[ISN] E-mail cleanup

From: mea culpa (jerichoat_private)
Date: Sun Nov 01 1998 - 15:21:35 PST

  • Next message: mea culpa: "[ISN] NOT the Orange Book"

      This message is in MIME format.  The first part should be readable text,
      while the remaining parts are likely unreadable without MIME-aware tools.
      Send mail to mimeat_private for more info.
    Content-Type: TEXT/PLAIN; CHARSET=us-ascii
    Content-ID: <Pine.SUN.3.96.981101162054.5667Iat_private>
    Forwarded From: darek milewski <darekmat_private>
    E-mail cleanup
    By Christy Walker
    If Microsoft Corp. followed Betty Zimmerman's example and tidied up its
    e-mail more often, the software developer might have an easier time
    defending itself against federal antitrust charges in Washington. 
    Every 18 months, Zimmerman sees to it that all 25,000 e-mail users at her
    company, Texaco Inc., know and follow the rules regarding retention,
    privacy, and the appropriate use and handling of e-mail messages. One of
    those rules: E-mail messages not specifically designated by users for
    retention are regularly deleted. 
    If Microsoft had done likewise, it's possible that internal e-mail
    messages related to a June 21, 1995, meeting between officials from
    Microsoft and Netscape Communications Corp. would never have been
    available to Department of Justice prosecutors. The government, however,
    was able to subpoena that and hundreds of other Microsoft e-mail messages
    found in backup files and is using them as pivotal pieces of evidence in
    its antitrust case against the Redmond, Wash., software developer. 
    Such high-profile cases are sending a wake-up call to IT managers: It's
    time to get serious about cleaning up enterprise e-mail.  In a business
    climate where open lines of communication are vital and e-mail has become
    the most important and pervasive desktop application, a clear corporate
    messaging policy is mandatory.  Such policies should clearly state not
    only how long an e-mail message will be kept but also how the enterprise
    will deal with other issues that e-mail misuse can bring, such as
    discrimination and harassment, copyright, defamation, spamming, employee
    privacy rights, and revelation of trade secrets (see chart, below).
    Without e-mail policies, corporations can be exposed to liability or, at
    the very least, a waste of computer resources. 
    Pulling no punches
    Some enterprises are already getting tough about enforcing e-mail
    policies. One Wall Street brokerage, Smith Barney (now Salomon Smith
    Barney Inc.), for example, fired two analysts in April for allegedly
    circulating pornographic material via the corporate e-mail system. The New
    York company's Employee Interim Handbook cautions that e-mail is subject
    to examination and that mishandling of the company's equipment could
    result in termination. 
    The handbook states: "Improper use includes but is not limited to any use
    of such equipment or services for the transmission or communication of
    images or text consisting of ethnic slurs, racial epithets, or anything
    that may be construed as illegally harassing or offensive to others based
    on an individual's race, national origin ..." 
    A policy should, first and foremost, spell out which e-mail messages are
    to be kept and which are to be thrown out. "Without a good retention
    policy, old e-mail records could be available to provide a smoking gun in
    litigation," said Eric Goldreich, IS director at Sheppard, Mullin, Richter
    & Hampton LLP, a Los Angeles law firm, where a messaging policy has been
    in place for about six years. 
    E-mail policies should also spell out what kind of message content is
    acceptable and what is not. Unless companies clearly state and enforce
    e-mail content policies, they may find themselves embroiled in a legal
    battle over e-mail issues such as harassment and racial discrimination. 
    MCI WorldCom Inc. can attest to that. Earlier this year, the
    telecommunications company, then WorldCom Corp., successfully defended
    itself against a suit charging it allowed racially harassing messages on
    its e-mail system. WorldCom's defense: It had in place an e-mail policy
    spelling out appropriate content, and the Jackson, Miss., company enforced
    Having a policy, however, is only half the battle. Businesses must let
    employees know about their policies by conducting frequent training and
    awareness seminars, said Michael Overly, special counsel to the IT group
    at Foley & Lardner, a Los Angeles law firm. 
    "Approximately 40 percent of large organizations still don't have a
