One morning last fall, an employee of a large New England bank made the final keystroke of an E- mail message and clicked Send. Moments later, a box flashed on his PC screen: You have new mail. Startled, the employee opened the new message and saw the E-mail he had just sent–not only to its intended readers, but to himself and everyone else in the office. A bad prank had gone awry.
The message poked fun at the bank’s controller and was laced with personal innuendos and off-color jokes. What’s more, the employee had changed the name and E-mail address to make it appear the message was from the controller (a practice known as spoofing). But the address list showed he had mistakenly clicked All, thus routing the message to the entire office–including the object of ridicule. The E-mail was quickly traced, and the employee was fired that afternoon.
E-mail has become an indispensable business tool. According to International Data Corp., in Framingham, Massachusetts, in 1998 some 1.1 billion business E-mail messages were sent daily by 80 million U.S. workers. “We swear by it,” says Adam Sohn, a spokesperson for Microsoft Corp., which processes more than 3 million messages per day sent from or to its employees. “It’s the backbone of how we communicate with partners, vendors, customers, and each other.”
But like any powerful tool, E- mail can be hazardous to the user. As with the hapless bank employee, it can backfire on the sender. But the damage may not be limited to the individual. For instance, in 1995, Chevron Corp. had to pay female employees $2.2 million to settle a sexual harassment lawsuit stemming from inappropriate E-mail circulated by male employees (sample topic: “25 reasons why beer is better than women”).
As the Microsoft antitrust trial illustrates, E-mail can furnish plaintiffs with a trove of potentially damning information. (“Do we have a clear plan on what we want Apple to do to undermine Sun? ” read one missive from Bill Gates.) “There was a period of time when all the exhibits [in a trial] were faxes,” notes Pam Reeves, a partner at the law firm of Watson, Hollow & Reeves, in Knoxville, Tennessee. “Now, many of the exhibits are E-mails.”
It’s easy to see why. There’s something about E-mail that encourages users to shed their normal reserve and communicate with an unusual degree of candor–or recklessness. A message conveyed from screen to glowing screen seems just as intimate, and as private, as the behind-closed-doors variety. But to a court of law, an E-mail message is as formal as if it had been typed on company letterhead and sent by first-class mail.
To hackers, an E-mail message is the ideal medium for computer viruses. Last March, the Melissa virus infected well over 100,000 computers via E-mail; companies such as Lucent Technologies and Lockheed-Martin Corp. were forced to temporarily shut down their systems. And in April, the Chernobyl virus effectively destroyed entire PCs, although it was not nearly as widespread as Melissa.
But E-mail doesn’t have to be viral or defamatory to be costly. Much E-mail is simple, time-wasting junk. A recent study by Worldtalk Corp., a maker of E-mail security software in Santa Clara, California, reported that “potentially dangerous or nonproductive” messages account for fully 31 percent of all E-mail.
“The ability to communicate with E-mail has radically changed the way people are working, but it is fraught with abuse,” sums up Steve Behrens, CFO of Real 3D Inc., a three-dimensional-graphics company based in Orlando. “People send lots of trash around, and they forget there’s a human being at the other end.”
Put it in Writing
How can companies minimize E- mail abuse? A formal policy is the best way to start, although some companies worry that formal statements could be too confining.
“We don’t have any policy governing E-mail yet,” admits Behrens of Real 3D, which has 200 employees. “We encourage employees to go out and experiment. The danger in writing a very tight policy is that it could limit creativity, which is essential in our business.” Instead, Real 3D employees are encouraged to use common sense and good business judgment. “They are told to be careful what they put in writing,” Behrens says. “When you hit Send, you might as well put it up on a bulletin board.”
Likewise, Bell & Howell PSC, a Richfield, Ohio, provider of information systems services, doesn’t have a formal policy. “We haven’t really had any problems,” says CFO Rens Buchwaldt, who admits he sometimes frets that employees will spend too much time reading E-mail or sending personal E-mail. “We encourage our employees to use E-mail as a business tool, just like any other.”
Still, experts say a written policy is the best way for companies to protect themselves. A policy should state that E-mail and its contents are the property of the company, and that the company reserves the right to read any messages transmitted over its system, says attorney Reeves. “Employees need to understand that a company can access employees’ E-mail at any time without advance notice or consent,” she says.
The E-mail policy should be tied to the company’s sexual harassment policy, adds Reeves, who represents companies in such matters. “In many cases, there is a paper trail of rude, crude, and obnoxious E-mails,” she says. Since E-mail is the property of the company, there is the potential for a judge to rule that the use of E-mail in a sexual harassment case was part of the workplace environment.
