There are two problems with E-mail: how to lose what you want to hide and how to find what you need to retrieve. Merrill Lynch's Henry Blodget and Andersen's Nancy Temple can attest to the hazards of the former, after discoveries of their E-memos led to federal prosecution. Untold numbers of less notorious but equally harried employees have complained about the latter when forced to rifle through dozens of irrelevant messages in search of the one that holds a critical nugget of information.
Many companies have policies requiring employees to delete E-mail messages, but such policies are often ignored. And deleting a message, it turns out, is much tougher than it seems. Simply hitting the "delete" key rarely does the trick, since copies may still reside on the sender's or recipient's hard drive, or with anyone to whom the sender or recipient may have forwarded the message. Experts in forensic computing have proved adept at recovering E-mail messages that employees thought they had vaporized.
One potential solution comes from software that can "expire" both sent and received E-mail, or restrict a recipient's ability to forward or print the material. Products from such companies as Atabok, Authentica, Omniva Policy Systems, and Tumbleweed Communications let senders encrypt outgoing E-mail and then provide recipients with conditional access to the decryptor key, which stays on the sender's server. "We have no notion of where someone might have stored an E-mail or on what servers copies might be residing," says Jim Hickey, vice president of marketing for Authentica. "But our product gives you an opportunity to expire the key at the server, so it doesn't matter."
That means, in theory, that everything from personal notes to top-secret product specs can be deleted after a specified time. With most products, a company can set global deletion rules based on sender or recipient characteristics, or keywords. Some, like Authentica, let senders themselves decide, and even revoke a recipient's viewing privileges ad hoc, should a relationship change. The products can also be set to delete E-mail received internally, based on company-specified rules and keywords, although this leaves untouched copies the sender keeps or sends to others.
Not for Everyone
Unfortunately, these software products are not panaceas. "There is absolutely a need for them, but they're a hassle to implement," says David Ferris of Ferris Research, a San Francisco-based market research firm. It takes significant upfront work to configure a system to filter all E-mail and automatically delete certain types, he says. Permitting employees to individually determine expirations requires absolute confidence in employee compliance, and can be time-consuming. Furthermore, recipients of encrypted E-mail may need to have special software installed to read the messages, or may have to access them via a third-party Web site. Even Authentica's Hickey admits, "This is not something you'd put on everyone's desktop." Nor does he suggest all E-mail be encrypted for future control. "Probably 10 to 15 percent of correspondence would merit this."
But the software is useful for protecting obviously sensitive documents that are carried in E-mail, such as sales strategies, business plans, and due-diligence information pertaining to an acquisition. Matthew Kovar, director of Security Solutions & Services at the Yankee Group, expects "secure content delivery" technologies and services to be an $800 million market this year, more than quadruple what it was just two years ago. The market may get an additional boost as vendors make the products easier to use. This month Omniva will launch a new product that can be integrated into the corporate E-mail directory and gives companies more control over who can and can't receive certain E-mail. Recent privacy legislation, such as Gramm-Leach-Bliley in the financial-services sector and HIPAA in health care, has also prompted companies to take a look at E-mail management tools.
Should It Stay or Should It Go?
Costs for such software vary widely. Authentica charges between $30,000 and $50,000 for a perpetual license for the first 1,000 users. Tumbleweed, which charges on a per-CPU basis, says its average deal is around $500,000. Buyers need to be cautious when selecting a vendor, since many of them are new and attempting to establish themselves at a time when most companies are watching every penny. Tumbleweed, one of the few public companies in this space, has yet to turn a profit; it lost more than $114 million last year as revenues dropped 22 percent.
For companies not subject to industry regulations, retaining E-mail for long periods of time is probably not necessary, says Michael Overly, an attorney with Foley & Lardner, and the author of Document Retention in the Electronic Workplace. Two-thirds of companies have a formal E-mail management policy, which sometimes includes parameters for deletion, if only to save storage space and keep system response times high.
However, he cautions that companies should be ready to suspend deletion activity as soon as litigation looms. "At times, destroying E-mail, even if it contains nothing damaging, can lead to legal problems," he says. For example, says Overly, Hughes Aircraft was once held liable for $90,000 for destruction of evidence, partially as a result of accidentally overwriting E-mail relevant to the case after the former employee's lawyer had notified them.
Reader Comments» Post a comment