    written policy in place or one that is adequate," said Overly.  "Companies
    are doing a disservice when they rush out with a two- or three-page policy
    and forget it. They need a well-written policy, followed up with adoption
    and training for employees." 
    Texaco's Zimmerman does exactly that. "All end users are notified of these
    policies via e-mail on a periodic basis ... as well as by continuous
    posting on the company intranet," said Zimmerman, who is technology leader
    for knowledge management at Houston-based Texaco. The oil company
    implemented its first e-mail policy in 1993. 
    One company, Private Business Inc., of Brentwood, Tenn., used a template
    from the Electronic Messaging Association--a membership forum for
    businesses interested in emerging messaging technologies--to build its
    e-mail policy and distribute it to users. 
    "We include our pagelong e-mail policy in the employees manual," said Rick
    Bryant, manager of sales force automation at Private Business. "It says
    e-mail is monitored periodically and subject to inspection at any time.
    ... Employees should use prudent judgment when [composing] messages and
    file attachments. But incidental personal use of e-mail is permitted." 
    Sheppard, Mullin, Richter & Hampton goes even further. Its employees are
    reminded daily of corporate messaging policies as they click through a
    log-in screen. It instructs them that their use of the computer system is
    subject to the corporate electronic communications policy. 
    Such a heavy-handed approach is not the norm in most organizations. A
    report released last month by American Management Association
    International found that only 20.2 percent of approximately 1,000
    organizations surveyed are involved in e-mail store-and-review practices. 
    A Microsoft spokesman declined to comment on the company's e-mail policies
    but said that, at more than 3 million messages a day, e-mail plays an
    important role at the company. "It facilitates transfer of important
    information so that good decisions can be made quickly," said spokesman
    Adam Sohn. 
    IT plays central role
    As businesses clean up their e-mail by designing and implementing
    policies, IT has a central role to play. One job will be to make sure all
    the other corporate departments, such as legal, human resources and even
    senior management, are involved. 
    "IT will certainly have to take a more aggressive stance in this," said
    Jonathan Penn, an analyst at Ferris Research Inc., of San Francisco. "More
    and more, it means that their job entails bringing in the legal counsel to
    plan IT policies, including message retention" or the size of outgoing
    e-mail messages. 
    IT will also need tools that can filter and monitor outbound and inbound
    e-mail messages. A growing number of such tools from ISVs can supplement
    existing messaging systems. 
    Brokerages have been among the leading adopters of such technology because
    of federal rules that require them to retain and review all communications
    with customers, including e-mail messages. 
    Advent Inc., for instance, uses SRA International Inc.'s Assentor e-mail
    message screening and archiving software to comply with Securities and
    Exchange Commission and National Association of Securities Dealers Inc.
    "[Assentor] introduces another layer of technology, but it provides us
    with a savings in time, since we don't need a human monitor for each
    message," said Eric Generous, chief financial officer at the Hartford,
    Conn., brokerage. 
    However, even many companies with strong e-mail policies are just
    beginning to look at tools that can help automate enforcement. 
    "[Our] policy is fully implemented but not fully automated," said
    Zimmerman. Texaco recently thinned down its messaging infrastructure from
    13 mail systems to Microsoft's Exchange Server. The company, which uses
    Documentum Inc.'s document management application for e-mail archiving,
    relies on individual users to specify e-mail messages for retention. 
    More important, corporations must start with strong e-mail policies that
    are widely and regularly communicated and strongly enforced. Those that
    don't may be faced with a messy trail of lawsuits. 
    "Freewheeling, casual, flippant, hyperbolic or simply careless e-mails are
    no-nos in dealing with situations presenting potential liabilities," said
    attorney Stephen Brock, of Christie, Pabarue, Mortensen and Young, in
    Philadelphia. "There are no 100 percent guarantees of confidentiality." 
    Just ask Microsoft. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:09:47 PDT