Global Best Practices in Email Security, Privacy and Compliance
A new generation of email security solutions is needed to meet the challenges of increased message traffic, fast-growing security threats and evolving global regulations.

Over the last few years, the Sarbanes-Oxley (SOX) Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLBA) and the threats highlighted by the CAN-SPAM Act of 2003 and the Internet Spyware (I-SPY) Prevention Act of 2004 have driven major changes in the systems, processes and security inside organizations.

Some of these regulations are designed to stop the sources of spam, viruses and spyware. Others intend to make companies more responsible for the protection of customers’ privacy and for the safety of critical finance and identity information. All impose increased burdens of accountability: to shareholders for the substance of financial reports; to customers and partners as regards information usage, retention, and notification (particularly in the event that information privacy is compromised); to regulators and auditors for documenting processes used to manage information; and to the courts, in responding to discovery demands.

All have a pronounced effect on corporate email.

While publicly-traded companies are the focus of SOX, financial services, health care and government organizations are at the center of information privacy regulation. But all organizations are under pressure to protect themselves and address increasing internal and external concerns and regulations around privacy, confidentiality and financial reporting. Email, the most-used and most unrestricted medium for business communications, is one important place where the rubber meets the road. The right solutions, along with proactive management, can pay huge dividends in compliance, risk-reduction, and improved efficiency. In this paper, we address both general and industry-specific business regulations and how they impact an organization’s email system.

EMAIL TOUCHES THE HEART OF YOUR ORGANIZATION

Email is about more than just sending messages – it’s often the primary groupware, personal information manager and file-sharing system for workers. In fact, a company’s email taken in aggregate probably contains traces of just about everything important to the company – from proprietary information such as financial reports and strategic executive communications (important to SOX) to sales correspondence and transactional negotiations (subject to SEC or other regulations). It can also include non-public information (NPI) (e.g., healthcare records, financial data, payment-card information) which may be subject to governmental regulations like HIPAA or GLBA, or to a host of emerging state and global regulations as well.

While the primary home of most of this important content may not be email, many employees do use their mailboxes as filing systems. Information also finds its way into the email system as employees communicate with each other or others outside the organization. Accidental forwarding, “reply-to-all” and other common email behaviors can broadcast information and attached files far more widely than intended. These features are periodically implicated in horror stories, such as one reported in early February, 2008, by Katherine Eban at portfolio.com (Conde Nast Publications), in which counsel for Eli Lilly, due to an autocomplete error, accidentally sent documentation of a $1 billion negotiation to a financial reporter at the New York Times.

On the receiving end, copies of critical data and documents may persist, long term, in email inboxes and temporary directories on office PCs, laptops, home computers – even on mobile devices and in the databases of public webmail systems. If unencrypted, senders have no control over the security and confidentiality of this data, and stand perpetually at risk of its exposure.

The lesson is clear: organizations must take notice when this information is found in outgoing email. Unfortunately, unlike other applications and systems in your company that have well-defined authentication and access-control restrictions, email has been mostly unrestricted. Users may send any message they want, with any content they want, to any person they want. For many companies, email is an uncontrolled communication medium where unmanaged business activity—and in some cases, dangerous messages—can travel unchecked. Organizations are coming to recognize how important it is to manage, protect, audit and control outgoing email; and to do so proactively, with an eye to risk-reduction.

The most heavily-regulated industries, of course, have long since gotten the message. Nearly a quarter of US firms with 20,000 or more employees – and the percentage is growing fast, according to Proofpoint and Forrester Consulting – employ people to monitor outbound email communications in real-time. But this solution is both costly and problematic — subject to human error in execution, in reporting, and in possible later testimony. Ultimately, as regulations grow more numerous and complicated and organizations explore new markets, the “live human” approach hits a natural scaling limit – becoming what security expert Bruce Schneier calls “security theatre,” rather than actually reducing or eliminating risk.

Incoming messages, too, contain threats to security and productivity—including viruses, spam and phishing emails. According to email security vendor Proofpoint, spam volumes for many enterprises grew by 400% or more in 2007, and spam typically accounts for 90% of total email volume received by enterprises. Beyond simple security, aggressive control of this huge burden is absolutely required to control liability and manage infrastructure costs. This requirement becomes even more demanding as organizations submit to the need to archive both inbound and outbound email traffic and maintain those archives.

The Proofpoint Solution

Proofpoint provides unified email security, data loss prevention and email archiving solutions. These solutions help enterprises, universities, government organizations and ISPs defend against spam and viruses, prevent leaks of confidential and private information, encrypt sensitive emails and comply with regulations that affect email use. Proofpoint’s solutions employ Proofpoint MLX™ machine learning technology to accurately identify and classify all types of email content. They can be deployed in SaaS (on-demand), appliance, virtual appliance and software implementations. Proofpoint MLX employs advanced statistical techniques to deliver adaptive protection to defend against emerging threats.

Proofpoint offers modular defenses to address all types of inbound and outbound messaging threats—including spam, viruses, acceptable use policy enforcement, email archiving, data loss prevention and compliance with data protection regulations—for both general business and highly-regulated vertical industries. All Proofpoint modules include powerful monitoring, auditing and reporting capabilities. These help managers and auditors monitor and analyze performance and trends over time concerning spam, viruses, confidential information and regulatory compliance.

Here’s a quick summary of Proofpoint’s unique modular capabilities:

Proofpoint Regulatory Compliance™ Module

The Proofpoint Regulatory Compliance module makes it easy to ensure that outbound messages comply with many different types of data protection regulations and best practices, including HIPAA, GLBA and PCI. Pre-defined dictionaries and “smart identifiers” automatically scan for a wide variety of non-public information including PHI (protected health information, as defined by HIPAA) and PFI (personal financial information as defined by GLBA) and let you take appropriate actions on non-compliant communications.

A variety of pre-defined dictionaries are included with Proofpoint Regulatory Compliance. These dictionaries define common protected health information code sets—such as AMA Treatment Codes, CMS Disease Codes, NDC Drug Codes and others—to simplify HIPAA compliance. New dictionaries can also be defined. These dictionaries can support both exact matches as well as regular expressions, which provides the ability to capture important content that might evade exact matching techniques. The Proofpoint Dynamic Update Service™ ensures that installed dictionaries are always up-to-date with the latest codes.

Messages that are identified as containing NPI can be handled using any of Proofpoint’s standard message dispositions including encrypt (see Proofpoint Secure Messaging, below), quarantine, reject, annotate or discard, among many other options.

Proofpoint Digital Asset Security™ Module

The Proofpoint Digital Asset Security module keeps valuable corporate assets and confidential information contained in the body of an email or in its attachments from leaking outside your organization via email and other protocols. It uses Proofpoint MLX™ machine-learning technology to analyze confidential documents and keep them from leaving your organization via email. It uses some of the same advanced statistical techniques applied in Proofpoint’s industry-leading anti-spam engine—widely acknowledged as one of the most accurate systems available.

Organizations can flexibly handle different content categories. A graphical user interface lets you define document categories such as internal memos, draft press releases, organizational charts, price lists and so forth. Each category can have its own level of protection (stop internal memos and monitor organizational charts, for example). Proofpoint Digital Asset Security can be used to secure hundreds of document types including text, Microsoft Word, Microsoft Excel, Adobe PDF, Microsoft PowerPoint and compressed formats including zip, gzip and TAR files.

The Digital Asset Security module is trained to recognize document patterns by the loading or emailing of representative documents by authorized personnel. Putting documents into the system “trains” the module to recognize that document and portions of its contents.

Messages that are identified as containing confidential information can be handled using any of Proofpoint’s standard message dispositions including encrypt, quarantine, reject, annotate, redirect, reply to sender or discard, among other options. For example, an outbound message containing portions of a confidential memo can be quarantined and flagged for review by the appropriate manager.

Proofpoint Content Compliance™ Module

The Proofpoint Content Compliance module allows organizations to define and enforce acceptable use policies for message content and attachments. Proofpoint Content Compliance can be used to identify and prevent a wide variety of inbound and outbound policy violations including offensive language, harassment, file sharing and violations of external regulations. With the Proofpoint Content Compliance module, companies can define policies such as monitoring offensive language, enforcing maximum message size or limiting attachment types. For example, an outbound message containing offensive language can be returned to the sender for review and modification.

Proofpoint Secure Messaging™ Module

Many privacy regulations specify that non-public data must be transmitted in a secure or encrypted format. The Proofpoint Secure Messaging module makes it easy to apply policy-based encryption to outbound messages. Effective secure messaging technologies keep sensitive information private, prevent anyone from tampering with the contents of messages and authenticate the identity of both the sender and recipient. Proofpoint Secure Messaging provides a powerful encryption solution that’s easy to deploy, easy to manage and easy for message senders and recipients to use.

Proofpoint Email Archiving™

Proofpoint Email Archiving is an on-demand solution that lets organizations easily access, search and retrieve archived data in real-time from Proofpoint’s secure, state-of-the-art storage infrastructure. With industry-leading customer service, technology and expertise, Proofpoint offers customers a complete, worry-free way to meet email archiving, legal compliance and Exchange storage management needs.

Proofpoint Spam Detection™ Module

The Proofpoint Spam Detection module is the only enterprise messaging protection solution based on advanced machine-learning techniques. The techniques—developed by researchers and scientists at the Proofpoint Attack Response Center—block the most spam, including phishing attacks and hard-to-detect attachment-based spam, with the least number of false positives by examining hundreds of thousands of email attributes. The solution identifies new types of spam and other malicious messages immediately, unlike traditional anti-spam tools that rely on humans to detect spam manually and encode new rules.

Proofpoint Virus Protection™ and Zero-Hour Anti-Virus™ Modules

The Proofpoint Virus Protection and Proofpoint Zero-Hour Anti-Virus modules allow enterprises to combat the virus threat effectively and efficiently using enterprise-grade virus protection. Leveraging the efficient message handling and robust management services of the Proofpoint processing platform, these solutions offer integrated administration, automatic updates, high-performance message analysis and flexible anti-virus policy management to combat both known and emerging malware threats.

Proofpoint, Inc., 892 Ross Drive, Sunnyvale, CA 94089 USA www.proofpoint.com 1 408 517 4710

EMAIL SECURITY MANDATES

In addition to spam, organizations should focus on the concerns outlined below:

Protection of Non-Public Information

Non-public information (NPI), especially that relating to customers’ personal, financial or health status, has come under the scrutiny of international, federal, state and industry agencies. The European Union’s (EU) Privacy Directive, Japan’s Personal Information Protection Law (PIPL), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the US government’s Gramm-Leach-Bliley Act and California Assembly Bill 1950 (AB 1950), as well as multi-tier emerging industry standards such as PCI for the Payment Card Industry, are just some of the many regulations that address customer privacy protection.

Each approach differs in breadth and specificity. The directives and regulations are often a bit nebulous, although clarification has come over time as findings, case law and interpretations emerge. In the case of industry-sponsored standards, such as PCI, there’s less ambiguity, and requirements for technical compliance are worked out in far greater detail. In all cases, however, to meet requirements, companies must address the danger of passing along private information knowingly or unknowingly within emails.

What is considered non-public information depends on the regulation, jurisdiction and industry. For example, the Gramm-Leach-Bliley Act of 1999 protects consumers’ financial information and is directed at financial institutions. It puts processes in place to control the use of consumers’ private information and includes requirements to secure and protect the data from unauthorized use or access. California’s AB 1950 specifically protects an individual’s last and first names in combination with their social security number, driver’s license number, account or credit card numbers or medical information. HIPAA protects patients’ personal health information from being shared without their consent and from being transmitted electronically without first being encrypted.

Outside the US, additional types of data – including data effectively considered public in US regulation, such as email and physical address — may be deemed private under certain conditions. One example is found in UK 2023, Great Britain’s 2003 Privacy and Electronic Communications (EC) Directive, which states that location information derived from network data may only be used if the user remains anonymous, or to provide a value-added service with the user’s explicit permission. Aimed presumably at regulating the use of wireless networks for tracking, the regulation can also be interpreted to govern email, which can be used to approximately localize a sender by domain and header. The Directive thus has implications both to acceptable business process with regard to email, and to the way different types of information are associated in storage.

Japan’s Personal Information Protection Law (PIPL), effective since 2005, governs any company with a presence in Japan that stores more than 5,000 unique customer records. The Act has been held also to govern overseas firms doing remote electronic business with Japanese customers. Significantly, PIPL defines an email address as private information, so long as a party’s name, hence identity, can be inferred from it (as is the case with many business email addresses). It’s easy to imagine situations where just sending email to an open list (thus letting recipients see one another’s email addresses) might put an organization at risk.

Confidential Information

While companies are required by law to protect customer information, they are also very interested in protecting their own confidential information. Employees may inadvertently (or purposefully) leak internal memos, proprietary secrets, or new product information to the public, competitors or the press through email. In a 2005 report conducted by Radicati Group, over 20% of employees surveyed admitted accidentally sending confidential information to unauthorized recipients. One can assume that the actual figure is much higher. Another big risk to confidentiality, ironically, may entail workers – with the best intentions – using email to send themselves copies of confidential documents to permit working on them at home.

While a phone call or outside discussion cannot be stopped, a content-rich email with supporting company documents can often be more dangerous in the wrong hands. In addition, companies want to protect against the transmission of inappropriate language through their email systems. These kinds of emails can increase a company’s liability and expose it to potentially damaging lawsuits.

Email protection requirements for NPI and confidential information come in two forms:

1. Outgoing email content can be checked for NPI and confidential information, and appropriate action taken. Some of these checks can be performed with standard dictionaries (e.g., of inappropriate language) and simple pattern matching on data such as customer names. Other checks require more sophisticated algorithms that understand the specific formats of financial data such as social security numbers, ABA routing numbers or credit card numbers; and industry-specific data like treatment codes from the American Medical Association (AMA) or disease codes from the Centers for Medicare and Medicaid Services (CMS). Protecting unique proprietary assets (e.g., new product plans) may require a third level of filtration, capable of identifying specific documents or classes of document.

It is important to choose an email security solution that has sophisticated filters and detection algorithms that can rapidly analyze outgoing email for all of these data types, quarantining/blocking and notifying appropriate people (e.g., the corporate security officer) when violations of policy occur. Strong “out of the box” performance on common types of NPI is essential, as is a vendor’s willingness and capability to deliver updates keeping the solution in step with evolving terminology and data formats. Also important: the system should ideally apply filters in context, so as to add as little friction as possible to normal communications. For example, messages containing NPI sent to a partner authorized to receive this class of information might be logged, but not interrupted.
2. Second, the transmission of private and confidential data to partners must occur over encrypted links. This can be done through email transmission security or through specialized products designed to encrypt the contents of an email message. In fact, a combination of several methods – encrypting the pipe, the message body and any attachments – is best. Encrypting the pipe protects the security of communications in transmission. Strong encryption on message-bodies and documents can, in principle, authenticate sender and receiver to one another, and ensure that documents are readable only by their intended recipients.

Encryption limits the risk associated with documents containing NPI or proprietary information that languish in recipient inboxes, or are accidentally forwarded. But use of manual encryption software places significant demands on end-users and complicates process. In general, therefore, it’s wise to choose encryption solutions that are both automated and contextual/policy-based – capable of identifying critical information, noting sender and recipients, and applying appropriate encryption and routing rules automatically.

These days, it’s also critical that systems for filtering, routing and encryption be able to “see” and manage content and communications in multiple formats. Systems that only understand the SMTP (Simple Mail Transfer Protocol) used in standard email will be unable to apply the same policies to webmail communications or web postings traveling via HTTP.

In all cases, centralized management, reporting and auditing are desirable and typically required by one or more industry regulations. The ability to manage policy for filtration, routing, encryption and other disciplines across many devices is essential to protect the complex, permeable network edge of a distributed organization. The need for clear facilities for policy creation and documentation is also critical – providing needed clarity, simplifying communications with legal and other accountable departments, and serving as concrete evidence of due diligence in the event of litigation.

The value of being able to define and administer rules-based policies for email routing, filtering and encryption is amplified many times when global organizations need to comply with foreign regulatory schemes. For example, as noted above, certain types of email content that would be considered non-critical under US regulations might be construed to contain NPI under new UK and Japanese codes – and would require special handling if sent to recipients in these jurisdictions.

Nor is compliance by any means the only goal. Stricter, more pro-consumer privacy regulation in Canada, Europe and Asia is now significantly out-of-step with the ability of many US firms to protect customer privacy, either because of infrastructure and processes tuned to comply with US regulations, or because data housed on US soil is subject to search under Homeland Security provisions. For organizations coming up against these barriers, adoption of infrastructure capable of routing, filtering and archiving email traffic (perhaps overseas) can be a powerful enabler.

FINANCIAL REPORTING

The Sarbanes-Oxley Act of 2002 has arguably garnered the most attention of all regulations. This is primarily due to the publicity surrounding various public accounting scandals, as well as the very personal requirements on and potential penalties against CEOs and CFOs. Since April 15, 2005, all U.S. public companies are required to be in compliance.

Sarbanes-Oxley requires that companies identify and document the processes employed to collect information used to build their financial reports. It says that the company’s financial leadership—the CEO and CFO—must review annual and quarterly financial reports to ensure the information they contain is complete and correct. These reports must have effective disclosure controls and procedures and must define and explain how financial information is stored, managed and communicated. Sarbanes-Oxley also requires that external public auditors review these procedures.

Since email is such a common communication tool, any robust Sarbanes-Oxley plan must include the management of the corporate email system along with the incoming and outgoing emails themselves. Email sent around end-of-quarter or end-of-year financial preparation should be monitored and audited. Companies should also archive email relevant to financial report generation. Such goals are best achieved via a two-pronged approach, combining robust email archiving with proactive email security, working in tandem in a policy-managed framework.

SECURITY AND PRODUCTIVITY THREATS

While regulations have forced companies into action around customer privacy, other regulations addressing the sources of spam, viruses and spyware problems have not been as successful. Companies must take their own actions to combat the increasing threats posed by messages containing this rogue content and to stop directed denial of service and directory harvest attacks on their email systems.

Security and productivity threats attack the foundation of an email system by increasing the negative impact of email. Email-borne viruses can bypass corporate firewalls and attack desktop machines that may not have the latest virus definition update. Once the intruder gains a foothold, a Trojan horse contained within many viruses can launch further attacks from inside the company. These attacks can compromise or destroy an organization’s data. And spam, if left unchecked, can paralyze email users with mailbox noise that decreases productivity and sometimes leads users to turn away from email.

While companies are on their own to determine the right approach to this problem, some guidance exists. The ISO Security Standard (ISO 17799), an international standard addressing general security with sections affecting email, and the Federal Information Security Management Act of 2002 (FISMA), targeted at government projects, have compliance recommendations and requirements. In some cases, such as when doing international business, a company may be asked to meet ISO recommendations, and government agencies will need to address FISMA compliance when implementing email security.

Email administrators must address these threats at the perimeter before they affect end users or internal mail servers. A perimeter email security solution can stop directed attacks, remove viruses and stop spam while letting legitimate messages through.

Perimeter security can also be applied to defend against so-called “zero day” virus and malware attacks – the critical hours or days following identification of a threat, but before deterministic virus signatures have been distributed. Perimeter security can also play a critical role in preserving service availability during Distributed Denial-of-Service (DDoS) attacks (by rapidly blocking communications in threatening formats or from suspect IP addresses).

Non-public Information Checklist

1. Define the NPI that must be managed in your company, industry and countries where you do business. Start with the simple use cases first.
2. Identify all data stores, documents and applications containing non-public information on customers.
3. Identify all data stores, documents and applications containing confidential information.
4. Identify where combinations of identification (e.g., last name, first name) and personal information (e.g., social security number, credit card numbers) are kept.
5. Identify partner companies with which you share NPI.
6. Identify policies and procedures you will enforce around NPI.
7. Define your reporting and auditing approach around NPI.
8. Define your periodic review process designed to keep your policies and procedures up-to-date with current conditions.

LESSONS LEARNED IN VERTICAL INDUSTRIES

All organizations must address the issues above, but certain highly regulated industries like financial services and health care put additional restrictions on member companies. In addition, the public sector has added pressure that comes from its own regulations and its position in the public eye. Even if you aren’t in government or one of these industries, read on, because similar regulations to those found here will likely trickle down to your industry sometime soon.

Financial Services

With financial service companies increasing their offerings and their audience, email has become an important sales (offering notice, new investment vehicles) and customer service (confirm trades, account changes, service updates) tool to reduce costs and increase the effectiveness of client interactions. Email also plays a vital role in communications within financial services companies—to send around stock reports, investment performance and news updates, for example.

When it comes to the regulation of money, everyone takes notice. In the financial services industry, international and federal regulations like the Basel II Accord governing business continuity, risk management and bank supervision and the Gramm-Leach-Bliley Act addressing customer privacy stand alongside more focused regulations from the New York Stock Exchange (NYSE), National Association of Securities Dealers (NASD) and requirements from the U.S. Securities and Exchange Commission (SEC) to create an overabundance of electronic dictates.

With the deregulation that has occurred over the last several years in the financial services industry, companies must still pay close attention to existing and new regulations. NASD has numerous regulations that restrict how financial services firms can sell and market investment offerings. The SEC publishes guidance on the use of electronic media by operating companies, investment companies and municipal securities issuers, as well as market intermediaries. The SEC restricts forward-looking statements during certain time periods and enforces quiet periods that restrict what a company can say publicly after it files a registration statement.

In order to meet the mesh of requirements, companies must deploy a centralized email security solution that can monitor inbound and outbound communications. In addition to protecting customer information, financial services companies must monitor and stop zealous sales people from sending email that might be interpreted as breaking NASD rules. In addition, companies must create policies to control email communications during quiet periods and around SEC filing periods.

In the wake of the recent subprime mortgage scandal, it seems certain that regulatory pressures to apply such protections can only increase.

Health Care

Any discussion of email security in the health care industry starts with the Health Insurance Portability and Accountability Act (HIPAA). Health care has traditionally been a paper-based industry, with patient records and health insurance forms completed manually. However, with tightening regulations brought about by HIPAA around patient privacy, and increasing competitive pressures, health care providers have implemented new electronic systems rather than incurring the enormous costs of patching antiquated records systems. With the move to electronic information, email has become a more important communication medium inside companies and among health care providers, insurance companies and patients.

There are many potential applications. Email can be an excellent means for the electronic exchange of health-related information such as patient records, medical images and referral assessments. Electronic medical information systems with access to comprehensive medical records can alert care givers via email when critical health factors are uncovered. Email and other electronic applications can significantly decrease the costs associated with patient management issues such as appointment scheduling, referrals, invoicing and billing workflows.

Email security must honor the protection of patient health information. The typical requirement is that communications with business partners (that contain protected health information, or PHI) be handled via encryption. Email destined for other recipients should not contain patient health information. The email security solution should search the body of the message for occurrences of patient names (and other personal identifiers, such as Social Security Numbers) along with related health terms. To keep up with the ever-changing health codes, email solutions should have dynamically updated dictionaries that define common protected health information code sets—such as AMA treatment codes and CMS (Center for Medicare and Medicaid Services) disease codes. This will simplify HIPAA compliance and protect against patient or class-action lawsuits.

Public Sector

E-government initiatives abound as government agencies attempt to leverage new breakthroughs in data and communications technology. While many of these projects involve portals for better customer service to constituents, some efforts have also leveraged email as a way to contact individual citizens or large groups. The government must constantly talk to its citizens for many reasons. For example, the Freedom of Information Act compels federal agencies to disclose records requested in writing by any person. This can be done effectively in many cases using email. Interagency communication is also more important than ever, as evidenced at the highest levels in our homeland security efforts as the CIA, FBI and other security teams come together electronically. Email was born in the academic, scientific and military communities because collaboration leads to better results. Now, even the more traditional government agencies are using email.

The Federal Information Security Management Act of 2002 (FISMA), created by the National Institute of Standards and Technology (NIST), requires federal agencies and their partners to establish consistent, risk-based security programs. While FISMA does not call out email directly, its parts address the oversight and management of information security risks, which certainly includes those risks posed by email. FISMA leaves the selection of specific solutions in the hands of individual agencies.

The public sector has perhaps even greater email security needs than public companies. Government is a high-profile target and local, state and federal agencies remain quite visible as an indicator of stability. Attacks on government Web sites have been front-page news whenever they occur. Trust and confidence are key issues for police, fire and those in the public eye — especially in the face of emergencies. Public communication can be compromised by breaches emanating from security lapses, viruses or excessive spam.

Email security solutions must protect the email systems used by government agencies and universities and the email sent through them. All solutions must be assessed based on FISMA compliance. Government agencies should monitor the content of all outgoing email, especially messages being sent to large groups of constituents, since inappropriate or disturbing email from a government sender will have a pronounced impact.

Electronic Discovery, Compliance and Storage Management

Increased regulatory pressure – plus the fact that email and other electronically stored documents are now routinely presented as evidence in courts of law – has by now compelled most larger companies to implement email archiving. Solutions have, in many cases, become problematic for several reasons. It’s costly to provide continually expanding storage. And many archiving solutions are not sufficiently user-friendly and efficient in managing retention policy, or producing documents on demand by the courts.
To ensure litigation readiness, both legal and IT depart- Email archiving solutions—which securely store a copy of ments must address the management of electronic commu- every legitimate (non-spam) email sent and received—can help nications in their organization. Without the right tools in address ongoing email storage issues by greatly reducing the place, collecting, processing and reviewing electronic data for storage load on the email server. They can eliminate the risks e-discovery can be time-consuming, expensive and expose a associated with end-users archiving email locally (e.g., in Out- business to significant legal risks. look PST files) while still allowing end-users to quickly retrieve copies of their messages and attachments from the archive. To effectively prepare for litigation, legal professionals must have some understanding of the technology required CONCLUSION to store and retrieve electronic documents. Similarly, IT The take-away, here, is that securing inbound email – while professionals must be familiar with the laws and regula- challenging enough – is less difficult than maintaining com- tions that impact their organizations. The most signifi- pliance on the outbound side with complex, overlapping and cant and widespread of those regulations are the Federal in some cases conflicting regulations on privacy, transactional Rules of Civil Procedure (FRCP), which apply to any ethics and corporate governance. Reporting and process business that may be engaged in federal litigation. These documentation add further complexity to this equation, as rules clearly outline expectations for businesses to apply does the challenge of making appropriate information readily a consistent retention policy for email, enforce litigation accessible in response to discovery demands, in documenting holds and produce relevant or requested email evidence in due-diligence, and in defending against litigation. a timely manner. 
Selection of tools is absolutely critical for achieving real From Sarbanes-Oxley to SEC rules, numerous legisla- risk reduction. A single, modular system – rather than tive requirements have been introduced that dictate how discrete point solutions – is required to maintain manage- electronic records are retained and retrieved. Organizations ability. And this system should be made available in a range that fail to meet regulatory compliance requirements can face of deployment formats that serve your IT strategy for each significant risks including large fines and prison sentences, location. The solution you invest in must provide both the plus serious, long term damage to their corporate reputations. functionality you need – machine-learning, filtration, notifi- To meet these requirements, organizations should consider cation, policy-managed routing, encryption, archiving – but deploying an email archiving solution that allows them to also the ability to compose, document and manage policy consistently enforce email retention policies. from the top down, and reporting that’s comprehensive and meaningful both to IT and to general management: in par- Beyond the discovery and compliance motivations for ticular to upper management and legal personnel accountable email archiving, as email volume and attachment sizes for compliance and risk reduction. n continue to grow, the burden on storage also increases. Since corporate email servers weren’t designed to store large vol- umes of data for extended periods of time, overloading them For more information, visit can result in significant performance issues and prohibitively http://www.proofpoint.com long backup windows. Proofpoint, Inc., 892 Ross Drive, Sunnyvale, CA 94089 USA www.proofpoint.com 1 408 517 4710
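The outbound PHI rule from the Health Care section (flag a message only when a patient identifier co-occurs with a health term, encrypt it for business partners, block it for anyone else, and keep the term dictionary updatable) as an added Python example; this is not code from the paper or from Proofpoint, and the term lists, patient names, partner domains and sample messages are constructed for the demonstration.

```python
import re

# Constructed dictionaries for the demonstration; a production gateway would load
# vendor-maintained, regularly refreshed code sets (AMA, CMS) in place of these.
PHI_TERMS = {"diagnosis", "oncology", "chemotherapy", "prescription", "hiv"}
PATIENT_NAMES = {"jane doe", "john roe"}      # assumed: fed from the patient index
PARTNER_DOMAINS = {"insurer.example", "clinic-partner.example"}  # assumed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # US Social Security Number shape

def load_code_set(terms):
    """Add newly published health terms so the dictionary stays current."""
    PHI_TERMS.update(t.lower() for t in terms)

def detect_phi(body):
    """Return (identifiers, health_terms) found in a message body."""
    text = body.lower()
    identifiers = SSN_RE.findall(body) + sorted(n for n in PATIENT_NAMES if n in text)
    terms = sorted(t for t in PHI_TERMS
                   if re.search(r"\b" + re.escape(t) + r"\b", text))
    return identifiers, terms

def route_message(recipient, body):
    """Outbound decision: 'deliver', 'encrypt' or 'block'.

    PHI is flagged only when an identifier and a health term co-occur, so an
    SSN in a payroll note, or 'prescription' on its own, does not trip the
    policy. Partners get PHI encrypted; every other recipient is blocked.
    """
    identifiers, terms = detect_phi(body)
    if not (identifiers and terms):
        return "deliver"
    domain = recipient.rsplit("@", 1)[-1].lower()
    return "encrypt" if domain in PARTNER_DOMAINS else "block"

# Constructed sample outbound messages (recipient, body).
SAMPLE_MESSAGES = [
    ("claims@insurer.example", "Jane Doe, SSN 123-45-6789, oncology referral attached."),
    ("reporter@news.example", "FYI: John Roe started chemotherapy last week."),
    ("payroll@corp.example", "Updated W-2 for 987-65-4321 is on the shared drive."),
]

def scan_outbound(messages):
    """Apply the policy to each message and return (recipient, action) pairs."""
    return [(rcpt, route_message(rcpt, body)) for rcpt, body in messages]

if __name__ == "__main__":
    for rcpt, action in scan_outbound(SAMPLE_MESSAGES):
        print(f"{action:8} {rcpt}")
```

The three samples exercise each branch: the partner message is encrypted, the message to a news domain is blocked, and the payroll note containing only an SSN is delivered because no health term accompanies it.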