Proofpoint: Security, Compliance and the Cloud

August 22, 2014

ILTA14 Highlights the Importance of CTRL

#ILTA14 Marks Debut of CTRL: The Coalition of Technology Resources for Lawyers

http://www.businesswire.com/news/home/20140820005167/en/ILTA-Marks-Debut-CTRL-Coalition-Technology-Resources#.U_TJ1GMx5i8

End of another great ILTA conference, with plenty of interest around information and cloud, and a significant increase in interest around data privacy and security. ILTA also provided a good forum to launch an interesting new initiative, the Coalition of Technology Resources for Lawyers (CTRL), which aims to address the challenges created by the lack of standards and of a shared cross-functional vocabulary to describe the intersection of technology and the daily needs of those in the legal profession. The challenge the coalition expects to tackle is well stated on the CTRL website (http://ctrlinitiative.com/):

"The availability of technology—even within the practice of law—has increased just as has the volume and complexity of discoverable information. But instead of the discovery process benefiting directly from these advances, technological unease has resulted largely in an e-discovery culture of bare-bones compliance, where technology remains a necessary evil and little more than a tactical means-to-an-end within a deadline-intensive environment."

We believe the initiative is directly in line with our history and strategy of helping our clients to proactively control and protect critical information. Our involvement is driven by several factors:

  • The unchecked growth of data volume and proliferation: as stated many times here, the volume of information is expected to double in the next 2.5 years, with more of it living uniquely in mobile, social and cloud. The challenge of controlling information will never get any easier, and the need for standards to drive greater data leverage and re-use has never been greater.
  • The collision of InfoGov and eDiscovery: moving away from the tactical, event-driven model of discovery starts with arriving at a cross-functional view of data value and risk; efforts such as CTRL can help drive the vocabulary.
  • The trend toward converged InfoGov and InfoSec priorities: as soon as the eDiscovery world begins to embrace the InfoGov concepts and stakeholders, we are seeing another set of stakeholders join the discussion representing information security and data privacy. The reasons are obvious given the frequency and repercussions of data breaches. The addition of the Chief Security Officer adds yet another language and set of priorities, but one that must be heard in order to move away from the culture of bare-bones compliance.

We look forward to contributing to the dialog.

---

Robert Cruz is Senior Director of eDiscovery and Information Governance, bringing 20+ years of Silicon Valley based subject matter expertise in the areas of eDiscovery and regulatory compliance. He works with Proofpoint customers via workshops, seminars, and industry conferences to share best practices and review changes in regulatory environments. He previously held similar posts within the ECM and eDiscovery markets, and holds an MBA from Stanford University.

August 19, 2014

What is the business case for #InfoGov?

#ILTA14 has kicked off, and information governance is one of the topics dominating the hallway discussion in Nashville.

We hear that many continue the ongoing search for a metric to justify expenditure on information governance. Part of the challenge appears to be semantics, with InfoGov viewed by some as simply a new paint job on records management, or as a shorthand way to describe a "comprehensive filing system" (as noted here: http://www.defenselitigationinsider.com/2014/08/05/discovery-costs-how-companies-can-increase-efficiency-and-save-money-in-the-process/#.U-0aTqof99o.twitter).

Semantics aside, we seem to be over-complicating the business case question. Sure, gaining executive sponsorship, aligning multiple functional stakeholders, and selecting the appropriate technologies are not trivial tasks. But, as noted in the Information Governance Initiative (IGI) Annual Report, 92% of surveyed organizations see "value and risk as equal partners" in InfoGov projects, and 68% indicated that establishing a clear, quantifiable metric is essential to their organization.

So, given the $2M average project spend for large organizations (noted by IGI), what are some of the ROI metrics that have emerged? Here are some that we see most typically:

1. Lower storage cost: It may not be at the top of the list of strategic goals, but reducing the cost of data storage is real, tangible, and achievable when information is expected to grow 44x over the next 10 years. Case studies demonstrating the storage cost reduction benefit are growing; one example is ARMA 2012 Cobalt Winner CUNA Mutual, which eliminated 160TB of outdated junk, realizing an accumulated savings of $2.1M.

