E-mail is a major area of focus for information governance (IG) efforts: It is the most common business software application and the backbone of business communications today, and e-mail is the leading piece of evidence requested during the discovery phase of civil trials, so it is critically important to implement IG measures for e-mail communications.

Employees utilize e-mail all day, including during their personal time, sometimes mixing business and personal use of e-mail. Social media use has skyrocketed in recent years and actually has surpassed e-mail for personal use, but the fact remains that in business, knowledge workers rely on e-mail for almost all communications, including those of a sensitive nature. A 2013 survey of 2,400 corporate e-mail users worldwide found that nearly two-thirds stated that e-mail was their favorite form of business communication, surpassing not only social media but also telephone and in-person contact.¹

These e-mail communications may contain discoverable information in litigation, and a percentage of them will be declared formal business records. E-mail often contains records, such as financial spreadsheets and reports, product price lists, marketing plans, competitive analyses, safety data, recruitment and salary details, progressing contract negotiations, and other information that may be considered as constituting a business record.

E-mail systems can be hacked, monitored, and compromised and cause far-reaching damage to a victimized organization. The damage may occur slowly and go undetected while information assets—and business value—are eroded.

In mid-2011, the “hacktivist” group AntiSec claimed responsibility for hacking a U.S. government contractor, Booz Allen Hamilton, and publicly exposing 90,000 military e-mail addresses and passwords from the contractor by posting them online. It was the second attack on a government defense contractor in a single week.²

Booz Allen employees “maintain high government security clearances” while working with the defense sector (yet in 2013 another Booz Allen employee, Edward Snowden, gained access to secret communications monitoring programs that the U.S. National Security Agency operated to capture metadata and other information from the private e-mail and telephone conversations of American citizens on a broad scale). AntiSec penetrated the communications systems with relative ease and noted there were “basically had no security measures in place.”³ AntiSec was able to go even further, by running its own rogue application to steal software source code and to search and find access credentials to steal data from other servers, which the group said would help it to infiltrate other federal contractors and agencies. It even stated it might pass the security information on to other hackers.

The attack did not stop there. Later that week, another federal defense and FBI contractor, IRC Federal, was hacked, databases were invaded, the Web site was modified, and information from internal e-mail messages was posted online.⁴

Employees Regularly Expose Organizations to E-Mail Risk

A 2011 global e-mail survey, commissioned by a leading hosted e-mail services provider, found that nearly 80 percent of all employees send work e-mail to and from their personal accounts, and 20 percent do so regularly, which means that critical information assets are exposed to uncontrolled security risks.⁵

“Awareness of the security risks this behavior poses does not act as a deterrent” (emphasis added). Over 70 percent of people questioned recognize that there is an additional risk in sending work documents outside the corporate e-mail environment, but almost half of “these same respondents feel it is acceptable to send work emails and documents to personal email accounts anyway.” According to the survey, the reasons for using personal e-mail accounts for work purposes range from working on documents remotely (71 percent), to sending files that are too big for the company mailbox (21 percent), to taking documents with them when they leave a company (18 percent), to simply not wanting to carry a laptop home (9 percent). The top two frustrations users had with work e-mail were restrictions on mailbox size, which has a negative impact on e-mail management, and the inability to send large attachments. This second issue often forces workers to use a personal account to send and receive necessary files. If size limits are imposed on mailboxes and attachments, companies must provide a secure alternative for file storage and transfer. Otherwise, employees are pushed into risking corporate information assets via personal e-mail. This scenario not only complicates things for e-mail administrators but has serious legal and regulatory implications. Clearly, as stated by Paul Mah in his “Email Admin” blog, “email retention and archival becomes an impossible task when emails are routed in a haphazard manner via personal accounts.”⁶

This means that security, privacy, and records management issues must be addressed by first creating IG policies to control and manage the use of e-mail. These policies can utilize the e-mail system's included security features and also employ additional monitoring and security technologies where needed.

