Mitigating the Risks of Messaging
By Maurene Caplan Grey
In any single day, millions of e-mail messages are sent and received within and outside of the organization – and, almost daily, the press and broadcast media detail the latest scandal to be uncovered through an e-mail message.
In most cases, the scandal arises as a result of a financial-transaction wrongdoing – in which those involved get caught. The evidence is often found in e-mail message conversations.
Protecting the organization from the damage that non-compliance can cause is paramount in today’s regulatory-ridden business environment. Many organizations start by securing e-mail for compliance purposes. We agree it is a necessary step – but a tactical one that pursues only the “e-mail-as-evidence” pain point. Forward-thinking organizations are only at the cusp of realizing the magnitude of this quandary. The risks are not married solely to business regulations or to e-mail as a messaging medium.
Compliance
Due to stringent SEC and NASD regulations on managing e-mail messages and instant messaging, US financial service providers have been at the forefront of adopting compliance practices. Other vertical industries have been equally impacted. For example, within the US healthcare community, the Health Insurance Portability and Accountability Act (HIPAA) set the standards for securing the privacy of patient information.
A dynamic influx of US and non-US regulations and legislation – vertical and horizontal – has paralyzed business activities. As stated in the 16 June 2005 Wall Street Journal, the cost of complying with the US Sarbanes-Oxley Act has been reported to range from “$1.6 million to $4.4 million per company each year.” A graduate student at the University of Rochester, Ivy Xiying Zhang, gained global media coverage from her event analysis of the July 2002 Senate and House debates. Zhang postulated that the debates led to investor uncertainty, resulting in falling stock prices and market losses of $1.4 trillion. Depending on the type of analysis used, the total cost of compliance for any mandate will differ wildly. Indisputable, however, is the financial drain of becoming compliant, as well as the financial drain should an audit reveal areas of noncompliance.
Many argue that, though the cost of becoming compliant is high, the upside is well-structured accountability, improved organizational credibility and customer protection. Capitalizing on that backdrop, vendors across the board have declared that they have the solution. In the case of e-mail messaging and instant messaging management, the solution may take the form of policy-based filtering, categorizing, indexing, archiving, document management or record management software – which turns the unstructured message body into a “record.” Outsourcers can host all or part of the solution. Professional services firms can design the implementation of the technical and business processes. The e-mail messaging and instant messaging compliance market is undergoing tremendous consolidation; however, no vendor today can provide a holistic, integrated solution.
Privacy
Country and regional privacy legislation dictates the degree of privacy required for customer- and employee-sensitive information. For example, student-record information is protected in many school districts. Communications held between an attorney and a client are protected as privileged information. Federal and local Freedom of Information Acts control the processes by which citizens can obtain government-held information about themselves. Organizations that wish to do business globally must understand how to get through the maze of complex and changing privacy mandates.
Civil Actions
Amidst confusion about best practices to manage messaging for compliance, organizations must also mitigate the risks of civil lawsuits and corporate embarrassment – often initiated by employees exhibiting poor judgment.
Love on the Internet. In December 2000, Claire Swire sent a sexually explicit e-mail message to her boyfriend, Bradley Chait. Chait, a lawyer with the London-based law firm Norton Rose, forwarded the e-mail message to several friends, who forwarded it to several of their friends, and so on. What Swire intended as a private message found its way, according to the media, to 10 million mailboxes across the Internet. Swire suffered personal embarrassment, to be sure. But beyond that, Norton Rose’s reputation was victimized by global ridicule because Chait forwarded the original message from his Norton Rose e-mail account. (Chait was suspended temporarily and his year-end bonus, along with those of nine of his friends, was revoked.)
Love Leads to Federal Indictment. The case of United States v. Kammersell, 196 F.3d 1137 (10th Cir. 1999) examines an incorrect method for dating. Utah resident Matthew Kammersell wanted to spend some time with his girlfriend, who also resides in Utah. So Kammersell used America Online Instant Messenger (AIM) to send a bogus bomb threat to his girlfriend’s AIM account. His goal was to cause her office to close for the day so that they could enjoy some time together. Kammersell never imagined that he would be in violation of US Interstate Commerce Commission (ICC) regulations. Kammersell’s instant message traveled the Internet through AOL’s servers in Virginia. Kammersell was indicted and found guilty of violating ICC 18 U.S.C. § 875(c), which makes it a crime to transmit a threatening communication through interstate commerce.
Blog Transgressions Are Poor Career Moves. On 28 January 2005, Mark Jen was fired from Google because he discussed Google’s financial performance and future products in his blog. (Read Mark’s feedback at http://www.simplyfired.com/feature.php, in which he discusses the infamous blog faux pas.)