More active elimination of digital ROT (redundant, obsolete and trivial data) through approaches that identify and eliminate junk is gaining momentum, which should accelerate now that FRCP 37(e) will provide greater clarity around "reasonable" preservation efforts.

2. Reduced eDiscovery cost: taking proactive steps to identify and control data from the outset has produced measurable ROI, not only in the elimination of manual methods of identifying and collecting ESI, but more significantly in squeezing the number of documents that should not be carried forward to review. The math is simple when the average custodian generates between 3-5GB of data and the average attorney reviews 100 documents per hour. Case studies: VMware saving $300K per matter by proactively managing email; NYC-based law firm Graubard Miller saving $200K in collections expense alone per matter versus the use of back-up tapes. No advanced calculus required.

3. Reduced regulatory exposure: regulatory risk has jumped into the lead among the areas of litigation risk concerning corporate counsel (per Norton Rose). The reasons: increased regulatory complexity; increased attention from HIPAA, FINRA, and the SEC in light of data privacy mandates and other preventative measures; and information increasingly finding its way into unmanaged locations (social, IM, mobile, cloud). With the average SEC fine reaching record levels in 2013, the case study is any regulated firm that does not appear in the SEC Enforcement Reports or FINRA Disciplinary Summary, compared with a similar firm hit with sanctions and the resulting reputational harm.

4. Productivity Impact: often overlooked, the simple elimination of wasted effort in attempting to locate data can be measurable and significant in contrast to current practices. Several interesting analyses have been produced measuring productivity impact, such as Bill Tolson's post (http://informationgovernance101.com/2014/08/08/infogov-productivity-gains-equal-revenue-gains/), which estimates the value of time regained per year at $3.8M and total recoverable revenue per year at $6.8M.

How Proofpoint can help

Given the results of early adopters, business case definition should not be the obstacle to investment in information governance. Proofpoint provides a portfolio of information governance capabilities that can help organizations quickly achieve measurable results, whether those are focused on securing high value content or eliminating information that creates unneeded cost and unnecessary risk. For more information, please visit: http://www.proofpoint.com/products/archive-governance/index.php

---


August 12, 2014

Top 5 InfoGov Drivers of 1H 2014

We are a bit late, but thought it would be a good time to revisit some of the key drivers that have shaped the #InfoGov landscape in the first half of 2014. There are a few surprises in comparison to our January predictions (http://blog.proofpoint.com/2014/01/top-5-infogov-trends-for-2014.html), but the general trend line shows that information governance is being prioritized as a top initiative by more organizations than ever. So, here are the Top 5 InfoGov Drivers we've seen so far this year:

