Proofpoint
Regulatory Compliance
Prevent leaks of confidential information
The Proofpoint Regulatory Compliance module makes it easy to ensure that your electronic communications—including email, webmail, web postings and FTP—do not improperly disclose sensitive data about employees, customers or patients. By blocking, quarantining or encrypting such content, it ensures that your organization follows best practices for data protection. It helps ensure compliance with many different types of email-related information privacy regulations, including HIPAA, GLBA, PCI compliance guidelines and SEC regulations. Predefined dictionaries and "smart identifiers" automatically scan for a wide variety of non-public information, including PHI (protected health information as defined by HIPAA), PFI (personal financial information as defined by GLBA) and international identification standards, and let you take appropriate actions on noncompliant communications.
Information Privacy Benefits:
- Accurately detects a wide variety of US and international personal identifiers, healthcare information and financial information in email and attachments and takes automatic action based on easy-to-define policies.
- Easily define policies and rules, and review potential violations, with a point-and-click interface.
- "Smart identifiers" combine regular expressions with algorithmic checks to ensure detection accuracy and eliminate false positives.
- Included dictionaries of healthcare and financial terms are automatically kept up-to-date.
Features:
Large enterprises, universities and government organizations are now subject to a growing number of privacy-related regulations that govern the handling of certain types of non-public information (NPI). These regulations extend to the content of email messages leaving the organization.
Ensures Compliance with HIPAA, GLBA and Other Regulations
The Proofpoint Regulatory Compliance™ module makes it easy to ensure that outbound messages comply with many different types of email-related regulations. Pre-defined dictionaries and "smart identifiers" automatically scan messages and attachments for a wide variety of non-public information, including PHI (protected health information as defined by HIPAA) and PFI (personal financial information as defined by GLBA), and let you take appropriate actions on non-compliant communications.
Rules can be easily created or modified via a point-and-click interface to support compliance with many other types of information privacy and data security regulations, such as state regulations (e.g., California AB 1950 and California SB 1386), Canada's PIPEDA, and various European privacy directives.
Detect All Types of Privacy Data Inside Email
Proofpoint Regulatory Compliance includes a wide variety of out-of-the-box features that help keep your organization compliant with today's information privacy rules. Proofpoint Regulatory Compliance monitors all outgoing email to detect NPI based on dictionaries as well as common NPI identifiers.
Pre-defined and Custom Dictionaries
A variety of pre-defined dictionaries are included with Proofpoint Regulatory Compliance. These dictionaries define common protected health information code sets—such as standard disease, drug, treatment and diagnosis codes used by the healthcare industry—to simplify HIPAA compliance. Proofpoint also includes a variety of financial privacy dictionaries, such as SEC, insider trading and trade confirmation terms used in the financial services industry, to aid compliance with GLBA, PCI and SEC requirements.
New dictionaries can also be defined. These dictionaries can support both exact matches as well as regular expressions. The included HIPAA dictionaries can be expanded to include terms and codes specific to your medical environment, and new dictionaries can be added to support additional regulations such as NASD, PIPEDA, and others. Dictionary terms can be weighted to increase or decrease the matching strength of any term, or to allow exceptions. The Proofpoint Dynamic Update Service™ ensures that installed dictionaries are always up to date with the latest codes.
NPI Identifiers
Proofpoint Regulatory Compliance can also scan for common NPI identifiers such as US Social Security, Canadian Social Insurance, UK National Insurance, Japanese residence registration and driver's license ID numbers, ABA routing numbers, and US and international credit card numbers.
These "smart identifiers" are more sophisticated than simple regular expressions. The module looks for the correct number of digits, but also computes checksums to confirm that numerical strings that appear to be NPI are actually protected information. This technique greatly reduces the chance of false positives. Custom smart identifiers can easily be added to support customer-specific data types such as account numbers, patient numbers, medical record numbers, billing codes and local forms of ID. Like Proofpoint's built-in smart identifiers, custom-created identifiers can perform complex, algorithmic processing to ensure high detection accuracy while minimizing false positives.
Flexible Privacy Rules and Policy Definitions
A point-and-click interface makes defining and modifying even complex information privacy rules quick and easy. Rules can be configured to apply to individual occurrences of NPI, or to trigger only when a certain count of dictionary or NPI identifier matches is reached. For example, a rule for tracking fraud or theft of credit card numbers can be set up to trigger only if more than three credit card numbers are detected in a message.
Any number of information privacy rules can be defined to support specific compliance requirements. Multiple rules can be mapped into policies, for example a HIPAA policy, GLBA policy and AB 1950 policy. Policies can be further customized to apply only to lists of business partners or only to specified inbound or outbound message routes.
Proofpoint’s policy and content scanning engines detect and “understand” text in any language, including multi-byte languages. Data loss prevention policies can match non-English keywords and dictionary terms written in international character sets including Japanese, Chinese and Cyrillic.
Encryption Support
Many regulations specify that non-public data must be transmitted in a secure or encrypted format. Proofpoint Regulatory Compliance supports two types of encryption:
- TLS (Transport Layer Security): When used with the Proofpoint Messaging Security Gateway appliance, the Regulatory Compliance module can be used to define a set of business partners with whom email should always be encrypted. Messages sent to those partners are automatically transmitted using the TLS gateway-to-gateway encryption protocol.
- Proofpoint Secure Messaging and other third-party encryption solutions: Automatic, content-aware encryption of messages is enabled by the Proofpoint Secure Messaging™ module. Policies can easily be configured to encrypt messages based on detected NPI content, sender, recipient and other conditions. Additionally, Proofpoint Regulatory Compliance easily integrates with a wide variety of third-party secure messaging solutions.
Reporting
Proofpoint Regulatory Compliance helps your organization monitor or track compliance progress with graphical reports that show the number of regulatory breaches over a given timeframe as well as the top offenders of these policies. Reports can be emailed on a scheduled basis or published to an intranet site.
In most enterprises, content security policies are managed by a variety of business users who own responsibility for compliance or data protection. Proofpoint Compliance Incident Manager™ reports make it easy for these managers to review content security violations and take appropriate actions on non-compliant messages. Managers are immediately notified of policy violations and associated severity levels, so business users can easily and effectively review non-compliant messages and release, reroute, approve or otherwise dispose of such messages using Proofpoint's graphical user interface.
As a first step to understanding their regulatory risk exposure in email, organizations can deploy Proofpoint Regulatory Compliance in an audit mode, which monitors all regulatory breaches without altering messages in any way. Reports can then be used to quantify your organization's level of risk.
Technology:
Smart Identifiers
Proofpoint's smart identifier technology offers higher accuracy than simple regular expressions, looking not just for a certain pattern of characters, but also computing checksums, incorporating dictionary lookups or performing other tests to confirm that alphanumeric strings that appear to be violations are truly protected information.
A plug-in architecture allows customers to add their own customized "smart identifiers" to Proofpoint Regulatory Compliance as needed. Custom smart identifiers can be created for detecting customer- or location-specific data types such as account numbers, patient numbers, medical record numbers, billing codes, local forms of ID, etc. Like Proofpoint's built-in smart identifiers, custom-created identifiers can perform complex, algorithmic processing to ensure high detection accuracy while minimizing false positives.
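The two-stage approach described here and under "NPI Identifiers" above (a pattern match followed by a checksum), together with the "more than three credit card numbers" rule from the policy section, as an added illustration that is not Proofpoint's code: a regular expression finds card-shaped and routing-number-shaped strings, the Luhn and ABA checksums discard look-alikes, and a count-based rule decides whether the message is flagged. The sample message and the threshold default are constructed for this example.

```python
import re

# Constructed sample message (not real data): one valid and one invalid ABA
# routing number, three Luhn-valid card numbers, one mistyped card number and a
# 16-digit ticket id that a bare regex would report as a card.
SAMPLE_MESSAGE = """Wire to routing 123456780, account ending 9981. Backup routing: 123456789.
Cards on file: 4242 4242 4242 4242, 4111-1111-1111-1111, 5555 5555 5555 4444, 4111 1111 1111 1112.
Reference 2024 0101 1200 0001 is an internal ticket id."""

# Pattern stage: 16-digit card layouts with optional space/hyphen group separators
# (15-digit layouts are omitted for brevity) and bare 9-digit routing numbers.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
ABA_RE = re.compile(r"\b\d{9}\b")


def luhn_ok(digits: str) -> bool:
    """Checksum stage for card numbers: Luhn mod-10 over the digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """Checksum stage for ABA routing numbers: weights 3,7,1 repeated, sum mod 10 == 0."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers (separators stripped) in order of appearance."""
    candidates = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in candidates if luhn_ok(c)]


def find_aba_numbers(text: str) -> list:
    """Return 9-digit strings whose ABA checksum verifies."""
    return [m.group() for m in ABA_RE.finditer(text) if aba_ok(m.group())]


def evaluate_message(text: str, card_threshold: int = 3) -> dict:
    """Count-based rule: flag fraud only when more than `card_threshold` cards are found."""
    cards = find_card_numbers(text)
    return {"cards": cards, "aba": find_aba_numbers(text),
            "fraud_rule_triggered": len(cards) > card_threshold}
```

On the sample message the checksum stage rejects the mistyped card, the ticket id and the second routing number, leaving three cards, so the default "more than three" rule does not fire.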
Quick Inspection Violation Analysis
In most enterprises, content security policies are managed by a variety of business users—such as compliance, security, risk management, HR and other line-of-business managers—who own responsibility for compliance and privacy protection.
The Proofpoint Regulatory Compliance™ module's "quick inspection" violation view makes it easy for these users to more rapidly identify and take action on messages and attachments that are flagged as privacy breaches or policy violations.
Attachment Scanning and Support for Custom or Proprietary Document Types
Built-in attachment scanning capabilities allow you to apply your Regulatory Compliance policies to the contents of message attachments. Policies can be enforced on content in more than 400 types of document attachments.
In addition to the hundreds of built-in document types that Proofpoint's outbound email security modules natively understand, administrators can use Proofpoint's File Type Profiler to easily extend support to new, custom or proprietary file types (e.g., proprietary CAD/CAM formats).
Flexible Message Actions
Messages that are identified as containing NPI can be handled using any of Proofpoint's standard message dispositions, including:
- Encrypt or reroute to an encryption device. For example, messages that contain more than three terms from the PHI dictionaries can be automatically routed to the Proofpoint Secure Messaging module.
- Redirect. Send the message to a legal or compliance officer for further review, or send the message to an archive mailbox for an archiving and audit trail.
- Quarantine. Send the message to a specific folder for later review.
- Reply to sender. Email the sender with text describing the breach and a link to an intranet site explaining your organization's privacy policy.
- Reject or block. If you choose to adopt a strict policy, these options can be used to ensure that noncompliant messages never leave your organization.
- Add X-Header. Add a string to the message header to track all messages that have been filtered by the Regulatory Compliance module.
- Annotate. Add a disclaimer to the message as a footer or an annotation in the subject line.
Compliant Security
Many privacy and data security regulations not only specify rules for handling non-public information, but also define security requirements for systems that process this information. Proofpoint provides the security and access control features required to meet these regulations.
- Stringent password policies: Servers can be configured to require arbitrarily stringent passwords and enforce password expiration dates.
- Access control capabilities: Access to the Regulatory Compliance module can be restricted to select individuals and groups, so only authorized staff can create and modify compliance policies.
Compare:
Proofpoint Regulatory Compliance is the industry's most advanced and easy-to-use solution for protecting data privacy in email and other message streams, offering:
- Smart identifiers for accurate detection of private or regulated data.
- A wide variety of managed, pre-configured dictionaries of healthcare, financial services and other terms
- Pre-configured policies for many of the most common data protection and privacy applications.
- Easy, customized policy creation through Proofpoint's graphical user interface.
- Extremely flexible message routing and disposition options.
- Integrated, policy-based encryption with the addition of the Proofpoint Secure Messaging module.
- Built-in attachment scanning with support for custom and proprietary document formats.
Smart Identifiers and Dictionaries Included with Proofpoint Regulatory Compliance
Proofpoint Regulatory Compliance includes the essential building blocks to meet a wide variety of privacy regulations right out of the box:
Healthcare code sets
The module includes a large assortment of dictionaries preloaded with code sets for PHI detection, required for compliance with HIPAA and other healthcare regulations.
- ICD-9-CM diagnosis and procedure codes
- HCPCS common procedure codes
- NDC drug codes
- Numerous other medical code sets
Financial & privacy smart identifiers
Includes "smart identifiers" for personal identity and PFI detection, such as:
- US Social Security, Canadian Social Insurance, UK National Insurance, Japanese residence registration and driver's license IDs and other unique personal identifiers
- ABA routing numbers
- Credit card numbers (US & international)
- CUSIP securities identifiers, SEC filings, trade confirmations
Customized smart identifiers
A plug-in architecture allows you to add your own custom "smart identifiers" for customer- or location-specific data types such as:
- Medical record numbers
- Financial services account numbers
- Local forms of ID (such as driver's license or identity card numbers)