The High Cost of Discovery
Along with a policy for use, a company should establish a policy for E-mail retention–how long messages are saved before they are automatically deleted by network managers. Some employees may resist such a policy, notes Jim Browning, analyst at IT advisory firm GartnerGroup. “It’s a tug of war,” he says. “End users are pack rats, while the legal department wants to get rid of things in a hurry.” Browning says retention policies of 30 to 90 days are typical.
A routine sweep of all but the most essential E-mails can also fend off hefty discovery costs. Corporate defendants are responsible for making E-mail available to plaintiffs if it is subpoenaed–and that mail can date from a period of years. John Jessen, president and CEO of Electronic Evidence Discovery Inc., in Seattle, says many lawsuits are settled because the cost of providing E- mails in discovery would be higher than the settlement.
“Unmanaged electronic data is the biggest unfunded liability that companies face today,” asserts Jessen. Recently, a court ordered one of his clients, a Fortune 500 company, to turn over any E- mail that mentioned the name of a former employee, who was suing the company for improper termination. Since the company had no policy for purging E-mail, it faced the prospect of searching more than 20,000 backup tapes, filled with millions of messages, at the cost of $1,000 per tape–a total of $20 million. The company expects to convince the court that 89 tapes would be sufficient, based on initial searches conducted by Jessen.
More and more companies will have their mountains of E-mail turn into legal handicaps, predicts Jessen. “Companies that don’t manage their E-mail will lose every litigation case just because of the cost of discovery,” he warns. Protecting themselves will require companies to start thinking about E-mail differently. “It’s a great way to move information around a company, but it makes a lousy record- retention system,” says Jessen. “And yet that’s how most companies are using it.”
Getting rid of E-mail can save money on information systems, too. One large financial services company in New York will save approximately $7 million a year on backup-tape management alone by drastically cutting down on the E-mails it saves, notes Jessen.
Still, even deleted E-mail messages can come back to haunt defendants, thanks to computer-forensics experts. “Delete rarely means delete, especially with E-mail,” explains Jessen. Most E-mail systems simply hide messages from view when they are deleted. Also, copies of messages may exist elsewhere–in a home PC, perhaps, or handheld computer. “Chances are, an expert will find that message somewhere,” says GartnerGroup’s Browning.
Despite Microsoft’s antitrust tussles, Sohn says the company hasn’t changed any of its policies about how its employees save E-mail. “We let them make their own decisions about what they keep,” he says. Space limitations require the IT department to delete old E-mail on servers and backup systems, says Sohn, but he insists Microsoft isn’t worried about messages showing up in litigation. “More often then not, E-mail helps us make our case,” he says.
In the end, discretion is the better part of E-mail use. Craig Bodette, controller of Root Learning Inc., a Perrysburg, Ohio, manufacturer of organizational maps and learning visuals, never sends important financial data over E-mail. “It’s just way too easy to send it to the wrong people, or have it end up in the hands of those it isn’t intended for,” says Bodette. “And once you hit Send, it’s gone.” If he needs to send key information to the CFO, CEO, or company president, he prints it out–and has it hand delivered.
You’ve Got Junk Mail
31% of Internet E-mail is either hazardous or a waste of time
- Spam (unsolicited E-mail) 10%
- Violates corporate policy 9%
- Bulk mail 4%
- Contains profanity 4%
- Contains jokes 2%
- Contains viruses 2%
Source: Worldtalk Corp.
Internet E-mail Corporate Usage Report
E-Mail Do’s and Don’ts
DO institute a written company E-mail policy. Include warnings that E-mail can be read by company officials at any time.
DO establish E-mail retention periods and centralized archives. Experts say 90 days is long enough to keep most messages.
DO read the updates from your company’s network and security managers. You don’t want to miss the warning about the latest virus that will destroy your hard drive.
DON’T reply to junk E-mail. A reply only lets spammers know they have a live address.
DON’T give your E- mail address in Internet chat rooms or discussion groups. Programs automatically collect addresses from them for direct E- mailers.
DON’T execute attachments of uncertain origin. If in doubt, contact the sender or your network manager. (Viruses are frequently propagated by E-mail. However, receivers must execute the attachment sent with the message to activate the virus.)
DON’T send confidential messages over an insecure network. E-mail sent over the Internet is the electronic equivalent of postcards; any hacker with a little know-how can intercept messages.