The e-mail survey also found an overall lack of clear e-mail policies and weak communication of existing guidelines. This means a lack of IG. Nearly half of the respondents stated either that their company had no e-mail policy or that they were unaware of one. Among those aware of a corporate e-mail policy, 4 in 10 think it could be communicated better. Among companies that have a policy, most (88 percent) deal with the appropriate use of e-mail as a business tool, but less than one-third (30 percent) address e-mail retention from a security standpoint.

Generally, employees are aware that sending work documents outside of their corporate network is unsafe, yet they continue to do so. It is abundantly clear that e-mail policies have to be updated and upgraded to accommodate and manage the increasingly sophisticated and computer-savvy generation of users who are able to find ways to work around corporate e-mail restrictions. (These users have been dubbed Generation Gmail.) In addition, new e-mail monitoring and security technologies need to be deployed to counter this risky practice, which exposes information assets to prying eyes or malicious attacks.

E-Mail Polices Should Be Realistic and Technology Agnostic

E-mail policies as part of your IG program must not be too restrictive. It may be tempting to include catchall policies that attempt to tamp down user behavior, but such efforts cannot succeed.⁷ An important step is consulting with stakeholders to understand their usage patterns and needs and then going through a series of drafts of the policy, allowing for input. It may be determined that some exceptions and changes in technologies need to be factored in and that some additional technology is needed to accommodate users while keeping information assets safer and meeting compliance and legal demands. Specifics of these policies and tools should be progressively tightened on a regular basis as the process moves forward.

These new IG guidelines and policies need to refer to technology in a generic sense—a “technology-neutral” sense—rather than specifying proprietary software programs or features.⁸ That is to say, they should be written so that they are not in need of revision as soon as new technologies are deployed.

Developing organization-wide IG policies is time consuming and expensive; they are a defensive measure that does not produce revenue, so managers, pressed for performance, often relegate policy making to the low-priority list. Certainly, it is a tedious, difficult task, so organizations should aim to develop policies that are flexible enough to stand the test of time. But it is also necessary to establish a review process to periodically revise policies to accommodate changes in the business environment, the law, and technology.

Here is an example of a technology-agnostic policy directive:

This statement does not specify the technology to be used, or the mode of transmission. The policy is neutral enough to cover not only e-mail and instant messaging (IM) but also social media, cloud computing, mobile computing, and other means of communication. The policy also does not specify the method or brand of the encryption technology, so the organization can select the best method and technology available in the future without adapting the policy.⁹

E-Record Retention: Fundamentally a Legal Issue

Considering the massive volume of e-mail exchanged in business today, most e-mail messages do not rise to the level of being formal business records. But many of them do and are subject to IG, regulatory compliance, and legal requirements for maintaining and producing business records.

Although often lumped in with other information technology (IT) concerns, the retention of e-mail and other e-records is ultimately a legal issue. Other departments, including records management and business units, should certainly have input and should work to assist the legal team to record retention challenges and archiving solutions. But e-mail and e-record retention is “fundamentally a legal issue,” particularly for public or highly regulated companies. According to Nancy Flynn of the ePolicy Institute, “It is essential for the organization's legal department to take the lead in determining precisely which types of email messages will be preserved, exactly how and where data will be stored, and specifically when—if ever—electronically stored information [ESI] will be deleted”¹⁰ (emphasis added).

Since they are often shot out in the heat of battle, many times e-mail messages are evidence of a smoking gun in lawsuits and investigations. In fact, they are the most requested type of evidence in civil litigation today. The content and timing of e-mail messages can provide exonerating information too.

In January 2010, a U.S. House of Representatives committee probing bailout deals subpoenaed the Federal Reserve Bank of New York for e-mail and other correspondence from Treasury Secretary Timothy Geithner (former president of the New York Federal Reserve Bank) and other officials. The House Oversight and Government Reform Committee was in the process of examining New York Fed decisions that funneled billions of dollars to big banks, including Goldman Sachs Group and Morgan Stanley.¹¹

This is just one example of how crucial e-mail messages can be in legal investigations and how they play an important role in reconstructing events and motives for legal purposes.

