
E-Mail Controls: Learn How to Play the Game of Risk by Your Own Rules

Win the high stakes of enterprise e-mail controls by creating the right policies for your organization before it's too late.

The majority of organizations today are at risk, with minimal or no policies in place to control the data shared through everyday communications. According to Enterprise Strategy Group (ESG), more than 65 percent of an average company's intellectual property is sent both internally and externally via e-mail and resides somewhere within the messaging infrastructure. In addition, according to an Osterman Research report from December 2008, only about one-third of organizations have what they consider to be detailed and thorough e-mail policies, while the vast majority have only basic, relatively incomplete policies in place.

It is clear that the majority of companies today do not have the necessary systems in place to implement the policies needed to protect the organization's data. If systems are in place, e-mail is often overlooked.

This situation can leave organizations in a more precarious position than C-level executives initially realize, especially those in highly regulated industries. After all, e-mail has replaced memos, voice mails and face-to-face meetings as a means of sharing information and getting work done. Many employees prefer e-mail over telephone conversations because it allows for easy and efficient communication with multiple parties, with the added benefit of a paper trail that can be tracked and referenced as needed.

As e-mail further becomes a workflow tool, its relevance deteriorates in many ways. Most see e-mail as somewhat of a burden in the work day, despite it being a necessary communications tool. Users are copied and blind copied as both a courtesy and a requirement. Other “opt-in” e-mail traffic, such as periodicals, newsletters, order confirmations and personal e-mails, only adds to the volume of messaging activity. With e-mail now considered a legal business record, this growing volume of information signals a source of increased legal liability within the enterprise.

Underscoring the importance of properly categorized and managed e-mail archives, the Federal Rules of Civil Procedure (FRCP) require that e-mail and other electronic communication be provided in a timely and organized manner during the litigation discovery process. With current regulations including SEC Rule 17a-4, SOX, FERC and HIPAA also posing an increased risk of violation to organizations lacking the necessary policy controls, C-level executives must find methods to comply with laws and regulations while keeping capital expenditures and operating budgets at a minimum. For example, some organizations have taken to targeted archiving: archiving only those users who might be involved as custodians in the future. For many organizations this represents only a small fraction of the total user base. In any case, the best approach is a proactive one that avoids costly litigation fees or fines triggered by a regulatory violation.

With regulatory and e-discovery deadlines in full effect, organizations of all sizes are pressed to implement a proactive approach based on cost-effective e-mail retention and archiving policies that can be consistently enforced. Implementing enterprise e-mail risk management is a strategic priority that requires business-driven policies and a flexible technology deployment to enforce them. To improve disclosures and safeguard against potential regulatory violations within enterprise e-mail traffic, consider integrating your IT, compliance, HR and legal departments into a cohesive team to implement an ongoing, proactive strategic approach to regulatory risk management.

To get a start on implementing an ongoing preventative approach to enterprise e-mail management, the following are suggested steps to help organizations address regulatory compliance risks by creating a true culture of compliance without additional expense in time or business interruption:

1. Manage intentional and unintentional employee misuse. While neither SOX nor the SEC's implementing regulations impose specific requirements for e-mail security, or IT security in general, the frameworks commonly used for assessing internal controls are still applicable to e-mail. The instant and casual nature of e-mail poses a risk for all organizations. To secure casual conversations and avoid routinely routing inappropriate e-mails to compliance departments, consider e-mail controls as low-cost insurance and a critical component in protecting information from unauthorized use, disclosure or modification.

2. Practice smart archiving. Many companies try to retain all e-mails, but the huge and growing volume of e-mail impacts storage budgets and resources. Under SEC Rule 17a-4, securities firms must retain their electronic documents, including e-mail, for five years and ensure that they are readily retrievable and reviewable in a short turnaround time. When e-mail is requested by a regulatory body, the retrieval time is immediate, usually within the next 24 hours. By applying real-time analysis through consistent e-mail archiving controls before messages enter the archive, companies can avoid costly e-discovery litigation fines.

3. Create e-mail controls and policies that can intercept at-risk e-mails. Under HIPAA, companies must maintain administrative, technical and physical safeguards to prevent intentional or unintentional disclosure of Protected Health Information (PHI). In order to maintain complete audit trails for any data leaving the company, look for a flexible policy engine that enables proactive management of information flow while mitigating insider threats, all in real time.

4. Audit and profile e-mail usage in real time. To safeguard against any potential e-mail risks, build custom policies that look for specific criteria in e-mail attachments, including file formats and usage patterns. For example, FRCP requires the speedy recovery of electronically stored information, which is only possible with rapid search and retrieval capabilities, as well as the ability to audit operations. IT should have the ability to review e-mails and implement actions based on group affiliation, policies, and e-mail and attachment content and context, in real time within the live e-mail stream.

5. Provide real-time blocking and re-routing of outbound e-mails. Companies need a solution that can stop an incident at ingestion of the e-mail and gives IT the ability to review and monitor e-mails within the live e-mail stream through a network implementation. For utility companies to meet FERC requirements, a proactive e-mail risk management approach is required in order to block and prevent restricted information contained within e-mail from ever reaching restricted individuals, based on group designations or the parameters of content in the message or attachment.
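As an added illustration, not code from the original article or from MessageGate, the toy policy engine below applies the kinds of rules steps 2 through 5 describe to an outbound message and returns an audit record for every message, whether it is allowed, re-routed to compliance review or blocked. The domain, the group designations, the forbidden transmission-to-marketing flow, the PHI heuristics and the blocked attachment types are all constructed for the example; a real deployment would take them from an identity store and a policy configuration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names

INTERNAL_DOMAIN = "utility.example"                        # constructed
GROUPS = {"ops@utility.example": "transmission",          # constructed group designations
          "sales@utility.example": "marketing",
          "nurse@utility.example": "clinical"}
# Constructed FERC-style separation: transmission staff may not send to marketing staff
FORBIDDEN_FLOWS = {("transmission", "marketing")}
# Constructed PHI heuristics: an MRN-style identifier or a diagnosis term
PHI_PATTERNS = [re.compile(r"\bMRN[: ]*\d{6,}\b"), re.compile(r"\bdiagnos(?:is|ed)\b", re.I)]
BLOCKED_EXTENSIONS = (".exe", ".scr", ".js")
COMPLIANCE_QUEUE = "compliance-review@utility.example"    # constructed re-route target

def evaluate(msg):
    """Apply the policy rules in priority order; return an audit record for every message."""
    reasons = []
    external = [r for r in msg.recipients if not r.endswith("@" + INTERNAL_DOMAIN)]
    sender_group = GROUPS.get(msg.sender)
    # Step 5: group-based flow restriction, checked per recipient
    for r in msg.recipients:
        if (sender_group, GROUPS.get(r)) in FORBIDDEN_FLOWS:
            reasons.append(f"restricted flow {sender_group}->{GROUPS[r]} ({r})")
    # Step 4: attachment file format criteria
    for name in msg.attachments:
        if name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment type: {name}")
    # Step 3: PHI leaving the company
    text = msg.subject + "\n" + msg.body
    if external and any(p.search(text) for p in PHI_PATTERNS):
        reasons.append("possible PHI to external recipient")
    if reasons:
        action = "block"
    elif external and "confidential" in text.lower():
        action = "reroute"
        reasons = [f"confidential marker sent externally; held for {COMPLIANCE_QUEUE}"]
    else:
        action = "allow"
    # Step 2: every message is archived regardless of the action taken on delivery
    return {"action": action, "reasons": reasons, "archive": True}
```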

Beyond these suggested steps, consider how non-compliant activities impact an organization on many levels, ranging from reputation damage to legal liability to stock price declines. In the wake of recent Wall Street scandals, one leading firm saw its market capitalization decline by more than 25 percent when e-mails were released that revealed the inappropriate and unethical treatment of certain stocks. Firms that have public trust built into their share price run the risk of substantial declines if non-compliant activity is allowed to occur, and is then made available to the public in the form of e-mails.

Regulatory compliance is moving from being necessary to do business to being essential to stay in business. The time has come for practical enterprise e-mail controls to become a strategic business priority as well. Companies can no longer ignore e-mail-related risks and must take proactive measures to meet compliance mandates, safeguard intellectual property, maintain shareholder value and prevent embarrassing headlines. The key is to start with the issues that are most pressing from a business perspective, and evaluate how they might translate into enforceable policies for electronic communications. Only then can enterprises build an effective culture of compliance within the organization to prevent recurring violations and implement an ongoing, proactive strategic approach to e-mail-derived risks.

Chris Bradley is vice president of marketing and business development at MessageGate, a provider of e-mail controls for enterprise risk management.