  1. Cloud buyers become more discriminating: without a doubt, cloud adoption has accelerated in the first half of 2014, in particular in application areas that have been plagued with unchecked data growth and the resulting challenge and headache of managing large on-premise data repositories. In fact, Gartner has stated that over 70% of all new information archive deployments are now cloud-based. However, as the set of use cases where cloud-based options are available expands, buyers have also become more rigorous in their due diligence efforts. For example, those with larger volumes of eDiscovery with multi-national scope are diving deeper into the cloud provider's ability to meet the complex web of regulatory and data privacy requirements. Clearly, cloud-based solutions are not homogeneous, and cloud market maturity is driving buyers toward solutions designed to meet their use cases as opposed to merely providing cheaper storage and reduced IT hassle. There is no 'one-size-fits-all' in the cloud. (Robert)
  2. Office 365 adoption continues: Microsoft continues to invest heavily in Office 365, and appears to be pleased with the rate at which it is converting its Exchange install base. Earlier this year, the company revealed a roadmap inclusive of critical security and information governance functionality. For example, they have committed to bring DLP capabilities to SharePoint while also expanding the number of mailboxes in scope for an eDiscovery search from 5,000 to unlimited. This is clearly an attempt to address the needs of larger organizations with more stringent security, eDiscovery and compliance requirements. We expect Microsoft to continue investing here through technology partnerships and acquisitions, while also gradually building out basic functionality at a clip that is somewhat slower than what the market demands. (Joe D)
  3. Enterprise Social Media Explodes: As we're sure you've noticed, electronic communications have evolved beyond more traditional forms such as email. And while organizations have since found novel ways to leverage this evolution, such as selling and marketing, they've not always done so with Information Governance in mind. The fact is, social media use is downright dangerous if correct governance controls are not put in place, and the need to capture, archive, retain and discover social media content has, as a result, never been greater. Regulators are increasingly taking note: mandates and fines around social media information governance are on the rise. Smart organizations, therefore, have Information Governance controls around their social media use in place, and organizations that neglect this important issue do so at their own peril. (Chris Ricciuti)
  4. InfoSec and InfoGov Collide: As the urgency around data security and data privacy commands more focus at C-level, we are seeing an increased level of involvement from Chief Security Officers in InfoGov initiatives. This appears to be in part due to priorities that were already aligned, but simply separated by organizational lines with different vocabularies. Information risk is described with one set of terminology by the security office and with another by the regulatory compliance department or inside counsel. Ultimately, we expect to see information security and privacy become full-fledged stakeholders within InfoGov initiatives, and within standing working groups and committees tasked with reducing information risk across multiple application areas and functions. (Stephen)
  5. eDiscovery dependency on InfoGov becomes clearer: the first half of 2014 spotlighted a number of topics that impact organizational InfoGov efforts, including the continued rise in eDiscovery expense, the realities of new FRCP rules that create uniform standards for failure to preserve ESI and elevate the proportionality standard, and the increased adoption of predictive and technology assisted review approaches. The continued reality, however, is that data volume continues to explode, increasingly in unmanaged locations including social media, mobile, cloud, and networked file share locations. eDiscovery tools designed to address clean, context-specific datasets are proving to have limited practical use in attacking large, overgrown information repositories and dark data locations. The value of proactive technologies and internal processes to identify and track data, so that value can be separated from junk, has never been higher. (Robert)

We look forward to the InfoGov momentum continuing for the remainder of 2014.

-Joe, Stephen, Chris, Robert

---

Joe has more than a decade of engineering, product management, product marketing and software leadership expertise in both the consumer and enterprise markets. In his role at Proofpoint, Joe is responsible for defining and bringing to market Proofpoint's next generation information governance products. Prior to Proofpoint, Joe was the Head of Product Management & Marketing for RiskIQ, led enterprise product management for Symantec's Emerging Products and Technologies and served in product management and marketing roles for hosted email archiving vendor LiveOffice, which was acquired by Symantec.

Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.

Christopher Ricciuti is Vice President of Financial Services Archiving Solutions at Proofpoint, where he brings 10+ years of Financial Services industry experience. He focuses mainly on helping regulated organizations leverage next-gen communication technologies, such as social media, while maintaining regulatory compliance. Prior to Proofpoint, Christopher worked as a CTO on Wall Street and founded eDynamics, a social media compliance start-up. He holds an MBA from Babson College.

August 07, 2014

FCA Issues New Social Media Guidance to UK Financial Services Industry

The UK's financial services regulator, the FCA, today issued much anticipated guidance to govern the use of social media by financial organizations. The guidance (http://www.fca.org.uk/static/documents/guidance-consultations/gc14-06.pdf) is open to public comment until November.

Similar to existing rules issued by FINRA and IIROC (Canada), the guidance emphasizes that social media is like any other form of communication, capable of being viewed as an "invitation to engage in financial promotion". As such, it is to be managed within the existing frameworks and processes established for other communication. On the record keeping and supervisory aspects, the FCA remains less specific as to the processes and technologies that firms should consider. For approval of social posts, the FCA states in section 2.23:

"We remind firms of their obligations to have an adequate system in place to sign off digital media communications. This sign-off should be by a person of appropriate competence and seniority within the organization."

