There are two problems with E-mail: how to lose what you want to hide and how to find what you need to retrieve. Merrill Lynch’s Henry Blodget and Andersen’s Nancy Temple can attest to the hazards of the former, after discoveries of their E-memos led to federal prosecution. Untold numbers of less notorious but equally harried employees have complained about the latter when forced to rifle through dozens of irrelevant messages in search of the one that holds a critical nugget of information.
Many companies have policies requiring employees to delete E-mail messages, but such policies are often ignored. And deleting a message, it turns out, is much tougher than it seems. Simply hitting the “delete” key rarely does the trick, since copies may still reside on the sender’s or recipient’s hard drive, or with anyone to whom the sender or recipient may have forwarded the message. Experts in forensic computing have proved adept at recovering E-mail messages that employees thought they had vaporized.
One potential solution comes from software that can “expire” both sent and received E-mail, or restrict a recipient’s ability to forward or print the material. Products from such companies as Atabok, Authentica, Omniva Policy Systems, and Tumbleweed Communications let senders encrypt outgoing E-mail and then provide recipients with conditional access to the decryptor key, which stays on the sender’s server. “We have no notion of where someone might have stored an E-mail or on what servers copies might be residing,” says Jim Hickey, vice president of marketing for Authentica. “But our product gives you an opportunity to expire the key at the server, so it doesn’t matter.”
That means, in theory, that everything from personal notes to top-secret product specs can be deleted after a specified time. With most products, a company can set global deletion rules based on sender or recipient characteristics, or keywords. Some, like Authentica, let senders themselves decide, and even revoke a recipient’s viewing privileges ad hoc, should a relationship change. The products can also be set to delete E-mail received internally, based on company-specified rules and keywords, although this leaves untouched copies the sender keeps or sends to others.
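The key-on-the-server scheme described above, as an added example (not code from any of the vendors named): the message travels encrypted, the sender's server keeps the only key, and expiry or revocation is enforced when a recipient asks for it. `KeyServer`, `seal`, `unseal` and `read_mail` are hypothetical names, time is passed in as a plain number, and an HMAC-SHA256 keystream stands in for a production authenticated cipher such as AES-GCM.

```python
# Added illustration: all names here are hypothetical, not any vendor's API.
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode (stdlib stand-in for a real AEAD).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext was modified")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

class KeyServer:
    """Sender-side store: one key per message, an expiry time, and an access list."""
    def __init__(self):
        self._records = {}

    def register(self, recipients, expires_at):
        msg_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._records[msg_id] = {"key": key, "expires": expires_at, "allowed": set(recipients)}
        return msg_id, key

    def revoke(self, msg_id, recipient):
        self._records[msg_id]["allowed"].discard(recipient)

    def request_key(self, msg_id, recipient, now):
        rec = self._records.get(msg_id)
        if rec is None:
            return None
        if now >= rec["expires"]:
            del self._records[msg_id]  # destroy the key; every stored copy is now unreadable
            return None
        return rec["key"] if recipient in rec["allowed"] else None

def read_mail(server, msg_id, blob, recipient, now):
    # The recipient holds only ciphertext and must ask the sender's server each time.
    key = server.request_key(msg_id, recipient, now)
    return unseal(key, blob).decode() if key else None
```

Expiry and revocation act only on the server's key record; the ciphertext copies, wherever they were stored or forwarded, are never touched.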
Not for Everyone
Unfortunately, these software products are not panaceas. “There is absolutely a need for them, but they’re a hassle to implement,” says David Ferris of Ferris Research, a San Francisco-based market research firm. It takes significant upfront work to configure a system to filter all E-mail and automatically delete certain types, he says. Permitting employees to individually determine expirations requires absolute confidence in employee compliance, and can be time-consuming. Furthermore, recipients of encrypted E-mail may need to have special software installed to read the messages, or may have to access them via a third-party Web site. Even Authentica’s Hickey admits, “This is not something you’d put on everyone’s desktop.” Nor does he suggest all E-mail be encrypted for future control. “Probably 10 to 15 percent of correspondence would merit this.”
But the software is useful for protecting obviously sensitive documents that are carried in E-mail, such as sales strategies, business plans, and due-diligence information pertaining to an acquisition. Matthew Kovar, director of Security Solutions & Services at the Yankee Group, expects “secure content delivery” technologies and services to be an $800 million market this year, more than quadruple what it was just two years ago. The market may get an additional boost as vendors make the products easier to use. This month Omniva will launch a new product that can be integrated into the corporate E-mail directory and gives companies more control over who can and can’t receive certain E-mail. Recent privacy legislation, such as Gramm-Leach-Bliley in the financial-services sector and HIPAA in health care, has also prompted companies to take a look at E-mail management tools.
Should It Stay or Should It Go?
Costs for such software vary widely. Authentica charges between $30,000 and $50,000 for a perpetual license for the first 1,000 users. Tumbleweed, which charges on a per-CPU basis, says its average deal is around $500,000. Buyers need to be cautious when selecting a vendor, since many of them are new and attempting to establish themselves at a time when most companies are watching every penny. Tumbleweed, one of the few public companies in this space, has yet to turn a profit; it lost more than $114 million last year as revenues dropped 22 percent.
For companies not subject to industry regulations, retaining E-mail for long periods of time is probably not necessary, says Michael Overly, an attorney with Foley & Lardner, and the author of Document Retention in the Electronic Workplace. Two-thirds of companies have a formal E-mail management policy, which sometimes includes parameters for deletion, if only to save storage space and keep system response times high.
However, he cautions that companies should be ready to suspend deletion activity as soon as litigation looms. “At times, destroying E-mail, even if it contains nothing damaging, can lead to legal problems,” he says. For example, says Overly, Hughes Aircraft was once held liable for $90,000 for destruction of evidence, partially as a result of accidentally overwriting E-mail relevant to the case after the former employee’s lawyer had notified them.
But it may be the “save” key rather than the “delete” key that poses the biggest problems. E-mail archives often act as a handy filing system, until you have to find a piece of information buried in a particular message. Bellevue, Washington-based Applied Discovery Inc. is one of several companies (others include Fios, Electronic Evidence Discovery, and Tumbleweed) that help clients find the needle in the E-mail haystack. The company categorizes, manages, searches, and reviews electronic data (E-mail, documents, and other “unstructured” data) from clients via a secure online “reading room.”
Applied Discovery is helping Enron organize its electronic files, including E-mail, into a central, searchable repository for the plethora of lawyers and regulatory bodies looking to build their cases. “This way, Enron has to process the information only once,” says Applied Discovery CEO Michael Weaver. A customer typically ends up paying about 20 cents per page for information managed this way, as opposed to $1.30 for the traditional method of coding and scanning.
Laurel, Delaware-based KVS Inc., which sells an E-mail search agent for Microsoft Exchange, says calls from investment houses and energy companies have kept its phone “ringing off the hook” in recent months — presumably the one form of non-E-mail contact the company embraces.
Instant Success
Even as companies grapple with the billions of E-mail messages they generate each year, a new form of communication is competing for corporate mindshare and dollars. Instant messaging, which began as an enhanced way for consumers to chat on AOL, has taken hold in the business world at an astounding pace: Ferris Research estimates there are 100 million users worldwide. Jupiter Media Metrix estimates that 16.9 million U.S. business users were IM’ing, as it’s known, since this past April. More significant than the actual number is the growth: Dozens of companies now offer IM software and services, and analysts expect IM to be as ubiquitous as E-mail within a few years.
IM comprises several functions, but the two most useful are the ability to have a real-time E-mail conversation in a pop-up window and to see at a glance who else is “present”; that is, at their PC and available to IM.
IM often comes into companies through the back door, as savvy employees simply download free software from AOL or Yahoo. But the many private companies vying to become leaders in IM argue that the bare-bones IM functionality that can be plucked from the Internet for free poses major security and privacy risks, and doesn’t include a host of administrative capabilities essential to managing the growing volume of IM content. As IM becomes a popular way both for employees to chat and for companies to talk to customers and suppliers, these purveyors argue that today’s freebie will ultimately exact a high price. “But the free versions are actually good for us,” says Ryan Alexander, president and COO of Omnipod Inc., which sells a suite of IM and file-sharing software, “because the security concerns prompt companies to suspend its use, but employees balk, so companies decide to buy products that meet their needs.”
Alexander says IM will soon become a commodity, so he and other newer vendors are in a race to bundle it with other services and capabilities. Given that competitors include Microsoft and Lotus, smaller firms have plenty of motivation to innovate.