Whether it’s government officials or company employees, e-mail users who send messages outside their official government or corporate networks could be putting their organizations at risk for legal action, regulatory compliance problems, intellectual property thefts and more.
Last week’s decision by the U.S. House Committee on Oversight and Government Reform to look at the apparent use of outside e-mail accounts by some high-ranking White House staff members illustrates such worries in government, but the issue should also be very much on the minds of corporate leaders, experts say.
The House committee this week plans to interview White House counsel Fred Fielding and the chairmen of the Republican National Committee and the 2004 Bush-Cheney re-election campaign to learn more about the use of the outside e-mail accounts and whether the messages on them were archived.
The White House has said that the outside e-mail accounts were used for political communications that would not have been permissible under federal law using the official White House e-mail system. The Hatch Act prohibits federal employees from being involved in political activities through their workplaces.
“What’s come to light are individuals not being clear which roles they’re performing when they’re logged in to different e-mail accounts,” said Richi Jennings, an e-mail security analyst with San Francisco-based Ferris Research Inc. “It actually turns out to be quite difficult for all the people all the time to be disciplined enough to use the right e-mail address for the right role.”
The problem is exacerbated by the normal pattern of an e-mail exchange between two or more users, where the original topic can ebb and flow into wider topics as the message thread expands, Jennings said. “It could start out with government topics and then become something more political. People have to have their antennas up, to say ‘maybe we should stop talking about this subject now and switch to the official e-mail system.'”
“People are going to get it wrong,” he said. “I think it’s inevitable that someone’s going to look at this.”
One answer for government and corporate users is to have clear policies in place to let users know what is expected of them at all times to protect their organizations, he said, and to have technological controls to be able to watch and control the way users send and receive e-mails.
Clive Horton, CEO of e-mail security consultants ReSoft International LLC in New Canaan, Conn., said such issues are “an interesting dilemma for a lot of companies because a lot of companies think they’re not under any regulatory requirements” for e-mail retention, archiving and controls. But if an employee sends some kinds of messages, including information on corporate secrets, intellectual property and other sensitive subjects, then such controls could be necessary, Horton said.
“In many cases, it’s not necessarily malicious,” he said, but is still something companies wouldn’t want their employees sending outside of their corporate networks.
A wide range of software tools are available to help companies control what goes in and out of their e-mail systems, including software that can scan messages and categorize them into subjects for analysis. Some applications can allow companies to lock out external consumer e-mail accounts such as Yahoo! Mail, AOL’s AIM mail, Microsoft’s Hotmail and Google Inc.’s Gmail. But with a myriad of free account services available on the Web, not all of the free services can likely be locked out, he said.
Corporate users can choose the appropriate e-mail protection systems, from archiving and tracking software to access lock-downs and perimeter filters that watch what comes in and out and send alerts and other notifications to administrators.
The concern is that if company communications are being conducted outside official corporate e-mail systems, there’s no way to control their security, preservation or use.