On record keeping and retention of social, the FCA offers the following in section 2.24:

"Firms should also keep adequate records of any significant communications. As well as helping to protect consumers, these records enable the firm to deal effectively with any subsequent claims or complaints. Firms should not rely on digital media channels to maintain records, as they will not have control over this: social media in particular may refresh content from time to time, with the consequent deletion of older material."

Implications

Given the reach of social media, the UK guidance is important for any multi-national financial organization to study when assessing internal social media policies and roll-out plans. Similar to IIROC in Canada, the UK guidance emphasizes that existing supervisory and record keeping practices be followed, and that it should not be presumed that the record keeping capabilities of the social channels themselves will be sufficient to withstand FCA scrutiny.

Both reasons, supervisory and record keeping, are key reasons why global financial services organizations are adopting Proofpoint's Social Platform for Archiving. Proofpoint natively captures social content from Twitter, LinkedIn, Yammer, Chatter, and Facebook and delivers that content to the archive and supervisory tools you already have in place, enabling you to quickly and efficiently address the multitude of evolving regulatory frameworks arising internationally.

To help demonstrate these benefits, Proofpoint utilizes an established proof-of-concept process that can quickly demonstrate the solution's ease of deployment and on-going hassle-free operation.

For more information, please visit http://www.proofpoint.com/products/archive-governance/social-platform or, if you would like to speak to one of our experts, please provide your information at http://www.proofpoint.com/id/contact-us/index.php.

- Robert Cruz and Chris Ricciuti


August 03, 2014

Social Media and IIROC: Overview for Financial Organisations

The Financial Services industry has seen a significant evolution in the acceptance of social media use by broker dealers and their firms. In fact, a recent study conducted by LIMRA found that 9 in 10 financial services firms in Canada were using social media. Social media is fast, ubiquitous, and can produce a measurable impact on sales productivity; however, it also poses significant risks that lead to damaged brands, regulatory fines and other harsh eDiscovery consequences.

Specific Canadian regulations are focused on two primary information archiving requirements: Record Keeping and Supervision. These requirements are spread across IIROC 29.7, IIROC Notice 11-0349, MFDA Rules 2 & 5, and National Instrument 31-103, and are highlighted below by requirement and applicable rule:

Record Keeping

  • IIROC Rule 29.7: requires firms to archive, monitor and review electronic advertisements, sales literature and correspondence with clients, including Facebook, Twitter, YouTube, blogs, and chat rooms
  • IIROC Notice 11-0349: firms must retain all advertisements and sales literature for 2 years and correspondence with the public for 5 years
  • MFDA Rule 5: firms must retain records for 7 years from the date of creation, or for such terms as required by the MFDA
  • NI 31-103: electronic communications must be retained for 7 years from the date of creation, and records must be stored in a "durable form in a safe location"

Supervision

  • IIROC 29.7 and 11-0349: firms must establish written supervisory procedures, training and monitoring systems, with interactive content (e.g. Tweets) supervised (but not requiring pre-approval)
  • MFDA Rule 2: firms must establish a monitoring system and maintain an audit trail and record of supervisory review for 5 years

How Proofpoint Can Help

Proofpoint's Social Platform for Archiving automates the capture and archiving of social media content from specific social channels as required for regulatory purposes. Native APIs are used to capture social content from leading channels including Salesforce Chatter, Microsoft Yammer, LinkedIn, Facebook, and Twitter, with all content captured to establish a complete regulatory record. Social content is then fully integrated into the archiving solution that you already have in place, thereby eliminating the need to manage multiple supervisory tools for regulatory compliance. This enables the compliance officer to view the entire context of the content in each captured item, enabling fast and efficient compliance review in light of requirements set forth by IIROC and other regulatory entities.

