E-mail's popularity creating a glut of legal issues
October 30, 2000
There's a monster in your corporate e-mail.
It's in your in-box and your servers. It was born in the bowels of e-mail's popularity, which is being churned out by the 275 million corporate mailboxes in use today, according to the newsletter "Messaging Online."
If you think the monster is a virus, think again.
It is the liability contained in billions of messages, a sort of digital paper trail growing larger every day in every corporate environment. It includes everything from executive wheeling and dealing to potentially liable employee chitchat. And it will only get more acute as digital signatures and transactions, such as bill payment, are passed in e-mail.
In regulated industries, such as securities trading, comprehensive record retention is a legal requirement. But unregulated industries must now get onboard, according to experts. On average, one-third of a company's critical business information is stored in the messaging system, according to Palo Alto research firm Creative Networks. The bottom line is that firms must manage it with retention and deletion policies to protect themselves.
Just ask Microsoft's Bill Gates, who was stung during the first phase of his company's antitrust trial in the form of e-mails that backed claims of Microsoft's corporate aggression.
"E-mail can become a corporate liability," says Ken Shear, vice president of technology and law for Electronic Evidence Discovery in Seattle, which helps companies recover electronic data. "Awareness is rising, but the solutions are complex and involve getting people to work together and getting the right technology in place."
Technology for destroying e-mail, such as shredding, and for archiving and records management are now available but must be used as part of a corporate policy to meet legal guidelines. The answer is not to save everything or destroy everything because corporate e-mail can be as much a help as a hindrance when trying to prove intent or innocence.
"You don't want to kill the monster, you want to tame it," Shear says. "Saving everything is the same as saving nothing because you can't possibly manage it."
Shear points to a client that was forced to settle a case because it could not comply with an order to recover and index some 200 million e-mail messages.
What corporate customers need is a digital records management policy that governs the deletion and retention of e-mail, and technology that automates enforcement as much as possible.
The e-mail administrator, human resources executives and corporate legal department all must be party to the policy, Shear says. The next step is to apply technology.
"Right now, the policy we have is that e-mail is owned by the company and employees should not expect privacy," says Ryan Breding, IT manager for Bluecurrent, a technology asset management company in Boston. That policy is born from the Electronic Communications Privacy Act, passed in 1986, that says all e-mail sent or received using a company's mail system is company property.
Breding says the glut of e-mail his company produces, up to 20,000 per day, is demanding additional policies for retention and deletion, but the big question is, "What resources are needed to manage it as a corporate record?"
That's the tricky step.
There are plenty of technology-based options, including shredding and archiving.
Companies such as Authentica, Disappearing, Inc., Interosa, Infraworks, Sagaba and ZipLip offer ways to send secure e-mail and destroy the record by having the mail expire after a certain amount of time.
"It's about dealing with business conversations and controlling those conversations," says Geoff Mulligan, CEO of Interosa in Colorado Springs, Colo. "We want Interosa to be like the phone - when you hang up the conversation goes away."
But shredding e-mail can be a liability. Individual workers selectively shredding e-mail they deem sensitive or inflammatory can haunt a company. Legally the practice is called spoliation, or intentionally destroying company records.
Disappearing has added a centralized console that lets e-mail administrators set retention policies.
"With our software, I think the legal questions are as answered as they can be until it is tested in court," says Dave Marvit, co-founder of Disappearing.
But industry analysts say the issue is a slippery slope.
"Shredding is less well-defined than archiving, and it is not clear yet what kind of guidelines enterprises should have," says Sara Radicatti, president of Radicatti Group in Palo Alto. She does not recommend any form of shredding.
Archiving, however, is starting to get some traction, and Radicatti estimates about 8% of companies have set archiving policies. Unlike bulk back-up utilities, archiving is focused on indexing messages for easy retrieval.
Some companies, such as TrustData Solutions and iWitness, offer more sophisticated digital records management software that lets users automate e-mail retention policies.
"It's all about risk management protection," says Frank Lambert, founder of iWitness in Boulder, Colo. "We create an index of messages and attachments in a central repository that is searchable and manageable."
Manageable is a key word, and some observers believe the solution lies in the corporate infrastructure.
"A secure infrastructure is probably the way this should head, but I don't know when we will see that," says Nina Burns, president of Creative Networks. "The driver will be transactional e-mail such as bill payment or presentment. But the policy and business rules need to be integrated with the technology."
JOHN FONTANA, Network World