E-mail as evidence: threat or opportunity?

In today's business environment, IT managers are increasingly being asked to monitor and create policies on the use of enterprise technology and information. The use of e-mail within a company falls within this ambit and, because e-mail correspondence can have more and more of a legal implication, IT managers are having to make decisions with legal or ethical implications relating to e-mail content.

Kevin Isaac, 's regional manager for Middle East and Africa, says an important way of helping IT managers who may find themselves in this kind of position is to establish e-mail policies and procedures.

"This should help make their decisions easier, encourage safe, productive Internet use and promote a positive workplace," he adds.

E-mail may be available for scrutiny long after it has been sent, whereas verbal or physical communications may become convoluted in re-telling, which means they may not be as credible or that participants may remember them differently. Therefore, e-mail is often considered to be highly valuable evidence in investigations.

But why would an employer or third-party want to review an employee's e-mail - personal or professional? Common situations in which e-mail is used as evidence in investigations include:

• Claims of sexual harassment. In such cases, the company may be required to produce e-mail logs of the individuals directly involved as well as anyone else who may have had a role in the incident. Companies may also be asked to produce evidence of any previous complaints.
• Claims of discrimination. E-mail may contain remarks that could be construed as discrimination, racial and otherwise - often as a result of the casual, conversational style people adopt when writing e-mail. For example, a number of major corporations have been sued by African-American employees over messages that allegedly contained racist jokes.
• Employee productivity. Employee productivity is "this year's biggest e-mail issue" according to an IDC analyst. If an employee is spending company time using e-mail or the Internet for personal activities, the company is losing money. That's the bottom line. But how much time is too much, and where does a company draw the line? One company caught an employee using one of its computers to run a personal business. Another company fired an employee who sent a religious holiday message to 60 000 of its employees - with return receipts. That single e-mail crashed the enterprise network and cost the company hundreds of thousands of dollars in productivity. A third firm brought Internet surfing by employees down from 15 000 hours a month to 1 500 when it started monitoring employee Web usage.
• Information leaks. Approximately 20% of corporations were the victim of electronic information theft - either by employees or third parties - in 1999, according to the 2000 Computer Security Institute/FBI Computer Crime and Security Survey. E-mail can be used to steal company secrets. Though inside spies use a variety of methods (eg wiretapping or saving documents to removable media) to obtain proprietary information, e-mail is often chosen because it is so fast and easy to send multiple documents to an outside e-mail box. For the insider, it can be done with little suspicion-even during work hours.
• Business practices. If, for any reason, your company comes under scrutiny for a questionable business practice, your corporate e-mail could be called as evidence. Employees may communicate marketing plans and ideas that, even if never put into place, could be recorded in an e-mail message that could negatively affect your company.
• Employee personal litigation. Like it or not, if a company employee has used his or her e-mail system for personal communication or activity, that content may be evidence in any sort of legal situation.

So what can your company do to manage e-mail-related risks? First, says Isaac, companies should have policies in place that clarify employees' privacy expectations and provide e-mail usage guidelines. "Such policies should make it clear to employees that online activity will be monitored, and that the employees can be disciplined for inappropriate content or other usage," he explains.

Guidelines include:

• comprehensive and easily understood; let the employee know whether or not the company will be broadly monitoring e-mail, or simply subjecting it to random or systematic scans.
• written in a tone that doesn't mimic that of "Big Brother," but clearly states repercussions. Employees should know what potential situations might warrant their e-mail coming under scrutiny.

"When creating and implementing policies, include all the necessary players: IT, human resources, legal departments and others. "Last, but not least, have your employees sign and date a copy of the policy, so you have a record of their acknowledgement."

Another way to manage e-mail risks is to use technology to tighten e-mail content security. Some 27% of large US firms have begun checking employee e-mail, according to the American Management Association. One large entertainment company was able to cancel an order for a T3 line after monitoring and limiting audio and video files e-mailed to employees. The company saved itself $20 000-$50 000 per month.

Industry analysts have found that in most companies, e-mail accounts for about 70% of all network traffic, yet only about 10% is protected by security measures. This gap is unnecessary since there is automatic monitoring and filtering software available to monitor and block certain kinds of e-mail messages.

Says Isaac: "Automated e-mail content filtering software helps to create a productive, safe Internet environment for all employees. Since every enterprise has unique challenges and business objectives, effective e-mail filtering software is customisable. IT managers configure e-mail content filtering software according to enterprise e-mail policy."

For instance, e-mail content filtering solutions can prevent e-mail messages that are labeled "confidential" from going outside the company's network, or it can be used to control and trace e-mail traffic. It may be used to block or alert specified personnel to content containing certain types of inappropriate or confidential information.

In investigations, such for inappropriate behaviour, e-mail content logs provide an ample concrete trail of evidence. If an organisation chooses to, it can also use filtering software to extend different levels of e-mail and Internet privileges to different employees. This feature can help to maximise Internet resources as well as productivity. E-mail monitoring solutions can help to indemnify corporate liability in litigation, especially for discrimination or harassment. E-mail monitoring shows courts that an enterprise has made a reasonable attempt to enforce e-mail and Internet policies-which usually prohibits inappropriate content.

"For today's computing environment, keeping track of the electronic paper trail is just as important as storing physical files of memos and documents used to be," Isaac stresses. "Whether the incident concerns proprietary data theft, employee productivity or harassment, e-mail content monitoring can be used to minimise enterprise risk or recoup losses. E-mail policies, along with e-mail content monitoring solutions, help IT departments to manage e-mail content effectively and efficiently."