How Start-ups Fall Down. In 2005, the Canadian Imperial Bank of Commerce (CIBC) filed suit against Genuity Capital Markets. Genuity was established by six former CIBC executives. The suit maintains that the former CIBC executives sent CIBC-confidential information via BlackBerry PIN-to-PIN messaging to improperly recruit CIBC employees to Genuity (see Note 1). CIBC had used PIN-to-PIN management software to capture the incriminating messages – which were subpoenaed by the court to prove CIBC’s case against Genuity.
New Messaging Mediums: New Risks
Each new type of messaging invites a new level of casualness. For example, the language used in an instant message is generally less guarded than that used in an e-mail message. Behind casual communication lurks the danger of unintentionally or willfully providing information that should not be shared. Further complications can arise when different types of messaging intermix.
An e-mail message, which was intended to be viewed only by the sender and recipient, was posted by the recipient to a blog. Worse yet, the blog posting (of the e-mail message) contained copyrighted material without the consent of the copyright owner. The sender requested that the blog entry be removed by the Internet Service Provider hosting it. (See http://www.chillingeffects.org/dmca512/notice.cgi?NoticeID=2093.) Although this example involves individuals, the blog posting could as easily have been a supposedly private e-mail message discussing an organization’s intellectual property. Blogs are informal online journals. In this context, legal liability issues are complex. See http://www.eff.org/bloggers/lg/ for the Electronic Frontier Foundation’s guidelines.
Any messaging medium can carry incriminating information. In a proactive move, Web conferencing vendors have started to release adjunct applications that capture, index and archive specified content. For example, in June 2005, WebEx Communications, Inc. announced the release of WebEx Retention Solution to manage chat, presentations, audio, video and other meeting content.
What You Need To Do Now
A messaging quagmire is underfoot in the majority of organizations. New messaging technologies are entering the organization at a grassroots level and at a faster pace than the IT organization or the business units can handle. As discussed, e-mail messaging (and increasingly instant messaging) has come under unusual scrutiny. Organizations should expect that the same scrutiny will, over time, be applied to other types of messaging. Implement some simple steps now to prepare for the inevitable.
- The organization’s Code of Conduct should clearly state that the language used in, and the distribution of, electronic messaging and communications of all types must follow the same ethics that apply to employee face-to-face communication and professional behavior.
- Most organizations have an e-mail policy. The policy should be renamed the “electronic communications” policy. Specific to ethics, it should reference the Code of Conduct. Additionally, the electronic communications policy should address such communication-specific issues as:
  - The organization’s handling of spam and the employee’s responsibilities in curtailing spam.
  - Message retention practices. Retention handling will differ by industry (e.g., financial services) and by employee role (e.g., broker/dealers). Retention handling may not apply to some types of electronic communications (e.g., Web conferencing) but apply to other types (e.g., instant messaging). The implications of detailing which types of electronic communications are or are not managed for retention need to be discussed with the organization’s internal legal counsel and compliance officer.
  - The policy should state whether the organization includes specific types of electronic communications (e.g., e-mail and instant messaging) in its document management or record management systems.
  - Depending on the organization’s geographical location (e.g., within a European Union country), legislative privacy issues may need to be addressed. Similarly, the organization’s market sector (e.g., higher education) may need to address how message management is balanced against free speech – particularly for faculty (university employees) and students (not employees of the university).
  Electronic messaging and communication etiquette does not belong in the electronic communications policy – which is a legal agreement between the employer and employee. The etiquette document, however, can be referenced in the policy document.
- Messaging management point products are converging – often as a result of acquisitions. For example, over the past two years, storage vendor EMC Corporation acquired Documentum, Inc. (content management) and Legato Software (e-mail archiving). Prior to the EMC acquisition, Documentum had acquired eRoom Technology Inc. (team collaboration) and TruArc Corporation (records management). Organizations should evaluate product selection decisions against market trends, short-term needs and strategic goals.
- Educate employees. It is the responsibility of employees to think before they type – if it feels wrong, it probably is.
- Before implementing any business practices or policies, organizations must seek the advice of their internal legal counsel and compliance officer.
Note 1: PIN-to-PIN Defined
BlackBerry devices are each assigned a unique Personal Identification Number (PIN). BlackBerry users can exchange messages with each other through PIN addressing – i.e., the sender and recipient are identified by each other’s PIN. PIN-to-PIN messages do not pass through a server. BlackBerry users may send messages containing sensitive information to other BlackBerry users under the misconception that PIN-to-PIN messaging cannot be captured and logged.
Maurene Caplan Grey is the founder of Grey Consulting – which is dedicated to the messaging, collaboration and human communication market spaces. Prior to starting an independent practice, Ms. Grey was Gartner’s lead analyst on messaging, calendaring/scheduling and human communications. Earlier, she headed United Parcel Service’s worldwide messaging environment. Ms. Grey is a globally recognized advisor to enterprises and vendors, with over 20 years of experience in the IT industry. Ms. Grey earned her undergraduate degree from the University of Pittsburgh, summa cum laude, with a major in Communications and has completed graduate coursework in computer science from Fairleigh Dickinson University.