Preserve E-Mail Integrity and Admissibility with Automatic Archiving

Most users are not aware that e-mail contents and characteristics can be changed—“and rendered legally invalid”—by anyone with malicious motives, including those who are essentially “covering their tracks.” Not only can the content be edited, but metadata that includes such information as the time, date, and total number of characters in the message can also be changed retroactively.¹²

To offset this risk and ensure that spoliation (i.e., the loss of proven authenticity of an e-mail) does not occur, all messages, both inbound and outbound, should be captured and archived automatically and in real time. This preserves legal validity and forensic compliance. Additionally, e-mail should be indexed to facilitate the searching process, and all messages should be secured in a single location. With these measures, e-mail records can be assured to be authentic and reliable.

E-Mail Archiving Rationale: Compliance, Legal, and Business Reasons

There are good reasons to archive e-mail and retain it according to a specific retention schedule that follows your organization's IG policies. Having a handle on managing voluminous e-mail archives translates to being able to effectively and rapidly search and retrieve exactly the right messages, which can provide a significant legal advantage. It gives your legal team more and better information and more time to figure out how to leverage it in legal strategy sessions. This means the odds are tipped in your organization's favor in the inevitable litigation arena. Your legal opponent may be driven to settle a weak claim when confronted with indisputable e-mail evidence, and, in fact, “email often produces supportive evidence that may help ‘save the day’ by providing valuable legal proof” of innocence.¹³ This evidence may stop frivolous lawsuits in their tracks. Further, reliable e-mail evidence also can curtail lengthy and expensive lawsuits, and prevail. And if your company is public, Sarbanes–Oxley regulations require the archiving of e-mail.

Don't Confuse E-Mail Archiving with Backup

All backups are not created equal. There is a big difference between traditional system backups and specialized e-mail archiving software.

Backups are huge dumps to mass storage, where the data is stored sequentially and not compressed or indexed.¹⁴ It is impossible to search backups except by date, and even doing that would mean combing through troves of raw, non-indexed data.

The chief executive may not be aware of it, but without true e-mail archiving, system administrators could spend long nights loading old tapes and churning out volumes of data, and legal teams will bill hourly for manual searches through troves of data. This compromises your enterprise's legal position and not only increases raw costs but also leads to less capable and informed legal representation. According to one study, fully one-third of IT managers state they would have difficulty producing an e-mail that is more than one year old. “A backup system is no substitute for automatic archiving technology”¹⁵ (emphasis added).

No Personal Archiving in the Workplace

Employees are naturally going to want to back up their most important files, just as they probably do at home. But for an overall IG information-security program to be effective, personal archiving at work must be prohibited. This underground archiving results in hidden shadow files and is time consuming and risky. According to Flynn, “Self-managed email can result in the deletion of electronic records, alteration of email evidence, time-consuming searches for back-up tapes, and failure to comply with legal discovery demands” (emphasis added). Also, users may compromise formal electronic records, or they may work from unofficial records, which therefore by definition might be inaccurate or out-of-date, posing compliance and legal ramifications.¹⁶

Are All E-Mails Records?

Are e-mail messages records? This question has been debated for years. The short answer is no, not all e-mail messages constitute a record. But how do you determine whether certain messages are a business record or not? The general answer is that a record documents a transaction or business-related event that may have legal ramifications or historic value. Most important are business activities that may relate to compliance requirements or those that could possibly come into dispute in litigation. Particular consideration should be given to financial transactions of any type.

Certainly evidence that required governance oversight or compliance activities have been completed needs to be documented and becomes a business record. Also, business transactions, in which there is an exchange of money or the equivalent in goods or services, are also business records. Today, these transactions are often documented by a quick e-mail. And, of course, any contracts (and any progressively developed or edited versions) that are exchanged through e-mail become business records.