To help demonstrate these benefits, Proofpoint utilizes an established proof-of-concept process that can quickly demonstrate the solution's ease of deployment and on-going hassle-free operation. For more information, or to request a proof-of-concept, please visit http://www.proofpoint.com/products/archive-governance/social-platform


July 29, 2014

Why All the Chatter about Chatter?

One of the information governance surprises from the first half of 2014 has been the emergence of enterprise social. While our typical InfoGov discussions usually focus on compliance officers, legal staff, and records managers, the enterprise social topic (e.g. Salesforce Chatter) has been expanding our discussions into areas involving business intelligence, enterprise apps, collaboration, and sales operations. The reasons behind the broader functional interest in the capture and archiving of Salesforce Chatter are clear, and we summarize them here.

  1. For IT messaging teams, Salesforce is an established system of record and an existing part of the IT fabric, unlike the use of public social media, which requires changes to processes, training, and policies. For IT decision makers, enabling new features on existing applications with known security capabilities, support processes, and existing contracts is significantly easier than deploying emerging, public social channels. Topics of interest have centered on the processes for deployment, as well as understanding what additional on-going burdens are created for IT staff in managing the use of Chatter's collaborative features.
  2. For Sales & Marketing teams, the use of enterprise social increases the value they can gain from this existing asset, whether it is using Chatter to collaborate on multi-national sales opportunities, share customer information with sales channels, or simply use Salesforce to improve communication efficiency with prospects. Sales and marketing management are typically driving the requirements for Salesforce Chatter archiving projects, given the objective of directly impacting productivity and sales results, while sales operations has most typically been asking about administrative impact, user registration, and on-going management processes.
  3. For Compliance teams, most recognize that the use of Chatter creates yet another form of communication that must be controlled. In addition to helping them stay on top of quickly moving regulatory requirements, our discussions have most often focused on what specific Chatter content is captured, how that content is captured (e.g. complete, time slice, incremental), and whether existing compliance tools and processes can be leveraged to address potential regulatory concerns.
  4. For Legal teams, few have indicated that they have existing litigation involving the use of social, but it seems clear to most that the FRCP rules define social media to be as discoverable as any other form of electronically stored information (ESI). In that light, enabling the use of Chatter raises questions of how that information would be identified and collected if requested for eDiscovery, how the method of capture could reduce common concerns over attesting to the authenticity of social content at trial, and what would be required to extract and produce social content that is stored in the cloud.

In spite of the differences in these functional perspectives across industries, we are seeing a consistent pattern where sales & marketing create the compelling business cases and define requirements, which then require sign-off from compliance and legal teams over eDiscovery and regulatory risk. What is clear is that many solutions in the market lack the capabilities to sufficiently address the legal and regulatory concerns, be it:

  • methods used to collect content that are not complete or comprehensive;
  • dependence on manual methods to map social identities to Active Directory information;
  • use of data storage that does not ensure information is stored immutably according to defined retention requirements;
  • data privacy and/or data security capabilities that do not meet internal IT standards;
  • review of social content for regulatory or legal purposes that requires the deployment of new tools and costly, time-consuming data migration.

How Proofpoint Helps To Meet These Requirements

Proofpoint's Archiving for Chatter, a module of the Social Platform for Archiving, is a cloud-based service that is quick to deploy and works seamlessly with the archiving and compliance solution that you already have in place, thereby eliminating the need to manage multiple tools for electronic communication compliance. Proofpoint Archiver for Chatter archives all Chatter-related conversational content by converting user content to email form in real time, so that the record survives even if a user deletes that content. All elements related to a post are captured, including the full conversation thread and all parties involved in the communication. This enables the compliance officer to view the entire context of the content in each captured item, enabling fast and efficient compliance review in light of requirements set forth by the SEC, FINRA, EPA, HIPAA and other regulatory entities.

To help demonstrate these benefits, Proofpoint utilizes an established proof-of-concept process that can quickly demonstrate the solution's ease of deployment and on-going hassle-free operation. For more information, or to request a proof-of-concept, please visit http://www.proofpoint.com/products/archive-governance/social-platform
