Our live web seminar series continues on March 24th, 2010 with an important topic that we haven't covered in a while, compliance with PCI (Payment Card Industry) data security standards. If your company handles credit cards and cardholder data, you should be aware of these requirements.
We'll discuss the critical role that email security plays in PCI-DSS compliance. You'll also hear real-world examples of how Proofpoint customers use integrated email encryption and data loss prevention technologies to tackle a wide variety of compliance challenges, securely transmit sensitive data via email and improve the levels of service and convenience they deliver to their customers.
Find more details and register by visiting the link below:
Register for Proofpoint's PCI-DSS and Email Security Webinar

As 2009 winds down, it's a good time to take a look at your organization's IT plans for 2010 and, in the world of email, one of the biggest considerations (at least, for those enterprises that use Microsoft Exchange) is when and how to migrate to Exchange 2010. Exchange 2010 offers a wide variety of improvements over previous versions and among the most anticipated features are the addition of more sophisticated email retention and improved storage management.
Because email archiving has become a "must have" feature for so many organizations today, email administrators and other IT professionals are wondering whether Exchange 2010 will provide all of the email archiving features that they need to meet their eDiscovery, email retention and storage management needs. Many others wonder if they should hold off on the purchase of a third-party email archiving solution or if they'll be able to migrate off of an existing email archiving solution in 2010.
In our first live web seminar of 2010 (Wednesday, January 13th) we'll be discussing these issues. If email archiving is on your "to do" list for 2010, you won't want to miss it. Register here:
Email Archiving in Exchange 2010: Are Third-party Solutions Still Necessary?
Attend this webinar to learn:
- Top 10 reasons you’ll still need third-party email archiving—even with Exchange 2010.
- How you can get all the archiving-related benefits of Exchange 2010 and more, without having to migrate.
- What critical factors and features you need to consider when evaluating any email archiving solution for your organization.
- How choosing the right email archiving solution can reduce business risk, increase Exchange performance and reduce costs associated with storage and eDiscovery.
- Which types of email archiving solutions deliver the lowest total cost of ownership.
I've been following the rather long and confusing story of millions of "missing" emails from the George W. Bush White House off and on in the blog for some time. This week, the White House settled lawsuits relating to these missing emails that had been brought by two groups, the National Security Archive and Citizens for Responsibility and Ethics in Washington.
The loss of these email messages and eventual recovery of 22 million "newly found" messages seems to have been extremely costly and serves as a reminder to all organizations that, if they haven't thought about and planned for electronic discovery of email, it's probably time to do so. As I've noted repeatedly here and in the press, at least 25% of enterprises are faced with a subpoena each year that requires them to produce employee email. (You can find this and other related statistics in our annual Outbound Email and Data Loss Prevention report.)
Media coverage of the White House's settlement of these lawsuits has exposed some interesting information about the White House's IT and email security practices that are worth sharing here.
Computerworld has a good article ("'Lost' Bush e-mail settlement requires that White House reveal IT practices") that notes that the emails in question went missing due to "what may have been one of the messiest e-mail platform migrations ever," saying:
The e-mail problem began in 2002 and 2003 after the White House moved from Lotus Notes to Microsoft Exchange. As it moved to the new platform, the President's IT staff also discontinued use of legacy, circa 1994, electronic management and archiving system, called Automated Records Management Systems (ARMS.) Development began on a new archiving system that ran into its own issues and wasn't implemented.
Without an automated archiving system, the White House relied on manual processes to archive e-mails, and that's when the problems evidently began. Files were mislabeled and commingled on back-up tapes containing all types of information.
If that sort of manual email retention and recovery process sounds familiar, maybe it's time for your organization to consider a more robust technology solution for email archiving. (Email archiving is the topic of our next live webinar, being held January 13, 2010 - you can register for that free web seminar here.)
For a good summary of the entire saga of the missing White House emails, see this Atlantic Wire story which includes links to a number of external articles that reflect on a number of different legal, technological and political dimensions of this story. See, "The Strange Story of 22 Million Misplaced White House Emails."
One more related media item that I thought was interesting is this audio interview that played on NPR this morning wherein Meredith Fuchs, general counsel of the National Security Archive, talks to NPR's Ari Shapiro about the missing Bush emails and about whether the current (Obama) administration is meeting its own promises to be more transparent.