The form or format of a potential record is irrelevant in determining whether it should be classified as a business record. For instance, if a meeting of the board of directors is recorded by a digital video recorder and saved to DVD, it constitutes a record. If photographs are taken of a ground-breaking ceremony for a new manufacturing plant, the photos are records too. If the company's founders tape-recorded a message to future generations of management on reel-to-reel tape, it is a record also, since it has historical value. But most records are going to be in the form of paper, microfilm, or an electronic document.

Here are three guidelines for determining whether an e-mail message should be considered a business record:

1. The e-mail documents a transaction or the progress toward an ultimate transaction where anything of value is exchanged between two or more parties. All parts or characteristics of the transaction, including who (the parties to it), what, when, how much, and the composition of its components, are parts of the transaction. Often seemingly minor parts of a transaction are found buried within an e-mail message. One example would be a last-minute discount offered by a supplier based on an order being placed or delivery being made within a specified time frame.
2. The e-mail documents or provides support of a business activity occurring that pertains to internal corporate governance policies or compliance to externally mandated regulations.
3. The e-mail message documents other business activities that may possibly be disputed in the future, whether it ultimately involves litigation or not. (Most business disputes actually are resolved without litigation, provided that proof of your organization's position can be shown.) For instance, your supplier may dispute the discount you take that was offered in an e-mail message and, once you forward the e-mail thread to the supplier, it acquiesces.¹⁷

Destructive Retention of E-Mail

Destructive retention is an approach to e-mail archiving where e-mail messages are retained for a limited time (say, 90 days or six months), followed by their permanent manual or automatic deletion of messages from the company's network, so long as there is no litigation hold or the e-mail has not been declared a record in accordance with IG and records management policies. Implementing this as a policy may shield the enterprise from retaining potentially libelous or litigious e-mail that is not a formal business record (e.g., off-color jokes or other personnel violations).

For heavily regulated industries, such as health care, energy, and financial services, organizations may need to archive e-mail for longer periods of time.

Instant Messaging

Instant messaging (IM) use in enterprises has proliferated—despite the fact that frequently proper policies, controls, and security measures are not in place to prevent e-document and data loss. There are a variety of threats to IM use that enterprises must defend against to keep their information assets secure.

The first basic IM systems, which came into use in the mid-1960s, had real-time text capabilities for routing messages to users logged on to the same mainframe computer. Early chat systems, such as AOL Instant Messenger, have been in use since the late 1980s, but true IM systems that included buddy list features appeared on the scene in the mid-1990s, followed by the release of Yahoo! and Microsoft IM systems. The use of these personal IM products in the workplace has created new security risks.¹⁸

More secure enterprise instant messaging (EIM) products can be deployed. Leading EIM installed systems include IBM Lotus Sametime, Microsoft Office Communications Server, Cisco Unified Presence, and Jabber XCP. In the financial sector, Bloomberg Messaging and Reuters Messaging are leading platforms.

By the year 2000, it was estimated that nearly 250 million people worldwide were making use of IM, and today estimates are that more than 2 billion people use IM, with the addition of hundreds of millions of users in China.

As with many technologies, IM became popular first for personal use, then crept into the workplace—and exploded. IM is seen as a quicker and more efficient way to communicate short messages than engaging in a telephone conversation or going through rounds of sending and receiving endless e-mail messages. The problem with IM is that many organizations are blind to the fact that their employees are going to use it one way or another, sometimes for short personal conversations outside the organization. If unchecked, such messaging exposes the organization to a myriad of risks and gives hackers another way to compromise confidential information assets.

Best Practices for Business IM Use

Employing best practices for enterprise IM use can help mitigate its security risks while helping to capitalize on the business agility and velocity benefits IM can provide. Best practices must be built in to IG policies governing the use of IM, although “the specifics of these best practices must be tailored for each organization's unique needs.”

A methodology for forming IM-specific IG policies and implementing more secure use of IM must begin with surveying and documenting the proliferation of IM use in the organization. It should also discover how and why users are relying on IM—perhaps there is a shortcoming with their available IT tools and IM is a work-around.

