but it makes sense.

As Matt told me, children have new or "clean" records. They don't have established credit histories and outside of core identifiers like a social security number and birth record, there aren't many other public records associated with a child's identity. This makes that data easier to use in identity theft/fraud and, as a result, personal identity information about children fetches a premium on the black market.

So organizations like Children's National Medical Center have to take privacy protection and data security extremely seriously. As a healthcare organization, CNMC has to comply with HIPAA healthcare privacy regulations, but as Matt explained to me, they go to great lengths to protect their patients' data not just because its required by law but because its part of their core mission of protecting and caring for children.

Matt talks about these issues, how his organization uses Proofpoint's SaaS email security and email encryption solutionsand why he chose Proofpoint (and why deploying those solutions in the cloud was the right decision for CNMC) in this short video:

My thanks once again to Matt for graciously taking the time to share his insights with us!

February 22, 2011

Email Security & Compliance for Healthcare: Customer Case Studies, HIMSS 2011 Conference

Proofpoint-Email-Security-and-Compliance-Healthcare-Case-Study-Scottsdale-HealthcareRegular Proofpoint followers and readers of this blog are familiar with the many email security and compliance concerns around private healthcare information ("PHI").

Ensuring compliance with the data security and privacy rules of HIPAA (and the more recent "HITECH" updates to the HIPAA regulation) is critical for healthcare organizations, obviously, but these rules also apply to many other organizations that also handle healthcare information.

Today's Proofpoint press release, "Demand for Proofpoint’s Security and Compliance Cloud Solutions Grows in Healthcare" highlights three healthcare industry customers who use Proofpoint's SaaS security and compliance solutions to secure inbound email, detect and protect (or encrypt) private healthcare information in outbound email and archive email to meet compliance and eDiscovery requirements.

Proofpoint is (not coincidentally) also exhibiting this week at the HIMSS 2011 conference (the leading healthcare IT conference and exhibition) in Orlando, Florida. If you're attending that event, do visit the friendly and knowledgeable staff at Proofpoint's booth (#4001) to learn more about how Proofpoint can help your organization with HIPAA/HITECH compliance and data security.

For example, our announcement today explains how Scottsdale Healthcare, a not-for-profit healthcare system based in Arizona, uses Proofpoint's SaaS solutions for anti-spam as well as for email encryption, ensuring that HIPAA-regulated healthcare information is protected in outgoing email. Scottsdale Healthcare is also the subject of a new case study (PDF format), which you can download via this link: "Case Study: Scottsdale Healthcare Relies on Proofpoint to Cure Spam and Email Encryption Challenges."

Mike Gleason, director of information services at Scottsdale Healthcare, explains, “For our organization, if any information in the body of an email or an attachment contains a social security number, a credit card number, patient identifier, or other sensitive data, it will be captured and secured. These types of data are automatically encrypted, and then forwarded on, which helps us avoid sending out emails that contain sensitive information or patient privacy data to domains outside our organization.”

Another organization, Kelsey Seybold Clinic of Houston, Texas, is moving its deployment of the Proofpoint Enterprise Protection email security solution from an on-premises deployment to Proofpoint's cloud-based (SaaS) offering.

Martin Littmann, director IT systems for Kelsey Seybold Clinic, says, “After comparing costs between different deployment types, we were convinced that moving Proofpoint’s protection solution to the cloud would save us time and money, and that our resources would no longer be stretched.”

And at Community Memorial Health System (Ventura County, California), Proofpoint's entire suite of SaaS security and compliance solutions guards against inbound threats, ensures patient privacy and  archives email for 2000 mailboxes.

Explaining his organization chose Proofpoint, Thomas Kniss, CMHS's director of clinical information systems, noted that, “Proofpoint has a very impressive list of current healthcare customers, and it was important that our vendor have experience and a successful track record of providing security solutions to healthcare organizations. Proofpoint’s knowledge and capabilities of smart identifiers and HIPAA dictionaries was a key deciding factor as well.”

Another good resource for healthcare organizations is the Proofpoint whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email (click the link to register).

February 16, 2011

Live Webinar: Social Media Risks in the Enterprise - Mitigating Data Loss, Compliance and Discovery Dangers

Social-media-risks Our live web seminar series continues on Wednesday, March 9th at 11 AM Pacific Time, 2 PM Eastern Time, with "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers."

We post here about social media risks, policies and trends fairly regularly here (see the social media category), and our annual research on data loss issues shows that social media channels (including Facebook, LinkedIn, Twitter and other sites) are increasingly the source of data breaches (see this post for a video overview of our 2010 findings).

In response, about half of organizations simply prohibit access to popular social media sites. But over the long term, that approach will be less effective as social media becomes more and more ingrained into how companies do business. So our feeling is that companies need to address social media risks in the same way that most of them address email security risks—via a combination of policy and technology.

In addition to data loss and compliance issues, one very new area of concern is the archiving, retention and discovery of social media content. In many cases, social media communications such as corporate tweets, Facebook posts/messages, etc. can be considered business records and could be subject to the same sorts of discovery rules as corporate emails.  (See this recent CIO article for an interesting overview and introduction to this topic, "Why Your Records Retention Policy Should Include Social Media").

Our upcoming webinar will have both Robert Cruz, our director of eDiscovery solutions, and Rami Habal, our director of product management and expert on all things DLP, on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link—Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers—or simply fill out the form below:

January 13, 2011

Top Ten Privacy Predictions 2011: Follow-up and Links from Yesterday's Live Web Seminar

Crystal-Ball-2011-iStock_000014994170SmallThanks to the hundreds of you that tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues" where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today's running list of data breaches can be found here:

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:

Proofpoint-Top-Ten-Privacy-Webinar-2011-Slide-1 Prediction 1: Mobility & Location-based Info Becomes a Major Concern

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Links for the State of Massachusetts FAQ on 201 CMR 17, and interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

Statistic about level of concern around FTP as a source of data loss risk is, once again, from And visit this link for information on the Proofpoint Secure File Transfer solution

Q&A Session

In my comments, I mentioned recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:


Blog Search

Email Security Gateways, 2012

Magic Quadrant


What people are saying right now about us.

©2012 Proofpoint, Inc.
threat protection: Proofpoint Enterprise Protection compliance: Proofpoint Enterprise Privacy governance: Proofpoint Enterprise Archive secure communication: Proofpoint Encryption