You can find a player for that interview on this page - Group: Administration Making an Effort at Openness - or jump directly to an MP3 version of that replay.
We held a web seminar yesterday titled "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" (you can view the replay of this HIPAA email webinar by following this link) where Rami Habal presented some great information on the new requirements enterprises face when protecting private healthcare information (PHI) in email. This was our most highly attended web seminar ever with more than 1200 registered attendees.
During the question and answer session at the end of the presentation, I mentioned briefly that HIPAA may require some types of emails to be retained and that this argued for adopting email archiving solutions as well as email encryption/data loss prevention.
At the end of all our webinars, we conduct a survey that allows attendees to provide feedback. One of the webinar attendees chastised me gently in their survey response saying that my assertion was wrong and that HIPAA does not require organizations to retain email.
Was I wrong? Well, it's true that HIPAA does not specifically mandate that covered entities archive email. (Certainly not in the same way that it requires encryption of PHI in electronic messages.) However, HIPAA does require that covered entities retain certain types of documentation related to their compliance with the HIPAA regulations. It's my contention that, in some cases, this requires that certain emails be retained.
This is a fairly subtle point but one that I think healthcare organizations and other HIPAA covered entities should consider. I wrote about this briefly in our whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email. Here's an excerpt of what I had to say:
While this paper has focused primarily on the requirements for protecting private healthcare information during email transmission, HIPAA covered entities are also required to retain a wide range of documentation regarding their compliance with the regulation. In general, documentation must be retained for six years from the date of its creation, or the date of last effect, whichever is later (though some states mandate longer retention periods).
Documentation that must be retained includes:
- Policy or procedural documentation: Including notices of privacy practices, consents, authorizations and other standard forms
- Patient requests: Such as requests for access, amendment or accountings of PHI disclosures
- Complaints: Documentation related to the handling of patient and/or HCO employee complaints
- Training: Including processes for and content of workforce training.
An increasing number of email messages sent or received by HCOs could fall into these categories, and in some cases, may only exist in email (for example, patient requests sent via email). In a recent Proofpoint survey of large healthcare organizations, 68% of respondents cited “ensuring the confidentiality and protection of private healthcare information” as a top concern driving the need to archive email in their organizations. HCOs should look for email security solutions that also include an email archiving component.
Email archiving technology can ensure both the preservation and easy discovery of email messages that could be considered medical records or HIPAA-regulated documentation. Such systems should store email in an encrypted form, to ensure the security of any PHI contained in archived email messages and their attachments.
The point is, some email communications clearly do qualify as documentation that must be retained under the HIPAA regulations. Modern email archiving solutions can enforce retention of such messages and make them more easily discoverable. The full whitepaper has a bit more detail and, as always, I appreciate your comments as to whether I'm off base on this topic!
A couple of "last chance" reminders today: First, Gartner's most recent "Magic Quadrant for E-mail Security Boundaries" published in 2008 is about to be retired as an updated quadrant will debut in the first half of 2010.
You can still get a complimentary copy of that document from Proofpoint (until December 11th, 2009) at the following URL:
http://www.proofpoint.com/id/gartner-email-security-magic-quadrant/index.php
After 12/11/09, you'll have to wait until Gartner publishes an updated Magic Quadrant on email security, probably not available until Q2 of 2010.
Gartner, Inc. positions Proofpoint in the Leaders quadrant in its 2008 Magic Quadrant for the Email Security Boundaries (anti-spam, anti-virus, outbound content filtering, email encryption, intrusion prevention market). While consolidation in the email security market means that the market landscape is rather different today than when this report was first published, it still provides some great insight into what enterprises should look for when buying email security solutions and the comparison of the various vendor solutions is still quite useful.
Second, our next live Proofpoint webinar, "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email" is just a week away (Wednesday, December 9th at 2:00 PM ET, 11:00 AM PT).
This is an extremely popular topic right now and there are already more than 750 attendees signed up. As usual, if you can't make it to the live webinar, just register and we'll send you a replay as soon as it's available.
Proofpoint's 2009 live web seminar series continues on Wednesday, December 9th, 2010 with a webinar titled, "HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email." Join us to learn about the recent changes and expansions to HIPAA healthcare privacy regulations and how they impact your organization's approach to email security.
