Forwarded From: darek milewski <darekm@cmeasures.com>
http://www.zdnet.com/pcweek/stories/printme/0,4235,364129,00.html
E-mail cleanup
By Christy Walker
If Microsoft Corp. followed Betty Zimmerman's example and tidied up its
e-mail more often, the software developer might have an easier time
defending itself against federal antitrust charges in Washington.
Every 18 months, Zimmerman sees to it that all 25,000 e-mail users at her
company, Texaco Inc., know and follow the rules regarding retention,
privacy, and the appropriate use and handling of e-mail messages. One of
those rules: E-mail messages not specifically designated by users for
retention are regularly deleted.
If Microsoft had done likewise, it's possible that internal e-mail
messages related to a June 21, 1995, meeting between officials from
Microsoft and Netscape Communications Corp. would never have been
available to Department of Justice prosecutors. The government, however,
was able to subpoena that and hundreds of other Microsoft e-mail messages
found in backup files and is using them as pivotal pieces of evidence in
its antitrust case against the Redmond, Wash., software developer.
Such high-profile cases are sending a wake-up call to IT managers: It's
time to get serious about cleaning up enterprise e-mail. In a business
climate where open lines of communication are vital and e-mail has become
the most important and pervasive desktop application, a clear corporate
messaging policy is mandatory. Such policies should clearly state not
only how long an e-mail message will be kept but also how the enterprise
will deal with other issues that e-mail misuse can bring, such as
discrimination and harassment, copyright, defamation, spamming, employee
privacy rights, and revelation of trade secrets (see chart, below).
Without e-mail policies, corporations can be exposed to liability or, at
the very least, a waste of computer resources.
Pulling no punches
Some enterprises are already getting tough about enforcing e-mail
policies. One Wall Street brokerage, Smith Barney (now Salomon Smith
Barney Inc.), for example, fired two analysts in April for allegedly
circulating pornographic material via the corporate e-mail system. The New
York company's Employee Interim Handbook cautions that e-mail is subject
to examination and that mishandling of the company's equipment could
result in termination.
The handbook states: "Improper use includes but is not limited to any use
of such equipment or services for the transmission or communication of
images or text consisting of ethnic slurs, racial epithets, or anything
that may be construed as illegally harassing or offensive to others based
on an individual's race, national origin ..."
A policy should, first and foremost, spell out which e-mail messages are
to be kept and which are to be thrown out. "Without a good retention
policy, old e-mail records could be available to provide a smoking gun in
litigation," said Eric Goldreich, IS director at Sheppard, Mullin, Richter
& Hampton LLP, a Los Angeles law firm, where a messaging policy has been
in place for about six years.
E-mail policies should also spell out what kind of message content is
acceptable and what is not. Unless companies clearly state and enforce
e-mail content policies, they may find themselves embroiled in a legal
battle over e-mail issues such as harassment and racial discrimination.
MCI WorldCom Inc. can attest to that. Earlier this year, the
telecommunications company, then WorldCom Corp., successfully defended
itself against a suit charging it allowed racially harassing messages on
its e-mail system. WorldCom's defense: It had in place an e-mail policy
spelling out appropriate content, and the Jackson, Miss., company enforced
it.
Having a policy, however, is only half the battle. Businesses must let
employees know about their policies by conducting frequent training and
awareness seminars, said Michael Overly, special counsel to the IT group
at Foley & Lardner, a Los Angeles law firm.
"Approximately 40 percent of large organizations still don't have a
written policy in place or one that is adequate," said Overly. "Companies
are doing a disservice when they rush out with a two- or three-page policy
and forget it. They need a well-written policy, followed up with adoption
and training for employees."
Texaco's Zimmerman does exactly that. "All end users are notified of these
policies via e-mail on a periodic basis ... as well as by continuous
posting on the company intranet," said Zimmerman, who is technology leader
for knowledge management at Houston-based Texaco. The oil company
implemented its first e-mail policy in 1993.
One company, Private Business Inc., of Brentwood, Tenn., used a template
from the Electronic Messaging Association--a membership forum for
businesses interested in emerging messaging technologies--to build its
e-mail policy and distribute it to users.
"We include our pagelong e-mail policy in the employees manual," said Rick
Bryant, manager of sales force automation at Private Business. "It says
e-mail is monitored periodically and subject to inspection at any time.
... Employees should use prudent judgment when [composing] messages and
file attachments. But incidental personal use of e-mail is permitted."
Sheppard, Mullin, Richter & Hampton goes even further. Its employees are
reminded daily of corporate messaging policies as they click through a
log-in screen. It instructs them that their use of the computer system is
subject to the corporate electronic communications policy.
Such a heavy-handed approach is not the norm in most organizations. A
report released last month by American Management Association
International found that only 20.2 percent of approximately 1,000
organizations surveyed are involved in e-mail store-and-review practices.
A Microsoft spokesman declined to comment on the company's e-mail policies
but said that, at more than 3 million messages a day, e-mail plays an
important role at the company. "It facilitates transfer of important
information so that good decisions can be made quickly," said spokesman
Adam Sohn.
IT plays central role
As businesses clean up their e-mail by designing and implementing
policies, IT has a central role to play. One job will be to make sure all
the other corporate departments, such as legal, human resources and even
senior management, are involved.
"IT will certainly have to take a more aggressive stance in this," said
Jonathan Penn, an analyst at Ferris Research Inc., of San Francisco. "More
and more, it means that their job entails bringing in the legal counsel to
plan IT policies, including message retention" or the size of outgoing
e-mail messages.
IT will also need tools that can filter and monitor outbound and inbound
e-mail messages. A growing number of such tools from ISVs can supplement
existing messaging systems.
Brokerages have been among the leading adopters of such technology because
of federal rules that require them to retain and review all communications
with customers, including e-mail messages.
Advent Inc., for instance, uses SRA International Inc.'s Assentor e-mail
message screening and archiving software to comply with Securities and
Exchange Commission and National Association of Securities Dealers Inc.
regulations.
"[Assentor] introduces another layer of technology, but it provides us
with a savings in time, since we don't need a human monitor for each
message," said Eric Generous, chief financial officer at the Hartford,
Conn., brokerage.
However, even many companies with strong e-mail policies are just
beginning to look at tools that can help automate enforcement.
"[Our] policy is fully implemented but not fully automated," said
Zimmerman. Texaco recently thinned down its messaging infrastructure from
13 mail systems to Microsoft's Exchange Server. The company, which uses
Documentum Inc.'s document management application for e-mail archiving,
relies on individual users to specify e-mail messages for retention.
More important, corporations must start with strong e-mail policies that
are widely and regularly communicated and strongly enforced. Those that
don't may be faced with a messy trail of lawsuits.
"Freewheeling, casual, flippant, hyperbolic or simply careless e-mails are
no-nos in dealing with situations presenting potential liabilities," said
attorney Stephen Brock, of Christie, Pabarue, Mortensen and Young, in
Philadelphia. "There are no 100 percent guarantees of confidentiality."
Just ask Microsoft.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sun Nov 1 21:15:43 1998