Getting A Grip On Dirty And Dangerous Documents

Wednesday, February 1, 2006 - 01:00

The Editor interviews Joe Fantuzzi, CEO and President of Workshare, about Workshare's document integrity solutions.

Editor: Tell us about Workshare's business.

Fantuzzi: Workshare's solutions protect organizations from dirty and dangerous documents and other forms of sensitive content transmitted over e-mail and other communications channels. Today Workshare has more than 5,000 customers worldwide using its document integrity solutions - including more than 50 percent of the Fortune 1000 and 85 percent of the ProServices 250.

Editor: What do you mean by dirty and dangerous documents?

Fantuzzi: Literally trillions of business documents and e-mails are created annually. Twenty-five to 30 percent of all e-mails contain document attachments, which are riddled with business and technical risks that threaten privacy, compliance and security. These include hidden threats (like track changes and other deleted material) and obvious threats like social security or account numbers. And e-mail is just one channel for distributing sensitive information. We talk to general counsels at large organizations every day and they are frightened at the volume of sensitive electronic information and variety of ways it can leave an organization - ranging from e-mail and instant messaging to portable USB drives.

Editor: Aren't users aware of content security problems?

Fantuzzi: The vast majority of users are unaware of both visible and invisible document security risks. In fact, a recent survey of hundreds of professionals by Vanson Bourne found that more than 90 percent of documents contain legally sensitive information yet only about 70 percent of users were aware of all of these risks. We call this the document security risk gap.

Editor: Can you cite some examples of sensitive information breaches and errors?

Fantuzzi: Leaks of sensitive, private information are escalating across virtually all industries. But here are two examples that have direct impact on the corporate counsel office. Merck is currently facing more than 7,000 Vioxx personal injury suits. Last year, the New England Journal of Medicine revealed that hidden in a Microsoft Word document was evidence that Merck deleted information linking the drug to increased risk of heart attacks prior to submitting the study.

In the second example, a major software company filed suit against an automobile manufacturer. The filing was submitted as a Microsoft Word document. A journalist reviewed the filing and discovered track changes in the document, which showed that the suit originally had been drawn up against a bank in a different state.

Editor: That's Microsoft Word. But isn't publishing to Adobe PDF enough to protect documents?

Fantuzzi: It is a complete myth that publishing alone in the Adobe PDF format adds security to documents. Several of the largest recent document leaks, including prominent ones at the Pentagon and U.N., involved PDF-formatted material. PDF does nothing to secure documents from hidden and visible threats - or protect an organization from user errors. Third-party security software solutions, like Workshare Protect, are absolutely required to clean documents before they are secured to PDF and other popular publishing formats and standards. PDF, as well as Microsoft Office, are good formats for publishing documents but are not by themselves secure document platforms to protect confidential information.

Editor: Can you give me an example of a PDF leak?

Fantuzzi: There are many. One famous leak was in April 2005 when the Pentagon posted a PDF of a classified report on the Web. The Pentagon "blacked out" sections containing details of an incident where an Italian secret agent was accidentally killed by the U.S. military in Iraq. Readers easily reversed the changes to reveal the blacked out text. In the investigation following the incident, the government concluded that users misunderstood the capability of the Adobe program, mistakenly believing that once converted to PDF, the changes couldn't be reversed.

Editor: Are hackers really that much of a problem for corporate counsel?

Fantuzzi: Actually, it's an inside-out problem. Very few breaches in the corporate world are due to hackers infiltrating. It's far more common that intentional or unintentional employee actions are going to result in a leak. In fact, according to IDC Research, nearly one-third of all organizations have terminated employees or contractors for internal security violations.

E-mail and the Internet have really changed the information protection game. It's very easy to get an address or attachment wrong and accidentally blast information out to the wilds of the Internet. For example, a healthcare worker at Florida's Palm Beach County Health Department accidentally emailed an attached document of the names and addresses of more than 6,500 patients with AIDS or HIV to all 800 members of the health department.

Editor: Shouldn't users just be more careful?

Fantuzzi: The vast majority of users are unaware of both visible and invisible document security risks. Unfortunately, as document security leaks get investigated, conclusions usually point the finger of blame - and the burden of the repair - on users. No matter how careful, human beings will always make mistakes. Organizations must leverage a new class of automated content protection technologies to provide a safety net against both malicious actions and inadvertent mistakes. For example, Workshare's Protect software has the flexibility and intelligence to understand the right action at the right time for the right user. It can automatically block and contain a leak - or simply alert a privileged user that they are about to send something sensitive.

Editor: Are new regulations like Sarbanes-Oxley and HIPAA driving attention to this topic?

Fantuzzi: Corporate internal controls are absolutely becoming stricter due to regulations like Sarbanes-Oxley, HIPAA, the California Security Breach Information Act (SB-1386) and more than 22 more similar state laws that require protection of private information and full disclosure of potential breaches. Even the FTC is going so far as to audit organizations that claim customer information is secure. At the same time, business has never been more competitive, requiring a new level of controls on competitive corporate data, intellectual property and trade secrets.

Editor: What steps should general counsels take to correct leaks of sensitive content?

Fantuzzi: General counsels must take the lead in promoting the protection of content from inside-out leaks. Most organizations still do not have the security measures in place to either prevent or monitor the distribution of documents by e-mail. It's badly needed - so much sensitive information flows out of the organization via email. One slip-up can be disastrous. The first step is to leverage a new class of automated content protection solutions, like Workshare Protect, that stop and audit sensitive information leaks without negatively impacting the way users work.

Editor: Have organizations tried anything else?

Fantuzzi: Many organizations have "policies" governing the release of information. But far too often these sit in binders on a shelf and are difficult to enforce. Some organizations have hired small armies of individuals to scan e-mail for sensitive content. Others have created elaborate procedures for users that simply get ignored. Still others have created macros that act like a primitive spell checker, scanning documents for the handful of damaging words and phrases that can never be used. Unfortunately, users have to manually engage these macros on every document - negating their effectiveness. Because these efforts were so expensive, labor intensive or intrusive, they failed, leading them to purchase Workshare's automated content security solution to both automatically notify users of violations and coach users without impacting productivity.

Editor: Why have other security solutions failed to step up and stop these leaks?

Fantuzzi: The vast majority of today's security solutions were designed to stop intruders from entering and stealing sensitive information. It's proved far easier to stop outsiders than malicious or inadvertent user actions - after all, we are talking about supposedly trusted users and insiders. Previous attempts to control content failed because they created damaging side effects that crippled productivity and faced huge implementation or adoption barriers.

Editor: Why is content security so critical for general counsels right now?

Fantuzzi: In a litigious age with a "gotcha" mentality and relentless, electronic 24-hours-a-day news cycles where every tiny detail is scrutinized for a whiff of error and imperfection, companies need another level of automated software protection. They face a landslide of regulations governing disclosure and privacy, ranging from Sarbanes-Oxley to CASB 1386 and HIPAA. A single slip can be disastrous, and no one understands this better than legal counsel. In addition, we are seeing many corporate counsel executives and legal groups who firmly believe that it is their ethical duty to protect company and customer information. Privacy is more than a legal issue - it's becoming an ethical imperative.