Email continues to be the number one source of exposures of protected health information (PHI) and, with the new HITECH provisions of HIPAA now applying to more companies than ever, it's a great time to learn about these regulatory changes and how data loss prevention and policy-based encryption technologies can help you meet the latest requirements.
Register here: HIPAA and Email Security Webinar, Dec 9, 2010
If you'd like a preview of the types of information we'll be presenting, check out our new whitepaper on the same topic. Read our HIPAA and Beyond whitepaper to get a quick overview of what you need to know about the latest security, privacy and data breach regulations for companies that handle private healthcare information.
It also outlines what to look for in a secure email solution for HIPAA compliance.
Download it here: Proofpoint's HIPAA and Beyond whitepaper.
Earlier this week, we issued a press release that recaps some new statistics about IT attitudes toward cloud computing and SaaS solutions (especially with respect to email security). Working with Osterman Research, we polled more than 200 IT professionals about whether they felt that they understood "cloud computing" and their attitudes and perceptions about cloud-based services. The findings generated some interesting commentary in other blogs. Sam Diaz over at ZDNet's "Between the Lines" blog reported the basic findings, including:
40 percent of IT professionals said they were confused by the term while more than half (52 percent) said no. Of the respondents, 33 percent said they believe cloud computing to be more hype than substance while 24 percent “weren’t sure.”
Mike Vizard at IT Business Edge's "IT Unmasked" blog commented that:
Sometimes it’s hard to distinguish between when somebody really doesn’t understand something and when they just don’t want to understand something. Such is the case with cloud computing, which from the perspective of the internal IT staff all too often threatens their status quo in terms of employment...
...When asked if they thought cloud computing was less secure than on-premise approaches, 43 percent said yes, 31 percent said not sure and 26 percent said no. And only 37 percent said their organizations would experience cost savings in the first year of a cloud-based security solution...
...when you add up all the cost of the infrastructure and expensive security professionals required to run e-mail security on premise, it’s pretty hard not to come up with savings in the first year. In fact, what these survey numbers tend to show as a whole is that a lot of IT people are still in various stages of denial about cloud computing.
Mike makes a good point. Indeed, IT professionals are concerned about the perception that using cloud-based services might lead to layoffs. Coincidentally, this is something that we asked about in our survey, but didn't report in the original press release. Asked if they agreed or disagreed with the following statement:
"If we implemented cloud-based services, many of our IT staff members would perceive that our company was preparing to lay them off."
We found that 47% said "Yes", 30% said "No" and 23% were "Not sure."
Mike goes on to note two interesting studies that I was not previously aware of: The Society for Information Management is working on determining how cloud computing is being used and also how software-as-a-service is being integrated with existing enterprise systems. Of these, he notes, "Taken together, the two studies will probably confirm the existence of a blended computing model where various IT services are delivered via the cloud, while others remain on premise." I would agree!
Upcoming Webinars Related to this Topic
There are two upcoming web seminars that relate to this topic. Both happen on the same day, at the same time... Next Wednesday, Nov. 18th at 2:00 PM ET. First, Proofpoint is holding a webinar about email security in the cloud. Learn more and register here:
Proofpoint Webinar: Cloud Computing Confusion - Is SaaS Email Security Right for You?
At that same time, our European datacenter partner TelecityGroup is hosting a webinar about the role data centers play in overseas expansion. Proofpoint's senior director of operations, Alexei Rodriguez, will be speaking about how Proofpoint goes about selecting datacenters and the operational issues that go into those selections and deployments. Learn more and register here:
Telecity Webinar: How The Planet and Proofpoint Accelerated Growth in Europe by Outsourcing Data Center Requirements to a European Specialist
Proofpoint email encryption experts Ken Liao and Steve Martensen (pictured at left) will be your hosts for this week's live Proofpoint web seminar, "Is Now the Time to Deploy Email Encryption?" to be held this Wednesday, October 21st.
Learn about the new regulatory pressures that are making email encryption the next "must have" component of enterprise email security and compliance solutions. Ken and Steve will also present information on the new Proofpoint Encryption solution, which leverages Proofpoint's SaaS infrastructure to make encrypting email and protecting data privacy easier than ever.
To register, visit the link below. If you can't attend the webinar in person, you can still register... We send a link to a replay to registered attendees shortly after the live event!
http://www.proofpoint.com/id/email-encryption1009/index.php