There are two problems with E-mail: how to lose what you want to hide and how to find what you need to retrieve. Merrill Lynch’s Henry Blodget and Andersen’s Nancy Temple can attest to the hazards of the former, after discoveries of their E-memos led to federal prosecution. Untold numbers of less notorious but equally harried employees have complained about the latter when forced to rifle through dozens of irrelevant messages in search of the one that holds a critical nugget of information.
Many companies have policies requiring employees to delete E-mail messages, but such policies are often ignored. And deleting a message, it turns out, is much tougher than it seems. Simply hitting the “delete” key rarely does the trick, since copies may still reside on the sender’s or recipient’s hard drive, or with anyone to whom the sender or recipient may have forwarded the message. Experts in forensic computing have proved adept at recovering E-mail messages that employees thought they had vaporized.
One potential solution comes from software that can “expire” both sent and received E-mail, or restrict a recipient’s ability to forward or print the material. Products from such companies as Atabok, Authentica, Omniva Policy Systems, and Tumbleweed Communications let senders encrypt outgoing E-mail and then provide recipients with conditional access to the decryption key, which stays on the sender’s server. “We have no notion of where someone might have stored an E-mail or on what servers copies might be residing,” says Jim Hickey, vice president of marketing for Authentica. “But our product gives you an opportunity to expire the key at the server, so it doesn’t matter.”
That means, in theory, that everything from personal notes to top-secret product specs can be deleted after a specified time. With most products, a company can set global deletion rules based on sender or recipient characteristics, or keywords. Some, like Authentica, let senders themselves decide, and even revoke a recipient’s viewing privileges ad hoc, should a relationship change. The products can also be set to delete E-mail received internally, based on company-specified rules and keywords, although this leaves untouched copies the sender keeps or sends to others.
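The key-on-the-server scheme described above can be sketched in a few lines. This is an added illustration, not code from any of the vendors named; the KeyServer class, its method names, and the SHA-256 counter-mode stand-in cipher are all assumptions made for the example.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 in counter mode); use a vetted AEAD in practice.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _subkeys(key):
    # Separate encryption and integrity keys derived from the message key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

class KeyServer:
    """Hypothetical sender-side server: the only place message keys live."""
    def __init__(self):
        self._keys = {}

    def seal(self, body, recipients, expires_at):
        msg_id, key, nonce = secrets.token_hex(8), secrets.token_bytes(32), secrets.token_bytes(16)
        enc_k, mac_k = _subkeys(key)
        ct = _xor_stream(enc_k, nonce, body)
        tag = hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()
        self._keys[msg_id] = {"key": key, "expires_at": expires_at, "allowed": set(recipients)}
        return {"id": msg_id, "nonce": nonce, "ct": ct, "tag": tag}  # what travels as mail

    def revoke(self, msg_id, recipient):
        if msg_id in self._keys:
            self._keys[msg_id]["allowed"].discard(recipient)

    def request_key(self, msg_id, recipient, now):
        rec = self._keys.get(msg_id)
        if rec is None:
            return None
        if now >= rec["expires_at"]:
            del self._keys[msg_id]  # expiry destroys the key, wherever copies sit
            return None
        return rec["key"] if recipient in rec["allowed"] else None

def open_message(server, envelope, recipient, now):
    """Recipient-side viewer: fetch the key, verify, decrypt; None if refused."""
    key = server.request_key(envelope["id"], recipient, now)
    if key is None:
        return None
    enc_k, mac_k = _subkeys(key)
    tag = hmac.new(mac_k, envelope["nonce"] + envelope["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, envelope["tag"]):
        return None
    return _xor_stream(enc_k, envelope["nonce"], envelope["ct"])
```

Every stored or forwarded copy of the envelope holds only ciphertext, so one server-side deletion or revocation covers all of them at once.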
Not For Everyone
Unfortunately, these software products are not panaceas. “There is absolutely a need for them, but they’re a hassle to implement,” says David Ferris of Ferris Research, a San Francisco-based market research firm. It takes significant upfront work to configure a system to filter all E-mail and automatically delete certain types, he says. Permitting employees to individually determine expirations requires absolute confidence in employee compliance, and can be time-consuming. Furthermore, recipients of encrypted E-mail may need to have special software installed to read the messages, or may have to access them via a third-party Web site. Even Authentica’s Hickey admits, “This is not something you’d put on everyone’s desktop.” Nor does he suggest all E-mail be encrypted for future control. “Probably 10 to 15 percent of correspondence would merit this.”