David Sengupta



David Sengupta is a well-known analyst and an annual recipient of Microsoft’s Exchange Server MVP award since 1998. He has worked with Microsoft Exchange since its inception more than a decade ago. His expertise is in enterprise systems management, archiving, monitoring, diagnostics, hosting, reporting, analysis, recovery, regulatory compliance, legal discovery, enterprise information management, and enterprise content management from an electronic messaging perspective.

David has contributed to numerous books on enterprise messaging systems and directories, and has written for most print and online magazines that cover Exchange. He writes a regular English-language column on Exchange that is also translated into Mandarin, enjoys many valued friendships with members of Microsoft’s Unified Communications Group, and speaks regularly at major industry events, including Microsoft Tech-Ed and Microsoft IT Forum.

In addition to his role as analyst at Ferris Research, David is the Director of Product Management for Messaging Solutions at Quest Software (http://www.quest.com). He and his wife have four young children, and they all live very busy and somewhat out-of-the-box lives. David’s other interests include lifeguard training, teaching swimming, starting things up, and doing a variety of things all at once. He runs a blog on Microsoft Exchange compliance and storage topics at http://p0stmaster.blogspot.com/.

It is easy to assume that deploying a myriad of electronic surveillance technologies (e.g., data leak protection, logging, archiving, firewalls, event data recorders, etc.) is sufficient on its own, providing organizations with a hundred sets of “electronic eyes” constantly watching for breaches of compliance, leaks of intellectual property, rogue employees, and the like.

Yet it is prudent to consider the wide gap that remains between humans and machines. Even the most advanced technology lacks important elements of human judgment. For example, while technology can flag exceptions in logs or behavior, it takes a human to determine whether an anomalous event is a tired executive performing large downloads late in the evening or a rogue employee circumventing controls to send confidential contract data to an unauthorized external contact.

The old adage, “people, process, and technology” should be integral to your philosophy of compliance. Notwithstanding the promise of expert systems, interpretation of the meaning of events discovered by technology will require human judgment for the foreseeable future.

David Sengupta

If you process, store, or transmit credit card data for any reason in your company, you must be Payment Card Industry (PCI) Data Security Standard (DSS) compliant, or your company risks fines or even loss of the ability to process credit card information.

Yet, we regularly hear of companies that handle customer credit card numbers but don’t have data leak protection (DLP) solutions of any sort in place. Sometimes we even read about them in the evening news.

At a minimum, any company concerned with PCI DSS should consider DLP solutions to protect against credit card numbers being unintentionally leaked via email or instant messaging. The question is not if but when a leak will happen, and when it does it places your company, your reputation, and your customers at risk.

David Sengupta

In our world, reality and virtual reality are coalescing at an alarming rate. On a simple level, we enter instant messaging (IM) conversations with those in the same office as ours, preferring a virtual conversation to a physical one. On the other end of the spectrum, we can invent characters in Second Life where we live entirely parallel lives unbeknownst to those around us.

Does compliance find meaning in virtual worlds? We believe it does.

If someone in your organization takes on a Second Life personality, and uses that to breach your corporate policies, the Second Life personality is simply another identity used by the employee. The compliance enforcement challenge, of course, is that many of the new virtual worlds are virtually invisible to the corporate world.

We predict that, over time, the concept of “identity” will extend to include a map of any aliases used by a given employee. So the “david.sengupta” corporate account could, for example, be associated with IM handles including anand@msn.com, pOstmaster@aol.com, and jibber@jabber.com. David’s Second Life persona could be Fritz Finkenstein, and his phone number could be 613.123.4567. The challenge, of course, is developing technologies that automatically discover all the identities associated with all the accounts in your organization.

As compliance breaches start to emerge in virtual worlds, it is only a matter of time until companies decide to either block them, or attempt to extend the long hand of compliance enforcement technologies from the physical world into the virtual one.

David Sengupta

Many of you will be familiar with the work of Ivan Pavlov, in which he determined that certain reflex responses — like a dog salivating before its normal mealtime — occur conditionally based on previous experience. We believe there is something in his research that applies to email.

Consider these questions:

  • Have you ever sat in a location where you knew you didn’t have Internet connectivity, and found yourself clicking send/receive in Outlook just to try to get at your new email?
  • Do you sometimes find yourself checking for new email multiple times in a minute?
  • Is your BlackBerry the last thing you look at at night, and the first thing you pick up in the morning?

We have come to the conclusion that there is something deeply imprinted in our human nature that gives us a need to communicate. Communication can take many forms: in person, via phone, via cell phone, via instant messaging, via Facebook, or via email, to mention a few. For many of us in the corporate world, sitting in front of Microsoft Outlook (or your favorite email client) fills that need to communicate, to feel included, or to feel relevant. We tell our colleagues to “loop me in” or to “copy me,” and otherwise ask to be included on communication that we may care about, or may not.

Set against that backdrop, think of the many days where your inbox has become a frenzy of emails, reply-alls, questions, comments, and flames. Your adrenaline is flowing, and you can barely keep up.

Then consider the times when your inbox traffic has died down. You sit there, half-expecting the deluge to start any moment, feeling guilty about the many other things you could be doing. For whatever reason, though, you can’t keep Outlook closed for any length of time.

Crazy, we know. But we believe that — much as Pavlov’s dogs salivate for that next dish of food — many of us are almost addicted to that next new message that arrives in our inbox.

Have you checked your inbox lately?

David Sengupta

Protecting your company against intentional leaks is virtually impossible.

If a rogue employee wants to steal sensitive data from your organization, here are just some of the ways it can be done. The employee could:

  • Take a digital photo of the document on screen and walk out with the camera.
  • Call their home voicemail and read the document to their voicemail, then transcribe it.
  • Print a sensitive document and walk out with it.
  • Put PSTs containing hundreds of thousands of sensitive emails on a USB drive and leave with those.
  • Upload the files to a VMware image and take the image home.
  • Find a Facebook application that permits file exchange and use that to send the file out of your organization.

And so on.

While technologies now exist to try to cover a wide variety of endpoints--email, instant messaging, Web proxy, USB drives on local PCs, and so on--the most effective policy for most organizations is to focus on inadvertent and unintentional leaks, instead of trying to be all things to all people. In other words, give up on the notion that you can stop leaks by protecting all endpoints. By the time you’ve addressed all the possibilities you can think of, 10 new ones will have arisen.

After all, many PCI breaches have happened by mistake, where spreadsheets or other files containing credit card numbers were inadvertently emailed outside the sender’s organization.

Instead of a breadth approach, start with the leakiest of applications, namely email and instant messaging, and work out from there. Numerous technologies exist--Orchestria, MessageGate, Vontu, Proofpoint, Akonix, FaceTime and others--that provide automated policy enforcement of real-time data.

Starting with an achievable goal will help you address the majority of the threats while keeping your DLP goals grounded in reality.
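As an added example (not code from the original posts, from Ferris Research, or from any of the vendors named above), the Python below shows the kind of check an email or IM policy engine applies to outbound messages for the PCI case raised earlier: find candidate card numbers in the body, discard those that fail the Luhn checksum or have no plausible issuer prefix (so an order number does not trip the filter), and block only when a real number is addressed to someone outside the organization. The domain example.com, the block-versus-audit policy, and the sample messages are assumptions constructed for illustration; the card numbers are widely published test numbers, not real accounts.

```python
"""Outbound e-mail check for primary account numbers (PANs).

Added example; not code from the original posts or from any DLP vendor
named on the page. Assumptions: the organization's domain is example.com,
internal-only messages are logged rather than blocked, and the sample
messages are constructed for illustration.
"""
import re
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumption: the sender's own mail domain

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit serial number is not a candidate).
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _brand(digits: str):
    """Coarse issuer check on prefix and length; cuts false positives from
    Luhn-valid numbers that are not card numbers. Returns None if no match."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "discover"
    return None


@dataclass
class Finding:
    masked: str   # first six and last four digits only; never log the full PAN
    brand: str


def find_pans(text: str) -> list[Finding]:
    """Return Luhn-valid, brand-plausible card numbers found in text."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        brand = _brand(digits)
        if brand is None:
            continue
        masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        findings.append(Finding(masked, brand))
    return findings


def evaluate(recipients: list[str], body: str) -> dict:
    """Policy: block PANs leaving the organization; audit internal ones."""
    findings = find_pans(body)
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != ORG_DOMAIN]
    if findings and external:
        action = "block"
    elif findings:
        action = "audit"
    else:
        action = "allow"
    return {"action": action, "findings": findings, "external": external}


# Constructed sample messages (published test card numbers, not real accounts).
SAMPLE_MESSAGES = [
    (["bob@partner-corp.test"],
     "Per our call, the refunds:\n4111 1111 1111 1111, $120.00\n"
     "5500-0000-0000-0004, $75.50\n"),
    (["bob@partner-corp.test"], "Order 1234567890123456 shipped today."),
    (["carol@example.com"], "Card 378282246310005 needs a chargeback review."),
]


def run_samples() -> list[str]:
    return [evaluate(to, body)["action"] for to, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (to, body), action in zip(SAMPLE_MESSAGES, run_samples()):
        print(action, to, [f.masked for f in find_pans(body)])
```

Run as a script, the first message (a pasted refund spreadsheet going to a partner) is blocked, the order number is allowed through, and the internal message is logged for audit. The Luhn and prefix filters are what keep such a rule usable on real mail; without them every long number in a purchase order becomes a false positive. Note what this does not cover: the photographed screen, the printout, or the PST on a USB drive from the list above, which is exactly why the post argues for starting with email and IM rather than trying to close every endpoint.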

David Sengupta

Will we ever know the truth behind the White House’s shenanigans around the lost emails to do with the Valerie Plame affair? According to this CNN story, the White House is using exemption from the Freedom of Information Act (FOIA) as a rebuttal to the latest attempt by Citizens for Responsibility and Ethics in Washington (CREW) to get at the truth.

Reality aside, if the White House had a properly architected email archiving system at the time in question, with appropriate usage policies (and if they weren’t using backups as email “archives”), we wouldn’t be having this discussion. But therein lies the key question. Does the White House really want an email archive to record everything that goes on in the inboxes of those heading up the U.S. Administration?

We suspect not.

Regardless of what goes on behind the closed doors of the White House, it is very common for organizations to purposely avoid deploying an email archiving solution. We are sure that many of our readers can relate, with corporate legal teams either explicitly instructing IT to delete all email after 30/60/90 days, or simply refusing to invest in technologies to capture and retain all email.

Implementing archiving and retention policies is not always a clear win-win scenario, especially to lawyers. Sometimes the risk of keeping email around is greater than the risk of possible spoliation charges.

David Sengupta

Some time ago we highlighted the new e-discovery Special Master persona. As the e-discovery market continues to evolve, Law.com recently wrote about another relatively new persona, the “e-discovery attorney”.

E-discovery attorneys are those with a clear understanding of e-discovery process and technologies, and significant hands-on experience in this complex area. While typically found in larger law firms, corporate legal departments in highly litigious environments--insurance, pharmaceuticals, etc.--are starting to take notice.

David Sengupta

PSS Systems, a vendor of legal hold and retention policy solutions, announced earlier this week that it has secured $18M in financing.

PSS has several solutions:

  • Atlas LCC, for legal holds, and custodian and collection management
  • Atlas ERM, for enterprise retention policy management
  • Atlas Map, for synchronizing systems and people with legal policy

While PSS is not yet profitable, the firm expects to be so this year.

David Sengupta

If you’re interested in retention and preservation, bookmark this page. The CGOC (Compliance, Governance and Oversight Council) provides events, working groups, and an annual summit on retention and preservation.

The resources made available on the CGOC Portal are top-notch. Registering is well worthwhile. You’ll find numerous documents written by experts in the e-discovery industry, a discussion forum, primers on the Federal Rules of Civil Procedure (FRCP), and a great private blog.

David Sengupta

If you’re like many in the corporate world, you probably spend a substantial amount of time triaging your email. Afraid to miss an important email, you likely use a combination of rules, folders, flags, and categories in your triage. Some of you are “filers,” placing email neatly in a carefully organized set of folders — arranged by project, by topic, or perhaps by individual. Many of you are “pilers,” letting email pile up in your inbox and constantly trying to get through as much of it as you can. If you’ve been doing this for years, you’ll know that there are parallels between email triage and playing a Whack-a-Mole game.

While many have taken a behavioral approach to the issue, throwing end-user training at the email overload problem, numerous third-party players have come up with software solutions to help you triage your email. ClearContext allows you to prioritize your contacts, provides prioritized views into your inbox, and allows you to defer entire conversations for future processing (my favorite feature). Our friends at Xobni flip things around and show you a person-centric view of who you communicate with most, what attachments you last shared with that individual, and that person’s pertinent contact information (with Skype and calendaring integration). The guys at Sperry Software sell add-ins like their Reply To All Monitor to tackle things one feature at a time.

But we want more. It’s not enough to simply move things around our inboxes. Why not work with the archiving vendors and move data straight to the archive instead of to myriad folders in the inbox? Why not create a pseudo-quarantine folder in the archive — for all those emails from the help desk, from mailing lists and alerting applications, and similar corporate “spam” — which expires data after 30 days if not dealt with? Help us get the email out of our inboxes, and then dispose of it rapidly if we haven’t looked at it.

And why not help the addicts to overcome their email addictions?

David Sengupta

There is a new phenomenon happening behind closed doors in the corporate world. We call it email bankruptcy.

To illustrate, we would challenge you to an experiment. Assuming your email policies allow this, we dare you to simply delete all the email in your inbox that is older than three days and see if it causes you much grief. All of it.

Then wait for 10 days and see how much of it was really important.

Lest you think us extreme, we think you will be surprised with how much of the “work” represented by those emails simply “goes away.” After all, much of what is in your inbox represents other people’s priorities, which are usually not the same as yours.

We are hearing of more and more people who have added a regular declaration of email bankruptcy to their strategies in trying to cope with information overload.

Taming your inbox is hard, but it’s a necessary step if you are to increase your productivity and sanity.

David Sengupta

Over the coming weeks we will be blogging a series on email and information overload. As part of this series, we will be running some quizzes, and also posting some challenges.

We are very interested in hearing from you on the following questions. Send your responses to david.sengupta@ferris.com (if you wish to remain anonymous) or leave a comment at the foot of this post:

  1. Do constant interruptions at work (email, IM, phone, etc.) cause you to feel ADD-like symptoms, often referred to as Attention Deficit Trait (ADT)?
  2. Do people in your company constantly read email during meetings?
  3. Do your colleagues constantly read their BlackBerries or Windows Mobile devices?
  4. How much time (hours) do you spend reading email every day?
  5. What percentage of time spent on email is “wasted” that you could have been productive?
  6. Does reading work email at home cause stress on your family/personal life?
  7. If someone emails you a question during working hours, how many hours can go by before you are expected to respond?
  8. Compared to 12 months ago, do you work more hours triaging email or less? How many more/less hours per week?
  9. If you carry a mobile email device, could you turn it off and leave it on your desk at work without looking at it for 24 hours?
  10. What strategies do you use to cope with “information overload”?

Stay tuned. And join in the discussion. We will expand on various “coping strategies” and will challenge you to take some “challenges” with us.

Challenge #1: If you carry a BlackBerry or Windows Mobile device, turn it off (yes, now), put it down on your desk but within sight of where you sit during the daytime, and spend the rest of your workday without touching the device. (Betcha can’t.)

Once you’ve tried this, feel free to leave a comment with your experiences.

David Sengupta

Microsoft is making big claims around its Exchange Online initiatives. Senior Vice President Chris Capossela recently predicted that by mid-2013, half of all Exchange mailboxes will be hosted on Microsoft’s Exchange Online. Chris points out that many of these will move from Notes. Chris’s prediction suggests around 150 million mailboxes will be on Exchange Online in five years.

At least Chris was specific in his prediction. I asked Steve Ballmer a few weeks ago how large he envisioned Microsoft’s Exchange Online business would be by mid-2011 and his response was simply “greater than a million, and … less than 100 million …. (with the inflection point or “hockey stick” starting) two to three years from now.” He was purposely vague since press were in the room.

Clearly, Microsoft is serious about hosting your email. If you’re evaluating the offering, good questions include:

  • Do you trust Microsoft with data in your email system?
  • How well will Microsoft deliver on service-level agreements (SLAs), and will the SLAs provided be sufficient?
  • How easy will the on-boarding, co-existence, and migration processes be?
  • How good will customer support be?
  • How will Microsoft address BlackBerry integration?
  • How will de-provisioning work if you want to terminate the agreement?
  • If you’ve got Software Assurance, how will licensing work?

Are there other factors that you wonder about? Would your company consider Exchange Online? Is Microsoft’s head in the clouds? We’d love to see your comments.

David Sengupta

Web 2.0 technologies provide a plethora of places that data can reside. These present substantial compliance challenges. For example, it will be hard to know where all of your company’s data is, and whether and how intellectual property has escaped your organization today.

Fast-forward five years. Imagine hosting some of your email with Microsoft Exchange Online, some with Gmail, some being sent PIN-to-PIN on BlackBerry devices, and some in an on-premises email system. Add to that SharePoint hosted with a third-party hosting provider; layer in hosted Salesforce.com, backup in the cloud, and storage with Amazon S3; and season it with a bit of Live Mesh. And keep in mind that data could be in any of hundreds of file formats, including voice, video, or even purposely encoded messages within other documents.

To complete the picture, add one or two rogue executives or other employees with data that they feel a need to hide. In addition to the plethora of data silos on the Internet, data could be “hidden” on USB drives, in PSTs, even (gasp) in offshore data havens such as Havenco. And finally, those hiding their tracks and data may resort to any number of encryption technologies to make detection more difficult.

What does compliance and data control mean in this context? Think of the challenges this brings. Think of how laws around data protection will evolve in the coming few years. Regulations today, such as the European Commission’s 1995 Directive on Data Protection (Directive 95/46/EC), stipulate that certain types of data may only be transferred to countries meeting specific criteria. Other regulatory regimes or laws may prohibit certain types of data leaving the company, leaving the country, or being shared with individuals in certain restricted countries.

To address these challenges, organizations must:

  • Decide between the following starting points around security:
    • Anything not explicitly denied is permitted.
    • Anything not explicitly permitted is denied.
  • Establish realistic, enforceable, and well-implemented policies around appropriate and inappropriate use of corporate data.
  • Have the will to act on breaches of policy, without showing favoritism.
  • Carefully screen all hosting and software as a service technologies from the perspectives of searchability, data access, data protection, and applicable laws and regulations.
  • Evaluate technologies that help establish safeguards against data leakage.
  • Track the plethora of new social media and collaboration technologies emerging on the market and understand how much of this is in their environment.
  • Define discovery requirements and implement technologies that enable discoverability within acceptable time frames.
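The first bullet above is the one that decides what happens when a new SaaS tool or hosting provider shows up that nobody has reviewed yet. The Python below is an added example, not part of the original post: a small transfer-policy evaluator run from both starting points over the same constructed requests, so the difference shows up as a concrete list of transfers rather than a slogan. The rule table, service names, country codes and the set of “adequate” countries are assumptions for illustration and do not reflect any regulator’s actual adequacy decisions.

```python
"""Default-deny versus default-allow for corporate data transfers.

Added example, not from the original post. The rule table, service names,
ISO country codes and the set of "adequate" countries are constructed for
illustration; they are not any regulator's actual adequacy decisions.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Transfer:
    data_class: str   # "public", "personal" (EU personal data), "cardholder"
    destination: str  # service receiving the data
    country: str      # where that service stores it (assumed ISO code)


# Explicit rules: (data_class, destination) -> decision. "*" matches any
# destination. Anything not covered is settled by the policy default.
RULES = {
    ("public", "*"): Decision.ALLOW,
    ("personal", "onprem-exchange"): Decision.ALLOW,
    ("personal", "exchange-online-eu"): Decision.ALLOW,
    ("cardholder", "onprem-exchange"): Decision.ALLOW,
    ("cardholder", "*"): Decision.DENY,
}

# Assumed set of countries to which personal data may be transferred at all.
ADEQUATE_COUNTRIES = {"DE", "FR", "CA"}


def decide(t: Transfer, default: Decision) -> tuple[Decision, str]:
    """Return (decision, reason). Explicit rules win; geography is checked
    before the default so a permissive default cannot override it."""
    if (t.data_class, t.destination) in RULES:
        return RULES[(t.data_class, t.destination)], "explicit rule"
    if (t.data_class, "*") in RULES:
        return RULES[(t.data_class, "*")], "class-wide rule"
    if t.data_class == "personal" and t.country not in ADEQUATE_COUNTRIES:
        return Decision.DENY, "destination country not on adequate list"
    return default, "policy default"


# Constructed requests; the third is a collaboration tool nobody has reviewed.
REQUESTS = [
    Transfer("public", "gmail", "US"),
    Transfer("personal", "exchange-online-eu", "DE"),
    Transfer("personal", "new-collab-tool", "CA"),
    Transfer("personal", "new-collab-tool", "US"),
    Transfer("cardholder", "s3-backup", "US"),
]


def decide_all(requests, default: Decision) -> list[str]:
    return [decide(t, default)[0].value for t in requests]


def silently_allowed(requests) -> list[Transfer]:
    """Transfers that pass only because the policy starts from default-allow:
    exactly the unreviewed destinations a default-deny policy would surface."""
    return [t for t in requests
            if decide(t, Decision.ALLOW)[0] is Decision.ALLOW
            and decide(t, Decision.DENY)[0] is Decision.DENY]


if __name__ == "__main__":
    for t in REQUESTS:
        permissive, why_p = decide(t, Decision.ALLOW)
        strict, why_s = decide(t, Decision.DENY)
        print(f"{t.data_class:11} {t.destination:20} {t.country}  "
              f"allow-by-default={permissive.value:5} ({why_p}); "
              f"deny-by-default={strict.value:5} ({why_s})")
    print("gap:", silently_allowed(REQUESTS))
```

The only request the two defaults disagree on is personal data going to the unreviewed tool in an adequate country: under default-allow it leaves quietly, under default-deny it is refused until someone adds a rule, which is the review step the later bullets (screening hosting and SaaS providers, tracking new collaboration tools) are asking for. Cardholder data and non-adequate destinations are refused either way because those checks sit above the default.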

David Sengupta

According to this article, outsourcing services to India and other less expensive offshore labor pools has recently expanded to legal services. Mindcrest employs 459 lawyers in Pune, India. The Indian lawyers are trained in the same common-law and business principles as British, Canadian, and U.S. lawyers.

On one hand, the cost savings are extremely attractive. However, regulatory regimes or laws may prohibit certain types of data leaving the company, leaving the country, or being shared with individuals in certain restricted countries.

As outsourcing plays an ever-increasing role, the role of data leak prevention (DLP) and similar solutions will thus become critical within three to five years. Cheaper lawyers in India are just one of the reasons.

David Sengupta