Typically, executives will deny there is much use of IM and that if it is being used, its impact is not worth worrying about. Also, getting users to come clean about their IM use may be difficult, since this may involve personal conversations and violations of corporate policy. A survey is a good place to start, but more sophisticated network monitoring tools need to be used to factually discover what IM systems are actually in use.

Once this discovery process has concluded and the use of IM is mapped out, the IG team or steering committee must create or update policies to: decide which IM systems it will allow to be used, how, when, and by whom; decide what restrictions or safeguards must be imposed; and create guidelines as to appropriate use and content. As a part of an overall IG effort, Quest Software determined that a successful IM policy will:

• Clearly and explicitly explain the organization's instant messaging objectives. Users should know why the organization permits IM and how it is expected to be used.
• Define expectations of privacy. Users should be made aware that the organization has the right to monitor and log all IM sessions for corporate compliance, safety, and security reasons.
• Detail acceptable and unacceptable uses. An exhaustive list of permitted and forbidden activities may not be necessary, but specific examples are helpful in establishing a framework of IM behaviors for users.
• Detail content and contact restrictions (if any). Most organizations will want to limit the amount of idle IM chat that may occur with family, friends, and other nonbusiness-related contacts. There may also be additional issues related to information confidentiality and privacy. Some businesses may choose to block the distribution of certain types of information via live IM chat session or file transfer.
• Define consequences for violations of the policy. Users should be advised of the consequences of policy violations. Generally these should be aligned with the company's personnel and acceptable use policies.

The use of a standard disclaimer, to be inserted into all users' IM sessions, can remind employees of appropriate IM use and that all chat sessions are being monitored and archived, and can be used in court or compliance hearings.

The next major step is to work with the IT staff to find the best and most appropriate security and network monitoring tools, given the computing environment. Alternatives must be researched, selected, and deployed. In this research and selection process, it is best to start with at least an informal survey of enterprises within the same industry to attempt to learn what has worked best for them.

The key to any compliance effort or legal action will be ensuring that IM records are true and authentic, so the exact, unaltered archiving of IM messages along with associated metadata should be implemented in real time. This is the only way to preserve business records that may be needed in the future. But in addition, a policy for deleting IM messages after a period of time, so long as they are not declared business records, must be formulated.

IG requires that these policies and practices not be static; rather, they must be regularly revisited and updated to reflect changes in technology and legal requirements and to address any shortcoming or failure of the IG policies or technologies deployed.

Technology to Monitor IM

Today, it has been estimated that as much as 80 percent of all IM used by corporate employees comes from free IM providers like Yahoo!, MSN, or AOL. These programs are also the least secure. Messages using these IM platforms can fly around the Internet unprotected. Any monitoring technology implemented must have the capability to apply and enforce established IM use policies by constantly monitoring Internet traffic to discover IM conversations. Traffic containing certain keywords can be monitored or blocked, and chat sessions between forbidden users (e.g., those who are party to a lawsuit) can be stopped before they start. But this all necessarily starts with IG and policy formulation.

Tips for Safer IM

Organizations should assume that IM is being used, whether they have sanctioned it or not. And that may not be a bad thing—employees may have found a reasonable business use for which IM is expedient and effective. So management should not rush to ban its use in a knee-jerk reaction. Here are some tips for safer use of corporate IM:

