Global Best Practices in Email Security, Privacy and Compliance


A new generation of email security solutions is needed to meet the challenges of increased message traffic, fast-growing security threats and evolving global regulations. Over the last few years, the Sarbanes-Oxley (SOX) Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLBA) and the threats highlighted by the CAN-SPAM Act of 2003 and the Internet Spyware (I-SPY) Prevention Act of 2004 have driven major changes in the systems, processes and security inside organizations. Some of these regulations are designed to stop the sources of spam, viruses and spyware. Others intend to make companies more responsible for the protection of customers’ privacy and for the safety of critical finance and identity information. All impose increased burdens of accountability: to shareholders for the substance of financial reports; to customers and partners as regards information usage, retention, and notification (particularly in the event that information privacy is compromised); to regulators and auditors for documenting processes used to manage information; and to the courts, in responding to discovery demands.

All have a pronounced effect on corporate email. While publicly-traded companies are the focus of SOX, financial services, health care and government organizations are at the center of information privacy regulation. But all organizations are under pressure to protect themselves and address increasing internal and external concerns and regulations around privacy, confidentiality and financial reporting. Email, the most-used and most unrestricted medium for business communications, is one important place where the rubber meets the road. The right solutions, along with proactive management, can pay huge dividends in compliance, risk-reduction, and improved efficiency. In this paper, we address both general and industry-specific business regulations and how they impact an organization’s email system.

EMAIL TOUCHES THE HEART OF YOUR ORGANIZATION

Email is about more than just sending messages – it’s often the primary groupware, personal information manager and file-sharing system for workers. In fact, a company’s email taken in aggregate probably contains traces of just about everything important to the company – from proprietary information such as financial reports and strategic executive communications (important to SOX) to sales correspondence and transactional negotiations (subject to SEC or other regulations). It can also include non-public information (NPI) (e.g., healthcare records, financial data, payment-card information) which may be subject to governmental regulations like HIPAA or GLBA, or to a host of emerging state and global regulations as well.

While the primary home of most of this important content may not be email, many employees do use their mailboxes as filing systems. Information also finds its way into the email system as employees communicate with each other or others outside the organization. Accidental forwarding, “reply-to-all” and other common email behaviors can broadcast information and attached files far more widely than intended. These features are periodically implicated in horror stories, such as one reported in early February, 2008, by Katherine Eban at (Conde Nast Publications), in which counsel for Eli Lilly, due to an autocomplete error, accidentally sent documentation of a $1 billion negotiation to a financial reporter at the New York Times. On the receiving end, copies of critical data and documents may persist, long term, in email inboxes and temporary directories on office PCs, laptops, home computers – even on mobile devices and in the databases of public webmail systems. If unencrypted, senders have no control over the security and confidentiality of this data, and stand perpetually at risk of its exposure. The lesson is clear: organizations must take notice when this information is found in outgoing email.

Unfortunately, unlike other applications and systems in your company that have well-defined authentication and access-control restrictions, email has been mostly unrestricted. Users may send any message they want, with any content they want, to any person they want. For many companies, email is an uncontrolled communication medium where unmanaged business activity—and in some cases, dangerous messages—can travel unchecked. Organizations are coming to recognize how important it is to manage, protect, audit and control outgoing email; and to do so proactively, with an eye to risk-reduction. The most heavily-regulated industries, of course, have long since gotten the message. Nearly a quarter of US firms with 20,000 or more employees – and the percentage is growing fast, according to Proofpoint and Forrester Consulting – employ people to monitor outbound email communications in real time. But this solution is both costly and problematic — subject to human error in execution, in reporting, and in possible later testimony. Ultimately, as regulations grow more numerous and complicated and organizations explore new markets, the “live human” approach hits a natural scaling limit – becoming what security expert Bruce Schneier calls “security theatre,” rather than actually reducing or eliminating risk.

Incoming messages, too, contain threats to security and productivity—including viruses, spam and phishing emails. According to email security vendor Proofpoint, spam volumes for many enterprises grew by 400% or more in 2007, and spam typically accounts for 90% of total email volume received by enterprises. Beyond simple security, aggressive control of this huge burden is absolutely required to control liability and manage infrastructure costs. This requirement becomes even more demanding as organizations submit to the need to archive both inbound and outbound email traffic and maintain those archives.

The Proofpoint Solution

Proofpoint provides unified email security, data loss prevention and email archiving solutions. These solutions help enterprises, universities, government organizations and ISPs defend against spam and viruses, prevent leaks of confidential and private information, encrypt sensitive emails and comply with regulations that affect email use. Proofpoint’s solutions employ Proofpoint MLX™ machine learning technology to accurately identify and classify all types of email content. They can be deployed in SaaS (on-demand), appliance, virtual appliance and software implementations. Proofpoint MLX employs advanced statistical techniques to deliver adaptive protection to defend against emerging threats. Proofpoint offers modular defenses to address all types of inbound and outbound messaging threats—including spam, viruses, acceptable use policy enforcement, email archiving, data loss prevention and compliance with data protection regulations—for both general business and highly-regulated vertical industries. All Proofpoint modules include powerful monitoring, auditing and reporting capabilities. These help managers and auditors monitor and analyze performance and trends over time concerning spam, viruses, confidential information and regulatory compliance. Here’s a quick summary of Proofpoint’s modular capabilities:

Proofpoint Regulatory Compliance™ Module

The Proofpoint Regulatory Compliance module makes it easy to ensure that outbound messages comply with many different types of data protection regulations and best practices, including HIPAA, GLBA and PCI. Pre-defined dictionaries and “smart identifiers” automatically scan for a wide variety of non-public information including PHI (protected health information, as defined by HIPAA) and PFI (personal financial information as defined by GLBA) and let you take appropriate actions on non-compliant communications. A variety of pre-defined dictionaries are included with Proofpoint Regulatory Compliance. These dictionaries define common protected health information code sets—such as AMA Treatment Codes, CMS Disease Codes, NDC Drug Codes and others—to simplify HIPAA compliance. New dictionaries can also be defined. These dictionaries can support both exact matches as well as regular expressions, which provides the ability to capture important content that might evade exact matching techniques. The Proofpoint Dynamic Update Service™ ensures that installed dictionaries are always up-to-date with the latest codes.

Messages that are identified as containing NPI can be handled using any of Proofpoint’s standard message dispositions including encrypt (see Proofpoint Secure Messaging, below), quarantine, reject, annotate or discard, among many other options.

Proofpoint Digital Asset Security™ Module

The Proofpoint Digital Asset Security module keeps valuable corporate assets and confidential information contained in the body of an email or in its attachments from leaking outside your organization via email and other protocols. It uses Proofpoint MLX™ machine-learning technology to analyze confidential documents and keep them from leaving your organization via email. It uses some of the same advanced statistical techniques applied in Proofpoint’s industry-leading anti-spam engine— widely acknowledged as one of the most accurate systems available. Organizations can flexibly handle different content categories. A graphical user interface lets you define document categories such as internal memos, draft press releases, organizational charts, price lists and so forth. Each category can have its own level of protection (stop internal memos and monitor organizational charts, for example). Proofpoint Digital Asset Security can be used to secure hundreds of unique document types including text, Microsoft Word, Microsoft Excel, Adobe PDF, Microsoft PowerPoint and compressed formats including zip, gzip and TAR files. The Digital Asset Security module is trained to recognize document patterns by the loading or emailing of representative documents by authorized personnel. Putting documents into the system “trains” the module to recognize that document and portions of its contents. Messages that are identified as containing confidential information can be handled using any of Proofpoint’s standard message dispositions including encrypt, quarantine, reject, annotate, redirect, reply to sender or discard, among other options. For example, an outbound message containing portions of a confidential memo can be quarantined and flagged for review by the appropriate manager.

Proofpoint Content Compliance™ Module

The Proofpoint Content Compliance module allows organizations to define and enforce acceptable use policies for message content and attachments. Proofpoint Content Compliance can be used to identify and prevent a wide variety of inbound and outbound policy violations including offensive language, harassment, file sharing and violations of external regulations. With the Proofpoint Content Compliance module, companies can define policies such as monitoring offensive language, enforcing maximum message size or limiting attachment types. For example, an outbound message containing offensive language can be returned to the sender for review and modification.

Proofpoint Secure Messaging™ Module

Many privacy regulations specify that non-public data must be transmitted in a secure or encrypted format. The Proofpoint Secure Messaging module makes it easy to apply policy-based encryption to outbound messages. Effective secure messaging technologies keep sensitive information private, prevent anyone from tampering with the contents of messages and authenticate the identity of both the sender and recipient. Proofpoint Secure Messaging provides a powerful encryption solution that’s easy to deploy, easy to manage and easy for message senders and recipients to use.

Proofpoint Email Archiving™

Proofpoint Email Archiving is an on-demand solution that lets organizations easily access, search and retrieve archived data in real-time from Proofpoint’s secure, state-of-the-art storage infrastructure. With industry-leading customer service, technology and expertise, Proofpoint offers customers a complete, worry-free way to meet email archiving, legal compliance and Exchange storage management needs.

Proofpoint Spam Detection™ Module

The Proofpoint Spam Detection module is the only enterprise messaging protection solution based on advanced machine-learning techniques. The techniques—developed by researchers and scientists at the Proofpoint Attack Response Center—block the most spam, including phishing attacks and hard-to-detect attachment-based spam, with the least number of false positives by examining hundreds of thousands of email attributes. The solution identifies new types of spam and other malicious messages immediately, unlike traditional anti-spam tools that rely on humans to detect spam manually and encode new rules.

Proofpoint Virus Protection™ and Zero-hour Anti-virus™ Modules

The Proofpoint Virus Protection and Proofpoint Zero-Hour Anti-Virus modules allow enterprises to combat the virus threat effectively and efficiently using enterprise-grade virus protection. Leveraging the efficient message handling and robust management services of the Proofpoint processing platform, these solutions offer integrated administration, automatic updates, high-performance message analysis and flexible anti-virus policy management to combat both known and emerging malware threats.

Proofpoint, Inc., 892 Ross Drive, Sunnyvale, CA 94089 USA 1 408 517 4710

EMAIL SECURITY MANDATES

In addition to spam, organizations should focus on the concerns outlined below:

Protection of Non-Public Information

Non-public information (NPI), especially that relating to customers’ personal, financial or health status, has come under the scrutiny of international, federal, state and industry agencies. The European Union’s (EU) Privacy Directive, Japan’s Personal Information Protection Law (PIPL), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the US government’s Gramm-Leach-Bliley Act and California Assembly Bill 1950 (AB 1950), as well as multi-tier emerging industry standards such as PCI for the Payment Card Industry, are just some of the many regulations that address customer privacy protection. Each approach differs in breadth and specificity. The directives and regulations are often a bit nebulous, although clarification has come over time as findings, case law and interpretations emerge. In the case of industry-sponsored standards, such as PCI, there’s less ambiguity, and requirements for technical compliance are worked out in far greater detail. In all cases, however, to meet requirements, companies must address the danger of passing along private information knowingly or unknowingly within emails.

What is considered non-public information depends on the regulation, jurisdiction and industry. For example, the Gramm-Leach-Bliley Act of 1999 protects consumers’ financial information and is directed at financial institutions. It puts processes in place to control the use of consumers’ private information and includes requirements to secure and protect the data from unauthorized use or access. California’s AB 1950 specifically protects an individual’s last and first names in combination with their social security number, driver’s license number, account or credit card numbers or medical information. HIPAA protects patients’ personal health information from being shared without their consent and from being transmitted electronically without first being encrypted. Outside the US, additional types of data – including data effectively considered public in US regulation, such as email and physical address — may be deemed private under certain conditions. One example is found in Great Britain’s 2003 Privacy and Electronic Communications (EC) Directive, which states that location information derived from network data may only be used if the user remains anonymous, or to provide a value-added service with the user’s explicit permission. Aimed presumably at regulating the use of wireless networks for tracking, the regulation can also be interpreted to govern email, which can be used to approximately localize a sender by domain and header. The Directive thus has implications both to acceptable business process with regard to email, and to the way different types of information are associated in storage. Japan’s Personal Information Protection Law (PIPL), effective since 2005, governs any company with a presence in Japan that stores more than 5,000 unique customer records. The Act has been held also to govern overseas firms doing remote electronic business with Japanese customers. Significantly, PIPL defines an email address as private information, so long as a party’s name, hence identity, can be inferred from it (as is the case with many business email addresses). It’s easy to imagine situations where just sending email to an open list (thus letting recipients see one another’s email addresses) might put an organization at risk.

Confidential Information

While companies are required by law to protect customer information, they are also very interested in protecting their own confidential information. Employees may inadvertently (or purposefully) leak internal memos, proprietary secrets, or new product information to the public, competitors or the press through email. In a 2005 report conducted by Radicati Group, over 20% of employees surveyed admitted accidentally sending confidential information to unauthorized recipients. One can assume that the actual figure is much higher. Another big risk to confidentiality, ironically, may entail workers – with the best intentions – using email to send themselves copies of confidential documents to permit working on them at home. While a phone call or outside discussion cannot be stopped, a content-rich email with supporting company documents can often be more dangerous in the wrong hands. In addition, companies want to protect against the transmission of inappropriate language through their email systems. These kinds of emails can increase a company’s liability and expose it to potentially damaging lawsuits.

Email protection requirements for NPI and confidential information come in two forms:

1. Outgoing email content can be checked for NPI and confidential information, and appropriate action taken. Some of these checks can be performed with standard dictionaries (e.g., of inappropriate language) and simple pattern matching on data such as customer names. Other checks require more sophisticated algorithms that understand the specific formats of financial data such as social security numbers, ABA routing numbers or credit card numbers; and industry-specific data like treatment codes from the American Medical Association (AMA) or disease codes from the Centers for Medicare and Medicaid Services (CMS). Protecting unique proprietary assets (e.g., new product plans) may require a third level of filtration, capable of identifying specific documents or classes of document.

It is important to choose an email security solution that has sophisticated filters and detection algorithms that can rapidly analyze outgoing email for all of these data types, quarantining/blocking and notifying appropriate people (e.g., the corporate security officer) when violations of policy occur. Strong “out of the box” performance on common types of NPI is essential, as is a vendor’s willingness and capability to deliver updates keeping the solution in step with evolving terminology and data formats. Also important: the system should ideally apply filters in context, so as to add as little friction as possible to normal communications. For example, messages containing NPI sent to a partner authorized to receive this class of information might be logged, but not interrupted.

2. The transmission of private and confidential data to partners must occur over encrypted links. This can be done through email transmission security or through specialized products designed to encrypt the contents of an email message. In fact, a combination of several methods – encrypting the pipe, the message body and any attachments – is best. Encrypting the pipe protects the security of communications in transmission. Strong encryption on message-bodies and documents can, in principle, authenticate sender and receiver to one another, and ensure that documents are readable only by their intended recipients. Encryption limits the risk associated with documents containing NPI or proprietary information that languish in recipient inboxes, or are accidentally forwarded. But use of manual encryption software places significant demands on end-users and complicates process. In general, therefore, it’s wise to choose encryption solutions that are both automated and contextual/policy-based – capable of identifying critical information, noting sender and recipients, and applying appropriate encryption and routing rules automatically. These days, it’s also critical that systems for filtering, routing and encryption be able to “see” and manage content and communications in multiple formats. Systems that only understand the SMTP (Simple Mail Transport Protocol) used in standard email will be unable to apply the same policies to webmail communications or web postings traveling via HTTP. In all cases, centralized management, reporting and auditing are desirable and typically required by one or more industry regulations. The ability to manage policy for filtration, routing, encryption and other disciplines across many devices is essential to protect the complex, permeable network edge of a distributed organization.

The need for clear facilities for policy creation and documentation is also critical – providing needed clarity, simplifying communications with legal and other accountable departments, and serving as concrete evidence of due diligence in the event of litigation. The value of being able to define and administer rules-based policies for email routing, filtering and encryption is amplified many times when global organizations need to comply with foreign regulatory schemes. For example, as noted above, certain types of email content that would be considered non-critical under US regulations might be construed to contain NPI under new UK and Japanese codes – and would require special handling if sent to recipients in these jurisdictions. Nor is compliance by any means the only goal. Stricter, more pro-consumer privacy regulation in Canada, Europe and Asia is now significantly out-of-step with the ability of many US firms to protect customer privacy, either because of infrastructure and processes tuned to comply with US regulations, or because data housed on US soil is subject to search under Homeland Security provisions. For organizations coming up against these barriers, adoption of infrastructure capable of routing, filtering and archiving email traffic (perhaps overseas) can be a powerful enabler.
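To make the two requirements above concrete, here is an added example in Python (not the paper's or any Proofpoint product's code): format-aware identifiers for social security numbers, payment cards (Luhn check) and ABA routing numbers (checksum), a small dictionary, and the contextual disposition the text describes, where NPI sent to an authorized partner is encrypted and logged rather than interrupted, while NPI to anyone else is quarantined. The partner domain, the health-term dictionary and the three messages are constructed assumptions for this illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: recipient domains cleared by policy to receive NPI (constructed).
AUTHORIZED_PARTNERS = {"partner-bank.example"}
# Assumption: a tiny stand-in for the health-term dictionaries the text describes.
HEALTH_TERMS = {"diagnosis", "chemotherapy", "hba1c"}

# Format-aware identifiers: an SSN is not just any nine digits, and a card or
# routing number must also pass its checksum before it counts as a hit.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
ABA_RE = re.compile(r"\b\d{9}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeated; sum divisible by 10."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]  # never log the full identifier


def scan_text(text: str) -> list:
    """Return (kind, masked value) for each NPI hit in the text."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", mask(digits)))
    for m in ABA_RE.finditer(text):
        if aba_ok(m.group()):
            hits.append(("aba_routing", mask(m.group())))
    for word in re.findall(r"[A-Za-z0-9]+", text):
        if word.lower() in HEALTH_TERMS:
            hits.append(("health_term", word))
    return hits


def message_text(msg) -> str:
    """Subject plus every text/plain part; attachments would need their own parsers."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def recipient_domains(msg) -> set:
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in addrs if "@" in addr}


def evaluate(raw_message: str) -> dict:
    """No NPI: deliver. NPI only to authorized partners: encrypt and log, do not
    interrupt. NPI to anyone else: quarantine for review by the security officer."""
    msg = message_from_string(raw_message)
    hits = scan_text(message_text(msg))
    domains = recipient_domains(msg)
    if not hits:
        disposition = "deliver"
    elif domains and domains <= AUTHORIZED_PARTNERS:
        disposition = "encrypt_and_log"
    else:
        disposition = "quarantine"
    return {"disposition": disposition, "findings": hits}


# Constructed sample messages (219-09-9999 is a never-issued SSA example number;
# 4111... is a well-known test card number; the routing number is made up).
PARTNER_MSG = """From: analyst@corp.example
To: Loans Desk <loans@partner-bank.example>
Subject: Wire instructions for applicant

Applicant SSN 219-09-9999, routing number 123456780.
"""
EXTERNAL_MSG = """From: rep@corp.example
To: someone@webmail.example
Cc: loans@partner-bank.example
Subject: Card on file

Please charge 4111 1111 1111 1111 for the balance.
"""
CLEAN_MSG = """To: buddy@corp.example
Subject: Lunch?

Noon at the usual place?
"""
```

The same scanner can be pointed at webmail or HTTP postings once their text is extracted, which is the multi-format coverage the text calls for.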

FINANCIAL REPORTING

The Sarbanes-Oxley Act of 2002 has arguably garnered the most attention of all regulations. This is primarily due to the publicity surrounding various public accounting scandals, as well as the very personal requirements on and potential penalties against CEOs and CFOs. Since April 15, 2005, all U.S. public companies are required to be in compliance. Sarbanes-Oxley requires that companies identify and document the processes employed to collect information used to build their financial reports. It says that the company’s financial leadership—the CEO and CFO—must review annual and quarterly financial reports to ensure the information they contain is complete and correct. These reports must have effective disclosure controls and procedures and must define and explain how financial information is stored, managed and communicated. Sarbanes-Oxley also requires that external public auditors review these procedures. Since email is such a common communication tool, any robust Sarbanes-Oxley plan must include the management of the corporate email system along with the incoming and outgoing emails themselves. Email sent around end-of-quarter or end-of-year financial preparation should be monitored and audited. Companies should also archive email relevant to financial report generation. Such goals are best achieved via a two-pronged approach, combining robust email archiving with proactive email security, working in tandem in a policy-managed framework.

SECURITY AND PRODUCTIVITY THREATS

While regulations have forced companies into action around customer privacy, other regulations addressing the sources of spam, viruses and spyware problems have not been as successful. Companies must take their own actions to combat the increasing threats posed by messages containing this rogue content and to stop directed denial of service and directory harvest attacks on their email systems. Security and productivity threats attack the foundation of an email system by increasing the negative impact of email. Email-borne viruses can bypass corporate firewalls and attack desktop machines that may not have the latest virus definition update. Once the intruder gains a foothold, a Trojan horse contained within many viruses can launch further attacks from inside the company. These attacks can compromise or destroy an organization’s data. And spam, if left unchecked, can paralyze email users with mailbox noise that decreases productivity and sometimes leads users to turn away from email.

While companies are on their own to determine the right approach to this problem, some guidance exists. The ISO Security Standard (ISO 17799), an international standard addressing general security with sections affecting email, and the Federal Information Security Management Act of 2002 (FISMA), targeted at government projects, have compliance recommendations and requirements. In some cases, such as when doing international business, a company may be asked to meet ISO recommendations, and government agencies will need to address FISMA compliance when implementing email security. Email administrators must address these threats at the perimeter before they affect end users or internal mail servers. A perimeter email security solution can stop directed attacks, remove viruses and stop spam while letting legitimate messages through. Perimeter security can also be applied to defend against so-called “zero day” virus and malware attacks – the critical hours or days following identification of a threat, but before deterministic virus signatures have been distributed. Perimeter security can also play a critical role in preserving service availability during Distributed Denial-of-Service (DDoS) attacks (by rapidly blocking communications in threatening formats or from suspect IP addresses).
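As an added illustration of the perimeter-side detection described above (not part of the paper or any Proofpoint product), the following Python spots a directory harvest attack in MTA logs: one client probing many distinct non-existent recipients within a short window, which a single mistyped address never does. The Postfix-style "User unknown" log format is an assumption, and the log lines are constructed for this example using TEST-NET addresses.

```python
import re
from collections import defaultdict

# Assumed Postfix-style rejection line for a non-existent local recipient.
REJECT_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def to_seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_rejects(lines) -> dict:
    """client IP -> time-sorted list of (seconds_of_day, recipient) for unknown-user rejects."""
    by_ip = defaultdict(list)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            by_ip[m["ip"]].append((to_seconds(m["time"]), m["rcpt"].lower()))
    for events in by_ip.values():
        events.sort()
    return by_ip


def detect_dha(lines, window_s: int = 60, threshold: int = 5) -> dict:
    """Flag IPs that hit >= threshold distinct unknown recipients inside any window_s span.
    Returns {ip: peak distinct count}; a flagged IP is a candidate for rate limiting or a
    temporary perimeter block, the response the text describes."""
    flagged = {}
    for ip, events in parse_rejects(lines).items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:  # slide the window
                start += 1
            distinct = {rcpt for _, rcpt in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


# Constructed log: 203.0.113.7 sweeps the alphabet; 198.51.100.9 makes one typo
# and is then accepted. Only the first behaviour should be flagged.
SAMPLE_LOG = """\
Mar 12 09:12:01 mx1 postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aaron@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<promo@bulk.example> to=<aaron@corp.example> proto=ESMTP helo=<mail>
Mar 12 09:12:08 mx1 postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <abby@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<promo@bulk.example> to=<abby@corp.example> proto=ESMTP helo=<mail>
Mar 12 09:12:15 mx1 postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <adam@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<promo@bulk.example> to=<adam@corp.example> proto=ESMTP helo=<mail>
Mar 12 09:12:22 mx1 postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <adrian@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<promo@bulk.example> to=<adrian@corp.example> proto=ESMTP helo=<mail>
Mar 12 09:12:30 mx1 postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alan@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<promo@bulk.example> to=<alan@corp.example> proto=ESMTP helo=<mail>
Mar 12 09:12:33 mx1 postfix/smtpd[2351]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 550 5.1.1 <jon.smth@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<jane@example.net> to=<jon.smth@corp.example> proto=ESMTP helo=<mail.example.net>
Mar 12 09:12:35 mx1 postfix/smtpd[2352]: 7A1B2C3D4E: client=mail.example.net[198.51.100.9]
Mar 12 09:12:40 mx1 postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alex@corp.example>: Recipient address rejected: User unknown in local recipient table; from=<promo@bulk.example> to=<alex@corp.example> proto=ESMTP helo=<mail>
"""
```

Tune window_s and threshold to the site's normal bounce rate; counting distinct recipients rather than raw rejections keeps a retrying legitimate sender below the line.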

Non-public Information Checklist

1. Define the NPI that must be managed in your company, industry and countries where you do business. Start with the simple use cases first.
2. Identify all data stores, documents and applications containing non-public information on customers.
3. Identify all data stores, documents and applications containing confidential information.
4. Identify where combinations of identification (e.g., last name, first name) and personal information (e.g., social security number, credit card numbers) are kept.
5. Identify partner companies with which you share NPI.
6. Identify policies and procedures you will enforce around NPI.
7. Define your reporting and auditing approach around NPI.
8. Define your periodic review process designed to keep your policies and procedures up-to-date with current conditions.

LESSONS LEARNED IN VERTICAL INDUSTRIES

All organizations must address the issues above, but certain highly regulated industries like financial services and health care put additional restrictions on member companies. In addition, the public sector has added pressure that comes from its own regulations and its position in the public eye. Even if you aren’t in government or one of these industries, read on, because similar regulations to those found here will likely trickle down to your industry sometime soon.

Financial Services

With financial service companies increasing their offerings and their audience, email has become an important sales (offering notice, new investment vehicles) and customer service (confirm trades, account changes, service updates) tool to reduce costs and increase the effectiveness of client interactions. Email also plays a vital role in communications within financial services companies—to send around stock reports, investment performance and news updates, for example.

When it comes to the regulation of money, everyone takes notice. In the financial services industry, international and federal regulations like the Basel II Accord governing business continuity, risk management and bank supervision and the Gramm-Leach-Bliley Act addressing customer privacy stand alongside more focused regulations from the New York Stock Exchange (NYSE), National Association of Securities Dealers (NASD) and requirements from the U.S. Securities and Exchange Commission (SEC) to create an overabundance of electronic dictates. With the deregulation that has occurred over the last several years in the financial services industry, companies must still pay close attention to existing and new regulations. NASD has numerous regulations that restrict how financial services firms can sell and market investment offerings. The SEC publishes guidance on the use of electronic media by operating companies, investment companies and municipal securities issuers, as well as market intermediaries. The SEC restricts forward-looking statements during certain time periods and enforces quiet periods that restrict what a company can say publicly after it files a registration statement. In order to meet the mesh of requirements, companies must deploy a centralized email security solution that can monitor inbound and outbound communications. In addition to protecting customer information, financial services companies must monitor and stop zealous sales people from sending email that might be interpreted as breaking NASD rules. In addition, companies must create policies to control email communications during quiet periods and around SEC filing periods. In the wake of the recent subprime mortgage scandal, it seems certain that regulatory pressures to apply such protections can only increase.

Health Care

Any discussion of email security in the health care industry starts with the Health Insurance Portability and Accountability Act (HIPAA). Health care has traditionally been a paper-based industry, with patient records and health insurance forms completed manually. However, with tightening regulations brought about by HIPAA around patient privacy, and increasing competitive pressures, health care providers have implemented new electronic systems rather than incurring the enormous costs of patching antiquated records systems. With the move to electronic information, email has become a more important communication medium inside companies and among health care providers, insurance companies and patients. There are many potential applications. Email can be an excellent means for the electronic exchange of health-related information such as patient records, medical images and referral assessments. Electronic medical information systems with access to comprehensive medical records can alert caregivers via email when critical health factors are uncovered. Email and other electronic applications can significantly decrease the costs associated with patient management issues such as appointment scheduling, referrals, invoicing and billing workflows.

Email security must honor the protection of patient health information. The typical requirement is that communications with business partners (that contain protected health information, or PHI) be handled via encryption. Email destined for other recipients should not contain patient health information. The email security solution should search the body of the message for occurrences of patient names (and other personal identifiers, such as Social Security Numbers) along with related health terms. To keep up with the ever-changing health codes, email solutions should have dynamically updated dictionaries that define common protected health information code sets—such as AMA treatment codes and CMS (Centers for Medicare and Medicaid Services) disease codes. This will simplify HIPAA compliance and protect against patient or class-action lawsuits.

Public Sector

E-government initiatives abound as government agencies attempt to leverage new breakthroughs in data and communications technology. While many of these projects involve portals for better customer service to constituents, some efforts have also leveraged email as a way to contact individual citizens or large groups. The government must constantly talk to its citizens for many reasons. For example, the Freedom of Information Act compels federal agencies to disclose records requested in writing by any person. This can be done effectively in many cases using email. Interagency communication is also more important than ever, as evidenced at the highest levels in our homeland security efforts as the CIA, FBI and other security teams come together electronically. Email was born in the academic, scientific and military communities because collaboration leads to better results. Now, even the more traditional government agencies are using email. The Federal Information Security Management Act of 2002 (FISMA), created by the National Institute of Standards and Technology (NIST) requires federal agencies and their partners to establish consistent, risk-based security programs. While FISMA does not call out email directly, its parts address the oversight and management of information security risks, which certainly includes those risks posed by email. FISMA leaves the selection of specific solutions in the hands of individual agencies. The public sector has perhaps even greater email security needs than public companies. Government is a high-profile target and local, state and federal agencies remain quite visible as an indicator of stability. Attacks on government Web sites have been front-page news whenever they occur. Trust and confidence are key issues for police, fire and those in the public eye — especially in the face of emergencies. Public communication can be compromised by breaches emanating from security lapses, viruses or excessive spam. Email security solutions must protect the email systems used by government agencies and universities and the email sent through them. All solutions must be assessed based on FISMA compliance.
Government agencies should monitor the content of all outgoing email, especially messages being sent to large groups of constituents, since inappropriate or disturbing email from a government sender will have a pronounced impact. Electronic Discovery, Compliance and Storage Management Increased regulatory pressure – plus the fact that email and other electronically stored documents are now routinely presented as evidence in courts of law – has by now compelled most larger companies to implement email archiving. Solutions have, in many cases, become problematic for several reasons. It’s costly to provide continually expanding storage. And many archiving solutions are not sufficiently user-friendly and efficient in managing retention policy, or producing documents on demand by the courts.
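The outbound content checks called for in the Financial Services, Health Care and Public Sector sections above all reduce to one policy engine: inspect the body of every outgoing message, look for protected identifiers in a health context, and decide per recipient whether the message may be delivered, must be encrypted, must be blocked, or should be held for compliance review. The following is an added example written for this page, not code from the paper or from Proofpoint. The dictionaries, partner domains, quiet-period window and sample messages are constructed stand-ins; a real deployment would load the current AMA and CMS code sets from a maintained feed and the patient and partner lists from its own directories.

```python
"""Outbound email content policy check (added example; all lists are constructed)."""
import re
from dataclasses import dataclass

# Constructed stand-ins for the dynamically updated PHI code dictionaries.
# The ICD-10 pattern below is a structural approximation (letter, two digits,
# optional sub-code), not the licensed code list itself.
PHI_CODE_SETS = {
    "icd10": re.compile(r"\b[A-TV-Z][0-9][0-9AB](?:\.[0-9A-TV-Z]{1,4})?\b"),
    "cpt": re.compile(r"\bCPT\s*\d{5}\b", re.IGNORECASE),
}
HEALTH_TERMS = re.compile(
    r"\b(?:diagnosis|prescription|lab results|mri|chemotherapy)\b", re.IGNORECASE)
# SSN shape with the well-known invalid area/group/serial values excluded.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed: names from the organization's patient directory (hypothetical).
KNOWN_PATIENTS = {"jane doe", "john q. public"}
# Constructed: the organization's own domain and its business partners.
INTERNAL_DOMAIN = "hospital.example"
PARTNER_DOMAINS = {"partner-insurer.example", "referral-clinic.example"}
# Constructed: an SEC quiet-period window and phrases that read as forward-looking.
QUIET_PERIOD = ("2008-03-01", "2008-04-15")   # ISO dates compare lexically
FORWARD_LOOKING = re.compile(
    r"\b(?:we expect|we project|guaranteed returns?|will outperform)\b", re.IGNORECASE)


@dataclass
class Verdict:
    action: str      # "deliver", "encrypt", "block" or "hold"
    reasons: list


def find_phi(body: str) -> list:
    """Return the PHI indicators found in a message body, in a fixed order."""
    text = body.lower()
    hits = []
    if SSN_PATTERN.search(body):
        hits.append("ssn")
    if any(name in text for name in KNOWN_PATIENTS):
        hits.append("patient_name")
    if HEALTH_TERMS.search(body):
        hits.append("health_term")
    for code_set, pattern in PHI_CODE_SETS.items():
        if pattern.search(body):
            hits.append(code_set)
    return hits


def evaluate(recipients: list, body: str, sent_on: str) -> Verdict:
    """Apply the outbound policy.

    PHI (an identifier plus a health term or code) may stay internal, may go to
    a business partner only encrypted, and is blocked for anyone else.
    Forward-looking language inside the quiet period is held for review unless
    the message is already blocked.
    """
    reasons = []
    action = "deliver"
    phi = find_phi(body)
    identifiers = {"ssn", "patient_name"} & set(phi)
    health_context = set(phi) - identifiers
    if identifiers and health_context:
        domains = {r.rsplit("@", 1)[-1].lower() for r in recipients}
        external = domains - {INTERNAL_DOMAIN}
        non_partner = external - PARTNER_DOMAINS
        if non_partner:
            action = "block"
            reasons.append(f"PHI ({', '.join(phi)}) addressed to non-partner "
                           f"domain(s) {sorted(non_partner)}")
        elif external:
            action = "encrypt"
            reasons.append(f"PHI ({', '.join(phi)}) to business partner; encryption required")
        else:
            reasons.append("PHI detected but all recipients are internal")
    match = FORWARD_LOOKING.search(body)
    if match and QUIET_PERIOD[0] <= sent_on <= QUIET_PERIOD[1] and action != "block":
        action = "hold"
        reasons.append(f"forward-looking statement '{match.group(0)}' during quiet period")
    return Verdict(action, reasons)


if __name__ == "__main__":
    # Constructed sample messages.
    phi_body = "Patient Jane Doe, SSN 123-45-6789, diagnosis code E11.9 attached."
    for rcpts, body, day in [
        (["claims@partner-insurer.example"], phi_body, "2008-01-10"),
        (["friend@webmail.example"], phi_body, "2008-01-10"),
        (["investors@list.example"], "Q1 update: we expect revenue to double.", "2008-03-10"),
        (["colleague@hospital.example"], "Lunch tomorrow?", "2008-01-10"),
    ]:
        v = evaluate(rcpts, body, day)
        print(v.action, v.reasons)
```

The decision order matters: a block verdict is never downgraded to a hold, and a message that would otherwise be encrypted to a partner is still held if it also trips the quiet-period rule, since the more conservative outcome is the safe default for a compliance gateway.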

To ensure litigation readiness, both legal and IT departments must address the management of electronic communications in their organization. Without the right tools in place, collecting, processing and reviewing electronic data for e-discovery can be time-consuming and expensive, and can expose a business to significant legal risks. To effectively prepare for litigation, legal professionals must have some understanding of the technology required to store and retrieve electronic documents. Similarly, IT professionals must be familiar with the laws and regulations that impact their organizations. The most significant and widespread of those regulations are the Federal Rules of Civil Procedure (FRCP), which apply to any business that may be engaged in federal litigation. These rules clearly outline expectations for businesses to apply a consistent retention policy for email, enforce litigation holds and produce relevant or requested email evidence in a timely manner. From Sarbanes-Oxley to SEC rules, numerous legislative requirements have been introduced that dictate how electronic records are retained and retrieved. Organizations that fail to meet regulatory compliance requirements can face significant risks including large fines and prison sentences, plus serious, long-term damage to their corporate reputations. To meet these requirements, organizations should consider deploying an email archiving solution that allows them to consistently enforce email retention policies. Beyond the discovery and compliance motivations for email archiving, as email volume and attachment sizes continue to grow, the burden on storage also increases. Since corporate email servers weren’t designed to store large volumes of data for extended periods of time, overloading them can result in significant performance issues and prohibitively long backup windows.

Email archiving solutions—which securely store a copy of every legitimate (non-spam) email sent and received—can help address ongoing email storage issues by greatly reducing the storage load on the email server. They can eliminate the risks associated with end-users archiving email locally (e.g., in Outlook PST files) while still allowing end-users to quickly retrieve copies of their messages and attachments from the archive.
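The three FRCP expectations named above (a consistent retention policy, litigation holds, and timely production) are easiest to reason about as a small archive model, so the following is an added example written for this page, not code from the paper or from any archiving product. Message ids, mailboxes, dates and the seven-year retention period are constructed; the point it shows is that a litigation hold must suspend the retention purge for the named custodians, and that the purge and the production search have to be applied to the same write-once store.

```python
"""Archive retention with litigation holds (added example; sample data is constructed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ArchivedMessage:
    msg_id: str
    mailbox: str      # custodian whose mailbox the copy was captured from
    received: date
    subject: str
    body: str


@dataclass
class Archive:
    retention_days: int
    messages: dict = field(default_factory=dict)   # msg_id -> ArchivedMessage
    holds: dict = field(default_factory=dict)      # matter -> set of custodians

    def ingest(self, msg_id, mailbox, received_iso, subject, body):
        """Write-once capture: a duplicate id never replaces the archived copy."""
        self.messages.setdefault(msg_id, ArchivedMessage(
            msg_id, mailbox, date.fromisoformat(received_iso), subject, body))

    def place_hold(self, matter, custodians):
        """Litigation hold: suspend the retention purge for these custodians."""
        self.holds[matter] = set(custodians)

    def release_hold(self, matter):
        self.holds.pop(matter, None)

    def held_mailboxes(self):
        held = set()
        for custodians in self.holds.values():
            held |= custodians
        return held

    def purge_expired(self, today_iso):
        """Apply the retention policy; anything under hold is kept. Returns purged ids."""
        cutoff = date.fromisoformat(today_iso) - timedelta(days=self.retention_days)
        held = self.held_mailboxes()
        purged = [mid for mid, m in self.messages.items()
                  if m.received < cutoff and m.mailbox not in held]
        for mid in purged:
            del self.messages[mid]
        return purged

    def produce(self, custodians, keywords, start_iso, end_iso):
        """E-discovery production: custodians' messages in a date range matching any keyword."""
        start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
        kws = [k.lower() for k in keywords]
        return sorted(m.msg_id for m in self.messages.values()
                      if m.mailbox in custodians and start <= m.received <= end
                      and any(k in (m.subject + " " + m.body).lower() for k in kws))


def build_sample_archive():
    """Constructed sample: four messages, seven-year retention."""
    a = Archive(retention_days=7 * 365)
    a.ingest("m1", "alice", "2000-01-15", "Q4 forecast", "Draft numbers attached.")
    a.ingest("m2", "bob", "2000-02-01", "Lunch", "Noon at the usual place?")
    a.ingest("m3", "alice", "2007-06-01", "Contract renewal", "Terms for the renewal.")
    a.ingest("m4", "bob", "2007-06-02", "Contract draft", "Redlines inline.")
    a.ingest("m3", "alice", "2007-06-01", "Contract renewal", "ALTERED")  # ignored
    return a


if __name__ == "__main__":
    archive = build_sample_archive()
    archive.place_hold("Doe v. Hospital (hypothetical matter)", ["alice"])
    print("purged with hold:", archive.purge_expired("2008-05-01"))
    archive.release_hold("Doe v. Hospital (hypothetical matter)")
    print("purged after release:", archive.purge_expired("2008-05-01"))
    print("produced:", archive.produce({"alice", "bob"}, ["contract"], "2007-01-01", "2007-12-31"))
```

Two details carry the compliance argument: `ingest` is write-once, so a later resend cannot overwrite what was captured, and `purge_expired` consults every active hold before deleting, so a hold placed on one custodian protects that custodian's messages even though the same retention period has expired for everyone else.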

CONCLUSION

The take-away here is that securing inbound email – while challenging enough – is less difficult than maintaining compliance on the outbound side with complex, overlapping and in some cases conflicting regulations on privacy, transactional ethics and corporate governance. Reporting and process documentation add further complexity to this equation, as does the challenge of making appropriate information readily accessible in response to discovery demands, in documenting due diligence, and in defending against litigation. Selection of tools is absolutely critical for achieving real risk reduction. A single, modular system – rather than discrete point solutions – is required to maintain manageability. And this system should be made available in a range of deployment formats that serve your IT strategy for each location. The solution you invest in must provide not only the functionality you need – machine learning, filtration, notification, policy-managed routing, encryption, archiving – but also the ability to compose, document and manage policy from the top down, and reporting that’s comprehensive and meaningful both to IT and to general management: in particular to upper management and legal personnel accountable for compliance and risk reduction.

For more information, visit

Proofpoint, Inc., 892 Ross Drive, Sunnyvale, CA 94089 USA 1 408 517 4710

