CHAPTER 11
Information Governance and Privacy and Security Functions*

Privacy and security go hand in hand. Privacy cannot be protected without implementing proper security controls and technologies. Organizations must not only make reasonable efforts to protect the privacy of data; they must go further, because privacy breaches damage customers and reputation and can potentially put a company out of business.

Privacy and data protection awareness skyrocketed in 2018 with the implementation of the EU General Data Protection Regulation (GDPR), which gave new privacy rights to individuals in the EU (whatever their citizenship), while creating significant new regulatory burdens on companies worldwide that handle their personal data (PD), personally identifiable information (PII), and protected health information (PHI). Major corporations, after decades of automation, suddenly were being held to account for every instance and use of personal consumer data. To do that, data maps and information flow diagrams had to be created to inventory all instances of stored personal data and to learn how it flows through the organization.

This inventorying step is often one of the first in launching information governance (IG) programs, so the trend provided a significant increase in support for formal IG programs.

Information Privacy

By Andrew Ysasi

In a 2018 survey, Americans stated that they were more concerned with privacy than with healthcare or economic growth.1 Privacy came of age in 2018, when the EU GDPR went into effect. Its impact was felt across the globe, as citizens became more aware of privacy concerns.

Information privacy refers to individuals or corporations controlling what others know about them. Unlike information security, privacy is not objective but subjective. What one believes needs to be private can vary. (Some think that privacy is a moral or legal right, while others have argued that privacy isn't about controlling information about oneself.)2 Privacy has been widely debated for the past century, and as the Internet has become engrained in societies and cultures, it will continue to be a concern for individuals and organizations.3 In the United States, personally identifiable information (PII) is used to determine privacy attributes, for example, last name, home address, place of birth, and so forth. PII is often described as information that is not publicly available or found in public records.4

In the digital age, individuals who are concerned about their privacy are often at the mercy of the corporations and developers of software to control how an individual's information is used. Individuals often use apps to work, manage finances, socialize, and play games on smartphones or tablets. The apps on portable devices often require permission from the user to use the information to operate at their full potential. As a result, individuals permit the organizations that manage the apps to store passwords, credit card information, bank accounts, digital cookies, fingerprints, and a myriad of personal information. If apps or software have privacy controls, an individual may choose to restrict what information is stored, how it is used, and who their information can be shared with. In extreme cases, individuals may opt to share personal information on social media sites with little regard for their privacy. Facebook, Twitter, Tinder, Foursquare, and LinkedIn are some examples of social media where individuals may reveal a great deal of personal information.5

Organizations should have an interest in privacy. Whether consumers or employees demand privacy, or privacy is regulated in the countries in which the organization operates, is something an organization should understand and have plans to address. Many organizations have a responsibility to their shareholders to be profitable or, if they are not a for-profit entity, to ensure that they are meeting their mission within the guidelines of their corporate structure. Privacy concerns can have a direct impact on an organization. Organizations that are more driven by profits may have fewer privacy concerns or controls than organizations that provide significant privacy protection.6

Further, organizations may operate in jurisdictions or industries where there are laws or rules around privacy. For example, organizations should determine whether they operate in an “opt-in” or “opt-out” jurisdiction, or whether they are required to protect information because they operate in the healthcare or financial industries. Opt-in regimes typically favor the privacy of the individual, whereas opt-out regimes favor the organization. Hospitals and insurance companies usually have laws and rules they need to follow to protect PII (personally identifiable information) or PHI (protected health information). Laws and regulations define what constitutes PII and provide further guidance on how the information should be handled.

Criminals often target organizations to gain access to private information, either to sell it or to disrupt the organization. A database of privacy data breaches can be found at privacyrights.org, which reports that over 11.5 billion records have been exposed in over 9000 breaches since 2005.7 As data breaches become more prevalent, governments and privacy professionals have advocated for strict laws to protect individuals. Scholars believe that net neutrality, the Internet of Things (IoT), the human genome (medical data), and cryptocurrencies will affect privacy for individuals and organizations throughout the next decade.8

Generally Accepted Privacy Principles

The Generally Accepted Privacy Principles (GAPP) can be used to guide privacy programs. Please see Chapter 3 for more detail.

Privacy Policies

Privacy policies are ways for organizations to explain what they do with PII. Privacy policies may be found on websites or may be used internally only at an organization. Researchers predict that organizations will have tools available for individuals to choose how their information is used via privacy policies.9 The International Association of Privacy Professionals (IAPP) has provided a template for organizations,10 and it includes the following:

  1. Why the policy exists—to comply with a law or protection from a data breach.
  2. Data protection laws—specific examples of laws the organization is subject to follow.
  3. Policy scope—who the policy applies to: employees, contractors, vendors, and individuals.
  4. Data protection risks—identifying to users what could happen if private information is provided.
  5. Responsibilities—an explanation of what the organization is responsible for protecting, who is ultimately responsible (e.g. board of directors, data protection officer, privacy officer, IT manager, marketing manager), and what will be done to protect information.
  6. Guidelines for staff—not sharing information, using a strong password, not sharing credentials, not disclosing information unnecessarily.
  7. Data storage—how information is stored and where it may be stored.
  8. Data use—why information is needed for businesses and what is done to the information.
  9. Data accuracy—that data collected is accurate, updated when wrong, and a way for individuals to report inaccurate information.
  10. Subject access requests—how individuals can determine what is collected about them and how they can retrieve or edit the information.
  11. Disclosure—the possibility of disclosing information to authorities or for legal reasons.
  12. Providing information—clarification on how an individual's information is being processed and what their rights are.11

The IAPP also publishes a version of this privacy policy template that incorporates the European Union's GDPR provisions, for organizations that must comply with GDPR's privacy requirements; it can be found at the same site as the template outlined above.

Privacy Notices

Privacy notices are typically directed exclusively at external stakeholders or the public, whereas a privacy policy may be internal, external, or both.12 The Better Business Bureau in the United States advises that a privacy notice should include five elements:

  1. Notice (what personal information is being collected on the site or by the organization)
  2. Choice (what options the customer has about how/whether personal data is collected and used)
  3. Access (how a customer can see what data has been collected and change/correct it if necessary)
  4. Security (state how any data that is collected is stored/protected)
  5. Redress (what customer can do if the privacy policy is not met)

Fair Information Practices (FIPs)

HEW Report

“The first steps toward formally codifying Fair Information Practices began in July 1973, when an advisory committee of the US Department of Health, Education and Welfare proposed a set of information practices to address a lack of protection under the law at that time.”13

The committee's report, formally titled Records, Computers and the Rights of Citizens and commonly known as the HEW report, summarized fair information practices as:

  • There must be no personal data recordkeeping systems whose very existence is secret.
  • There must be a way for an individual to find out what information about him is in a record and how it is used.
  • There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
  • There must be a way for an individual to correct or amend a record of identifiable information about him.
  • Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.14

OECD Privacy Principles

In 1980, the Organisation for Economic Co-operation and Development (OECD) published guidelines on the protection of privacy and personal data, which were updated in 2013.15 The eight fair information principles outlined by the OECD are as follows.

Collection Limitation Principle

There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.

Purpose Specification Principle

The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle

Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with Paragraph 9 (the Purpose Specification Principle) except:

  1. With the consent of the data subject; or
  2. By the authority of law.

Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.

Openness Principle

There should be a general policy of openness about developments, practices, and policies concerning personal data. Means should be readily available for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual Participation Principle

An individual should have the right:

  a) To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
  b) To have communicated to him, data relating to him
     • within a reasonable time;
     • at a charge, if any, that is not excessive;
     • in a reasonable manner; and
     • in a form that is readily intelligible to him;
  c) To be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
  d) To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

Madrid Resolution 2009

In 2009, the Madrid Resolution brought 50 countries together to provide further guidance on information privacy. The resolution was designed and signed by executives from 10 international organizations, and one of its most important recommendations calls for governments to work on “promoting better compliance with the applicable laws regarding data protection matters.”16

While the Madrid Resolution was a big step in achieving global privacy awareness and guidance, it was viewed merely as a starting point for addressing the dynamic landscape of personal privacy across the globe. In 2010, the United States Department of Health Services Privacy Office stated an opinion on the Madrid Resolution, specifically criticizing the fact that governments and regulatory authorities were not included, and recommending that all stakeholders be involved in the development of a global privacy framework.17 It is also worth noting the words of the Director of the Spanish Data Protection Agency (AEPD), Artemi Rallo: “These standards are a proposal of international minimums, which include a set of principles and rights that will allow the achievement of a greater degree of international consensus and that will serve as reference for those countries that do not have a legal and institutional structure for data protection.”18 It appeared in 2010 that a global privacy framework was on the horizon.

EU General Data Protection Regulation

The European Union's General Data Protection Regulation (GDPR) is the most significant privacy framework, policy, and regulatory overhaul in history.

“In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its greatest achievements in recent years. It replaces the 1995 Data Protection Directive which was adopted at a time when the Internet was in its infancy.”19

GDPR became enforceable on May 25, 2018, and requires organizations to have a lawful basis, such as the individual's consent, before collecting and processing personal data.20 Further, GDPR requires certain organizations to designate a Data Protection Officer (DPO), and it sets out specific principles relating to the processing of personal data in Article 5:

Personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).21

Failure to comply with GDPR requirements comes with hefty penalties. Fines are assessed only after an investigation, and Article 83 sets out the criteria a supervisory authority uses to determine the amount an organization can be fined, summarized here as 10 factors:

  1. Nature of infringement: The number of people affected, damage they suffered, duration of infringement, and purpose of processing.
  2. Intention: Whether the infringement is intentional or negligent.
  3. Mitigation: Actions taken to mitigate damage to data subjects.
  4. Preventative measures: How much technical and organizational preparation the firm had previously implemented to prevent noncompliance.
  5. History: Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines.
  6. Cooperation: How cooperative the firm has been with the supervisory authority to remedy the infringement.
  7. Data type: What types of data the infringement impacts.
  8. Notification: Whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party.
  9. Certification: Whether the firm had qualified under approved certifications or adhered to approved codes of conduct.
  10. Other: Other aggravating or mitigating factors may include the financial impact on the firm from the infringement.22

Lower-level fines can be up to €10 million, or 2% of the worldwide annual revenue of the prior fiscal year, whichever is higher. Higher-level fines can be up to €20 million, or 4% of the worldwide annual revenue of the prior fiscal year, whichever is higher.23 Through GDPR the EU has made quite evident that consumer privacy is of the utmost importance, and that organizations that choose to mishandle the data of EU residents will suffer substantial financial losses. On the day that organizations were required to be compliant, Facebook and Google were hit with over $8 billion in lawsuits.24 Facebook and other large companies seem to be making strides to comply, but other organizations are trying to block EU visitors from their sites to mitigate risk.25 GDPR provides comprehensive oversight and guidance on how to protect consumer information and on what happens if an organization does not comply. However, it is yet to be determined whether GDPR will provide adequate privacy protection for consumer data without hindering EU residents from experiencing foreign sites, or companies wishing to expand their market in the EU.

GDPR: A Look at Its First Year

By Mark Driskill

The EU implemented sweeping new data privacy and protection laws meant to protect the personal data (PD) of those in the EU, importantly, be they citizens, temporary residents, or visitors, from unauthorized use, and to do so extraterritorially, wherever in the world their personal data is stored or used.

The issues stem from the EU's broad definition of PD and from the long history in Europe of privacy being viewed as a fundamental human right, set against an all too long history of dictatorships and fascist control. When the EU's General Data Protection Regulation (GDPR) took effect, it provoked a new era of tech-company corporate accountability.

The GDPR didn't just standardize data privacy and protection across all (currently) 28 EU member states; it also refined how permission to use personal data must be sought and refreshed the personal rights of each person in the EU to view and take control of their own personal data.

As 2018 came to a close, it was revealed that some major tech companies use personal data in ways that violate personal privacy in many ways.

Large data handlers like Facebook, Google, and Amazon have come under close examination by EU regulators, both the privacy regulators enforcing GDPR (e.g. the UK ICO and the Irish DPC) and the EU competition regulators. This has forced CEOs in the “personal surveillance data business” to defend, and even rethink, their business models (Google, for instance, has since cited privacy regulation as a major threat to its business model in corporate documents). Under the new GDPR these companies, without exception, must follow EU privacy law. The issues rest primarily with the advertising data insights these companies have created using proprietary algorithms. The invasiveness is secretive and at times unsettling, as these companies seem to know when someone will buy a pair of socks!

At first glance, it might seem as if the first year of GDPR compliance was largely uneventful, at least in terms of other leading global news stories. It's really a journey, as the EU regulators and analysts have shared. With almost 95,000 privacy complaints filed, they have only just started to process those investigations, findings, and enforcements. Many of the “privacy fines” we've seen since GDPR went live were really cases that occurred pre-GDPR and were thus much smaller in scope and penalties under the prior EU privacy regime. What has been happening quietly, almost behind the scenes, is a tacit acceptance that data privacy from the person-centered perspective must begin with forcing larger companies such as Facebook, Google, and Amazon to comply. This hangs over companies in the consumer tech sector like thick fog. American businesses and culture do not like anyone telling them how to run things. Apparently, this is also true for GDPR compliance, adding to a persistent lack of full compliance.

A December 2018 Forrester survey commissioned by Microsoft found that more than half of businesses failed to meet GDPR compliance checkpoints.26 Other highlights included:

  • 57% instituted “privacy by design.”
  • 59% “collected evidence of having addressed GDPR compliance risks.”
  • 57% “trained business personnel on GDPR requirements.”
  • 62% “vetted third-party vendors.”

This last item is perhaps the most troubling: 38% have yet to vet their third-party software vendors. This means that a significant portion of the global economy is not meeting GDPR compliance. The Forrester survey's primary findings were that only 11% of global companies are prepared to undergo the type of digital transformation needed to fully comply with GDPR-based privacy needs of citizens. In its entirety, GDPR has yet to make a significant impact, at least one beyond large tech company compliance.

A key implied issue that ultimately influences GDPR compliance checkpoints is the balance between intrusion into a company's business practices and its ability for profitmaking. Industry leaders note that in order to truly protect personal data, you must know exactly where and whose it is. This necessarily requires intrusion.

Enforcement and Precedent Setting

With the new GDPR mandate in place, EU member countries have a valuable tool for ensuring compliance even as these companies undertake actions to protect their business models. Ireland, for example, has “opened 10 statutory inquiries into Facebook and other Facebook-owned platforms in the first seven months” since GDPR was adopted in May 2018.27

The Irish Data Protection Commission (DPC) commissioner Helen Dixon notes that the inquiries match the public's interest in “understanding and controlling” their own personal data. The Irish DPC fully intends that these be precedent-setting. Given the widespread global use of Facebook and its plethora of connected apps, such inquiries from other EU member countries cannot be far behind.

In perhaps the most egregious case yet, a whistleblower forced Facebook to reveal that “as many as 600 million users’ passwords were stored in plain text and accessible to 20,000 employees, of which 2000 made more than 9 million searches that accessed the passwords going back to 2012.”28 Added to this blatant breach of basic cybersecurity practice (passwords should be stored only as salted hashes, never in plaintext) is the fact that Facebook knew about the issue in January 2019 and spent several months trying to keep it from the public.29 These would surely have been embarrassing questions to answer during the recent US Congressional hearings.

As Forbes points out, cybersecurity at Facebook just might be obsolete. In the wake of the sensational stories regarding recent Russian interference into American elections, “Facebook did not conduct a top-down security audit of its authentication systems.” This is a profound, if not provocative, revelation, particularly given Mark Zuckerberg's promise to reform Facebook's business practices.

That promise, made to Congress just prior to GDPR's May 2018 rollout, seems now to be empty. While Zuckerberg testified, his company continued its intrusive practices, even as he tried to simplify for legislators Facebook's business practices.

In the business world, laws and regulations are street signs to setting precedent. During this initial phase of GDPR compliance, it is crucial that leading EU countries, such as Germany, take positions of authority. Germany's Federal Cartel Office, the federal agency that enforces Germany's competition laws, set a new precedent with a February 2019 decision. In that anti-competition case, the German regulator severely limited Facebook's ability to collect and combine user data inside Germany. This essentially walls off Germany's Facebook users from the rest of Facebook's user base. The precedent set by German regulators was substantial. Facebook (at least in Germany) can no longer use tactics such as using user data to make fictitious profiles. Moreover, it can no longer use the Facebook Pixel, a tracking pixel embedded in third-party pages that transmits visitor data back to the company's servers. With the German precedent, Facebook can no longer claim that what it does with user data on its platform is proprietary.

In some ways, the first year of “GDPR-live” was marked by both confusion and denial that such regulation was really needed. Today, the establishment of a nation-specific precedent is the exception, not the rule. However, it cannot be overstated that Germany is one of the main economic powers of the globe. Without German leadership, GDPR might die an unceremonious death. The same must happen in other countries involved in setting global economic policy.

In short, GDPR-style privacy must come to the United States. Thankfully, California is leading the way with its California Consumer Privacy Act (CCPA), which went live in January 2020.

Privacy Programs

Privacy programs are often required to manage the national and international requirements to protect consumer information. The IAPP has a rigorous certification called the Certified Information Privacy Manager (CIPM), and the outline30 for the exam provides a framework to build a privacy program.

  • Vision—The purpose of the privacy program and what the program will achieve.
  • Team—Key stakeholders who have direct responsibility for privacy matters that may include a Chief Privacy Officer (CPO), Data Protection Officer (DPO), Data Controller (DC), executive sponsorship, inside or outside legal counsel, technology leadership, compliance leadership, and records and information leadership.
  • Policies—Privacy policies for websites, social media, e-mail, mobile apps, internal practices, and privacy policies addressing applicable international, national, and local laws should be reviewed and examined.
  • Activities—Examples of activities are training, awareness, updating agreements with key stakeholders, addressing cross-border concerns, reviewing insurance and assurance options, evaluating privacy compliance software tools, and conducting privacy impact assessments along with specific risk assessments that relate to privacy concerns or regulations.
  • Metrics—Collection, response times to inquiries, retention, PIA metrics, maturity levels, and resource utilization are some examples of how organizations can measure privacy.

Privacy in the United States

FCRA

Privacy in the United States has a fairly recent history. In 1970, the Fair Credit Reporting Act (FCRA) was placed into law to protect consumers. With the FCRA, consumers were able to correct errors on their credit reports.31 FCRA was amended in 1996 and again in 2003 by the Fair and Accurate Credit Transactions Act (FACTA), which addresses issues related to identity theft. Under FCRA, users of credit reports have obligations that include:

  1. Users must have a permissible purpose—the uses to which credit reports may be put are limited.
  2. Users must provide certifications—they must certify that they have a permissible purpose for requesting the report.
  3. Users must notify consumers when adverse actions are taken—a consumer must be notified when, for example, credit is denied on the basis of information in the report.

The Federal Trade Commission (FTC) provided updates to the FCRA on their website located at www.ftc.gov.32 Further, the FTC is the enforcement arm of FCRA and FACTA.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created to improve the delivery of healthcare services and to provide standards on how patient records are handled in data exchanges. HIPAA oversight is provided by the Department of Health and Human Services (DHHS) under the Office for Civil Rights (OCR).33 Entities covered under HIPAA are:

  1. Health care providers
  2. Health plans
  3. Health care clearinghouses

Regulated entities fall into two groups, Covered Entities (CEs) and Business Associates (BAs), and the personal information they handle is referred to as Protected Health Information (PHI).

Protected health information is any individually identifiable health information transmitted or maintained in any form or medium, which is held by a covered entity or its business associate, identifies an individual or offers a reasonable basis for identification, is created or received by a covered entity or an employer, and relates to a past, present or future physical or mental condition, provision of health care or payment for health care to that individual.34

In 2000, the HIPAA “Privacy Rule” was issued, which required:

  1. Privacy Notices
  2. Authorization of Uses and Disclosures
  3. Access and Accountings of Disclosures
  4. “Minimum Necessary” Use or Disclosure
  5. De-identification
  6. Safeguards
  7. Business Associates accountability
  8. Exceptions35

In 2003, the HIPAA Security Rule was issued, which focused on the protection of electronic protected health information. It required covered entities to:

  1. Ensure confidentiality of electronic medical records
  2. Protect against any threats or hazards to the security or integrity of records
  3. Protect against any reasonably anticipated uses or disclosures that are not permitted
  4. Ensure compliance with the Security Rule by the staff
  5. Identify an individual responsible for implementation and oversight of the Security Rule and compliance program
  6. Conduct initial and ongoing risk assessments
  7. Implement a security awareness program
  8. Incorporate Security Rule requirements into Business Associate Contracts required by the Privacy Rule

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology.36 HITECH also established four tiers of civil penalties for HIPAA violations, and another noteworthy change was a 30-day window in which a violation may be corrected.37 Below is the penalty structure for HIPAA violations:

  • Category 1: A violation that the covered entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules.
  • Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).
  • Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.
  • Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.38

Other US Regulations

The United States has scores of other regulations that have shaped the US privacy landscape:

The Gramm-Leach-Bliley Act (GLBA) issued in 1999 prohibited the sale of detailed customer information to, for example, telemarketing firms. GLBA is enforced by the FTC and allows consumers to “opt out” of having their information shared with affiliates. Like HIPAA, GLBA has safeguards and requires administrative, technical, and physical security of consumer information as well as privacy notice requirements.

The Children's Online Privacy Protection Act of 2000 (COPPA) was the result of the FTC's 1998 Privacy Online: A Report to Congress.39 Privacy related to children in the United States was the primary focus of COPPA, which required website companies and other operators to adhere to a set of requirements, including privacy notices, or be subject to fines.

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) applies to anyone who advertises products and services by e-mail generated in the United States.40 CAN-SPAM's aim is to reduce deceptive advertising by e-mail, require warnings for sexually explicit content, and provide the ability to opt out of future e-mails. CAN-SPAM is governed by the FTC.

Certain states in the United States have taken action to protect the privacy of citizens.

Massachusetts rolled out 940 CMR 27.00: Safeguard of Personal Information in 2010,41 and California enacted the California Consumer Privacy Act in 2018, which will be enforceable in 2020.42 Both focus on the privacy and security of citizen information as a result of ongoing data breaches. Highlights of the California law include what information is collected, specifically by social media entities Facebook and Google, why it is collected, and the right to obtain one's personal information in a usable format. The law also requires children under 16 to opt in before companies may collect their information.43 Further, it is thought that other states may modify their privacy laws to mirror California's.

California Consumer Privacy Act

California's new privacy law went into effect on January 1, 2020. This act is designed to give California residents a better way to control and protect their personal information. California consumers will have the right to order companies to delete their personal data—similar to what Europe's all-encompassing GDPR regulation calls for (but not as strict). Many US states have begun debating new privacy laws using the CCPA and GDPR as models to protect the personal rights of individuals and consumers.44

Privacy regulations are rapidly spreading worldwide in countries such as India, Brazil, and Australia. Even the US Congress has been working on a bill that could soon become federal law.

California consumers will have the legal right to force companies to not only delete their personal information but also disclose what personally identifiable information (PII) has been collected about them, demand the reasons for collecting it, and order the companies to refrain from selling any of it. The personal information protected in these regulations contains a lot more than just financial or banking data; PII includes all “information that identifies, relates to, describes, is associated with, or could be reasonably linked, directly or indirectly, to a consumer or household.” This consists of many different types of information, including IP addresses, biometric data, personal characteristics, browsing history, geolocation data, and much more.

On June 28, 2018, the California Congress passed Assembly Bill 375, the CCPA. The act will apply to any “for-profit” organization that grosses at least $25 million annually and interacts with 50,000 or more Californians, or derives at least half of its annual revenue from selling personal information. Most importantly, the CCPA applies to businesses “regardless of location” that meet the above criteria. You must comply if you process personal information of Californians whether your corporation is located in California or not.

What was interesting is how the CCPA was rushed into law and signed by Governor Jerry Brown in June of 2018, just days before a deadline to withdraw a state ballot measure on a privacy proposition coming up in the November election. Tech companies like Google and Facebook were ready to fight against this voter initiative because it would have been stricter—holding them more accountable with more far-reaching rules and heavier fines. These same tech giants are currently lobbying Congress in Washington, DC, to create new federal privacy laws. Not surprisingly, big tech companies are only looking out for themselves as they try to preserve their “surveillance” business model by watering down impending privacy legislation.

It is important to note that the CCPA has already been amended and politicians promise to make more changes before the CCPA goes into full effect in January 2020.

Privacy in Asia

The Asia-Pacific region is no stranger to privacy concerns. The Asia-Pacific Economic Cooperation (APEC) endorsed the 1998 Blueprint for Action on Electronic Commerce that discussed the creation of a fair and open digital economy that promoted confidence and trust with consumers. In 2005, APEC published their privacy principles that included:

  • Preventing harm
  • Notice
  • Collection limitations
  • Uses of personal information choice
  • Integrity of personal information
  • Security safeguards
  • Access and correction
  • Accountability45

In 2015, APEC added the principle of Choice, which emphasized that individuals should have a choice in how their information is used.46 The APEC privacy framework also provides implementation guidelines to guide organizations of all types on how to implement the privacy framework.

Infonomics and Privacy

Doug Laney explored a concept known as infonomics in his seminal 2018 book that discussed how organizations could monetize, manage, and measure information as an asset.47 While the use of internal or consumer data raises privacy concerns, Laney suggests viewing data as an asset and working within the privacy and legal parameters to maximize the value of information. Sometimes this may involve spinning off a new legal entity to provide some distance between the parent company and a data monetization venture, for legal and branding purposes. Laney's book discusses how information is used to generate new revenue for marketing purposes, providing access to third parties and streamlining operations. While these concepts may go against general privacy principles, it is possible to navigate privacy concerns with Laney's ideas. He provides “Seven Steps to Monetizing Your Information Assets,” and goes on to explain how to report your information assets on your balance sheets, and provides formulas. While doing so, it is essential to understand the impact of privacy risks associated with monetizing information.

Privacy Laws

The protection of personally identifiable information (PII) is a core focus of IG efforts. PII is any information that can identify an individual, such as name, Social Security number, medical record number, credit card number, and so on. Various privacy laws have been enacted in an effort to protect privacy. You must consult your legal counsel to determine which laws and regulations apply to your organization and its data and documents.

The CCPA is waking up other US states to the need for more robust privacy legislation, while at the same time there is a move afoot for the first national privacy legislation. If this goes forward, then there will be legal battles regarding preemption of the federal law in states having stricter privacy laws, using a “states’ rights” argument, and the federal government will argue that it has preemptive legal authority.

The Federal Wiretap Act “prohibits the unauthorized interception and disclosure of wire, oral, or electronic communications.” The Electronic Communications Privacy Act (ECPA) of 1986 amended the Federal Wiretap Act significantly and included specific provisions on e-mail privacy.48 The Stored Communications and Transactional Records Act (SCTRA) was created as a part of ECPA and is “sometimes useful for protecting the privacy of e-mail and other Internet communications when discovery is sought.” The Computer Fraud and Abuse Act makes it a crime to intentionally breach a “protected computer” (one used by a financial institution or for interstate commerce).

Also relevant for public entities is the Freedom of Information Act, which allows US citizens to request government documents that have not previously been released (although sensitive information is sometimes redacted, or blacked out) and which specifies the steps for disclosure as well as the exemptions. In the United Kingdom, the Freedom of Information Act 2000 provides for similar disclosure requirements and mandatory steps.

In the United Kingdom, privacy laws and regulations include the following:

  • Data Protection Act 1998
  • Freedom of Information Act 2000
  • Public Records Act 1958
  • Common law duty of confidentiality
  • Confidentiality National Health Service (NHS) Code of Practice
  • NHS Care Record Guarantee for England
  • Social Care Record Guarantee for England
  • Information Security NHS Code of Practice
  • Records Management NHS Code of Practice

Also, the international information security standard ISO/IEC 27002:2005 comes into play when implementing security.

Cybersecurity

Breaches are increasingly being carried out by malicious attacks, but a significant source of breaches is internal mistakes caused by poor information governance (IG) practices, software bugs, and carelessness. The average cost of a data breach in 2018 was nearly $4 million,49 and some spectacular breaches have occurred, such as the 87 million–plus Facebook accounts and 37 million Panera accounts that were hacked in 2018,50 but perhaps the most colossal was the breach of over 500 million customer records, including credit card and passport numbers, suffered by the Marriott Hotel chain that same year.51 Millions of breaches occur each year: There were an estimated 179 million privacy breaches in the United States in 2017 alone.52

Cyberattacks Proliferate

Online attacks and snooping continue at an increasing rate. Organizations must be vigilant about securing their internal, confidential documents and e-mail messages. In one assessment, security experts at Intel/McAfee “discovered an unprecedented series of cyberattacks on the networks of 72 organizations globally, including the United Nations, governments and corporations, over a five-year period.”53 Dmitri Alperovitch of McAfee described the incident as “the biggest transfer of wealth in terms of intellectual property in history.”54 The level of intrusion is ominous.

The targeted victims included governments, including the United States, Canada, India, and others; corporations, including high-tech companies and defense contractors; the International Olympic Committee; and the United Nations. “In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva, hid there for nearly two years, and quietly combed through reams of secret data, according to McAfee.”55 Attacks can be occurring in organizations for years before they are uncovered—if they are discovered at all. This means that an organization may be covertly monitored by criminals or competitors for extended periods of time.

And they are not the only ones spying—look no further than the US National Security Agency (NSA) scandal of 2013. With Edward Snowden's revelations, it is clear that governments are accessing, monitoring, and storing massive amounts of private data.

Where this stolen information is going and how it will be used is yet to be determined. But it is clear that possessing this competitive intelligence could give a government or company a huge advantage economically, competitively, diplomatically, and militarily.

The information assets of companies and government agencies are at risk globally. Some are invaded and eroded daily, without detection. The victims are losing economic advantage and national secrets to unscrupulous rivals, so it is imperative that IG policies are formed, followed, enforced, tested, and audited. It is also imperative to use the best available technology to counter or avoid such attacks.56

Insider Threat: Malicious or Not

Ibas, a global supplier of data recovery and computer forensics, conducted a survey of 400 business professionals about their attitudes toward intellectual property (IP) theft:

  • Nearly 70% of employees have engaged in IP theft, taking corporate property upon (voluntary or involuntary) termination.
  • Almost one-third have taken valuable customer contact information, databases, or other client data.
  • Most employees send e-documents to their personal e-mail accounts when pilfering the information.
  • Almost 60% of surveyed employees believe such actions are acceptable.
  • Those who steal IP often feel that they are entitled to partial ownership rights, especially if they had a hand in creating the files.57

These survey statistics are alarming, and by all accounts the trend is continuing to worsen today. Clearly, organizations have serious cultural challenges to combat prevailing attitudes toward IP theft. A strong and continuous program of IG aimed at securing confidential and sensitive information assets can educate employees, raise their IP security awareness, and train them on techniques to help secure valuable IP. And the change needs to be driven from the top: from the CEO and boardroom. However, the magnitude of the problem in any organization cannot be accurately known or measured. Without the necessary IG monitoring and enforcement tools, executives cannot know the extent of the erosion of information assets and the real cost in cash and intangible terms over the long term.

Countering the Insider Threat

Frequently ignored, the insider has increasingly become the main threat—more than the external threats outside of the perimeter. Insider threat breaches can be more costly than outsider breaches. Most of the insider incidents go unnoticed or unreported.58

Companies have been spending a lot of time and effort protecting their perimeters from outside attacks. In recent years, most companies have realized that the insider threat is something that needs to be taken more seriously.

Malicious Insider

Malicious insiders and saboteurs comprise a very small minority of employees. A disgruntled employee or sometimes an outright spy can cause a lot of damage. Malicious insiders have many methods at their disposal to harm the organization by destroying equipment, gaining unsanctioned access to IP, or removing sensitive information by USB drive, e-mail, or other methods.

Nonmalicious Insider

Fifty-eight percent of Wall Street workers say they would take data from their company if they were terminated, and believe they could get away with it, according to a recent survey by security firm CyberArk.59 Frequently, they do this without malice. The majority of users indicated having sent out documents accidentally via e-mail. So, clearly it is easy to leak documents without meaning to do any harm, and that is the cause of most leaks.

Solutions

Trust and regulation are not enough. In the case of a nonmalicious user, companies should invest in security, risk education, and Security Awareness Training (SAT). A solid IG program can reduce IP leaks through education, training, monitoring, and enforcement. SAT raises user awareness and can be gamified to increase engagement and effectiveness. Newer SAT programs utilize animated cartoon-like videos to keep users interested and engaged.

In the case of the malicious user, companies need to take a hard look and see whether they have any effective IG enforcement and document life cycle security (DLS) technology such as information rights management (IRM) in place. Most often, the answer is no.60

Information Security Assessments and Awareness Training

By Baird Brueseke

Employees’ human errors are the weakest link in securing an organization's confidential information. However, there are some small, inexpensive steps (through employee training) that can reduce information risk.

Security Awareness Training (SAT) programs educate an organization's workforce about the risks to information and potential schemes employed by hackers. SAT provides them with the skills to act consistently in a way that protects the organization's information assets. Bad actors target an employee's natural human tendencies with phishing e-mails and spear-phishing campaigns. SAT training programs often include phishing simulation and other social-engineering tactics such as text message “smishing” and unattended USB drives. SAT products provide a comprehensive approach to employee training, which empowers them to recognize and avoid a broad range of threat vectors.

SAT is an easy and effective way to reduce risk. Corporate risk is reduced by changing the (human) behavior of employees. Leading products in this market use innovative methods such as short, animated videos and pop quizzes to teach employees about information security threats.

SAT is not a one-and-done activity. In order to be effective, SAT must be implemented as an ongoing process. Workplace safety programs implemented to meet OSHA requirements serve as a good metaphor. SAT is a continuous improvement process; new threats emerge every day. The leading products incorporate new content on a regular basis and provide employee engagement opportunities that go well beyond the traditional computer-based training activities.

SAT Is a Quick Win for IG Programs

One of the quick—and low cost—wins that an Information Governance (IG) program can bring to an organization is the implementation of an SAT program. IG programs are implemented to reduce risk and maximize information value. Security Awareness Training programs are an excellent way to reduce risk and they are easy to implement. Employees have many bad habits that can leave a company vulnerable to data breach scenarios.

In response to the ever-increasing cyber security threat faced by business, a new subsegment of the Information Security market has emerged and matured in the last five years. The Security Awareness Training market grew 54% from 2015 to 2017. Projected revenues for 2018 were $400 million and growth was strong.

Cybersecurity threats are constantly evolving. One of the important things to understand when evaluating Security Awareness Training programs is the vendor's cycle for new content development and deployment in the training platform. Some of the features to look for and evaluate when selecting a SAT product are:

  • Interactive content in varied formats designed to keep learners engaged
  • Training designed to teach resistance to multiple forms of social engineering
  • Optimization for smartphone and tablet usage
  • Gamification and other methods to engage employees and increase participation
  • Prestructured campaigns for different types/levels of employees
  • Role-based training with optional customization based on corporate environment
  • Robust library of existing content and flexible micro-learning topics
  • Internal marketing and communication tools for use by the HR department
  • Short lessons, approximately 5–10 minutes in length
  • Integrated quizzes and metrics to track employee participation and retention
  • Integration with corporate LMS
  • Integration with end-point security systems

It is important to understand that SAT products typically include not only training, but also simulated attacks. Therefore, the way in which the SAT product interacts with existing cybersecurity defenses is a serious consideration. For example, if the training program administrator sends out a simulated phishing attack e-mail, that e-mail needs to make it through the spam filter and into the employee's e-mail inbox before the employee can be tempted into potentially clicking on the bad link.

In smaller companies, it may be sufficient to whitelist the domain from which the phishing e-mail is being sent. In larger organizations that have Security Information and Event Management (SIEM) and other automated cyber defense systems, the company's IT/Security Team would likely request integration of a notification process for the simulated attack campaign in order to avoid a rash of false alarms from the security monitoring systems.

Security Awareness Training can provide a quick win for IG programs. The training immediately reduces risk. At the same time, management can point to the employee participation metrics as proof that proactive efforts are being made to enhance the organization's security posture.

Cybersecurity Assessments

In today's cyber threat landscape, companies have a fiduciary duty to assess their cyber security posture. This is the root function of a Cybersecurity Assessment. Typically, third-party vendors are contracted to perform the Assessment. These firms have expertise in a variety of cybersecurity skills that they use to tailor the engagement to a scope appropriate for the organization being assessed.

One of the first steps when starting a Cybersecurity Assessment project is to select a framework. This choice will become part of the project requirements and in large part define the scope of work to be performed by the third-party vendor. There are several frameworks to choose from including: ISO 27001, COBIT 2019, NIST Cybersecurity Framework, NIST 800-53, DOD 8570, DCID 6/3, HITRUST CSF, and the Cloud Security Alliance's Cloud Controls Matrix. Even the Motion Picture Association of America has defined a cybersecurity framework to protect its members' intellectual property.

The NIST Cybersecurity Framework consists of five “functions,” which are: Identify, Protect, Detect, Respond, and Recover, as shown in the following.

[Figure: The five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover]

These five functions are subdivided into 22 categories—and then each category has multiple controls. One issue with the NIST framework is that a comprehensive Security Assessment using this framework can quickly become a big project, often too big for the organization's size.

For small and medium-sized businesses, a good step forward is to specify the Center for Internet Security (CIS) Top 20 controls as the framework the independent Cyber Security team will assess. The CIS Top 20 controls provide an easy-to-understand assessment tool that senior executives will understand.

Center for Internet Security (CIS) Top 20 controls

Once the CIS controls are evaluated, the organization's security posture can be easily visualized using color coded infographics and risk score heat charts. Many Security Assessments include an evaluation of the business's people, process, and technology. There is no point in spending technology dollars if the existing corporate processes do not support their use. These decisions can be explored using Radar charts to visualize the cyber readiness of three metrics: people, process, and technology. Radar charts depict cybersecurity assessment scores in a circular chart with gradient ranking that shows executives the information they need to act on to enhance their security posture.

The term vulnerability assessment applies to a broad range of systems. For example, in the context of a disaster recovery plan, the vulnerability assessment would include the likelihood of flooding, earthquakes, and other potential disasters. In the digital sphere, a vulnerability assessment is an evaluation of an organization's cybersecurity weaknesses. This process includes identifying and prioritizing specific computer configuration issues that represent vulnerable aspects of an organization's computing platforms.

The Institute for Security and Open Methodologies (ISECOM; www.isecom.org/research/) publishes the Open-Source Security Testing Methodology Manual that documents the components of a vendor-neutral approach to a wide range of assessment methods and techniques. A vulnerability assessment project typically includes the following:

  1. Inventory of computing assets and networked devices
  2. Ranking those resources in order of importance
  3. Identification of vulnerabilities and potential threats
  4. Risk assessment
  5. Prioritized remediation plan

A vulnerability assessment starts with an inventory of computer systems and other devices connected to the network. Once the items on the network have been enumerated, the network is scanned using an automated tool to look for vulnerabilities. There are two types of scans: credentialed and noncredentialed. A credentialed scan uses domain admin credentials to obtain detailed inventories of software applications on each of the computers. This method provides the security team with the information necessary to identify operating system versions and required patches.

Often, a company's website is an overlooked corporate asset in vulnerability assessments. The Open Web Application Security Project (OWASP) maintains a list of the top-10 vulnerabilities most commonly found on websites. Surprisingly, many websites fail to properly implement user authentication and data input checking. These types of vulnerabilities have the potential to expose corporate data to anyone with Internet access. Performing a vulnerability assessment exposes these issues so they may be resolved.

The final output of a vulnerability assessment project is the prioritized remediation plan. This plan uses the results of the risk assessment to determine which vulnerabilities represent the greatest risk to the organization. The total list of vulnerabilities is often numbered in the hundreds, if not thousands. However, not all of the vulnerabilities are big problems requiring immediate attention. The prioritized remediation plan allows IT administrators to reduce corporate risk quickly by focusing on the most important weaknesses first.
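As an added example (not from the book or any assessment vendor), the five steps above carried through in Python on a constructed inventory and scan output; the 1-to-5 scales, the likelihood rule and the tier thresholds are assumptions for illustration. It shows why the same scanner severity can land in different remediation tiers once asset importance and exposure are factored in.

```python
"""Prioritized remediation plan from vulnerability assessment results.

Added example, not the book's own material: it carries the five-step
procedure (inventory, ranking, findings, risk assessment, prioritized plan)
through on constructed sample data. The 1-5 scales, the likelihood rule
and the tier thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    """Step 1 (inventory) plus step 2 (importance ranking)."""
    name: str
    importance: int   # 1 (low) .. 5 (critical), assigned by the business
    exposed: bool     # reachable from the Internet


@dataclass
class Finding:
    """Step 3: one scanner finding on one asset."""
    asset: str
    title: str
    severity: int          # 1 .. 5 as reported by the scanning tool
    exploit_public: bool   # a public exploit exists, raising likelihood


@dataclass
class RiskItem:
    """One line of the prioritized remediation plan (step 5)."""
    asset: str
    title: str
    score: int
    tier: str


# Constructed sample inventory and scan output (not real hosts or findings).
SAMPLE_ASSETS = [
    Asset("web01", importance=5, exposed=True),    # public web server
    Asset("hr-db", importance=5, exposed=False),   # internal HR database
    Asset("kiosk", importance=1, exposed=False),   # lobby kiosk, holds no data
]

SAMPLE_FINDINGS = [
    Finding("web01", "Outdated TLS library", severity=4, exploit_public=True),
    Finding("hr-db", "Missing OS patch", severity=5, exploit_public=True),
    Finding("kiosk", "Missing OS patch", severity=5, exploit_public=True),
    Finding("printer-9", "Default SNMP community string", severity=3,
            exploit_public=False),   # host the inventory never listed
]


def likelihood(asset: Asset, finding: Finding) -> int:
    """Assumed likelihood rule, 1..5: base 2, +2 if Internet-exposed,
    +1 if a public exploit exists."""
    value = 2
    if asset.exposed:
        value += 2
    if finding.exploit_public:
        value += 1
    return min(value, 5)


def risk_score(asset: Asset, finding: Finding) -> int:
    """Step 4: risk = impact x likelihood, where impact is the scanner
    severity weighted by business importance (maximum 5 * 5 * 5 = 125)."""
    return finding.severity * asset.importance * likelihood(asset, finding)


def tier(score: int) -> str:
    """Assumed thresholds that turn a score into a remediation tier."""
    if score >= 60:
        return "immediate"
    if score >= 25:
        return "next cycle"
    return "backlog"


def build_plan(assets: List[Asset], findings: List[Finding]) -> List[RiskItem]:
    """Step 5: rank every finding by risk, highest first. A finding on a host
    missing from the inventory is kept and flagged rather than dropped: it
    means step 1 was incomplete and the asset's importance is unknown."""
    by_name: Dict[str, Asset] = {a.name: a for a in assets}
    plan: List[RiskItem] = []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            plan.append(RiskItem(f.asset, f.title, 0, "inventory gap"))
            continue
        score = risk_score(asset, f)
        plan.append(RiskItem(asset.name, f.title, score, tier(score)))
    plan.sort(key=lambda item: item.score, reverse=True)
    return plan


def tier_counts(plan: List[RiskItem]) -> Dict[str, int]:
    """Summary executives usually ask for: how many items sit in each tier."""
    counts: Dict[str, int] = {}
    for item in plan:
        counts[item.tier] = counts.get(item.tier, 0) + 1
    return counts


if __name__ == "__main__":
    for item in build_plan(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f"{item.tier:14} {item.score:4} {item.asset:10} {item.title}")
```

Note that the two “Missing OS patch” findings carry the same scanner severity but end up in different tiers, which is exactly the triage the prioritized plan is meant to provide.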

InfoSec Penetration Testing

Penetration testing (“pen test”) is a technique used by information security (InfoSec) professionals to find weaknesses in an organization's InfoSec defenses. In a penetration test, authorized cybersecurity professionals play the hacker's role.

Penetration testing attempts to circumvent digital safeguards and involves the simulation of an attack by hackers or an internal bad actor. The same techniques used by hackers to attack companies every day are used. The results of a penetration test reveal (in advance) the vulnerabilities and weaknesses that could allow a malicious attacker to gain access to a company's systems and data.

Some techniques used include brute-force attacks, exploitation of unpatched systems, and password-cracking tools. Organizations hire InfoSec experts with specialized training credentials—such as Certified Ethical Hacker (CEH) and Offensive Security Certified Professional (OSCP)—to conduct authorized attempts to breach the organization's security safeguards. These experts begin the pen test by conducting reconnaissance, often creating an attack surface and Internet footprint analysis to passively identify exposures, risks, and gaps in security. Once potential vulnerabilities are identified, the penetration testing team initiates the exploit attempts using automated tools to probe websites, firewalls, and e-mail systems.

Successful exploits often involve multiple vulnerabilities, which are attacked over several days. Individually, none of the weaknesses are a wide-open door. However, when combined together by an expert penetration tester, the result is a snowball effect that provides the pen test expert with an initial foothold inside the network from which they can pivot and gain access to additional systems.

Penetration testing is a useful technique for evaluating the potential damage from a determined attacker, as well as assessing the organizational risks posed. Most hackers and criminals go after low-hanging fruit—easy targets. Regular penetration tests ensure that the efforts required to gain access to internal networks are substantial. The result? Most hackers will give up after a few hours and move on to other targets that are not so well defended.

Cybersecurity Considerations and Approaches

By Robert Smallwood

Limitations of Perimeter Security

Traditionally, central computer system security has been primarily perimeter security—securing the firewalls and perimeters within which e-documents are stored and attempting to keep intruders out—rather than securing e-documents directly upon their creation. The basic access security mechanisms implemented, such as passwords, two-factor authentication, and identity verification, are rendered totally ineffective once the confidential e-documents or records are legitimately accessed by an authorized employee. The documents are usually bare and unsecured. This poses tremendous challenges if the employee is suddenly terminated, if the person is a rogue intent on doing harm, or if outside hackers are able to penetrate the secured perimeter. And, of course, it is common knowledge that they do it all the time. The focus should be on securing the documents themselves, directly.

Restricting access is the goal of conventional perimeter security, but it does not directly protect the information inside. Perimeter security protects information the same way a safe protects valuables; if safecrackers get in, the contents are theirs. There are no protections once the safe is opened. Similarly, if hackers penetrate the perimeter security, they have complete access to the information inside, which they can steal, alter, or misuse.61 The perimeter security approach has four fundamental limitations:

  1. Limited effectiveness. Perimeter protection stops dead at the firewall, even though sensitive information is sent past it and circulates around the Web, unsecured. Today's extended computing model and the trend toward global business means that business enterprises and government agencies frequently share sensitive information externally with other stakeholders, including business partners, customers, suppliers, and constituents.
  2. Haphazard protections. In the normal course of business, knowledge workers send, work on, and store copies of the same information outside the organization's established perimeter. Even if the information's new digital environment is secured by other perimeters, each one utilizes different access controls or sometimes no access control at all (e.g. copying a price list from a sales folder to a marketing folder; an attorney copying a case brief or litigation strategy document from a paralegal's case folder).
  3. Too complex. With this multiperimeter scenario, there are simply too many perimeters to manage, and often they are out of the organization's direct control.
  4. No direct protections. Attempts to create boundaries or portals protected by perimeter security, within which stakeholders (partners, suppliers, shareholders, or customers) can share information, cause more complexity and administrative overhead while they fail to protect the e-documents and data directly.62

Despite the current investment in e-document security, it is astounding that once information is shared today, it is largely unknown who will be accessing it tomorrow.

Defense in Depth

Defense in depth is an approach that uses multiple, independent layers of security mechanisms to protect information assets and reduce the likelihood that an attack succeeds.63 The idea is borrowed from military doctrine: an enemy is far more stymied by successive, differing layers of defense than by a single line. Attackers may penetrate one or two layers, but each additional layer raises the chance that the attack is detected and stopped before it reaches the data. Defense in depth starts with a firewall as the first line of defense and adds antivirus and anti-spyware software, identity and access management (IAM), tiered password and authentication requirements, intrusion detection, and biometric verification. As part of an overall IG program, physical security measures are deployed as well, such as smartcard or even biometric access to facilities, together with intensive IG training and auditing. The layers only add depth if they fail independently: controls that share a single weakness (the same password, the same vendor's file parser) add cost without adding protection.

Controlling Access Using Identity Access Management

IAM software can provide an important piece of the security solution. It aims to prevent unauthorized people from accessing a system and to ensure that only authorized individuals engage with information, including confidential e-documents.

Today's business environment operates in a more extended and mobile model, often including stakeholders outside of the organization. With this more complex and fluctuating group of users accessing information management applications, the idea of identity management has gained increased importance.

The response to the growing number of software applications with inconsistent or incompatible security models is strong identity management enforcement software. Scattered applications create opportunities not only for identity theft but also for identity drag, where the maintenance of identities does not keep pace with changes in the workforce, especially in organizations with many employees. The result can be theft of confidential information assets through unauthorized or out-of-date access, and failures of regulatory compliance that carry fines and, in some cases, imprisonment.64

IAM—along with sharp IG policies—“manages and governs user access to information through an automated, continuous process.”65 Implemented properly, good IAM does keep access limited to authorized users while increasing security, reducing IT complexity, and increasing operating efficiencies.

Critically, “IAM addresses ‘access creep’ where employees move to a different department or business unit and their rights to access information fail to get updated” (emphasis added).66

In France in 2007, a rogue trader at Société Générale, who had previously worked in the bank's middle office (the function that monitors traders) and so knew its access control procedures in depth, used that knowledge to conceal unauthorized positions that cost the bank about €4.9 billion (roughly $7 billion at the time).67 Had the bank's IAM program revoked the control-office entitlements he retained after moving to the trading desk, the fraud would have been far harder to carry out and to conceal.

A robust and effective IAM solution provides for:

  • Auditing. Detailed audit trails of who attempted to access which information, and when. Stolen identities can be uncovered if, for instance, an authorized user attempts to log in from more than one computer at a time.
  • Constant updating. Regular reviews of access rights assigned to individuals, including review and certification for user access, an automated recertification process (attestation), and enforcement of IG access policies that govern the way users access information in respect to segregation of duties.
  • Evolving roles. Role life cycle management should be maintained on a continuous basis, to mine and manage roles and their associated access rights and policies.
  • Risk reduction. Remediation regarding access to critical documents and information.
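As an added illustration, not code from this book or from any IAM product, the Go program below runs two of the checks just listed over a constructed audit export: it flags a login from a second host while a session is still open elsewhere (the stolen-identity indicator mentioned under auditing), and it lists reads that fall outside a user's current role, the access creep that a recertification pass should catch. The log format, the role baseline and the user names are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample of an IAM/SSO audit export (not real data).
// Columns: timestamp user host action resource ("-" when none).
const sampleAudit = `2024-03-04T09:00:12Z alice WS-0142 LOGIN -
2024-03-04T09:03:40Z alice WS-0142 READ finance/q1-forecast.xlsx
2024-03-04T09:05:01Z alice LAPTOP-77 LOGIN -
2024-03-04T09:06:15Z alice LAPTOP-77 READ hr/salary-bands.xlsx
2024-03-04T09:30:00Z bob WS-0201 LOGIN -
2024-03-04T09:31:10Z bob WS-0201 READ marketing/pricelist.docx
2024-03-04T10:00:00Z alice WS-0142 LOGOUT -`

// Assumed role baseline: resource prefixes each role may touch. Alice moved
// from finance to marketing last quarter; nobody removed her old rights.
var roleBaseline = map[string][]string{"finance": {"finance/"}, "marketing": {"marketing/"}, "hr": {"hr/"}}
var currentRole = map[string]string{"alice": "marketing", "bob": "marketing"}

type Event struct {
	When                         time.Time
	User, Host, Action, Resource string
}

func parseAudit(raw string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed record: %q", sc.Text())
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, Event{ts, f[1], f[2], f[3], f[4]})
	}
	return events, sc.Err()
}

// ConcurrentSessions flags a LOGIN from one host while the same user still has
// an open session on another: a classic sign of a shared or stolen identity.
func ConcurrentSessions(events []Event) []string {
	active := map[string]map[string]bool{} // user -> hosts with an open session
	var findings []string
	for _, e := range events {
		switch e.Action {
		case "LOGIN":
			for h := range active[e.User] {
				if h != e.Host {
					findings = append(findings, fmt.Sprintf("%s: login from %s while session open on %s (%s)", e.User, e.Host, h, e.When.Format(time.RFC3339)))
				}
			}
			if active[e.User] == nil {
				active[e.User] = map[string]bool{}
			}
			active[e.User][e.Host] = true
		case "LOGOUT":
			delete(active[e.User], e.Host)
		}
	}
	sort.Strings(findings)
	return findings
}

// AccessCreep lists reads outside the user's current role baseline, i.e.
// entitlements that survived a job change and should go at the next recertification.
func AccessCreep(events []Event) []string {
	var findings []string
	for _, e := range events {
		allowed := e.Action != "READ"
		for _, prefix := range roleBaseline[currentRole[e.User]] {
			allowed = allowed || strings.HasPrefix(e.Resource, prefix)
		}
		if !allowed {
			findings = append(findings, e.User+" "+e.Resource)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	events, err := parseAudit(sampleAudit)
	if err != nil {
		panic(err)
	}
	fmt.Println("concurrent sessions:", ConcurrentSessions(events))
	fmt.Println("access creep:", AccessCreep(events))
}
```

Both findings come from data the organization already collects; what turns them into controls is a baseline to compare against, which is exactly what the recertification and role life cycle items above are meant to maintain.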

Enforcing IG: Protect Files with Rules and Permissions

One of the first tasks often needed when developing an IG program that secures confidential information assets is to define roles and responsibilities for those charged with implementing, maintaining, and enforcing IG policies. Corollaries that spring from that effort get down to the nitty-gritty of controlling information access by rules and permissions.

Rules and permissions specify who (by role) is allowed access to which documents and information, and even contextually, from where (office, home, travel) and at what times (work hours or extended hours). The long-standing need-to-know principle is a good rule of thumb when setting up these access policies: only those at a certain level of the organization, or directly involved in a given project, are allowed access to confidential and sensitive information about it. The roles are relatively easy to define in a traditional hierarchical structure, but today's flatter and more collaborative enterprises present challenges.

To effectively wall off and secure information by management level, many companies and governments have put in place an information security framework—a model that delineates which levels of the organization have access to specific documents and databases as a part of implemented IG policy. This framework shows a hierarchy of the company's management distributed across a range of defined levels of information access. The US Government Protection Profile for Authorization Server for Basic Robustness Environments is an example of such a framework.
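To make the rules-and-permissions idea concrete, here is an added example in Go (not from this book and not any vendor's policy engine) that evaluates an access request against role, location, time of day and need-to-know. The classifications, roles, permitted hours and the ordering in which project membership is checked before rank are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"time"
)

type Location string

const (
	Office Location = "office"
	Home   Location = "home"
	Travel Location = "travel"
)

type Classification int

const (
	Internal Classification = iota
	Confidential
	Restricted
)

func (c Classification) String() string {
	return [...]string{"internal", "confidential", "restricted"}[c]
}

type Document struct {
	Name    string
	Class   Classification
	Project string // non-empty: need-to-know limits the document to that project's members
}

type Request struct {
	User     string
	Roles    []string
	Projects []string // projects the user is assigned to
	From     Location
	At       time.Time
}

// Rule is the policy for one classification: entitled roles (nil means any
// employee), permitted locations, and permitted local hours (end exclusive).
type Rule struct {
	Roles     map[string]bool
	Locations map[Location]bool
	FromHour  int
	ToHour    int
}

// Assumed policy table for the example.
var policy = map[Classification]Rule{
	Internal:     {Locations: map[Location]bool{Office: true, Home: true, Travel: true}, FromHour: 0, ToHour: 24},
	Confidential: {Roles: map[string]bool{"manager": true, "analyst": true}, Locations: map[Location]bool{Office: true, Home: true}, FromHour: 7, ToHour: 20},
	Restricted:   {Roles: map[string]bool{"director": true}, Locations: map[Location]bool{Office: true}, FromHour: 8, ToHour: 18},
}

// Decide evaluates context (where, when) first, then need-to-know, then rank.
// A project-scoped document opens only for that project's members, however
// senior the requester; other documents fall back to the role entitlement.
func Decide(r Request, d Document) (bool, string) {
	rule := policy[d.Class]
	if !rule.Locations[r.From] {
		return false, fmt.Sprintf("%s documents may not be opened from %s", d.Class, r.From)
	}
	if h := r.At.Hour(); h < rule.FromHour || h >= rule.ToHour {
		return false, fmt.Sprintf("outside permitted hours %02d:00-%02d:00", rule.FromHour, rule.ToHour)
	}
	if d.Project != "" {
		for _, p := range r.Projects {
			if p == d.Project {
				return true, "member of project " + d.Project + " (need-to-know)"
			}
		}
		return false, "not assigned to project " + d.Project
	}
	if rule.Roles == nil {
		return true, "internal document, any employee"
	}
	for _, role := range r.Roles {
		if rule.Roles[role] {
			return true, "role " + role + " is entitled to " + d.Class.String() + " documents"
		}
	}
	return false, "no entitled role for " + d.Class.String() + " documents"
}

func main() {
	at := time.Date(2024, 3, 4, 10, 0, 0, 0, time.UTC)
	alice := Request{User: "alice", Roles: []string{"analyst"}, Projects: []string{"apollo"}, From: Office, At: at}
	dan := Request{User: "dan", Roles: []string{"director"}, From: Office, At: at}
	design := Document{Name: "apollo-design.pdf", Class: Restricted, Project: "apollo"}
	for _, r := range []Request{alice, dan} {
		ok, why := Decide(r, design)
		fmt.Printf("%s -> %v: %s\n", r.User, ok, why)
	}
}
```

The decision returns a reason as well as a verdict so that every denial can be logged and reviewed; silent denials are what drive knowledge workers to copy documents somewhere the rules do not reach.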

Challenge of Securing Confidential E-Documents

Today's various document and content management systems were not initially designed to allow for secure document sharing and collaboration while also preventing document leakage. These software applications were mostly designed before the invention and adoption of newer business technologies that have extended the computing environment. The introduction of cloud computing, mobile PC devices, smartphones, social media, and online collaboration tools all came after most of today's document and content management systems were developed and brought to market.

Thus, vulnerabilities have arisen that need to be addressed with other, complementary technologies. We need to look no further than the WikiLeaks incident and the myriad of other major security breaches resulting in document and data leakage to see that there are serious information security issues in both the public and private sectors.

Technology is the tool, but without proper IG policies and a culture of compliance that supports the knowledge workers following IG policies, any effort to secure confidential information assets will fail. An old IT adage is that even perfect technology will fail without user commitment.

Protecting Confidential E-Documents: Limitations of Repository-Based Approaches

Organizations invest billions of dollars in IT solutions that manage e-documents and records in terms of security, auditing, search, records retention and disposition, version control, and so on. These information management solutions are predominantly repository-based, including enterprise content management (ECM) systems and collaborative workspaces (for unstructured information, such as e-documents). With content or document repositories, the focus has always been on perimeter security—keeping intruders out of the network. But that provides only partial protection. Once intruders are in, they are in and have full access to confidential e-documents. For those who are authorized to access the content, there are no protections, so they may freely copy, forward, print, or even edit and alter the information.68

The glaring vulnerability in the security architecture of ECM systems is that few protections exist once the information is legitimately accessed.

These confidential information assets, which may include military plans, price lists, patented designs, blueprints, drawings, and financial reports, often can be printed, e-mailed, or faxed to unauthorized parties without any security attached.69

Also, in the course of their normal work processes, knowledge workers tend to keep an extra copy of the electronic documents they are working on stored at their desktop, or they download and copy them to a tablet or laptop to work at home or while traveling. This creates a situation where multiple copies of these e-documents are scattered about on various devices and media, which creates a security problem, since they are outside of the repository and no longer secured, managed, controlled, or audited.

It also creates records management issues in terms of the various versions that might be out there and determining which one is the official business record.

Apply Better Technology for Better Enforcement in the Extended Enterprise

Protecting E-Documents in the Extended Enterprise

Sharing e-documents and collaborating are essential in today's increasingly mobile and global world. Businesses are operating in a more distributed model than ever before, and they are increasingly sharing and collaborating not only with coworkers but also with suppliers, customers, and even at times competitors (e.g. in pharmaceutical research). This reality presents a challenge to organizations dealing in sensitive and confidential information.70

Basic Security for the Microsoft Windows Office Desktop

The first level of protection for e-documents begins with basic protections at the desktop level. Microsoft Office makes it quick and easy to password-protect Office files such as Word documents and Excel workbooks, and many corporations and government agencies rely on these basic protections. Two caveats apply. First, only the “password to open” setting actually encrypts the file (with AES in current Office formats); the “password to modify” and editing-restriction settings encrypt nothing and are trivially removed, and the legacy .doc and .xls formats use weak encryption that password-recovery tools defeat quickly. Second, a password used to protect a document cannot be retrieved if it is forgotten or lost, so an organization that relies on this feature needs a key-escrow or recovery arrangement or it will eventually lock itself out of its own records.

Where Do Deleted Files Go?

When you delete a file, it is gone, right? Actually, it is not. On MS-DOS the UNDELETE command could bring a deleted file back, and on any modern system a file-recovery tool will do the same, provided the file's blocks have not been overwritten. That is because deleting a file does not remove its contents: the operating system removes the directory entry and marks the space the file occupied as available for reuse. Until something else is written there, the data is still present. The same happens to the temporary (“temp”) files that applications create while a document is being drafted, and to earlier versions of it. The regions of a drive that hold deleted files, temp files, and fragments of earlier drafts are called unallocated space, and most users are unaware that confidential content lingers there. Unallocated space therefore has to be wiped (overwritten) before a drive can be considered clear of confidential documents or drafts. Solid-state drives are a special case: the drive's controller may discard trimmed blocks on its own, but it may also keep copies in reserve areas that an overwrite issued by the operating system never reaches, so for SSDs the drive's own secure-erase function, or full-disk encryption from the first day of use, is the dependable approach.

An IG program that claims the highest security standards must therefore include a policy requiring that sensitive material be wiped from computers' unallocated space, and must periodically test, for instance by running a recovery tool against a wiped drive, that the wiping actually works. Wiping a local drive also does not reach backups, snapshots, or cloud-synchronized copies; those need their own disposition steps.
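The following Go program, added here and not part of the original text, simulates the mechanism on a toy volume: a file is written, deleted the ordinary way and recovered by scanning unallocated blocks, then written again and removed with an overwrite first. The block size and directory layout are simplifications; real filesystems add journals, file slack and, on SSDs, controller-side copies that this model ignores.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

const blockSize = 64

// Disk is a toy volume: a flat byte array, an allocation bitmap, and a
// directory mapping names to block runs. It models only what matters here:
// deleting a file frees its blocks but does not touch the bytes in them.
type Disk struct {
	data []byte
	used []bool
	dir  map[string][2]int // name -> {first block, block count}
}

func NewDisk(blocks int) *Disk {
	return &Disk{data: make([]byte, blocks*blockSize), used: make([]bool, blocks), dir: map[string][2]int{}}
}

// Write stores content in the first free run of blocks (first fit).
func (d *Disk) Write(name string, content []byte) error {
	need := (len(content) + blockSize - 1) / blockSize
	for start := 0; start+need <= len(d.used); start++ {
		free := true
		for i := start; i < start+need; i++ {
			free = free && !d.used[i]
		}
		if !free {
			continue
		}
		copy(d.data[start*blockSize:], content)
		for i := start; i < start+need; i++ {
			d.used[i] = true
		}
		d.dir[name] = [2]int{start, need}
		return nil
	}
	return fmt.Errorf("disk full")
}

// Delete is an ordinary delete: the directory entry goes and the blocks are
// marked reusable, but the content stays on the media until overwritten.
func (d *Disk) Delete(name string) {
	if ent, ok := d.dir[name]; ok {
		for i := ent[0]; i < ent[0]+ent[1]; i++ {
			d.used[i] = false
		}
		delete(d.dir, name)
	}
}

// SecureDelete overwrites the file's blocks (random pass, then zeros) before
// releasing them. On real hardware this is reliable only for in-place
// filesystems on magnetic media; SSDs, journaling or copy-on-write
// filesystems, snapshots and backups can all keep copies it never reaches.
func (d *Disk) SecureDelete(name string) error {
	ent, ok := d.dir[name]
	if !ok {
		return fmt.Errorf("no such file: %s", name)
	}
	region := d.data[ent[0]*blockSize : (ent[0]+ent[1])*blockSize]
	if _, err := rand.Read(region); err != nil {
		return err
	}
	for i := range region {
		region[i] = 0
	}
	d.Delete(name)
	return nil
}

// Carve reads unallocated blocks only, as an undelete or forensic tool would,
// and returns the text of any block that contains marker.
func (d *Disk) Carve(marker []byte) []string {
	var found []string
	for i, inUse := range d.used {
		blk := d.data[i*blockSize : (i+1)*blockSize]
		if !inUse && bytes.Contains(blk, marker) {
			found = append(found, string(bytes.TrimRight(blk, "\x00")))
		}
	}
	return found
}

func main() {
	d := NewDisk(8)
	draft := []byte("CONFIDENTIAL draft: merger offer 42.00/share")
	_ = d.Write("offer-v1.txt", draft)
	d.Delete("offer-v1.txt")
	fmt.Println("after ordinary delete:", d.Carve([]byte("CONFIDENTIAL")))
	_ = d.Write("offer-v2.txt", draft)
	_ = d.SecureDelete("offer-v2.txt")
	fmt.Println("after secure delete:  ", d.Carve([]byte("CONFIDENTIAL")))
}
```

The periodic test the policy above calls for is the Carve step run against a real drive with a recovery tool: if marker text from a wiped document still turns up, the wiping procedure, not the policy, is what needs fixing.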

Lock Down: Stop All External Access to Confidential E-Documents

Organizations are taking other approaches to stop document and data leakage: physically restricting access to a computer by disconnecting it from any network connections and forbidding or even blocking use of any ports. Although cumbersome, these methods are effective in highly classified or restricted areas where confidential e-documents are held. Access is controlled by utilizing multiple advanced identity verification methods, such as biometric means.

Secure Printing

Organizations normally expend a good amount of effort making sure that computers, documents, and private information are protected and secure. However, if your computer is hooked up to a network printer (shared by multiple knowledge workers), all of that effort might have been wasted.71

Some basic measures can be taken to protect confidential documents from being compromised as they are printed. Most networked business printers support secure (or pull) printing: the job is held on the printer until you arrive and release it, usually by entering a PIN or presenting a badge. The option lives in the printer driver, so it is reached from the Microsoft Office print dialog through the printer's properties; the exact name and steps vary by manufacturer. (Refer to the documentation for the printer for details.)

Without such a release step, a confidential document sits in the output tray, readable by anyone who passes, from the moment it prints until its owner collects it.

Serious Security Issues with Large Print Files of Confidential Data

According to Canadian output and print technology expert William Broddy, in a company's data center, a print file of, for instance, investment account statements or bank statements contains all the rich information that a hacker or malicious insider needs. It is distilled information down to the most important core data about customers, which has been referred to as data syrup since it has been boiled down and contains no mountains of extraneous data, only the culled, cleaned, essential data that gives criminals exactly what they need.72

What most managers are not aware of is that entire print files and sometimes remnants of them stay on the hard drives of high-speed printers and are vulnerable to security breaches. Data center security personnel closely monitor calls to their database. To extract as much data as is contained in print files, a hacker requires hundreds or even thousands of calls to the database, which sets off alerts by system monitoring tools. But retrieving a print file takes only one intrusion, and it may go entirely unnoticed. The files are sitting there; a rogue service technician or field engineer can retrieve them on a routine service call.

To help secure print files, specialized hardware devices are designed to sit between the print server and the network and to cloak the server's print files, so that they are visible only to those who have a matching cloaking device on the other end.

Organizations must practice good IG and have specific procedures to erase sensitive print files once they have been utilized. For instance, in the example of preparing statements to mail to clients, files are exposed to possible intrusions in at least six points in the process (starting with print file preparation and ending with the actual mailing). These points must be tightly monitored and controlled. Typically an organization retains a print file for about 14 days, though some keep files long enough for customers to receive statements in the mail and review them. Organizations must make sure that print files or their remnants are secured and then completely erased when the printing job is finished.

E-Mail Encryption

Encrypting (scrambling using strong, standard algorithms) sensitive e-mail messages is an effective step to securing confidential information assets while in transit. Note the distinction between transport encryption, such as TLS between mail servers, which protects each hop but leaves the message readable on every server along the way, and end-to-end encryption with S/MIME or OpenPGP, which protects the message itself. Encryption can also be applied to desktop folders and files and even to entire disk drives (full disk encryption, or FDE). All confidential or sensitive data and e-documents that are exposed to third parties or transferred over public networks should be secured with file-level encryption, at a minimum.73 Encryption is only as good as the management of its keys: lost keys mean lost records, and keys stored beside the data they protect protect nothing.

Secure Communications Using Record-Free E-Mail

What types of tools can you use to encourage the free flow of ideas in collaborative efforts without compromising your confidential information assets or risking litigation or compliance sanctions?

Stream messaging is an innovation that became commercially viable around 2006. It is similar in impact to IRM software, which limits the recipients’ ability to forward, print, or alter data in an e-mail message (or reports, spreadsheets, etc.) but goes further by leaving no record on any computer or server.

Stream messaging is a simple, safe, secure electronic communications system ideal for ensuring that sensitive internal information is kept confidential and not publicly released. Stream messaging is not intended to be a replacement for enterprise e-mail but is a complement to it. If you need an electronic record, e-mail it; if not, use stream messaging.74

What makes stream messaging unique is its recordlessness. Streamed messages cannot be forwarded, edited, or saved. A copy cannot be printed as is possible with e-mail. That is because stream messaging separates the sender's and receiver's names and the date from the body of the message, never allowing them to be seen together. Even if the sender or receiver were to attempt to make a copy using the print-screen function, these elements are never captured together.75

The instant a stream message is sent, it is placed in a temporary storage buffer space. When the recipient logs in to read the message, it is removed from the buffer space. By the time the recipient opens it, the complete stream message no longer exists on the server or any other computer.

This communications approach is Web based, meaning that no hardware or software purchases are required. It also works with existing e-mail systems and e-mail addresses and is largely immune to spam and viruses. Other solutions (both past and present) have been offered, but these have taken the approach of encrypting e-mail or generating e-mail that disappears after a preset time. Neither of these approaches is truly recordless.

Stream messaging is unique because its technology effectively eliminates the ability to print, cut, paste, forward, or save a message. It may be the only electronic communications system that separates the header information (date, name of sender, name of recipient) from the body of the message, which eliminates a traceable record of the communication. Two caveats apply: recordlessness is enforced by the client, so a photograph of the screen or a capture of the browser's memory still yields the content; and in regulated sectors that must retain business communications, a channel that leaves no record is a compliance problem in its own right, which is why the rule above (if you need a record, e-mail it) matters. Many other renditions of secure messaging will no doubt be developed.

In addition, stream messaging offers the added protection of being a separately hosted Web service, meaning that the messages and headers are never hosted on the subscribing companies’ networks. This reduces the risk that employers, competitors, or hackers could intercept stream messages on those networks, although it does mean that the service provider itself must be trusted with them.76

Digital Signatures

Digital signatures are more than just digitized autographs—they carry detailed audit information used to “detect unauthorized modifications” to e-documents and to “authenticate the identity of the signatory.”77

Online transactions can then be conducted with confidence that they are proper and binding: the signature proves that the holder of the signing key did, in fact, authorize the e-document. A digital signature provides evidence to a third party that the signature is genuine and authentic, a property known as nonrepudiation. To repudiate is to dispute, and with digital signatures a signatory cannot credibly claim that the signature is forged. The property rests on the private key staying private: if the key is stolen or shared, repudiation becomes plausible again, which is why key protection and prompt revocation matter as much as the algorithm.

Digital signatures can be implemented in a variety of ways: not just in software but also in firmware (programmed microchips), in dedicated hardware (smart cards, hardware security modules), or a combination of the three. Hardware- and firmware-based implementations are generally harder to attack, because the private key is generated and used inside the device and never leaves it.

Here is a key point: for those who are unfamiliar with the technology, there is a big difference between electronic signatures and digital signatures.78

An “electronic signature is likely to be a bit-map image, either from a scanned image, a fax copy or a picture of someone's signature, or may even be a typed acknowledgment or acceptance.” A digital signature contains “extra data appended to a message which identifies and authenticates the sender and message data using public-key encryption.”79

So digital signatures are the only ones that offer any real security advantages.

A digital signature is created with the signatory's private signing key and verified with the matching public key, which is distributed in the signatory's personal ID certificate; the private key never leaves the signatory, and anyone holding the public-key certificate can perform all future verifications. “In addition, a checksum mechanism confirms that there have been no modifications to the content”:80 in practice this is a cryptographic hash of the document, which the signature covers, so that changing a single byte invalidates the signature.

A formal, trusted certificate authority (CA) issues the certificate that binds the public key to the signatory's identity. It is possible to generate self-certified public keys, but these do nothing to verify and authenticate the signatory's identity, since anyone can mint a key pair under any name, and they are therefore flawed from a security standpoint. The interchange of verified signatures is possible on a global scale, as “digital signature standards are mature and converging internationally.”81
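As an added example (not from this book), the Go program below signs a document with Ed25519 and verifies it, showing the three things the paragraphs above describe: a one-byte change to the document breaks the signature, only the public key is needed to verify, and a key pair the signer minted for themselves is rejected unless a trusted directory has bound that key to the claimed identity. The trusted-directory map stands in for a CA-issued certificate chain and is an assumption of the example, as are the names used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignatureRecord is what a records system keeps as document metadata: who
// signed, a digest of exactly what was signed, and the signature itself.
type SignatureRecord struct {
	Signer    string
	Digest    string // SHA-256 of the document, hex
	Signature []byte // Ed25519 signature over the document bytes
}

// Directory maps identities to public keys. In production this binding comes
// from CA-issued certificates or an internal key registry; a self-minted key
// pair proves nothing about who holds it, so it must not be added on request.
type Directory map[string]ed25519.PublicKey

// NewKeyPair mints a signing key pair; the private half stays with the signer.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces a detached signature record over doc with the signer's private key.
func Sign(signer string, priv ed25519.PrivateKey, doc []byte) SignatureRecord {
	sum := sha256.Sum256(doc)
	return SignatureRecord{Signer: signer, Digest: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, doc)}
}

// Verify checks a record against the document using only the public key from
// the trusted directory. Any alteration, a key that is not the signer's, or a
// signer the directory does not know all fail.
func Verify(rec SignatureRecord, doc []byte, trusted Directory) error {
	pub, ok := trusted[rec.Signer]
	if !ok {
		return errors.New("signer not in trusted directory")
	}
	if sum := sha256.Sum256(doc); hex.EncodeToString(sum[:]) != rec.Digest {
		return errors.New("document digest does not match the record")
	}
	if !ed25519.Verify(pub, doc, rec.Signature) {
		return errors.New("signature invalid: document altered or key mismatch")
	}
	return nil
}

func main() {
	pub, priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	trusted := Directory{"alice@example.com": pub}
	contract := []byte("Purchase agreement v3: 10,000 units at 42.00")
	rec := Sign("alice@example.com", priv, contract)
	fmt.Println("original: ", Verify(rec, contract, trusted))
	fmt.Println("altered:  ", Verify(rec, []byte("Purchase agreement v3: 10,000 units at 24.00"), trusted))
	// An impostor with a self-generated key pair: the arithmetic checks out
	// under the impostor's own public key, but the directory has no such key.
	_, impostor, _ := NewKeyPair()
	fmt.Println("impostor: ", Verify(Sign("mallory@example.net", impostor, contract), contract, trusted))
	fmt.Println("forged:   ", Verify(Sign("alice@example.com", impostor, contract), contract, trusted))
}
```

Note that nothing here hides the contract: the document travels in the clear and anyone can read it, which is the distinction from document encryption drawn later in this chapter.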

After more than 30 years of predictions, the paperless office is almost here. Business process cycles have been reduced, and great efficiencies have been gained since the majority of documents today are created digitally and spend most of their life cycle in digital form, and they can be routed through work steps using business process management (BPM) and work flow software. However, the requirement for a physical signature frequently disrupts and holds up these business processes. Documents have to be printed out, physically routed, and physically signed—and often they are scanned back into a document or records management (or contract management) system, which defeats the efficiencies sought.

Often multiple signatures are required in an approval process, and some organizations require each page to be initialed, which makes the process slow and cumbersome when it is executed without the benefit of digital signatures. Also, multiple copies are generated—as many as 20—so digital signature capability injected into a business process can account for significant time and cost savings.82

Document Encryption

There is some overlap and sometimes confusion between digital signatures and document encryption. Suffice it to say, they work differently, in that document encryption secures a document for those who share a secret key, and digital signatures prove that the document has not been altered and the signature is authentic.

There are e-records management implications of employing document encryption:

Unless it is absolutely essential, full document encryption is often advised against for use within electronic records management systems as it prevents full-text indexing, and requires that the decryption keys (and application) are available for any future access. Furthermore, if the decryption key is lost or an employee leaves without passing it on, encrypted documents and records will in effect be electronically shredded as no one will be able to read them.

Correctly certified digital signatures do not prevent unauthorized persons reading a document nor are they intended to. They do confirm that the person who signed it is who they say they are, and that the document has not been altered since they signed it. Within a records management system a digital signature is often considered to be an important part of the metadata of a document, confirming both its heritage and its integrity.83

Data Loss Prevention (DLP) Technology

The aforementioned document security challenges have given rise to an emerging but critical set of capabilities by a new breed of IT companies that provide data loss prevention (DLP) (also called data leak prevention). DLP providers create software and hardware appliances that thoroughly inspect all e-documents and e-mail messages before they leave the organization's perimeter and attempt to stop sensitive data from exiting the firewall.

This filtering is based on several factors, but mostly using specified critical content keywords that are flagged by the implementing organization. DLP can also stop the exit of information assets by document types, origin, time of day, and other factors.

DLP systems are designed to detect and prevent unauthorized use and transmission of confidential information.84 In more detail, DLP is a computer security term referring to systems that identify, monitor, and protect data/documents in all three states: (1) in use (endpoint actions), (2) in motion (network actions), and (3) at rest (data/document storage). DLP accomplishes this by deep content inspection and contextual security analysis of transaction data (e.g. attributes of the originator, the data object, medium, timing, recipient/destination, etc.) with a centralized management framework.

Promise of DLP

The global enterprise data loss prevention market is anticipated to grow at a compound annual growth rate of more than 16% from 2018 to 2023, from about $1.2 billion to $2.5 billion by 2023.85 Gartner states that “with adoption of DLP technologies moving quickly down to the small to medium enterprise, DLP is no longer an unknown quantity.”86 Although the DLP market has matured, it suffers from confusion about how DLP best fits into the new mix of security approaches, how it is best utilized (endpoint or gateway), and even the definition of DLP itself.87

Data loss is very much on managers’ and executives’ minds today. The series of WikiLeaks incidents exposed hundreds of thousands of sensitive government and military documents. According to the Ponemon Institute (as reported by DLP experts), data leaks continue to increase annually. Billions of dollars are lost every year as a result of data leaks, with the cost of each breach ranging from an average of $700,000 to $31 million. Some interesting statistics from the study include:

  • Almost half of breaches happen while an enterprise's data was in the hands of a third party.
  • Over one-third of breaches involved lost or stolen mobile devices.
  • The cost per stolen record is approximately $200 to $225.
  • One-quarter of breaches were conducted by criminals or with malicious intent.
  • More than 80% of breaches compromised more than 1000 records.88

What DLP Does Well (and Not So Well)

DLP has been deployed successfully as a tool used to map the flow of data inside and exiting the organization to determine the paths that content takes, so that more sophisticated information mapping, monitoring, and content security can take place.

This use as a traffic monitor for analysis purposes has been much more successful than relying on DLP as the sole enforcement tool for compliance and to secure information assets. Today's technology is simply not fast enough to catch everything. It catches many e-mail messages and documents that users are authorized to send, which slows the network and the business down. This also adds unnecessary overhead, as someone has to go back and release each and every one of the e-mails or documents that were wrongly stopped.

Another downside: since DLP relies on content inspection, it cannot read encrypted e-mail or documents. The best it can do is recognize that a payload is unreadable (an encrypted archive, a password-protected file, a high-entropy attachment) and apply a policy to that fact, for example by blocking or quarantining encrypted attachments that did not come from the organization's own encryption gateway.

Basic DLP Methods

DLP solutions typically apply one of three methods:

  1. Scanning traffic for keywords or regular expressions, such as customer credit card or social security numbers.
  2. Classifying documents and content based on a predefined set to determine what is likely to be confidential and what is not.
  3. Tainting (in the case of agent-based solutions), whereby documents are tagged and then monitored to determine how to classify derivative documents. For example, if someone copies a portion of a sensitive document into a different document, this document receives the same security clearance as the original document.89
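An added worked example, not code from this book or from any DLP product, of the first two methods in Go: a regular expression finds card-number and Social Security number candidates, the Luhn check digit and the SSA's issuance rules then discard the false positives the regex alone would report, a keyword list supplies the classification, and an entropy test reports encrypted or compressed payloads as uninspectable rather than waving them through. The keyword list and the thresholds are assumptions; the sample message is constructed.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one policy hit: the kind of sensitive content and the matched text.
type Finding struct{ Kind, Match string }

var (
	// Card-number candidates: 13-19 digits, optionally grouped by spaces or dashes.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	// US SSN candidates; issuance rules are checked in code (RE2 has no lookahead).
	ssnRe    = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	nonDigit = regexp.MustCompile(`\D`)
	// Markings the organization has declared sensitive (assumed list).
	keywords = []string{"CONFIDENTIAL", "ATTORNEY-CLIENT PRIVILEGED", "PRICE LIST"}
)

// luhnValid applies the check digit every real card number carries; it rejects
// most digit runs (order numbers, phone numbers) the regex alone would flag.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d = d*2%10 + d*2/10 // double the digit and sum its digits
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ssnPlausible rejects numbers the SSA never issues: area 000, 666 or 900-999,
// group 00, serial 0000.
func ssnPlausible(s string) bool {
	area, group, serial := s[:3], s[4:6], s[7:]
	return area != "000" && area != "666" && area[0] != '9' && group != "00" && serial != "0000"
}

// entropy in bits per byte; encrypted or compressed data sits close to 8.0.
func entropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Inspect runs the checks over an outbound payload. A high-entropy blob is
// reported as opaque rather than silently passed: inspection cannot see inside
// it, so policy has to decide whether such payloads may leave at all.
func Inspect(payload []byte) []Finding {
	var out []Finding
	if h := entropy(payload); len(payload) >= 256 && h > 7.0 {
		return append(out, Finding{"opaque", fmt.Sprintf("%.2f bits/byte, not inspectable", h)})
	}
	text := string(payload)
	for _, k := range keywords {
		if strings.Contains(strings.ToUpper(text), k) {
			out = append(out, Finding{"keyword", k})
		}
	}
	for _, m := range panRe.FindAllString(text, -1) {
		if d := nonDigit.ReplaceAllString(m, ""); len(d) >= 13 && len(d) <= 19 && luhnValid(d) {
			out = append(out, Finding{"pan", m})
		}
	}
	for _, m := range ssnRe.FindAllString(text, -1) {
		if ssnPlausible(m) {
			out = append(out, Finding{"ssn", m})
		}
	}
	return out
}

// Constructed outbound message (not real data: 4111... is a published test card
// number and 078-05-1120 a well-known invalidated SSN).
const sampleMail = `Subject: Q1 price list - CONFIDENTIAL
Card on file: 4111 1111 1111 1111, order ref 1234 5678 9012 3456.
Applicant SSN 078-05-1120; ticket 000-12-3456.`

// opaqueSample: every byte value equally often, entropy exactly 8.0 bits/byte.
func opaqueSample() []byte {
	b := make([]byte, 1024)
	for i := range b {
		b[i] = byte(i)
	}
	return b
}

func main() {
	fmt.Println(Inspect([]byte(sampleMail)))
	fmt.Println(Inspect(opaqueSample()))
}
```

On the sample the order reference and the ticket number match the patterns but are dropped by the Luhn and issuance checks; that second stage is what keeps a rule from blocking normal business mail, which is the false-positive problem discussed next.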

All these methods require the network administrator to set up a policy that clearly defines what is allowed to be sent out and what must be kept in confidence. Crafting that policy is extremely difficult: a policy that matches too little lets sensitive information slip out, and a policy that matches too much generates a significant number of false positives and stops the flow of normal business communications.

Although network security management is well established, defining these types of IG policies is extremely difficult for a network administrator. Leaving this job to network administrators means there will be no collaboration with business units, no standardization, and no real forethought. As a result, many installations are plagued with false positives that are flagged and stopped, which can stifle and frustrate knowledge workers. The majority of DLP deployments simply use DLP for monitoring and auditing purposes.

Examining the issue of the dissolving perimeter more closely, a deeper problem is revealed: DLP is binary; it is black or white. Either a certain e-document or e-mail can leave the organization's boundaries or it cannot. This process has been referred to as outbound content compliance.

But this is not how the real world works today. Now there is an increasing need for collaboration and for information to be shared or reside outside the organization on mobile devices or in the cloud.

Most of today's DLP technology cannot address these complex issues on its own. Often additional technology layers are needed.

Data Loss Prevention: Limitations

DLP has been hyped in the past few years, and major security players have made several large acquisitions—especially those in the IRM market. Much like firewalls, DLP started in the form of network gateways that searched e-mail, Web traffic, and other forms of information traveling out of the organization for data that was defined as internal. When it found such data, the DLP blocked transmission or monitored its use.

Soon agent-based solutions were introduced, performing the same actions locally on users’ computers. The next step brought a consolidation of many agent- and network-based solutions to offer a comprehensive solution.

IG policy issues are key. What is the policy? All these methods depend on management setting up a policy that clearly defines what is acceptable to send out and what should be kept in confidence.

With DLP, a certain document can either leave the organization's boundaries or it can't. But this is not how the real world works. In today's world there is an increasing need for information to be shared or reside outside the organization on mobile devices or in the cloud. Simply put, DLP is not capable of addressing this issue on its own, but it is a helpful piece of the overall technology solution.

Missing Piece: Information Rights Management (IRM)

Another technology tool for securing information assets is information rights management (IRM) software (also referred to as enterprise rights management [ERM] and previously as enterprise digital rights management [e-DRM].) For purposes of this book, we use the term “IRM” when referring to this technology set, so as not to be confused with electronic records management. Major software companies also use the term “IRM.”

IRM technology provides a security wrapper around documents and protects sensitive information assets from unauthorized access.90 DLP, as described above, inspects content and can stop sensitive data at the gateway or, through an endpoint agent, block its copying to external media or its transmission by e-mail when the user is not authorized. IRM goes a step further: once deployed, files and documents are protected wherever they may be. The ability to apply security to an e-document in any state (in use, in motion, and at rest), across media types, inside or outside of the organization, is called persistent security. It is the key characteristic of IRM technology, and it operates transparently, without user intervention.91

IRM has the ability to protect e-documents and data wherever they may reside, however they may be used, and in all three data states (at rest, in use, and in transit).92

IRM allows for e-documents to be remote controlled, meaning that security protections can be enforced even if the document leaves the perimeter of the organization. This means that e-documents (and their control mechanisms) can be separately created, viewed, edited, and distributed.

IRM provides persistent, ever-present security and manages access to sensitive e-documents and data. IRM provides embedded file-level protections that travel with the document or data, regardless of media type.93 These protections prevent unauthorized viewing, editing, printing, copying, forwarding, or faxing. So, even if files are somehow copied to a thumb drive and taken out of the organization, e-document protections and usage are still controlled. The controls hold only inside an IRM-aware application, however; once content is rendered, a camera pointed at the screen, or a capture taken outside the viewer's control, is beyond IRM's reach (the “analog hole”).

The major applications for IRM services include cross-protection of e-mails and attachments, dynamic content protection on Web portals, secure Web-based training, secure Web publishing, and secure content storage and e-mail repositories all while meeting compliance requirements of Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and others. Organizations can comply with regulations for securing and maintaining the integrity of digital records, and IRM will restrict and track access to spreadsheets and other financial data too.

In investment banking, research communications must be monitored, according to National Association of Securities Dealers (NASD) rule 2711, and IRM can help support compliance efforts. In consumer finance, personal financial information collected on paper forms and transmitted by fax (e.g. auto dealers faxing credit applications), or other low-security media can be secured using IRM, directly from a scanner or copier. Importers and exporters can use IRM to ensure data security and prevent the loss of cargo from theft or even terrorist activities, and they also can comply with U.S. Customs and trade regulations by deploying IRM software. Public sector data security needs are numerous, including intelligence gathering and distribution, espionage, and Homeland Security initiatives. Firms that generate intellectual property (IP), such as research and consulting groups, can control and protect access to IP with it. In the highly collaborative pharmaceutical industry, IRM can secure research and testing data.

IRM protections can be added to nearly all e-document types including e-mail, word processing files, spreadsheets, graphic presentations, computer-aided design (CAD) plans, and blueprints. This security can be enforced globally on all documents or granularly down to the smallest level, protecting sensitive fields of information from prying eyes. This is true even if there are multiple copies of the e-documents scattered about on servers in varying geographic locations. Also, the protections can be applied permanently or within controlled time frames. For instance, a person may be granted access to a secure e-document for a day, a week, or a year.

Key IRM Characteristics

Three requirements are recommended to ensure effective IRM:

  1. Security is foremost; documents, communications, and licenses should be encrypted, and documents should require authorization before being altered.
  2. The system can't be any harder to use than working with unprotected documents.
  3. It must be easy to deploy and manage, scale to enterprise proportions, and work with a variety of common desktop applications.94

IRM software enforces and manages document access policies and use rights (view, edit, print, copy, e-mail forward) of electronic documents and data. Controlled information can be text documents, spreadsheets, financial statements, e-mail messages, policy and procedure manuals, research, customer and project data, personnel files, medical records, intranet pages, and other sensitive information. IRM provides persistent enforcement of IG and access policies to allow an organization to control access to information that needs to be secured for privacy, competitive, or compliance reasons. Persistent content security is a necessary part of an end-to-end enterprise security architecture.

Well, it sounds like fabulous technology, but is IRM really so new? No, it has been around for a decade or more, and continues to mature and improve. It entered the mainstream around 2004/2005 (when this author began tracking its development and publishing researched articles on the topic).

IRM software currently is used for persistent file protection by thousands of organizations throughout the world. Its success depends on the quality and consistency of the deployment, which includes detailed policy-making efforts. Difficulties in policy maintenance and lack of real support for external sharing and mobile devices have kept first-wave IRM deployments from becoming widespread, but this aspect is being addressed by a second wave of new IRM technology companies.

Other Key Characteristics of IRM

Policy Creation and Management

IRM allows for the creation and enforcement of policies governing access and use of sensitive or confidential e-documents. The organization's IG team sets the policies for access based on role and organizational level, determining what employees can and cannot do with the secured e-documents.95 The IG policy defined for a document type includes the following controls:

  1. Viewing
  2. Editing
  3. Copy/Paste (including screen capture)
  4. Printing
  5. Forwarding e-mail containing secured e-documents

Access to sensitive e-documents may be revoked at any time, no matter where they are located or what media they are on, since each time a user tries to access a document, access rights are verified with a server or cloud IRM application. This can be done remotely—that is, when an attempt is made to open the document, an authorization must take place. In cloud-based implementations, it is a matter of simply denying access.
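The server-side check that the paragraph describes, as an added example that is not from the original chapter or any IRM vendor: a small Python policy server that evaluates a requested right against role, grant expiry, device class and office hours, releases the content key only when the decision is allowed, supports revocation, and records every attempt in an audit trail. The document id, roles, content key and the office-hours rule are invented sample data.

```python
"""Policy-server enforcement loop for IRM-protected documents (added, constructed example).
The protected file carries only a document id and ciphertext, so every open asks the
policy server whether the requested right is allowed for this user, now, on this device;
the server releases the content key only on an allowed decision and audits every attempt.
Roles, documents, keys and the office-hours rule are invented sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

RIGHTS = {"view", "edit", "copy", "print", "forward"}

@dataclass
class Grant:
    """Rights one role holds on a document, optionally time-boxed and context-bound."""
    role: str
    rights: set
    expires: Optional[datetime] = None      # None means a permanent grant
    device_classes: Optional[set] = None    # None means any device class
    office_hours_only: bool = False         # 08:00-18:00 Mon-Fri, server time (assumed UTC)

@dataclass
class Policy:
    doc_id: str
    grants: list = field(default_factory=list)
    revoked: bool = False

@dataclass
class Decision:
    allowed: bool
    reason: str
    content_key: Optional[bytes] = None     # populated only when allowed

def in_office_hours(now: datetime) -> bool:
    return now.weekday() < 5 and 8 <= now.hour < 18

class PolicyServer:
    """Holds policies and content keys; the protected file never carries the key."""

    def __init__(self):
        self._policies, self._keys, self._roles, self.audit = {}, {}, {}, []

    def protect(self, doc_id, content_key, grants):
        self._policies[doc_id] = Policy(doc_id, list(grants))
        self._keys[doc_id] = content_key

    def assign_role(self, user, role):
        self._roles[user] = role

    def revoke(self, doc_id):
        """Takes effect on the next access check, wherever the copy lives."""
        self._policies[doc_id].revoked = True

    def request(self, user, doc_id, right, device_class, now):
        """Every view, edit, copy, print or forward goes through here and is audited."""
        decision = self._evaluate(user, doc_id, right, device_class, now)
        self.audit.append({"time": now.isoformat(), "user": user, "doc": doc_id,
                           "right": right, "device": device_class,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _evaluate(self, user, doc_id, right, device_class, now):
        policy = self._policies.get(doc_id)
        if policy is None:
            return Decision(False, "unknown document")
        if policy.revoked:
            return Decision(False, "access revoked")
        if right not in RIGHTS:
            return Decision(False, "unknown right")
        grant = next((g for g in policy.grants if g.role == self._roles.get(user)), None)
        if grant is None:
            return Decision(False, "no grant for role")
        if right not in grant.rights:
            return Decision(False, "right not granted")
        if grant.expires is not None and now >= grant.expires:
            return Decision(False, "grant expired")
        if grant.device_classes is not None and device_class not in grant.device_classes:
            return Decision(False, "device class not permitted")
        if grant.office_hours_only and not in_office_hours(now):
            return Decision(False, "outside office hours")
        return Decision(True, "allowed", self._keys[doc_id])

DEMO_NOW = datetime(2024, 3, 12, 10, 0, tzinfo=timezone.utc)   # constructed: a Tuesday morning
DEMO_EVENING = DEMO_NOW.replace(hour=20)
DEMO_NEXT_WEEK = DEMO_NOW + timedelta(days=8)

def build_demo_server(now=DEMO_NOW):
    """Constructed sample: finance may view/print a price list for one week, on desktops,
    in office hours; executives hold every right with no restrictions."""
    server = PolicyServer()
    server.protect("doc-price-list", b"constructed-key-0001", [
        Grant("finance", {"view", "print"}, expires=now + timedelta(days=7),
              device_classes={"desktop"}, office_hours_only=True),
        Grant("executive", set(RIGHTS)),
    ])
    server.assign_role("alice", "finance")
    server.assign_role("bob", "executive")
    server.assign_role("carol", "contractor")
    return server
```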

Decentralized Administration

Traditionally, one of the key challenges of e-document security has been that a system administrator had access to documents and reports that were meant only for executives and senior managers. With IRM, the e-document owner administers the security of the data, which considerably reduces the risk of document theft, alteration, or misuse.

Auditing

Auditing provides the smoking-gun evidence in the event of a true security breach. Good IRM software provides an audit trail of how all documents secured by it are used. Some go further, providing more detailed document analytics of usage.

Integration

To be viable, IRM must integrate with other enterprisewide systems, such as ECM, customer relationship management, product life cycle management, enterprise resource planning, e-mail management, message archiving, e-discovery, and a myriad of cloud-based systems. This is a characteristic of today's newer wave of IRM software.

This ability to integrate with enterprise-based systems does not mean that IRM has to be deployed at an enterprise level. The best approach is to target one critical department or area with a strong business need and to keep the scope of the project narrow to gain an early success before expanding the implementation into other departments.

With IRM technology, a document owner can selectively prevent others from viewing, editing, copying, or printing it. Despite its promise, most enterprises do not use IRM, and if they do, they do not use it on an enterprise-wide basis. This is due to the high complexity, rigidity, and cost of legacy IRM solutions.

It is clearly more difficult to use documents protected with IRM—especially when policymaking and maintenance are organized by individual rather than by role. Some early implementations of IRM by first-to-market software development firms had as many as 200,000 different policies to maintain (for 200,000 employees). These have since been replaced by newer, second-wave IRM vendors, who have reduced that number to a mere 200 policies, which is much more manageable. Older IRM installations require intrusive plug-in installation; they are limited in the platforms they support, and they largely prevent the use of newer platforms, such as smartphones, iPads, and other tablets. This is a real problem in a world where almost all executives carry a smartphone and use of tablets (especially the iPad) is growing.

Moreover, due to their basic design, first-wave or legacy IRM is not a good fit for organizations aiming to protect documents shared outside company boundaries. These outdated IRM solutions were designed and developed in a world where organizations were more concerned with keeping information inside the perimeter than protecting information beyond the perimeter.

Most initial providers of IRM focused on internal sharing and are heavily dependent on Microsoft Active Directory (AD) and lightweight directory access protocol (LDAP) for authentication. Also, the delivery model of older IRM solutions involves the deployment and management of multiple servers, SQL databases, AD/LDAP integration, and a great deal of configuration. This makes them expensive and cumbersome to implement and maintain. Furthermore, these older IRM solutions do not take advantage of or operate well in a cloud computing environment.

Although encryption and legacy IRM solutions have certain benefits, they are extremely unwieldy and complex and offer limited benefits in today's technical and business environment. Newer IRM solutions are needed to provide more complete DLS.

Embedded Protection

IRM embeds protection into the data (using encryption technology), allowing files to protect themselves. IRM may be the best available security technology for the new mobile computing world of the permeable perimeter.97

Is Encryption Enough?

Many of the early solutions for locking down data involved encryption in one form or another:

  • E-mail encryption
  • File encryption
  • Full disk encryption (FDE)
  • Enterprise-wide encryption

These encryption solutions can be divided into two categories: encryption in transit (e.g. e-mail encryption) and encryption at rest (e.g. FDE).

The various encryption solutions mitigate some risks. In the case of data in transit, these risks could include an eavesdropper attempting to discern e-mail or network traffic. In the case of at-rest data, risks include loss of a laptop or unauthorized access to an employee's machine. The most advanced solutions are capable of applying a policy across the organization and encrypting files, e-mails, and even databases. However, encryption has its caveats.

Most simple encryption techniques necessarily involve the decryption of documents so they can be viewed or edited. At these points, the files are essentially exposed. Malware (e.g. Trojan horses, keystroke loggers) installed on a computer may use the opportunity to send out the plain-text file to unauthorized parties. Alternatively, an employee may copy the contents of these files and remove them from the enterprise.

Device Control Methods

Another method that is related to DLP is device control. Many vendors offer software or hardware that prevents users from copying data via the USB port to portable drives and removing them from the organization in this manner. These solutions are typically as simple as blocking the ports; however, some DLP solutions, when installed on the client side, can selectively prevent the copying of certain documents.98

Thin Clients

One last method worth mentioning is the use of thin clients to prevent data leaks. These provide a so-called walled garden containing only the applications users require to do their work, via a diskless terminal. This prevents users from copying any data onto portable media; however, if they have e-mail or Web access applications, they still can send information out via e-mail, blogs, or social networks.

Note about Database Security

Database security and monitoring is addressed in Chapter 10, “Information Governance and Information Technology Functions.”

Compliance Aspect

Compliance has been key in driving companies to invest in improving their security measures, such as firewalls, antivirus software, and DLP systems. More than 400 regulations exist worldwide mandating a plethora of information and data security requirements. One example is the Payment Card Industry Data Security Standard (PCI-DSS), which is one of the strictest regulations for credit card processors. Companies that fail to comply with these regulations are subject to penalties of up to $500,000 per month for lost financial data or credit card information. Forrester Research estimated the per-record cost of a breach is $90 to $305. But do compliance activities always result in adequate protection of your sensitive data? In many cases the answer is no. It is important to keep in mind that being formally compliant does not mean the organization is actually secure. In fact, compliance is sometimes used as a fig leaf, covering a lack of real document security. One needs to look no further than to the recent series of major document leakage incidents to understand this. Those all came from highly secure and regulated entities, such as banks, hospitals, and the military.

Hybrid Approach: Combining DLP and IRM Technologies

An idea being promoted recently is to make IRM an enforcement mechanism for platforms like DLP. Together, DLP and IRM accomplish what they independently cannot. Enterprises may be able to use their DLP tools to discover data flows, map them out, and detect transmissions of sensitive information. They can then apply their IRM or encryption protection to enforce their confidentiality and information integrity goals.99

Several vendors in the fields of DLP, encryption, and IRM have already announced integrated products. However, at this point in time, most IRM solutions are by no means ready for prime time when it comes to this use. Only a select few second-wave IRM software providers can offer comprehensive, streamlined, persistent security across many platforms.

As the enterprise perimeter dissolves, document and data security should become the focus of the Internet security field. However, most legacy solutions, such as encryption and legacy IRM, are complex and expensive and provide only a partial solution to the key problems. Combining several methods offers effective countermeasures, but an ultimate solution has not yet arrived.

Securing Trade Secrets After Layoffs and Terminations

In today's global economy—which has shifted labor demands—huge layoffs are not uncommon in the corporate and public sectors. The act of terminating an employee creates document security and IP challenges while raising the question: How does the organization retrieve and retain its IP and confidential data? An IG program to secure information assets must also deal with everyday resignations of employees who are in possession of sensitive documents and information.100

According to Peter Abatan, author of the Enterprise Digital Rights Management blog, “As a general rule all organizations should classify all their documents with the aim of identifying the ones that need persistent protection” (emphasis added). That is to say, documents should be protected at all times, regardless of where they travel and who is using them, while the organization still retains control of usage rights. There are two basic technological approaches to this protection:

  1. The first, as discussed earlier in this chapter, is combining IRM with DLP; DLP is used to conduct deep content inspection and identify all documents that may contain sensitive information, then the DLP agent “notifies the enterprise [information] rights management engine that sensitive information is about to be copied to external media or outside the firewall and therefore needs to be encrypted.”
  2. The second is using a form of context-sensitive IRM “in which all documents that contain sensitive data defined in the [global] data dictionary [are] automatically encrypted.”

These two technological approaches must be fostered by an IG program. They can have significant positive impact in protecting sensitive information, no matter where it is located, and can help document owners withdraw access to its sensitive documents at any time.
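The second approach, as an added example that is neither the chapter's nor any vendor's code: a Python inspector that scans a document against a small data dictionary and reports which protection the IRM engine should apply before the file is allowed out. The dictionary entries, severity levels, policy names and sample documents are constructed for illustration; the Luhn check is included only to cut down false positives on digit runs.

```python
"""Data-dictionary content inspection for the DLP-to-IRM hand-off (added, constructed example).
A data dictionary lists what counts as sensitive; the inspector scans a document's text and
returns the protection policy the IRM engine should apply, or None when the document may
leave unencrypted. Entries, severities, policy names and samples are invented."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits; discards most digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class DictionaryEntry:
    name: str
    pattern: re.Pattern
    severity: int                                    # 1 internal, 2 confidential, 3 restricted
    validator: Optional[Callable[[str], bool]] = None


# Constructed data dictionary; in practice the IG team maintains this list.
DATA_DICTIONARY = [
    DictionaryEntry("payment card number", re.compile(r"\b(?:\d[ -]?){13,16}\b"), 3, luhn_ok),
    DictionaryEntry("price list marker",
                    re.compile(r"\b(?:internal|confidential) price list\b", re.IGNORECASE), 2),
    DictionaryEntry("CAD drawing reference", re.compile(r"\bDWG-\d{4,}\b"), 2),
    DictionaryEntry("project codename", re.compile(r"\bProject [A-Z][a-z]+\b"), 1),
]

# Protection applied for the highest severity found (invented policy names).
POLICY_BY_SEVERITY = {
    0: None,
    1: "internal-view-edit",
    2: "confidential-no-forward-no-print",
    3: "restricted-view-only",
}


def inspect(text: str) -> dict:
    """Return the matched entries, the resulting severity and the policy to hand to IRM."""
    matches = {}
    for entry in DATA_DICTIONARY:
        hits = [m.group(0) for m in entry.pattern.finditer(text)]
        if entry.validator is not None:
            hits = [h for h in hits if entry.validator(h)]
        if hits:
            matches[entry.name] = len(hits)
    severity = max((e.severity for e in DATA_DICTIONARY if e.name in matches), default=0)
    return {
        "matches": matches,
        "severity": severity,
        "policy": POLICY_BY_SEVERITY[severity],
        "encrypt_before_export": severity >= 2,   # threshold is an assumption
    }


if __name__ == "__main__":
    # Constructed sample documents.
    for sample in ["Q3 internal price list for key accounts, see Project Falcon.",
                   "Card on file: 4111 1111 1111 1111, exp 12/27.",
                   "Reference 4111 1111 1111 1112 is a ticket number.",
                   "Lunch menu for Tuesday."]:
        print(inspect(sample))
```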

Organizations must educate their employees to increase awareness of the financial and competitive impact of breaches and to clarify that sensitive documents are the property of the organization. If those handling sensitive documents are informed of the benefits of IRM and related technologies, they will be more vigilant in their efforts to keep information assets secure.

Persistently Protecting Blueprints and CAD Documents

Certain IRM software providers have focused on securing large-format engineering and design documents, and they have made great strides in the protection of computer-aided design files. As much as 95% of CAD files are proprietary designs and represent valuable, proprietary IP of businesses worldwide. And CAD files are just as vulnerable as any other e-document in that, when unprotected, they “can be e-mailed or transferred to another party without the knowledge of the owner of the content.”101

In today's global economy, it is common to conduct manufacturing operations in markets where labor is inexpensive and regulations are lax. Many designs are sent to China, Indonesia, and India for manufacturing. Although they usually are accompanied by binding confidential disclosure contracts, these agreements are often difficult to enforce, especially given the disparity in cultures and laws. And what happens if a rogue employee in possession of designs and trade secrets absconds with them and sells them to a competitor? Or starts a competing business? There are a number of examples of this happening.

Owners of valuable proprietary IP must vigilantly protect it; the very survival of the business may depend on it. Monitoring and securing IP wherever it might travel is now a business imperative.

Theft of IP and confidential information represents a clear and present danger to all types of businesses, especially global brands dependent on proprietary designs for a competitive advantage. Immediate IG action by executive management is required to identify possible leaks and plug the holes. Not safeguarding IP and confidential or sensitive documents puts the organization's competitive position, strategic plans, revenue stream, and very future at risk.

Securing Internal Price Lists

In 2010, it was reported that confidential information about the advertising expenditures of some of Google's major accounts was leaked to the public.102 This may not seem like a significant breach, but, in fact, with this information, Google's customers can determine if they are getting a preferred price schedule, and competitors can easily undercut Google's pricing for major customers. According to Peter Abatan, “[It is clear] why this information is so critical to Google that this information is tightly secured.”

Is your company's price list secured at all times? Price lists are confidential information assets, and if they are revealed publicly, major customers could demand steeper discounts and business relationships could suffer irreparable damage, especially if customers find out they are paying more for a product or service than their competitors.

A company's price list is critical to an organization because it impacts all aspects of the business, from the ability to generate revenue to private dealings with customers and suppliers. IRM should be used to protect price lists, and printing of these valuable lists must be monitored and controlled using secure printing methods and document analytics.

Confidential information should be persistently protected throughout its document life cycle in all three states (at rest, in motion, and in use) so that if it is compromised or stolen, it is still protected and controlled by the owning organization.

Approaches for Securing Data Once It Leaves the Organization

It is obvious with today's trends that, as Andrew Jaquith of Forrester Research states, “The enterprise security perimeter is quickly dissolving.” A lot of valuable information is routed outside the owning organization through unsecured e-mail. A breach can compromise competitive position, especially in cases dealing with personnel files and marketing plans or merger details. Consider for a moment that even proprietary software and company financial statements are sent out. Exposure of this data can have real financial impact. Without additional protections, such as IRM and e-mail encryption, these valuable information assets are often out of the control of the IT department of the owning organization.103

Third-party possession or control of enterprise data is a critical point of vulnerability, and many organizations realize that securing data outside the organizational perimeter is a high priority. But a new concept has cropped up of late that bucks conventional wisdom: “control does not require ownership.”

Instead of focusing on securing devices where confidential data is accessed, the new thinking focuses on securing the data and documents directly. With this new mind-set, security can be planned under the assumption that the enterprise owns its data but none of the devices that access it. As Jaquith states, “Treat all endpoints as hostile” (emphasis added). Forrester Research refers to this concept as the “zero-trust model of information security.” Zero trust, according to Jaquith, is “centered on the idea that security must become ubiquitous” throughout an organization's infrastructure.

Forrester has developed a new network architecture that builds security into the DNA of a network, using a mixture of five data security design patterns:

  1. Thin client. Access information online only, with no local operations, using a diskless terminal that cannot store data, documents, or programs so confidential information stays stored and secured centrally. For additional security, “IT can restrict host copy-and-paste operations, limit data transfers, and require strong or two-factor authentication using SecurID or other tokens.”
  2. Thin device. Devices such as smartphones, which have limited computing resources, Web surfing, e-mail, and basic Web apps that locally conduct no real information processing are categorized as thin devices. In practice, these devices do not hold original documents but merely copies, so the official business record or master copy cannot be altered or deleted. A nice feature of many smartphones is the ability to erase or wipe data remotely, in the event the device is lost. This is a little added insurance, and it makes smartphones “truly ‘disposable,’ unlike PCs,” according to Jaquith.
  3. Protected process. This approach allows local processing with a PC where confidential e-documents and data are stored and processed in a partition that is highly secure and controlled. This processing can occur even if the PC is not owned and controlled by the organization. “The protected process pattern has many advantages: local execution, offline operation, central management, and a high degree of granular security control, including remote wipe [erase].” A mitigating factor to consider here is most business PCs today are Windows based, and the world is rapidly moving to other, more nimble platforms.
  4. Protected data. Deploying IRM and embedding security into the documents (or data) provides complete DLS. The newer wave of more sophisticated, easier-to-use IRM vendors have role-based policy implementation and such features as “contextual” enforcement, where document rights are dependent on the context—that is, where and when a user attempts access. For instance, allow access to documents on workers’ desktops but not on their laptops; or provide access to printing confidential documents at the facility during office hours but not after. “Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.”
  5. Eye in the sky. This design pattern uses technologies such as DLP to scan network traffic content and halt confidential documents or sensitive data at the perimeter. Deployed properly, DLP is “ideal for understanding the velocity and direction of information flow and for detecting potential breaches, outliers, or anomalous transmissions.” It should be noted that DLP does not provide complete protection. To do so would mean that many legitimate and sanctioned e-mails and documents would be held up for inspection, thus slowing the business process. As stated earlier, DLP is best for discovering information flows and monitoring network traffic. Another negative is that you cannot always require partner organizations and suppliers to install DLP on their computers. So this is a complementary technology, not a complete solution to securing confidential information assets.

By discarding the “age-old conflation of ownership and control, enterprises will be able to build data protection programs that encompass all possible ownership scenarios, including Tech Populism, offshoring, and outsourcing.”

Document Labeling

Document labeling is “an easy way to increase user awareness about the sensitivity of information in a document” (emphasis added).104 What is it? It is the process of attaching a label to classify a document. For instance, who would not know that a document labeled “confidential” is indeed confidential? If the label appears prominently at the top of a document, it is difficult for persons accessing it to claim they did not know it was sensitive.

The challenge is to standardize and formalize the process of getting the label onto the document enterprise-wide. This issue would be addressed in an IG effort focused on securing confidential e-documents, or may also be a part of a classification and taxonomy design effort. It cannot simply be left up to users to type in labels themselves, or it will not be sufficiently executed and will end up leaving a mishmash of labeled documents without any formal classification.

Another great challenge is legacy or archived documents, which are the lion's share of an organization's information assets. How do you go back and label those? One by one? Nope. Not practical.

Some content repositories or portals, such as Microsoft SharePoint, provide some functionality toward addressing the document labeling challenge. SharePoint is the most popular platform for sharing documents today.

SharePoint has an information management policy tool called Labels, which can be used to add document labels, such as Confidential, to the top of documents.

There are several options available for administrators to customize the labels, including the ability to:

  1. Prompt users to add the label when they save or print, rather than relying on the user to click the Label button in the ribbon;
  2. Specify labels containing static text and/or variables such as Project Name;
  3. Control the appearance of the labels, such as font, size, and justification.105

The labels are easily added from within Microsoft Office Word, PowerPoint, and Excel. One method that can be used is for the user to click the Label button on the Insert ribbon group; another method is to add the label through a prompt that appears when a user saves or prints a document (if the administrator has configured this option).

The labeling capabilities in document and content management systems such as Microsoft's SharePoint are a good start for increasing user awareness and improving the handling of sensitive documents. However, the document labeling capabilities of SharePoint are basic and limited. These basic capabilities may provide a partial or temporary solution, although organizations aiming for a high level of security and confidentiality for their documents will need to search for supplemental technologies from third-party software providers. For instance, finding the capabilities to label documents in bulk rather than one by one, add watermarks, or force users to save or print documents with a standard document label that cannot be altered may require looking at alternatives. Some are software vendors that have enhanced the SharePoint document labeling capability and may provide the complete solution.

Document Analytics

Some software providers also provide document analytics capabilities that monitor the access, use, and printing of documents and create real-time graphical reports of document use activities. These capabilities are very valuable.

Document analytics allow a compliance officer or system administrator to view exactly how many documents a user accesses in a day and how many documents the user accesses on average. Using this information, analytics monitors can look for spikes or anomalies in use. It is also possible to establish baselines and compare usage with that of an employee's peers as well as his or her past document usage. If, for instance, a user normally accesses an average of 25 documents a day and that suddenly spikes to 200, the system sends an alert, and perhaps it is time to pay a visit to that person's office. Or, if an employee normally prints 50 pages per day, then one day prints 250 pages, a flag is raised. Document analytics capabilities can go so far as to calculate the average time a user spends reading a document; significant time fluctuations can be flagged as potentially suspicious activity.
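The baseline-and-spike logic just described, as an added example not taken from the chapter or any analytics product: personal and peer baselines are built from constructed five-day usage histories, and today's counts are flagged when they jump far above a user's own baseline, mirroring the 25-to-200 documents and 50-to-250 pages cases. Users, roles, counts and the two thresholds are invented.

```python
"""Document analytics baseline check (added, constructed example).
Each user's recent daily counts of documents opened and pages printed form a personal
baseline, the same metric across the user's role forms a peer baseline, and today's
counts are flagged when they spike far above the personal baseline.
Users, roles, counts and thresholds are invented sample data."""
from collections import defaultdict
from statistics import mean, pstdev

RATIO_THRESHOLD = 2.0   # today must be at least 2x the personal mean ...
SIGMA_THRESHOLD = 3.0   # ... and more than 3 standard deviations above it (assumed values)

# Constructed history: user -> (role, daily docs opened, daily pages printed), five days each.
HISTORY = {
    "alice": ("analyst", [23, 24, 25, 26, 27], [48, 49, 50, 51, 52]),
    "bob":   ("analyst", [28, 30, 32, 29, 31], [45, 50, 55, 50, 50]),
    "dave":  ("sales",   [10, 12, 14, 11, 13], [100, 105, 110, 102, 108]),
}

# Constructed "today" observations: user -> (docs opened, pages printed).
TODAY = {"alice": (200, 50), "bob": (30, 250), "dave": (12, 105)}


def peer_baselines(history: dict) -> dict:
    """Mean of each metric per role across every history day of every user in that role."""
    per_role = defaultdict(lambda: ([], []))
    for role, docs, pages in history.values():
        per_role[role][0].extend(docs)
        per_role[role][1].extend(pages)
    return {role: (mean(d), mean(p)) for role, (d, p) in per_role.items()}


def is_spike(today_value: float, baseline: list) -> bool:
    """Both tests must hold, so a tiny-variance user is not flagged for a few extra opens."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return today_value >= RATIO_THRESHOLD * mu and today_value > mu + SIGMA_THRESHOLD * sigma


def analyze(history: dict, today: dict) -> list:
    """Return one flag per (user, metric) whose value today is a spike over its baseline."""
    peers = peer_baselines(history)
    flags = []
    for user, (docs_today, pages_today) in today.items():
        role, docs_hist, pages_hist = history[user]
        for metric, value, baseline, peer in (
            ("docs_opened", docs_today, docs_hist, peers[role][0]),
            ("pages_printed", pages_today, pages_hist, peers[role][1]),
        ):
            if is_spike(value, baseline):
                flags.append({
                    "user": user, "role": role, "metric": metric, "today": value,
                    "personal_mean": round(mean(baseline), 1),
                    "peer_mean": round(peer, 1),          # context for the reviewer
                    "ratio": round(value / mean(baseline), 1),
                })
    return flags


if __name__ == "__main__":
    for flag in analyze(HISTORY, TODAY):
        print(flag)
```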

Confidential Stream Messaging

E-mail is dangerous. It contains much of an organization's confidential information, and 99% of the time it is sent out unsecured. It has been estimated that as many as 20% of e-mail messages transmitted pose a legal, financial, or regulatory threat to the organization. Specifically, “34 percent of employers investigated a leak of confidential business information via e-mail, and an additional 26 percent of organizations suffered the exposure of embarrassing or sensitive information during the course of a year,” according to Nancy Flynn, Executive Director of the ePolicy Institute. These numbers are rising, giving managers and business owners cause to look for confidential messaging solutions.106

Since stream messaging (a form of ephemeral messaging) separates the header and identifying information from the message, sends them separately, and leaves no record or trace, it is a good option for executives and managers, particularly when engaged in sensitive negotiations, litigation, or other highly confidential activities. Whereas e-mail leaves behind an indelible fingerprint that lives forever on multiple servers and systems, stream messaging does not.

Business records, IP and trade secrets, and confidential executive communications can be protected by implementing stream messaging. It can be implemented alongside and in concert with a regular e-mail system, but clear rules on the use of stream messaging must be established, and access to it must be tightly restricted to a small circle of key executives and managers.

The ePolicy Institute offers seven steps to controlling stream messaging:

  1. Work with your legal counsel to define “business record” for your organization on a companywide basis. Establish written records retention policies, disposition and destruction schedules, and litigation hold rules. Support the e-mail retention policy with a bona fide e-mail archiving solution to facilitate the indexing, preservation, and production of legally authentic records. Implement a formal electronic records management system to manage all records.
  2. Work with your legal counsel to determine when, how, why, and with whom confidential stream messaging is the most appropriate, effective—and legally compliant—way to hold recordless, confidential business discussions when permanent records are not required.
  3. In order to preserve attorney-client privilege, a phone call or confidential electronic messaging may be preferable to e-mail. Have corporate counsel spell out the manner in which executives and employees should communicate with lawyers when discussing business, seeking legal advice, or asking questions related to specific litigation.
  4. Define key terms for employees. Don't assume employees understand what management means when using terms like “confidential,” “proprietary,” “private” or “intellectual property,” and so on. Employees must clearly understand definitions if they are to comply with confidentiality rules.
  5. Implement written rules and policies governing the use of e-mail and confidential stream messaging. E-policies should be written clearly and should be easy for employees to access and understand. Make them [as] “short and sweet” as possible. Do not leave anything up to interpretation.
  6. Distribute a hard copy of the new confidential messaging policy, e-mail policy and other electronic communications (e.g., social media, blogs). Insist that each and every employee signs and dates the policy, acknowledging that they understand and accept it and that disciplinary action including termination may result from violation of the organization's established policies.
  7. Educate, educate, educate. Ensure that all employees who need to know are able to discern between e-mail that leaves a potential business record and stream messaging which does not, and what is confidential.107

Securing confidential information assets effectively requires an eclectic, multifaceted approach. It takes clear and enforced IG policies, a collection of technologies, and regular testing and audits, both internally and by a trusted third party.

Notes

  1. Dalvin Brown, “Americans Are More Concerned with Data Privacy Than Job Creation, Study Shows,” USA Today, November 9, 2018, https://www.USAToday.com/story/money/2018/11/09/Americans-more-concerned-data-privacy-than-healthcare-study-says/1904796002/.
  2. F. Bélanger and R. E. Crossler, “Privacy in the Digital Age: A Review of Information Privacy Research in Information Systems,” MIS Quarterly 35, no. 4 (2011): 1017–1041, doi:10.2307/41409971.
  3. R. Gradwohl and R. Smorodinsky, “Perception Games and Privacy,” Games and Economic Behavior 104 (2017): 293–308, doi:10.1016/j.geb.2017.04.006.
  4. P. Swire and S. Bermann, Information Privacy: Official Reference for the Certified Information Privacy Professional (CIPP) (York, ME: International Association of Privacy Professionals, 2008), 7.
  5. J. Camenisch, “Information Privacy?” Computer Networks 56, no. 18 (2012): 3834–3848, doi:10.1016/j.comnet.2012.10.012.
  6. O. Shy and R. Stenbacka, “Customer Privacy and Competition,” Journal of Economics & Management Strategy 25, no. 3 (2016): 539–562, doi:10.1111/jems.12157.
  7. https://www.privacyrights.org/data-breaches.
  8. Shy and Stenbacka, “Customer Privacy and Competition.”
  9. S. Wilson et al., “Analyzing Privacy Policies at Scale: From Crowdsourcing to Automated Annotations,” ACM Transactions on the Web 13, no. 1 (2018): 1–29, doi:10.1145/3230665.
  10. “Sample Data Protection Policy Template,” https://iapp.org/resources/article/sample-data-protection-policy-template-2/ (accessed June 7, 2019).
  11. Ibid.
  12. Bob Siegel, “Privacy Policy or Privacy Notice: What's the Difference?” IDG Contributor Network, May 4, 2016, https://www.csoonline.com/article/3063601/privacy/privacy-policies-and-privacy-notices-whats-the-difference.html.
  13. Pam Dixon, “A Brief Introduction to Fair Information Practices,” World Privacy Forum, January 4, 2008, https://www.worldprivacyforum.org/2008/01/report-a-brief-introduction-to-fair-information-practices/.
  14. “The HEW Report: Defining the Fair Information Practices,” CIPP Guide, August 23, 2012, https://www.cippguide.org/2012/08/23/the-hew-report-defining-the-fair-information-practices/.
  15. “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,” www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm (accessed June 7, 2019).
  16. “Data Protection Authorities from over 50 Countries Approve the ‘Madrid Resolution’ on International Privacy Standards,” 31st International Conference of Data Protection and Privacy, Madrid, November 6, 2009, www.privacyconference2009.org/media/notas_prensa/common/pdfs/061109_estandares_internacionales_en.pdf.
  17. “Comments by the DHS Privacy Office and the Staff of the U.S. Federal Trade Commission on the Joint Proposal for International Standards on the Protection of Privacy with Regard to the Processing of Personal Data,” August 10, 2010, https://www.dhs.gov/xlibrary/assets/privacy/privacy_comments_madrid_resolution_082010.pdf.
  18. Abu Bakar Munir, “Madrid Resolution: A Step Towards a Privacy Treaty?,” December 29, 2009, http://profabm.blogspot.com/2009/12/another-privacy-standard.html.
  19. “The History of the General Data Protection Regulation,” European Data Protection Supervisor, https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en (accessed June 7, 2019).
  20. Brian Fung, “Why You're Getting Flooded with Privacy Notifications in Your Email,” Washington Post, May 25, 2018, https://www.washingtonpost.com/news/the-switch/wp/2018/05/25/why-youre-getting-flooded-with-privacy-notifications-in-your-email/?noredirect=on&utm_term=.56b9d972bfa3.
  21. “General Data Protection Regulation,” https://gdpr-info.eu/ (accessed June 7, 2019).
  22. “GDPR Fines and Penalties,” https://www.gdpreu.org/compliance/fines-and-penalties/ (accessed June 7, 2019).
  23. Ibid.
  24. Russell Brandom, “Facebook and Google Hit with $8.8 Billion in Lawsuits on Day One of GDPR,” The Verge, May 25, 2018, https://www.theverge.com/2018/5/25/17393766/facebook-google-gdpr-lawsuit-max-schrems-europe.
  25. James Sanders, “To Save Thousands on GDPR Compliance, Some Companies Are Blocking All EU Users,” Tech Republic, May 7, 2018, https://www.techrepublic.com/article/to-save-thousands-on-gdpr-compliance-some-companies-are-blocking-all-eu-users/.
  26. Rani Lofstrom, “Securing Your Digital Transformation,” March 6, 2019, https://www.microsoft.com/security/blog/2019/03/06/securing-your-digital-transformation/.
  27. Alex Scroxton, “Facebook Facing 10 GDPR Investigations in Ireland,” Computer Weekly, March 1, 2019, https://www.computerweekly.com/news/252458664/Facebook-facing-10-GDPR-investigations-in-Ireland.
  28. Kalev Leetaru, “Facebook's Password Breach Suggests the Public Sees Cybersecurity as Obsolete,” Forbes, March 23, 2019, https://www.forbes.com/sites/kalevleetaru/2019/03/23/facebooks-password-breach-suggests-the-public-sees-cybersecurity-as-obsolete/#7598a3313e24.
  29. “Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years,” interview with Scott Renfro, Krebs on Security, March 21, 2019, https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/.
  30. IAPP, Certified Information Privacy Study Guide, Study Guide edition (CreateSpace Independent Publishing Platform, 2015).
  31. Swire and Bermann, Information Privacy, 7.
  32. Fair Credit Reporting Act, 15 U.S.C. §1681, revised September 2018, https://www.ftc.gov/system/files/545a_fair-credit-reporting-act-0918.pdf.
  33. https://www.hhs.gov/ocr/index.htm.
  34. Wilson et al., “Analyzing Privacy Policies at Scale.”
  35. Ibid.
  36. Ibid.
  37. “HITECH Act Enforcement Interim Final Rule,” https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html.
  38. “What Are the Penalties for HIPAA Violations?” HIPAA Journal, June 25, 2015, https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/.
  39. Wilson et al., “Analyzing Privacy Policies at Scale.”
  40. Ibid.
  41. 940 CMR 27.00: Safeguard of Personal Information, Office of Attorney General Maura Healey, January 22, 2010, https://www.mass.gov/regulations/940-CMR-2700-safeguard-of-personal-information.
  42. Dipayan Ghosh, “What You Need to Know About California's New Data Privacy Law,” Harvard Business Review, July 11, 2018, https://hbr.org/2018/07/what-you-need-to-know-about-californias-new-data-privacy-law.
  43. Heather Kelly, “California Passes Strictest Online Privacy Law in the Country,” CNN Business, June 28, 2018, https://money.cnn.com/2018/06/28/technology/california-consumer-privacy-act/index.html.
  44. Scott Allbert, “CA Consumer Privacy Act,” IG World, June 4, 2019, https://infogovworld.com/ig-topics/ccpa-new-privacy-law/.
  45. Ibid.
  46. “APEC Privacy Framework (2015),” Asia-Pacific Economic Cooperation, August 2017, https://www.apec.org/Publications/2017/08/APEC-Privacy-Framework-(2015).
  47. Douglas B. Laney, Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage (New York: Taylor & Francis, 2018).
  48. Shira Scheindlin and Daniel Capra, “The Sedona Conference,” Electronic Discovery and Digital Evidence (Thomson Reuters, 2009), 204, www.amazon.com/Scheindlin-Conferences-Electronic-Discovery-Evidence-ebook/dp/B00AUE0LRI.
  49. “The Global Cost of a Data Breach Is Up in 2018,” https://securityintelligence.com/ponemon-cost-of-a-data-breach-2018/ (accessed December 13, 2018).
  50. “The 10 Biggest Data Breaches of 2018 … So Far,” July 16, 2018, https://blog.barkly.com/biggest-data-breaches-2018-so-far.
  51. “Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing,” New York Times, December 11, 2018, https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html.
  52. “Annual Number of Data Breaches and Exposed Records in the United States from 2005 to 2018,” https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/ (accessed December 13, 2018).
  53. Jim Finkle, “‘State Actor’ behind Slew of Cyber Attacks,” Reuters, August 3, 2011, www.reuters.com/article/2011/08/03/us-cyberattacks-idUSTRE7720HU20110803.
  54. Ibid.
  55. Ibid.
  56. Ibid.
  57. Peter Abatan, “Persistently Protecting Your Computer Aided Designs,” Enterprise Digital Rights Management, http://enterprisedrm.tumblr.com/post/1423979379/persistently-protecting-your-computer-aided-designs (accessed August 18, 2011).
  58. Ari Ruppin, e-mail to author, March 20, 2011.
  59. Sam Narisi, “IT's Role in Secure Staff Cuts,” March 2, 2009, http://www.financetechnews.com/its-role-in-secure-staff-cuts/.
  60. Ibid.
  61. Oracle White Paper, “Oracle Information Rights Management 11g—Managing Information Everywhere It Is Stored and Used” (March 2010), www.oracle.com/technetwork/middleware/webcenter/content/irm-technical-whitepaper-134345.pdf, 4.
  62. Ibid.
  63. Open Web Application Security Project, “Defense in Depth,” https://www.owasp.org/index.php/Defense_in_depth (accessed June 24, 2013).
  64. HCL, “Identity and Access Management Services,” www.hclisd.com/identity-and-access-management.aspx (accessed September 2, 2011).
  65. Ibid.
  66. Ibid.
  67. Nicola Clark and David Jolly, “Fraud Costs Bank 7.1 Billion,” New York Times, January 25, 2008, www.nytimes.com/2008/01/25/business/worldbusiness/25bank-web.html?hp.
  68. Oracle White Paper, “Oracle Information Rights Management 11g.”
  69. Robert Smallwood, “E-DRM Plugs ECM Security Gap,” KM World, April 1, 2008, www.kmworld.com/Articles/News/News-Analysis/E-DRM-plugs-ECM-security-gap-41333.aspx.
  70. Adi Ruppin, e-mail to author, March 20, 2011.
  71. Annik Stahl, “Secure Printing: No More Mad Dashes to the Copy Room,” http://office.microsoft.com/en-us/help/secure-printing-no-more-mad-dashes-to-the-copy-room-HA001227631.aspx (accessed August 22, 2011).
  72. William Broddy, telephone interview by author, August 7, 2011.
  73. Bill Blake, “WikiLeaks, the Pearl Harbor of the 21st Century,” eDocument Sciences LLC, December 6, 2010, http://edocumentsciences.com/wikileaks-the-pearl-harbor-of-the-21st-century.
  74. VaporStream, www.vaporstream.com (accessed December 9, 2013).
  75. Ibid.
  76. Ibid.
  77. NIST, “Federal Information Processing Standards Publication,” FIPS PUB 186-3, issued June 2009, http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf (accessed August 15, 2011). FIPS Publication 186-3 (dated June 2009) was superseded on July 19, 2013, and is provided here only for historical purposes. For the most current revision of this publication, see http://csrc.nist.gov/publications/PubsFIPS.html.
  78. Doug Miles, AIIM White Paper, “Digital Signatures—Making the Business Case,” https://www.docusign.com/partner/sharepoint-online-for-cosign-central.
  79. Computer Desktop Encyclopedia, www.computerlanguage.com (accessed March 30, 2012).
  80. Doug Miles, AIIM White Paper, “Digital Signatures—Making the Business Case.”
  81. Ibid.
  82. Ibid.
  83. Ibid.
  84. Ari Ruppin, e-mail to author, March 20, 2011.
  85. “Global Enterprise Data Loss Prevention Market (2018–2023): Industry Trends, Opportunities and Forecasts - CAGR to Grow at 16.28% - ResearchAndMarkets.com,” https://www.businesswire.com/news/home/20180305005642/en/Global-Enterprise-Data-Loss-Prevention-Market-2018-2023.
  86. Fred Donovan, “Gartner: Enterprise Content-Aware Data Loss Prevention Market to Reach $670 Million This Year,” February 7, 2013, www.fierceenterprisecommunications.com/story/gartner-enter-prise-content-aware-data-loss-prevention-market-reach-670-mill/2013-02-07.
  87. Data Loss Prevention Experts, “DLP Product Guide for RSA Conference Expo 2011,” January 17, 2011, www.dlpexperts.com/dlpxblog/2011/1/17/dlp-product-guide-for-rsa-conference-expo-2011.html.
  88. Ibid.
  89. Ibid.
  90. Ibid.
  91. Peter Abatan, “Who Should Be Blamed for a Data Breach?” Enterprise Digital Rights Management, February 2011, http://enterprisedrm.tumblr.com/post/1087100940/who-should-be-blamed-for-a-data-breach.
  92. Peter Abatan, “Understanding Enterprise Rights Management,” Enterprise Digital Rights Management, www.enterprisedrm.info/page/2 (accessed August 3, 2011).
  93. Robert Smallwood, “Securing Documents in the WikiLeaks Era,” May 28, 2011, www.kmworld.com/Articles/Editorial/Feature/Securing-documents-in-the-WikiLeaks-era-75642.aspx.
  94. Oracle, “Oracle Information Rights Management 11g—Managing Information Everywhere It Is Stored and Used,” Oracle White Paper, March 2010, https://www.oracle.com/technetwork/middleware/webcenter/content/irm-technical-whitepaper-134345.pdf.
  95. Abatan, “Understanding Enterprise Rights Management,” http://enterprisedrm.tumblr.com/page/3 (accessed December 9, 2013).
  96. Ibid.
  97. Ibid.
  98. Ibid.
  99. Ibid.
  100. This discussion and quotes are from Peter Abatan's blog, “Preparing for Staff Layoffs/Resignations Where Confidential Information Is Concerned,” Enterprise Digital Rights Management (which has been deleted).
  101. Ibid.
  102. This discussion and quotes are from Peter Abatan's blog, “Is Your Price List under Lock and Key?” Enterprise Digital Rights Management (which has been deleted).
  103. This discussion and quotes are from Andrew Jaquith, “Own Nothing—Control Everything: Five Patterns for Securing Data on Devices You Don't Own,” ComputerWeekly.com, September 8, 2010, www.computerweekly.com/Articles/2010/09/10/242661/Own-nothing-control-everything-five-patterns-for-securing-data-on-devices-you-dont.htm.
  104. This discussion and quotes are from Charlie Pulfer, “Document Labeling in SharePoint,” September 13, 2009.
  105. Ibid.
  106. Nancy Flynn, The E-Policy Handbook: Rules and Best Practices to Safely Manage Your Company's E-Mail, Blogs, Social Networking, and Other Electronic Communication Tools, 2nd ed. (New York: AMACOM, 2009), 57.
  107. Ibid., 68–70.
  * Portions of this chapter are adapted from Chapters 11 and 12, Robert F. Smallwood, Safeguarding Critical E-Documents: Implementing a Program for Securing Confidential Information Assets, © John Wiley & Sons, Inc., 2012. Reproduced with permission of John Wiley & Sons, Inc.