• Just as e-mail attachments and embedded links are suspect and can contain malicious executable files, beware of IM attachments too. The same rules governing e-mail use apply to IM, in that employees should never open attachments from people they do not know. Even if they do know them, with phishing and social engineering scams, these attachments should first be scanned for malware using antivirus tools.
• Do not divulge any more personal information than is necessary. This comes into play even when creating screen names—so the naming convention for IM screen names must be standardized for the enterprise. Microsoft advises, “Your screen name should not provide or allude to personal information. For example, use a nickname such as SoccerFan instead of BaltimoreJenny.”¹⁹
• Keep IM screen names private; treat them as another information asset that needs to be protected to reduce unwanted IM requests, phishing, or spam (actually spim, in IM parlance).
• Prohibit transmission of confidential corporate information. It is fine to set up a meeting with auditors, but do not attach and route the latest financial report through unsecured IM.
• Restrict IM contacts to known business colleagues. If personal contacts are allowed for emergencies, limit personal use for everyday communication. In other words, do not get into a long personal IM conversation with a spouse or teenager while at work. Remember, these conversations are going to be monitored and archived.
• Use caution when displaying default messages when you are unavailable or away. Details such as where an employee is going to have lunch or where their child is being picked up from school may expose the organization to liability if a hacker takes the information and uses it for criminal purposes. Employees may be unknowingly putting themselves in harm's way by giving out too much personal information.
• Ensure that IM policies are being enforced by utilizing IM monitoring and filtering tools and by archiving messages in real time for a future verifiable record, should it be needed.
• Conduct an IM usage policy review at least annually; more often in the early stages of policy development.

Notes

1. “Research Finds that Restrictive Email Policies are Creating Hidden Security Risks for Businesses,” BusinessWire, March 9, 2011, www.businesswire.com/news/home/20110309005960/en/Research-Finds-Restrictive-Email-Policies-Creating-Hidden.

2. Elizabeth Montalbano, “AntiSec Hacks Booz Allen, Posts Confidential Military Email,” Information-Week, July 12, 2011, www.informationweek.com/news/security/attacks/231001418?cid=nl_IW_daily_2011-07-12_html.

3. Ibid.

4. Mathew J. Schwartz, “AntiSec Hacks FBI Contractor,” InformationWeek, July 11, 2011, www.informationweek.com/news/security/attacks/231001326.

5. Quotes from this survey are from “Research Finds That Restrictive Email Policies Are Creating Hidden Security Risks for Businesses.”

6. Paul Mah, “How to Reduce the Email Security Risks to Your Business,” EmailAdmin, March 10, 2011, www.theemailadmin.com/2011/03/how-to-reduce-the-email-security-risks-to-your-business/.

7. Blair Kahn, Information Nation: Seven Keys to Information Management Compliance (Silver Spring, MD: AIIM International, 2004), pp. 98–99.

8. Ibid, pp. 95–96.

9. Ibid.

10. Nancy Flynn, The E-Policy Handbook: Rules and Best Practices to Safely Manage Your Company's E-Mail, Blogs, Social Networking, and Other Electronic Communication Tools, 2nd ed. (New York: AMACOM, 2009), 20.

11. Hugh Son and Andrew Frye, “Geithner's E-mails, Phone Logs Subpoenaed by House (update3),” January 13, 2010, www.bloomberg.com/apps/news?pid=newsarchive&sid=aGzbhrSxFlXw,.

12. Flynn, E-Policy Handbook, p. 37.

13. Flynn, E-Policy Handbook, pp. 40–41.

14. Nancy Flynn and Randolph Kahn, Email Rules, A Business Guide to Managing Policies, Security, and Legal Issues for E-Mail and Digital Communication (New York: AMACOM, 2003), pp. 81–82.

15. Flynn, The E-Policy Handbook, p. 41.

16. Ibid., p. 43.

17. Robert F. Smallwood, Taming the Email Tiger: Email Management for Compliance, Governance, & Litigation Readiness (New Orleans, LA: Bacchus Business Books, 2008).

18. This discussion is based on Quest Software White Paper, “Best Practices in Instant Messaging Management” (October 2008), http://media.govtech.net/Digital_Communities/Quest%20Software/Best_Practices_in_Instant_Messaging_Management.pdf, p. 5.

19. M. Adeel Ansari, “10 Tips for Safer IM Instant Messaging,” July 6, 2008, http://adeelansari.wordpress.com/tag/safer-im-instant-messaging/.

* Portions of this chapter are adapted from Chapter 11, Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies,© John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.