Companies Clamping Down on Messaging

Whenever a doctor, nurse or administrator in Georgia's DeKalb Medical Center sends an e-mail, the message detours through a special box in the three-hospital system's computing cluster. The box analyzes the e-mail, scanning for sensitive information like patient names, prescription histories and Social Security numbers.

More than 1,200 times a month, the box finds such private data and automatically routes the message to a server that encrypts it for secrecy before sending it to its original destination. Sometimes, though, the box is unsure what to do, so it asks Sharon Finney.

Finney is the information security administrator, which makes her responsible for keeping the hospital in tune with medical privacy laws. Several times a week, the messaging-control system, set up by Proofpoint Inc., alerts Finney to e-mails awaiting her review.

"What I'm looking for is not so much someone sending out something intentional or volumes of info" inappropriately leaving the hospital, she says. "I'm looking at, is this a legitimate recipient?" Maybe an e-mail address was mistyped, for example, or one too many people was copied in on a spreadsheet with patient account numbers.

Such careful oversight is becoming more common. Many organizations, fearful that inside information can slip out through innumerable digital avenues, now govern precisely what employees can or cannot put into e-mails, instant messages, Web postings and even offline documents. But employers can't hold their workers' hands all the time -- so they're increasingly turning to software that tries to do it for them.

Offices have had strong computer controls for years, from inbound protections like antivirus programs to filtering technologies that block porn or Web e-mail sites. This new generation of software sticks its nose into even more of what people do all day.

For example, one communications-control vendor, Orchestria Corp., says its software could have prevented the CEO of Whole Foods Market Inc. from posting the rival-denigrating comments on Internet message boards that he later came to regret.

How so? Because Orchestria's software can be set to notice when certain keywords -- a competitor's name, for example -- are entered in documents or Web forms. The software can be set to block such actions or simply warn users that they're breaking company policy.

This fine-grained, automated monitoring is moving beyond highly regulated industries like health care and financial services thanks to a spate of new rules from government and the credit-card industry. Organizations also fear customer-account data breaches, insider thefts and other public-relations nightmares.

"The driver is ethics and reputation," says Joe Fantuzzi, CEO of Workshare Inc., whose software analyzes data-leakage risks. "Whether I'm regulated or not, I need to be seen as an ethical corporation. That affects my stock price, that affects whether customers are retained -- whether there's a leak or not."

These messaging-compliance technologies are still young. The Radicati Group, a technology research firm, estimates the market will ring up $670 million worldwide this year and more than triple in size by 2011.

Radicati analyst Masha Khmartseva says the technologies have some problems, including a tendency to mistakenly block or hold up too many items even if nothing in them flouts corporate policies. If an innocuous message is erroneously deemed sensitive and routed through an encryption server, the recipient has to spend extra time logging in to that server to retrieve the message.

Also, systems that warn employees if it appears they are about to send something possibly untoward -- say, the name of a product under development to a recipient outside the company -- can produce an annoying stream of pop-up messages, Khmartseva notes.

But get used to it.

"Very soon, everything is going to be controlled," Khmartseva said. "At least that's the idea. We'll see how it's going to happen."

That presages the rise of a powerful new slot in the corporate hierarchy -- the information compliance officer, who can outrank the CEO when it comes to setting rules for who in an organization can send what kind of data where.

In fact, Orchestria's director of sales consulting, David Miller, says its system once blocked one company's boss from sending a message that upbraided an underling with foul language. That further enraged the CEO, who told his compliance officer: "Don't (expletive) block me again," according to Miller.

Orchestria also cites a more productive example: In 2005, its software alerted Lehman Bros. that one of its bankers had improperly e-mailed 45 people some internal documents for an upcoming initial public offering Lehman was handling for VeriFone Holdings Inc. Lehman kept the recipients from being allocated shares in the IPO.

Such finds are actually rare. Makers of compliance software say that less than 1 percent of what their systems spot are actually breaking any rules. And most of those violations are unintentional.

After all, insiders committed to mischief can take routes around these systems.

"If someone really wants to get stuff out of here, what's to stop them from printing it out, folding it up and putting it in his pocket?" says Brett Powell, network engineer for Lakeland Regional Medical Center in Florida, which uses the Proofpoint e-mail system to enforce health-privacy compliance.

Because e-mail is just one part of the equation, the leading compliance products burrow deeper. They can examine documents sitting on file servers and information inside databases to determine whether some grain -- a customer account number, a valuable trade secret -- has landed where it shouldn't. They can prevent files from being transferred to portable USB drives or iPods -- or be set to let only certain higher-ups do it.

These steps are important because finding sensitive data in an inappropriate location is key to making sure it can't accidentally be sent out.

"Information is like water, and it flows everywhere," says John Amaral, chief technology officer at compliance-tech vendor Vericept Corp. "The problem is, you might know where the one genesis document is, but you don't have any idea where all the (replications are) on thumb drives, content-management and e-mail systems. It gets created by normal, everyday business activities."

The software often alerts compliance officers of such finds. But Joseph Ansanelli, CEO of vendor Vontu Inc., whose customers range from cosmetics house Mary Kay Inc. to uranium enricher USEC Inc., says that more and more, the software will be asked to automatically fix such messes by itself.

In that scenario, if an employee's PC has a list of customers' Social Security numbers sitting in plain text, the compliance software will move the file or encrypt it. Better that than running the risk a hacker will filch it.

That brings up an ironic element of these technologies. To a large degree they are being deployed to protect the privacy of patients or consumers. Yet they do so at the expense of employee privacy, putting monitoring into overdrive.

To head off such questions, Finney, the Georgia hospital administrator, went so far as to demonstrate her monitoring system to DeKalb employees "so it's not some secret thing that IT does in a back room." She says employees appreciated that the hospital was taking pains to secure patient info.

For now at least, the rise of compliance-watchdog software doesn't appear to be provoking an outcry. It might be a sign of the times.

"Notions of security and compliance are, frankly, viewed differently than they were 10 years ago," says Orchestria's Miller. "We live in a time when compliance and security are critical disciplines, and people accept that. People's expectations are different now. They want to be protected from themselves."