Recently, we sat down with experts from the ZixResearch Center to get insight into how ZixCorp’s industry-leading filtering policies determine which emails must be encrypted, or in the case of ZixDLP, which emails are quarantined. These policies provide a vital service to customers by identifying and protecting sensitive information in emails and attachments. Enjoy the Q&A below and feel free to leave comments if you have additional questions.
- Could you tell us the role of the ZixResearch Center within the company?
We have four people here to create and update specialized policy filters for types of words and terms. We created them when we first started in 2001/2002 and have been the owners and overseers ever since.
- In layman’s terms, how would you describe a policy?
A policy is the instruction that tells our filter, ZixGateway, what to look for in emails. So, let’s say you’re reading an email message and you see a nine-digit number (123456789). At a quick glance, you might think this is a social security number. Our policy-based instruction would see that nine-digit number but would then look around the number for clues that tell the filter it’s actually a social security number. For example, it would say, “John Doe’s SSN is 123456789.” Drilling down into that type of detail makes our policies more sophisticated than others.
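The "look around the number for clues" idea above, written out as a small added illustration; this is not ZixGateway's policy syntax or ZixCorp's code. The cue words, the 40-character context window and the SSA structural rules used here are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed cue words: a nearby hint that a nine-digit number is an SSN
# rather than an order number, account number or invoice id.
CONTEXT_CUES = re.compile(r"\b(ssn|ss#|social\s+security|soc\s*sec)", re.IGNORECASE)
# Nine digits, optionally grouped 3-2-4 with dashes or spaces, not embedded
# in a longer digit run (so a ten-digit phone number is not a candidate).
CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


@dataclass
class Finding:
    value: str
    structurally_valid: bool
    has_context: bool

    @property
    def flagged(self) -> bool:
        # Only a well-formed number with a supporting clue trips the policy.
        return self.structurally_valid and self.has_context


def structurally_valid(area: str, group: str, serial: str) -> bool:
    # Ranges the SSA never issues: area 000, 666 or 900-999; group 00; serial 0000.
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def scan(text: str, window: int = 40) -> list[Finding]:
    """Return every nine-digit candidate with its structural and context checks."""
    findings = []
    for m in CANDIDATE.finditer(text):
        start, end = m.span()
        # Look at the characters just before and just after the number for a cue.
        context = text[max(0, start - window):start] + text[end:end + window]
        findings.append(Finding(m.group(0),
                                structurally_valid(*m.groups()),
                                bool(CONTEXT_CUES.search(context))))
    return findings


def must_encrypt(text: str) -> bool:
    """Policy decision for one message body: encrypt if any candidate is flagged."""
    return any(f.flagged for f in scan(text))
```

The bare number in "Your order 123456789 has shipped." is seen but not flagged, while the sentence quoted in the answer is.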
- How are these instructions developed? How are they developed to specifically address regulatory requirements like HIPAA?
We created our first policy before the passage of HIPAA (the Health Insurance Portability and Accountability Act). We knew HIPAA was coming, and so we started looking at what would be included in it.
We created experimental materials and then actually took real email messages from a large health organization and read every single message. Then we put them in a box or a file and determined whether a message should or should not be encrypted. Based on that, we created what we called the jury standard for what should be sensitive, and then we actually used a different set of messages to tune the instructions to see how it was working.
- Do you get permission to use client messages?
We sure do. We also have messages that clients send us for analysis or creation of specific policies for their businesses.
- We've talked about the healthcare policy, but what other policies does ZixCorp use to identify sensitive information?
We also have policies for insurance, personal finance, corporate finance and profanity.
- How do ZixCorp’s policies compare to what other vendors are doing?
I work with a lot of clients who have used other products. One of the major differences our customers highlight is that our policies seem to be much more specific than other vendors’.
- Do you come across any interesting/surprising stats on lexicons that you would be able to share?
Specifically for healthcare, when we first created its policies almost all customers were focused on limiting false positives.
Then in 2008, when the HIPAA regulations actually came into play, it was a shocking difference … people were saying they didn’t want to miss anything.
- How do you see policies and filters evolving in the future?
One trend we expect to see is a federal version of state breach regulations. The federal government is working on a bill that will replace state regulations. In a similar respect, we also expect policies to become more global as the market begins to address more global regulations.