Proofpoint: Security, Compliance and the Cloud


August 22, 2014

ILTA14 Highlights the Importance of CTRL

#ILTA14 Marks Debut of CTRL: The Coalition of Technology Resources for Lawyers

http://www.businesswire.com/news/home/20140820005167/en/ILTA-Marks-Debut-CTRL-Coalition-Technology-Resources#.U_TJ1GMx5i8

End of another great ILTA conference, with plenty of interest around information and cloud, and a significant increase in interest around data privacy and security. ILTA also provided a good forum to launch an interesting new initiative, the Coalition of Technology Resources for Lawyers (CTRL), which aims to address the challenges created by the lack of standards and of a shared cross-functional vocabulary to describe the intersection of technology and the daily needs of those in the legal profession. The challenge the coalition expects to tackle is well stated on the CTRL website (http://ctrlinitiative.com/):

The availability of technology—even within the practice of law—has increased just as has the volume and complexity of discoverable information. But instead of the discovery process benefiting directly from these advances, technological unease has resulted largely in an e-discovery culture of bare-bones compliance, where technology remains a necessary evil and little more than a tactical means-to-an-end within a deadline-intensive environment.

We believe the initiative is directly in line with our history and strategy of helping our clients to proactively control and protect critical information. Our involvement is driven by several factors:

  • The unchecked growth of data volume and proliferation: as stated many times here, information is doubling in the next 2.5 years, with more of it existing uniquely in mobile, social and cloud. The challenge of controlling information will never get any easier, and the need for standards to drive greater data leverage and re-use has never been greater.
  • The collision of InfoGov and eDiscovery: moving away from the tactical, event-driven model of Discovery starts with arriving at a cross-functional view of data value and risk; efforts such as CTRL can help drive the vocabulary.
  • The trend toward converged InfoGov and InfoSec priorities: as soon as the eDiscovery world begins to embrace the InfoGov concepts and stakeholders, we are seeing another set of stakeholders join the discussion, representing information security and data privacy. The reasons are obvious given the frequency and repercussions of data breaches. The addition of the Chief Security Officer adds yet another language and set of priorities, but one that must be heard in order to move away from the culture of bare-bones compliance.

We look forward to contributing to the dialog.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.


August 12, 2014

Top 5 InfoGov Drivers of 1H 2014

We are a bit late, but thought it would be a good time to revisit some of the key drivers that have shaped the #InfoGov landscape in the 1st half of 2014. A few surprises in comparing to our January predictions (http://blog.proofpoint.com/2014/01/top-5-infogov-trends-for-2014.html), but the general trend line shows that information governance is becoming prioritized as a top initiative by more organizations than ever. So, here are the Top 5 InfoGov Drivers we've seen so far this year:

  1. Cloud buyers become more discriminating: without a doubt, cloud adoption has accelerated in the first half of 2014, in particular in application areas that have been plagued with unchecked data growth and the resulting challenge and headache of managing large on-premises data repositories. In fact, Gartner has stated that over 70% of all new information archive deployments are now cloud-based. However, as the range of use cases where cloud-based options are available expands, buyers have also become more rigorous in their due diligence efforts. For example, those with larger volumes of eDiscovery with multi-national scope are diving deeper into the cloud provider's ability to meet the complex web of regulatory and data privacy requirements. Clearly, cloud-based solutions are not homogeneous, and cloud market maturity is driving buyers toward solutions designed to meet their use cases as opposed to merely providing cheaper storage and reduced IT hassle. There is no 'one-size-fits-all' in the cloud. (Robert)
  2. Office 365 adoption continues: Microsoft continues to invest heavily in Office 365, and appears to be pleased with the rate at which it is converting its Exchange install base. Earlier this year, the company revealed a roadmap inclusive of critical security and information governance functionality. For example, they have committed to bring DLP capabilities to SharePoint while also expanding the number of mailboxes in scope for an eDiscovery search, from 5,000 to unlimited. This is clearly an attempt to address the needs of larger organizations with more stringent security, eDiscovery and compliance requirements. We expect Microsoft to continue investing here through technology partnerships and acquisitions, while also gradually building out basic functionality at a clip that is somewhat slower than what the market demands. (Joe D)
  3. Enterprise Social Media Explodes: As we're sure you've noticed, electronic communications have evolved beyond more traditional forms such as email. And while organizations have since found novel ways to leverage this evolution, such as selling and marketing, they have not always done so with Information Governance in mind. The fact is, Social Media use is downright dangerous if correct governance controls are not put in place, and the need to capture, archive, retain and discover Social Media content has, as a result, never been greater. Regulators are increasingly taking note: mandates and fines around Social Media information governance are on the rise. Smart organizations, therefore, have Information Governance controls around their Social Media use in place, and organizations that neglect this important issue do so at their own peril. (Chris Ricciuti)
  4. InfoSec and InfoGov Collide: As the urgency around data security and data privacy commands more focus at C-level, we are seeing an increased level of involvement from Chief Security Officers in InfoGov initiatives. This appears to be in part due to priorities that were already aligned, but simply separated by organizational lines with different vocabularies. Information risk is described with one set of terminology by the security office and another by the regulatory compliance department or inside counsel. Ultimately, we expect to see information security and privacy as full-fledged stakeholders within InfoGov initiatives, and within standing working groups and committees tasked with reducing information risk across multiple application areas and functions. (Stephen)
  5. eDiscovery dependency on InfoGov becomes clearer: the first half of 2014 spotlighted a number of topics that impact organizational InfoGov efforts, including the continued rise in eDiscovery expense, the realities of new FRCP rules that create uniform standards for failure to preserve ESI and elevate the proportionality standard, and the increased adoption of predictive and technology assisted review approaches. The continued reality, however, is that data volume continues to explode, increasingly in unmanaged locations including social media, mobile, cloud, and networked file shares. eDiscovery tools designed to address clean, context-specific datasets are proving to have limited practical use in attacking large, overgrown information repositories and dark data locations. The value of proactive technologies and internal processes to identify and track data, so that value can be separated from junk, has never been higher. (Robert)

We look forward to the InfoGov momentum continuing for the remainder of 2014.

-Joe, Stephen, Chris, Robert

---

Joe has more than a decade of engineering, product management, product marketing and software leadership expertise in both the consumer and enterprise markets. In his role at Proofpoint, Joe is responsible for defining and bringing to market Proofpoint's next generation information governance products. Prior to Proofpoint, Joe was the Head of Product Management & Marketing for RiskIQ, led enterprise product management for Symantec's Emerging Products and Technologies and served in product management and marketing roles for hosted email archiving vendor LiveOffice, which was acquired by Symantec.


Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.


Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.


Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.


July 16, 2014

How big of a threat is intellectual property theft?

While digital solutions like email, mobile devices and the cloud have greatly benefited most businesses, they also raise the specter of intellectual property theft. In order to safeguard mission-critical assets at all times, companies should adopt enterprise security solutions from Proofpoint to make sure their intellectual property is never leaked out or stolen.

In a recent speech to filmmakers, media professionals and other businesspeople, Vice President Joe Biden said that intellectual property theft is a multibillion-dollar issue, according to The Hollywood Reporter. As the Internet rose in prominence, however, the threat landscape changed dramatically. For example, Biden said that instead of bringing a camcorder into a movie theater, someone can get an illegal recording of that film much more easily online. This is just one example of how it has become easier than ever for criminals to pilfer intellectual property.

While exact numbers related to the overall costs of IP theft are not known, most estimates corroborate the figure Biden noted. A May 2013 report from The Commission on the Theft of American Intellectual Property estimated that the United States loses more than $300 billion a year from this issue, and numbers cited by the National Crime Prevention Council put potential losses at up to $5.5 trillion.

Although IP theft is often considered a victimless crime, the NCPC noted that it is typically anything but that. The crime inhibits many companies' ability to grow and hire, and often businesses need to recoup related losses by charging consumers more for their goods or services.

"The effects of this theft are twofold," The IP Commission Report stated. "The first is the tremendous loss of revenue and reward for those who made the inventions or who have purchased licenses to provide goods and services based on them, as well as of the jobs associated with those losses. American companies of all sizes are victimized. The second and even more pernicious effect is that illegal theft of intellectual property is undermining both the means and the incentive for entrepreneurs to innovate, which will slow the development of new inventions and industries that can further expand the world economy and continue to raise the prosperity and quality of life for everyone."

How can companies stem the IP theft tide?
The situation relating to IP today may seem dire, but companies can take steps to significantly insulate themselves against this threat. In particular, by adopting a best-in-class suite of cybersecurity solutions from Proofpoint, businesses will be able to keep their trade secrets, patents and other pieces of intellectual property safe from harm.

For example, Proofpoint Enterprise Archive allows organizations to keep a thorough record of all online messaging, and Proofpoint Enterprise Privacy secures email and other forms of communication that may contain sensitive information. To keep threats like malware on the outside looking in, businesses can use Proofpoint Enterprise Protection.

Only by leveraging a comprehensive and powerful data security and privacy suite will businesses be able to safeguard all of their intellectual property. As the IP threat environment grows larger and more potent, Proofpoint's solutions will become even more vital and mission critical for organizations operating in a wide variety of industries.

July 09, 2014

A CISO, GC, and Records Manager Walk into a Bar…

THE JOKE

A CISO, GC, and Records Manager walk into a bar.

The CISO says, “Can you believe a guy just tried to sell me a tool that can guarantee when intellectual property is about to leave my network?”

The GC says, “That’s hilarious, I just talked with a man who told me his software can tell me exactly where the smoking guns are amongst my entire corpus of data.”

The Records Manager says, “That’s odd because I just read about a solution claiming it can scan all my files and classify records according to my file plan.”

The trio quickly realized they were all talking about the same solution. Of course, such "all in one" claims will cause many of us to drop to the floor, rolling with laughter. Yet the statement above, while not remotely imaginable even a few years ago, is today not that far off.

 THE SETUP

CISOs have no problem getting attention. Every hour of every day brings another headline that keeps them up at night. Most recently, Goldman Sachs accidentally sent highly confidential information about its brokerage clients to a Google account, immediately going into damage control and requesting that Google block access to the email and delete it. This type of exposure will continue to increase as the amount of sensitive information increases, as the number of locations sensitive information is stored in increases, and as the number of channels through which sensitive information can be passed increases.

 Breaches are happening every day around the world.

GCs have a sleep schedule similar to the CISO's. However, their greatest challenge is identifying, controlling, and sifting through gigabytes of business documents typically associated with eDiscovery and large scale investigations. Doing so with a defensible process only adds to the Sominex bill.

The sheep counting culprit is not only the amount of unstructured corporate information (growing by at least 60% per year per IDG, and by 800% over the next 5 years per Gartner), but the fact that this information increasingly exists in new, often unmanaged data types such as social media, IM, and mobile.

 Records managers face a more insidious threat in that co-workers often choose the path of least resistance when it comes to records management, and this means any remotely complex policy will be casually ignored or circumvented. The consequences are tangible and often quantifiable when the company is in a regulated industry such as healthcare.

 THE DELIVERY

Speaking to Jason R. Baron, former records management Jedi of NARA and now Of Counsel at Drinker Biddle & Reath LLP, he described the solution (and problem) of records management in the most elegant fashion. Paraphrasing, there are two requirements for records management to work: 1) simpler policies, 2) machine assistance.

 While Jason is doing great work in helping firms simplify policies, it will be up to technology firms to ante up with usable, workable, and scalable machine assisted technologies to address the second requirement.

 Considering Jason’s points and listening to customers talk about their concerns around security, privacy, compliance, and records, it’s clear to me that there is an Informational Convergence taking place where corporate information, regardless of its business use or risk profile, is increasingly in need of a common, firm wide classification. This means centralized classification that can be shared across all groups, stakeholders, or leaders; be they CISOs, GCs, or records managers.

 Impossible?  Conventional wisdom divides departments into distinct groups possessing their unique view of information and what it means. The joke works because CISOs think differently from GCs who in turn differ from records managers. Or do they? The tenth time I heard a CISO ask if our DLP technology could be used to help their current records classification efforts I raised an eyebrow. Once ten records managers asked about the possibility of flagging records for security violations, I realized that the market is ignoring conventional thinking.

 The Informational Convergence of Information Governance (IG) provides a holistic view across every information-driven department. Each department is asking for the same thing in their own way and soon companies will realize this. As thought leading technology firms, we need to enable them.

 An equally important side effect to Informational Convergence is the need for IG platforms to support more sophisticated and cloudy ecosystems. Business relevant, cloud-based repositories are also corporate content containers and exposure points. Their rising popularity demands that the most advanced IG platforms support them as well as conventional repositories. Solutions like Box, Dropbox, or OneDrive, contain records, legal content, and represent risk like any other repository.

 THE PUNCHLINE

There are actually several punch lines to this joke. The saddest version is that no one knows what the records manager thinks about the solution because they forgot to invite him to the meeting. As noted above, this only makes everyone’s job harder because proper records management helps everyone in the end.

 I’ll also note that some to whom I’ve told this story have immediately declared it a lie. That it’s all just a dream. Not because the notion of Informational Convergence is too complex to conceive. No. It’s because no one would ever believe these three individuals would be caught socializing.

- Stephen Chan

 ---


Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.


July 01, 2014

Why All Libraries Need Robust Cybersecurity Solutions

As libraries transform from places to check out books into a critical digital resource for many people, these public services need to adopt best-of-breed cybersecurity solutions from Proofpoint to ensure that public computers remain safe and usable.

Libraries have always been a source of learning within communities, but now a lot of that education happens online instead of from books or periodicals. For many individuals today, the public library is their go-to option for getting online, checking email and browsing the Web. According to the latest statistics from the Pew Research Center, among those in the United States over the age of 16 that use the Internet at a library, 63 percent were browsing the Web for leisure and 54 percent said they checked email there.

In addition, numbers from the American Library Association show just how critical these public services are for many people today. More than three-fourths of libraries provide Wi-Fi access, and 98.7 percent of them offer Internet access at no charge. Furthermore, not only does the average library now have around 11 computers per facility, but more than 71 percent of libraries say they are the only source of free Internet access in their general vicinity.

But, too often, this rise in Internet usage at libraries does not accompany increased cybersecurity. The ALA noted that many of those who use library computers are not tech savvy, which means that they could inadvertently be introducing malware onto the library's network. Considering how many people are using these machines, libraries need to take every step possible to ensure that one lapse in judgment does not compromise the assets of hundreds or thousands of people.

"Think about it: Your constituents, volunteers, and donors entrust their personal information with you," TechSoup contributor Zac Mutrux wrote. "If you're not taking steps to secure your data, including using antivirus and anti-spyware software, their information may not be safe. Information security breaches can have major legal and financial ramifications."

Case study: South Dakota Library Network
For libraries that are often strapped for cash, trying to keep their IT assets safe from the myriad threats that abound in cyberspace can seem like an insurmountable task. Users can accidentally click on a bad link in an email, and malware has become especially adept at duping unsuspecting people. Libraries may think that the only effective response to these issues is unobtainable to them, but the South Dakota Library Network shows that libraries can have all of their major cybersecurity needs covered with a suite of solutions from Proofpoint. Now, the South Dakota Library Network is able to effectively eliminate spam, encrypt emails, protect the network against viruses and ensure that all of its compliance needs are met.

"The Proofpoint Messaging Security Gateway has worked exactly as we've needed it to, eliminating all types of spam messages and detecting a wide variety of confidential information with very high accuracy," said Sean Crooks, systems administrator with South Dakota Library Network. "As an added bonus, the appliance truly runs itself, requiring less than an hour of my time per week for administration."

June 04, 2014

New cybercrime survey highlights need for data loss prevention

The amount of information companies store online increases every day, and it is leading to a surge in cybersecurity incidents, creating a need for stronger data loss prevention solutions. A recent PricewaterhouseCoopers survey underscored the rising discrepancy between the number of cyber incidents and the extent of the data loss prevention techniques put in place by vulnerable organizations.

"Despite substantial investments in cybersecurity technologies, cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize," said U.S. Secret Service Criminal Investigative Division special agent in charge Ed Lowery.

Fifty-nine percent of those surveyed said that cybersecurity was more of a concern this year than it had been in the past, but less than half of all respondents had implemented a plan for responding to threats.

Perhaps because of a lack of preparedness, 77 percent of participants said they experienced a security incident in the last 12 months, and 34 percent said this year brought an increase in the number of security events from the previous year. According to the report, organizations experienced an average of 135 security events in the past year. Not all of those surveyed were able to estimate the cost of a security breach on their organization, but for those who could, the average annual monetary loss was $415,000.

According to PwC's Annual Global CEO Survey, 69 percent of U.S. executives are concerned that cybersecurity issues could curtail their organizations' growth. Despite the fear, many businesses still don't take steps to secure many new types of technology.

"Cybersecurity for disruptive technologies remains inadequate when considering Bring Your Own Device, cloud, [and] Software Defined Networking are always put in place first and then secured later," said vice president and publisher of CSO Magazine Bob Bragdon.

Three thousand organizations reported that they were not aware of any breach of their cybersecurity until they were notified by the FBI, according to the cybercrime survey.

"The United States faces real [cybersecurity] threats from criminals, terrorists, spies and malicious cyber actors," said FBI director James Comey. "The playground is a very dangerous place right now."

Protecting enterprise documents
There are a variety of data loss prevention solutions that companies can employ to better protect against cyberthreats. Proofpoint's digital asset security provides document fingerprinting that allows unstructured data to be accurately detected. Specific folders containing sensitive enterprise documents can be monitored and managed. The documents within the selected folders are fingerprinted and can be recognized either partially or fully by the program, whether in the original file format or not.
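The paragraph above describes document fingerprinting in terms of its effect (a registered document is recognised in whole or in part, regardless of file format) rather than its mechanics. The following is an added, constructed illustration of the general technique as commonly implemented in DLP engines: it is not Proofpoint's own code, and the shingle size, hash truncation, flag threshold and sample documents are all assumptions chosen for the example. Text is normalised so that formatting and container format do not matter, every k-word window is hashed, and only the hashes of the protected document are stored; an outbound message is then scored by how much of the protected document's fingerprint reappears in it.

```python
"""Illustrative document fingerprinting for DLP (constructed example,
not Proofpoint's algorithm)."""
import hashlib
import re

SHINGLE_WORDS = 5      # words per shingle; assumed tuning value
FLAG_THRESHOLD = 0.10  # flag when >= 10% of a protected document reappears


def normalize(text):
    """Lower-case and keep only alphanumeric tokens, so the same words are
    recognised whether they arrive as a .docx, a PDF export, or a quoted
    e-mail body with '>' prefixes and different line wrapping."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text, k=SHINGLE_WORDS):
    """Set of truncated SHA-256 digests, one per k-word window. Only the
    digests are kept, so the fingerprint registry does not itself contain
    the sensitive text."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def matching_shingles(candidate, protected_fp, k=SHINGLE_WORDS):
    """Number of protected-document windows that occur in the candidate."""
    return len(fingerprint(candidate, k) & protected_fp)


def coverage(candidate, protected_fp, k=SHINGLE_WORDS):
    """Fraction of the protected document's shingles found in the candidate:
    1.0 for a full copy, smaller for a quoted excerpt, 0.0 for no overlap."""
    if not protected_fp:
        return 0.0
    return matching_shingles(candidate, protected_fp, k) / len(protected_fp)


def scan(candidate, protected_fp):
    """Policy decision for one outbound message: (coverage, flagged)."""
    c = coverage(candidate, protected_fp)
    return c, c >= FLAG_THRESHOLD


# Constructed sample of a protected document registered with the DLP system.
SENSITIVE_DOC = """
Project Falcon design notes. The prototype uses a dual-stage compressor
with a titanium impeller rated to 48,000 rpm. Bearing housings are
machined from alloy 7075 and must be inspected after every 200 hours.
Supplier pricing is confidential and must not be shared outside the team.
"""
PROTECTED_FP = fingerprint(SENSITIVE_DOC)

# Constructed outbound messages: a full copy pasted as a quoted e-mail,
# a one-sentence excerpt, and an unrelated note.
FULL_COPY = "Here it is:\n" + "\n".join(
    "> " + line for line in SENSITIVE_DOC.strip().splitlines())
PARTIAL_QUOTE = ("FYI: the prototype uses a dual-stage compressor with a "
                 "titanium impeller rated to 48,000 rpm. Thoughts?")
UNRELATED = "Lunch on Friday? Let me know if the cafe by the station works."

if __name__ == "__main__":
    for name, msg in [("full copy", FULL_COPY),
                      ("partial quote", PARTIAL_QUOTE),
                      ("unrelated", UNRELATED)]:
        c, flagged = scan(msg, PROTECTED_FP)
        print(f"{name}: coverage={c:.2f} flagged={flagged}")
```

The quoted excerpt is caught even though it is a small share of the whole document, which is the "partial" recognition the paragraph refers to; the unrelated note shares no five-word window and scores zero. In practice the shingle length and threshold trade recall against false positives on boilerplate (signatures, disclaimers), so a production deployment would exclude such common text from registered fingerprints and tune the threshold per document class.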

March 17, 2014

Office365 and eDiscovery? The confusion continues…


Speaking to many customers considering Microsoft Office365 and its new features for eDiscovery leads me to one and only one conclusion: the confusion continues.

Articles published by Microsoft and others that have seen preview of the technology reinforce this point. (See here, referencing a Microsoft webinar where “no specifics were provided”). Hmmm.

Those looking for a simple, straightforward answer as to whether Office365 alone is sufficient to address one's eDiscovery burdens will be greatly disappointed. No one likes to see a response of "it depends" to a simple RFP question. But, it depends. So, here are 5 simple questions to ask yourselves to determine whether Office365 could be sufficient to address your specific demands.

First, a simple question: do you work for a financial services provider? If yes, stop here. Office 365 and Exchange 2013 do not address the requirements outlined by SEC Rules 17a-3 and 17a-4, which specify how data must be stored immutably, or the supervisory review requirements under FINRA. You should be engaging with archiving or data storage providers to address these requirements.

1. Do you need to conduct real-time, iterative search against multiple matters concurrently? Office 365 relies upon a batch-based searching process that is not designed for large scale search, nor for unlimited search against concurrent matters. IT must break up requests into multiple smaller searches, introducing multiple points of failure and unknown performance. A limit of 2 concurrent searches is difficult if you have (hmmm) 3 time sensitive matters.

2. Do you need to conduct keyword search against an entire enterprise or large department? Again, the number of mailboxes that can be searched is limited (and continues to be changed by Microsoft – is it 50 mailboxes? 500?). Not ideal for investigative purposes where a set of keywords are known, but the custodian scope/scale is not yet defined.

3. Do you need to search against non-Microsoft office content types? On average, organizations deal with 400+ different attachment types within email alone, and must be able to capture and extract text of these file types prior to sending to a storage environment in order to search and retrieve later. Office 365 cannot help you here.

4. Do you have strict retention and enforcement mandates? Within Office365, email is archived only after a configured time period (default is 2 years). Users can delete or otherwise do as they choose beforehand. In fact, per Microsoft's own documentation: "Important: MRM doesn't guarantee retention of every message. For example, a user can delete or remove a message from their mailbox before the message reaches its retention age; MRM isn't designed to prevent users from deleting their own messages."

5. Do you need it now? Short term, inflexible discovery demands are challenged when all content sources must be within Exchange 2013 to be useable. And, when Microsoft lacks tools to migrate data from earlier versions of Exchange and third party archives that leverage the accepted industry standard approach of journaling. And, when IT command line tools must be used when tasks exceed the existing features – such as creating and managing multiple retention policies through Microsoft’s rolling hold features. And, when archived data needs to be manually segregated for ethical wall or local data privacy adherence. And, when non-Microsoft content must be manually collected, searched, and processed through other systems.

As with any other early stage software, it is easy for technologists to give the "yes, it can be done" or "yes, it's on our roadmap" response to questions about functional requirements that do not exist in the product today. But is this adequate to address the immediate, real-time, and unpredictable nature of eDiscovery that your company faces?

“It depends”, as they say.

January 23, 2014

Top 5 Reasons Why Your eDiscovery Tool May Not Be Sufficient for Information Governance

With LegalTech New York (#LTNY14) fast approaching, I find it a bit odd to see some of the same vendors at LegalTech as at ARMA and MER, with technology that, hmmm, looks pretty much the same at both. This raises some interesting questions about how eDiscovery tools may or may not address information governance (IG) objectives. Some use cases appear more plausible than others; for example, applying advanced analytics to the task of migrating a legacy information repository to enhance visibility into the contents of those repositories (e.g. what is duplicative, what is aged, transitory, etc.). But attempting to point predictive eDiscovery tools at raw content sources in order to implement policies for information tracking and control is a bit more daunting, especially for those experiencing unrelenting data growth and an explosion of content in unmanaged locations (as would be the case for most corporations today).

So, here are the top 5 reasons why eDiscovery tools may not be sufficient to address your short term information governance objectives (noting that capabilities evolve over time. M&A happens, product portfolios expand, OEM deals are forged, etc.):

  1. Volume: Most analytically driven eDiscovery tools have been well designed to plow through, analyze and accelerate review of clean, contextually specific data sets, let's say a matter involving 20 custodians and 100 GB. But attempting to apply that same technology to plow through a billion items (as many corporations can easily accumulate) is more complex than just adding more processing power or spending additional time to train the system to produce a sufficient indexing rate. Data repositories tend to contain information that is highly duplicative, poorly indexed, and growing at a rate of 44x over the next several years per IDC. Analytically driven eDiscovery tools can enhance visibility (after being properly resourced with processing power and $$), but do little to address the high priority of gaining control over unchecked data growth.

  2. Context: eDiscovery tools operate best within the defined context of a matter or investigation, but there is no easily discernible context around the word ‘windows’ when pointing at an information repository. In fact, defining and separating the ‘high value’ from the ‘digital ROT’ within a typical IG initiative is often the product of input from legal, regulatory, IT, and business unit representatives melding their own definitions of information value and risk. IG is more than just improving eDiscovery efficiency and reducing expense by looking at upstream data patterns. And applying analytics once context has been separated from content makes it exponentially harder to produce measurable results.

  3. Wild Data: Organizations today are struggling not only with the absolute growth of information, but also with the fact that material information is increasingly being created (and is uniquely maintained) in unmanaged locations (e.g. social media, IM, networked fileshares, mobile, nomadic SharePoint sites, etc.). While it is true that eDiscovery today continues to be dominated by email, patterns of everyday business communications are changing dramatically, as can be noted by actions from various regulatory entities including the SEC, FINRA, and FFIEC. eDiscovery tools work well in processing centrally stored data, but collecting and moving information from unmanaged locations is rarely practical or without risk. Technologies to enable management in place are emerging, but few have yet achieved significant market presence.

  4. Control: Many effective IG initiatives have focused not just on producing critical content when required, but on understanding how information moves throughout its life cycle so that organizations can be proactive in managing information risks. Enhanced visibility from analytics tools is helpful for understanding where the eDiscovery needles exist in the data haystack – but does little to show how the pins, needles, and other sharp objects move within and across haystacks, which is what is needed to define the policies and procedures that manage information risk and enhance control.

  5. Cloud: It appears that much of the interest in applying eDiscovery analytics to IG is due to failed enterprise content management implementations. Information life cycle management was a good idea, but ultimately failed because of poor user acceptance and an on-premise technology design that became too expensive and complex to manage as data grew. Hence the appeal of cloud-based information repositories that take advantage of shared resources and scale-on-demand benefits that are not attainable behind the firewall. To date, it does not appear that any leading eDiscovery analytics tool has been designed for the cloud (which is significantly different from simply offering a hosted version of the same on-premise technology through a service provider). Consequently, companies must deploy more servers requiring more storage and IT overhead – which appears to be a repeat of the same failures of the 1990s. This will no doubt change – but evidence of leadership on this front is still scant.
eDiscovery and Information Governance will continue to become more tightly intertwined over time as more companies realize that the ‘keep everything forever’ strategy is not sustainable. Focus is beginning to shift from optimizing review efficiency to enhancing insight into data repositories so that value can be separated from junk earlier. But you should take care to ensure that your short-term IG risk reduction goals can be delivered with the capabilities offered today by the eDiscovery tool providers.
December 16, 2013

FFIEC Raises the Bar on Social Media and Regulatory Compliance

On Wednesday, the Federal Financial Institutions Examination Council (FFIEC) issued its long-awaited guidance "Social Media: Consumer Compliance Risk Management Guidance", covering the use of social media within financial services. The guidance applies to banks and nearly every other financial entity that falls under the regulatory umbrellas of the Office of the Comptroller of the Currency (OCC), FDIC, NCUA, and Consumer Financial Protection Bureau (CFPB).

While the guidance imposes no new obligations upon firms, it does a very thorough job of highlighting the plethora of existing regulations whose rules should be considered in assessing the risks of using social media for firm business. These include:

Applying to Deposit and Lending:

  • Truth in Savings Act/Regulation DD
  • Fair Lending Laws: Equal Credit Opportunity
  • Fair Housing Act
  • Truth in Lending Act/Regulation Z
  • Real Estate Settlement Procedures Act
  • Fair Debt Collection Practices Act
  • FTC Section 5 on Unfair, Deceptive, or Abusive Acts
  • FDIC requirements on Deposit Insurance

Applying to Payment Systems:

  • Electronic Fund Transfer Act
  • Check Transactions rules

Applying to Data Privacy:

  • Children's Online Privacy Protection Act
  • CAN-SPAM Act
  • Gramm-Leach Bliley Act (GLBA)

On the GLBA point, the FFIEC noted specific relevance when social media has been integrated into the overall customer experience. In this case, firms should clearly disclose the use of social media within their privacy policies, as required under GLBA.

Most importantly, the guidance outlines the compliance, operational, and reputational risks associated with social media, and encourages the use of risk management programs to assess the potential exposure to the firm. Components of this program should include:

  • Design with participation from stakeholders from compliance, technology, information security, legal, human resources, and marketing
  • A governance structure with clear roles and responsibilities
  • Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations
  • A risk management process for selecting and managing third-party relationships in connection with social media
  • An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate
  • Periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

The net effect of the FFIEC guidance should be to encourage firms to think holistically about social media as an integrated component of their information risk management strategy. As a component of this strategy, firms should also evaluate available technologies that allow for the proactive capture and secure storage of social media content - as is provided today for email, instant messages and other mature communication technologies.

The business use of social media is undeniable - and the FFIEC guidelines clearly demonstrate that regulated firms should take proactive steps now to ensure issues with existing regulations are avoided.

November 25, 2013

Social Media and Compliance: Salesforce Chatter

We just returned from the Financial Services track at Dreamforce, where many speakers touched on the topic of Archiving for Chatter – and its potential regulatory implications. This led to many interesting discussions at our booth, with some of the common themes and conclusions summarized here.

  1. The most frequently asked question/comment: “We would like to enable Salesforce Chatter, but our compliance team is concerned about the implications. What can we do?” Not surprisingly, many of the Dreamforce attendees we talked to had recognized the business value of leveraging their investment in SFDC to drive collaboration and productivity via Chatter (or, perhaps, are being pressured by SF users to enable this feature). The reasons are clear within financial services: enabling better customer service, improving communication flow with independent agents, and sharing account information with peers. But simply turning that feature on led many into conversations about internal policies pertaining to social media, supervisory obligations addressed under FINRA’s 11-39 guidance on social media, and storage requirements within financial services outlined by SEC 17a3-4. Conclusions: 1) Chatter is easy to enable? Yes. 2) Opening a new collaboration channel within financial services raises regulatory compliance questions? UNEQUIVOCALLY YES.
  2. Compliance teams are becoming more active in decisions regarding use of Chatter. Again, not surprising, as firms have become accustomed to this since FINRA 11-39 in 2011, and as more have acknowledged the futility of blocking social channels including LinkedIn and Twitter. Today, this involvement is moving beyond the yes/no of enabling access toward the issues of social media policy refinement: determining which specific social media channels can be utilized, which features within those channels are usable by investment professionals whose actions are regulated under FINRA and NASD rules, and how firms intend to monitor, supervise and report on those activities. Simply turning on the capability is the starting point – looking at how you may enable selective access for those users whose activities need to be archived and reported is where many companies appear headed.
  3. Salesforce Communities creates additional risk. As firms iron out plans to enable Salesforce Communities, it’s important to consider regulatory compliance as part of the discussion. Salesforce Communities enables firms to expose parts of their Salesforce environment to the outside world; creating a collaboration portal for customers, vendors or partners. The Chatter feed is an integral component of Communities and, without Chatter, the benefits of enabling Communities diminish. Similar to “internal” Chatter communications, it’s important to ensure that your archiving solution supports the capture of Chatter content that is authored within Communities as well. Moreover, if your firm creates multiple Communities, your archiving solution should be able to capture Chatter content only from the Communities that you specify, thereby eliminating unnecessary noise from your archive.
  4. Archiving of social media goes beyond basic storage. For many firms, the envisioned process of manual collection and basic store/retrieve of Chatter content would be, in most cases, woefully inadequate. SEC Rule 17a3-4 in particular contains a number of specific provisions about information storage locations being “WORM-like” and actively managed to ensure information retains its integrity. Simply moving captured Chatter content to a network storage location – or copying it to DVDs and sending them to giant records warehouses via couriers in small vehicles – may not meet the risk profiles of your compliance executives.
  5. Firms are seeking leverage across other information sources. Enabling the capture and archival of Chatter content is not a unique discussion. Firms have already been through this with email. But firms are reluctant to deploy yet another single-purpose repository to manage that information. In fact, most of the attendees we talked to are seeking to aggregate Chatter with other captured social media content – and to leverage the existing processes and technology already in place for email. This leverage brings familiarity and comfort to compliance teams – and a higher likelihood that SFDC teams can roll out Chatter faster with fewer compliance obstacles.

Proofpoint, with its Archiver for Chatter solution, can help organizations address these challenges, with a proven track record of capturing and managing content for many leading financial institutions that need to adhere to SEC, FINRA, and other emerging regulatory requirements. For more information about our Social Platform for Archiving solution, please visit http://www.proofpoint.com/social-platform.
©2012 Proofpoint, Inc.