Risky e-mail use: What government and corporate users need to know

Clear policies, high-tech tools can help protect organizations

Whether it's government officials or company employees, e-mail users who send messages outside their official networks could be putting their organizations at risk for legal action, regulatory compliance problems, intellectual property thefts and more.

Last week's decision by the U.S. House Committee on Oversight and Government Reform to look at the apparent use of outside e-mail accounts by some high-ranking White House staff members illustrates such worries in government, but the issue should also be very much on the minds of corporate leaders, experts said.

The House committee this week plans to interview White House counsel Fred Fielding and the chairmen of the Republican National Committee and the 2004 Bush-Cheney re-election campaign to learn more about the use of outside e-mail accounts and whether the messages on them were archived.

The White House has said that the outside e-mail accounts were used for political communications that would not have been permissible under federal law using the official White House e-mail system. The Hatch Act prohibits federal employees from being involved in political activities through their workplaces.

"What's come to light are individuals not being clear which roles they're performing when they're logged into different e-mail accounts," said Richi Jennings, an e-mail security analyst at San Francisco-based Ferris Research Inc. "It actually turns out to be quite difficult for all the people all the time to be disciplined enough to use the right e-mail address for the right role."

The problem is exacerbated by the normal pattern of an e-mail exchange between two or more users, where the original topic can ebb and flow into wider topics as a message thread expands, Jennings said. "It could start out with government topics and then become something more political. People have to have their antennas up, to say, 'Maybe we should stop talking about this subject now and switch to the official e-mail system.'

"People are going to get it wrong," he added. "I think it's inevitable that someone's going to look at this."

One answer for government and corporate users is to have clear policies in place to let users know what is expected of them at all times to protect their organizations, Jennings said, and to have technological controls to be able to monitor and control the way users send and receive e-mails.

Clive Horton, CEO of e-mail security consultancy ReSoft International LLC in New Canaan, Conn., said such issues are "an interesting dilemma for a lot of companies, because a lot of companies think they're not under any regulatory requirements" for e-mail retention, archiving and controls. But if an employee sends some kinds of messages, including information on corporate secrets, intellectual property and other sensitive subjects, then such controls could be necessary, Horton said.

"In many cases, it's not necessarily malicious," he said, but it still may be something companies wouldn't want their employees sending outside of their corporate networks.

A wide range of software tools are available to help companies control what goes in and out of their e-mail systems, including software that can scan messages and categorize them based on their subject for analysis. Some applications can allow companies to lock out external consumer e-mail accounts such as Yahoo Mail, AOL's AIM mail, Microsoft's Hotmail and Google Inc.'s Gmail. But with myriad free account services available on the Web, it's likely that not all of the free services can be locked out, he said.

Corporate users can choose the appropriate e-mail protection systems, from archiving and tracking software to access lockdowns and perimeter filters that watch what comes in and out and send alerts and other notifications to administrators.

The concern is that if company communications are being conducted outside official corporate e-mail systems, there's no way to control their security, preservation or use.

Recommind Inc. specializes in electronic legal discovery software that can categorize data from millions of e-mails and other files and automatically look for similarities and patterns, helping investigators find information. Craig Carpenter, a spokesman for San Francisco-based Recommind, said that the company's MindServer Legal software allows companies to determine what is in their e-mails, documents and other corporate databases to better protect themselves in the event of lawsuits or regulatory inquiries. New federal court rules on legal discovery also make it more important for companies to have access to such information more quickly, Carpenter said.

"You want software that literally looks at all the words in an e-mail or document and that can search based on a sender, recipient, concepts or on words or numbers," Carpenter said. "That's what an investigator would use our software to do."

Autonomy Corp.'s Aungate division sells software that monitors enterprise communications in real time to assure compliance and provide detailed records trails in the event of legal actions, compliance investigations or other scenarios.

Anna Catalana, a spokeswoman for Cambridge, England-based Autonomy, said the software allows corporate users to see communications patterns in e-mails, voice mails, blogs, video and documents so that the context and content can be indexed, archived, researched and analyzed. "You can set it up for your specific corporate policies," Catalana said. "It will stop things from going out."

Kroll OnTrack Inc. offers its OnTrack First View tools, which can be used to analyze corporate data -- including e-mails -- to get graphical representations of subjects and the number of communications on specific dates and topics, and to track messages by senders and other criteria. "This is almost like a spider web," said Michele Lange, a staff attorney for the Eden Prairie, Minn.-based vendor.

The company also offers computer forensics experts to come in and dig deeply into corporate data systems to find "digital fingerprints" related to what messages were sent, when they were sent and who sent them, to aid in investigations, she said.

Copyright © 2007 IDG Communications, Inc.

  
Shop Tech Products at Amazon