Proofpoint Regulatory Compliance


Description: Proofpoint Regulatory Compliance
Price: Available on enquiry; contact KL on 08719 666
 

The Proofpoint Regulatory Compliance™ module makes it easy to ensure that your electronic communications—including email, webmail, web postings and FTP—do not improperly disclose sensitive data about employees, customers or patients. By blocking, quarantining or encrypting such content, it ensures that your organization follows best practices for data protection. It helps ensure compliance with many different types of email-related information privacy regulations, including HIPAA, GLBA, PCI compliance guidelines and SEC regulations. Predefined dictionaries and "smart identifiers" automatically scan for a wide variety of non-public information, including PHI (protected health information as defined by HIPAA), PFI (personal financial information as defined by GLBA) and international identification standards and let you take appropriate actions on noncompliant communications.

Information Privacy Benefits
  • Accurately detects a wide variety of US and international personal identifiers, healthcare information and financial information in email and attachments and takes automatic action based on easy-to-define policies.
  • Easily define policies and rules, and review potential violations, with a point-and-click interface.
  • "Smart identifiers" combine regular expressions with algorithmic checks to ensure detection accuracy and eliminate false positives.
  • Included dictionaries of healthcare and financial terms are automatically kept up-to-date.

Features


Large enterprises, universities and government organizations are now subject to a growing number of privacy-related regulations that govern the handling of certain types of non-public information (NPI). These regulations extend to the content of email messages leaving the organization.

Ensures Compliance with HIPAA, GLBA and Other Regulations

The Proofpoint Regulatory Compliance™ module makes it easy to ensure that outbound messages comply with many different types of email-related regulations. Pre-defined dictionaries and "smart identifiers" automatically scan messages and attachments for a wide variety of non-public information including PHI (protected health information as defined by HIPAA) and PFI (personal financial information as defined by GLBA) and let you take appropriate actions on non-compliant communications.

Rules can be easily created or modified via a point-and-click interface to support compliance with many other types of information privacy and data security regulations, such as state regulations (e.g., California AB 1950 and California SB 1386), Canada's PIPEDA, and various European privacy directives.

Detect All Types of Privacy Data Inside Email

Proofpoint Regulatory Compliance includes a wide variety of out-of-the-box features that help keep your organization compliant with today's information privacy rules. Proofpoint Regulatory Compliance monitors all outgoing email to detect NPI based on dictionaries as well as common NPI identifiers.

Pre-defined and Custom Dictionaries


A variety of pre-defined dictionaries are included with Proofpoint Regulatory Compliance. These dictionaries define common protected health information code sets—such as standard disease, drug, treatment and diagnosis codes used by the healthcare industry—to simplify HIPAA compliance. Proofpoint also includes a variety of financial privacy dictionaries, such as SEC, insider trading and trade confirmation terms used in the financial services industry, to aid with GLBA, PCI and SEC compliance.

New dictionaries can also be defined. These dictionaries can support both exact matches and regular expressions. The included HIPAA dictionaries can be expanded to include terms and codes specific to your medical environment, and new dictionaries can be added to support additional regulations such as NASD, PIPEDA, and others. Dictionary terms can be weighted to increase or decrease the matching strength of any term, or to allow exceptions. The Proofpoint Dynamic Update Service™ ensures that installed dictionaries are always up to date with the latest codes.

NPI Identifiers


Proofpoint Regulatory Compliance can also scan for common NPI identifiers such as US Social Security, Canadian Social Insurance, UK National Insurance, Japanese residence registration and driver's licence ID numbers, ABA routing numbers, and US and international credit card numbers.

These "smart identifiers" are more sophisticated than simple regular expressions. The module looks for the correct number of digits, but also computes checksums to confirm that numerical strings that appear to be NPI are actually protected information. This technique greatly reduces the chance of false positives. Custom smart identifiers can easily be added to support customer-specific data types such as account numbers, patient numbers, medical record numbers, billing codes and local forms of ID. Like Proofpoint's built-in smart identifiers, custom-created identifiers can perform complex, algorithmic processing to ensure high detection accuracy while minimizing false positives.

Flexible Privacy Rules and Policy Definitions


A point-and-click interface makes defining and modifying even complex information privacy rules quick and easy. Rules can be configured to apply to individual occurrences of NPI or when a certain count of dictionary or NPI identifiers is reached. For example, a rule for tracking fraud or theft of credit card numbers can be set up to trigger only if more than three credit card numbers are detected in a message.

Any number of information privacy rules can be defined to support specific compliance requirements. Multiple rules can be mapped into policies, for example a HIPAA policy, GLBA policy and AB 1950 policy. Policies can be further customized to apply only to lists of business partners or only to specified inbound or outbound message routes.

Proofpoint’s policy and content scanning engines detect and “understand” text in any language, including multi-byte languages. Data loss prevention policies can match non-English keywords and dictionary terms written in international character sets including Japanese, Chinese and Cyrillic.

Encryption Support

Many regulations specify that non-public data must be transmitted in a secure or encrypted format. Proofpoint Regulatory Compliance supports two types of encryption:

* TLS (Transport Layer Security): When used with the Proofpoint Messaging Security Gateway appliance, the Regulatory Compliance module can be used to define a set of business partners with whom email should always be encrypted. Messages sent to those partners are automatically transmitted using the TLS gateway-to-gateway encryption protocol.
* Proofpoint Secure Messaging and other third-party encryption solutions: Automatic, content-aware encryption of messages is enabled by the Proofpoint Secure Messaging™ module. Policies can easily be configured to encrypt messages based on detected NPI content, sender, recipient and other conditions. Additionally, Proofpoint Regulatory Compliance easily integrates with a wide variety of third-party secure messaging solutions.

Reporting


Proofpoint Regulatory Compliance helps your organization monitor or track compliance progress with graphical reports that show the number of regulatory breaches over a given timeframe as well as the top offenders of these policies. Reports can be emailed on a scheduled basis or published to an intranet site.

In most enterprises, content security policies are managed by a variety of business users who own responsibility for compliance or data protection. Proofpoint Compliance Incident Manager™ reports make it easy for these managers to review content security violations and take appropriate actions on non-compliant messages. Managers are immediately notified of policy violations and associated severity levels, so business users can easily and effectively review non-compliant messages and release, reroute, approve or otherwise dispose of such messages using Proofpoint's graphical user interface.

As a first step to understanding their regulatory risk exposure in email, organizations can deploy Proofpoint Regulatory Compliance in an audit mode, which monitors all regulatory breaches without altering messages in any way. Reports can then be used to quantify your organization's level of risk.



www.proofpoint.com/products/regulatory.php