Biggest E-Mail Blunders of 2003
Experts Offer Tips to Avoid Devastating E-Mail Gaffes in 2004
San Ramon, CA—December 12, 2003—Corporate e-mail gaffes triggered costly disasters in 2003, from high-profile lawsuits and million-dollar regulatory fines to humiliating public revelations about employees’ private lives. In hopes that this year’s expensive e-mail gaffes will serve as a wake-up call for business, The ePolicy Institute and Clearswift have identified the Biggest E-Mail Blunders of 2003, featuring the year’s top five e-mail mistakes and tips for avoiding similar disasters in 2004.
According to Nancy Flynn, executive director of The ePolicy Institute and author of E-Mail Rules (Amacom 2003), the Biggest E-Mail Blunders of 2003 underscore the need for organizations to establish e-mail policies, educate employees about e-mail risks and rules, and enforce e-mail policy with software.
“Careless clicks can—and do—sink corporate ships,” said Flynn, noting that embarrassing headlines, six-figure lawsuits, and other e-mail-related disasters can strike any organization that fails to manage e-mail strategically.
Top Five E-Mail Blunders of 2003
The ePolicy Institute and Clearswift have identified five common and costly errors as the Biggest E-Mail Blunders of 2003—and offer advice for those eager to avoid similar on-the-job disasters.
#1. Failing to Keep Content Clean, Compliant, and Corporate: Enron Employees Learn a Hard Lesson About Keeping Personal and Business E-Mail Separate.
Because Enron employees regularly used the company’s e-mail system for personal communication, private messages were retained alongside Enron’s electronic business records. Consequently, employees’ personal e-mail was collected as evidence during the Federal Energy Regulatory Commission (FERC) investigation of Enron’s alleged energy-market manipulation.
When in 2003 FERC posted 1.6 million Enron e-mails online, employees’ private correspondence went on public display. Employee romances, affairs, and marriages were discussed—with senders’ and receivers’ names attached. Executive salary packages and employee performance reviews were transmitted—with senders’ and receivers’ names attached. Employees’ bank records and Social Security numbers were displayed—with senders’ and receivers’ names attached.
FERC eventually removed e-mails containing Social Security numbers and employee performance evaluations. But not before the Enron e-mail disaster was covered by the national business media, and millions of curious readers (including identity thieves and other malicious outsiders) jumped online to sort through the goldmine of Social Security numbers, personal dirt, and other “goodies.”
A cautionary tale for all corporate e-mail users, the Enron e-mail disaster drives home an important lesson for employees. Never use your employer’s e-mail system to transmit personal, sensitive, or confidential information that would embarrass you or harm your loved ones were it made public. For employers, the Enron e-mail disaster clearly illustrates why it is so important to distinguish business record e-mail from inconsequential messages, and to purge all e-mail that need not be retained for business, legal, or regulatory purposes.
#2. Failing to Retain Business Record E-Mail: Investment Banker Frank Quattrone Discovers It’s Illegal to Destroy E-Mail Evidence.
Investment Banker Frank Quattrone was accused in 2003 of obstructing federal grand jury and SEC investigations after he forwarded an e-mail urging members of his technology-sector banking group at Credit Suisse First Boston (CSFB) to “clean up” their files. At the time he sent the e-mail, the grand jury and regulators were investigating whether CSFB accepted kickbacks from hedge funds in exchange for hot IPOs. The file-cleanup e-mail was just one of several e-mails that prosecutors used as evidence in the high-profile, widely publicized case against Quattrone.
The case, which ended in a mistrial, gives individual e-mail users a new reason for alarm. Under the legal principle of vicarious liability, employers are typically held responsible for the wrong acts of employees. In the Quattrone case, however, the individual, not CSFB, was held responsible for ordering the deletion of e-mail files.
Quattrone’s trial illustrates why corporate e-mail users should strictly adhere to the organization’s e-mail retention strategy, and never destroy e-mail evidence after an inquiry begins. Employers have been slow to learn this lesson in spite of growing scrutiny from courts and regulators. According to the 2003 E-Mail Rules, Policies, and Practices Survey from American Management Association (AMA), The ePolicy Institute, and Clearswift, only 34% of employers have written e-mail retention and deletion policies in place. That’s the same figure reported in 2001, a year before five Wall Street brokerages were fined $8.25 million by the SEC for failing to retain e-mail in accordance with regulations.
#3. Failing to Educate Employees: Merrill Lynch Experiences the Sting of Negative E-Mail-Related Publicity.
“Ask yourself: How would I feel if this message appeared on the front page of a newspaper?” Two senior executives of Merrill Lynch experienced the sting of negative publicity first-hand when an e-mail message in which they cautioned 50,000 employees to be mindful of e-mail content was covered by the national business media.
Don’t leave employee education to chance. Cover content, confidentiality, and compliance concerns in your e-mail training program. You never know when a disgruntled employee or vengeful ex-employee will share a confidential internal e-mail message with the media, competitors, or other outsiders.
Unfortunately, only 48% of organizations offer e-policy education to employees, and merely 27% train staff about e-mail retention rules. That’s according to the 2003 E-Mail Rules, Policies, and Practices Survey from AMA, The ePolicy Institute, and Clearswift.
E-mail training is central to sound e-risk management. Not only is an educated workforce more likely to comply with written e-mail rules, but the courts and regulators tend to respond favorably to policy and training consistently applied. The U.S. Supreme Court has made it clear that, through the development and enforcement (including employee training) of comprehensive e-mail policies, an organization may be able to create a defense against sexual harassment or hostile work environment liabilities stemming from employee e-mail.
#4. Failing to Monitor Employees’ E-mail Use: Big Brother Watches as American Family Insurance Employee Wilts.
A 2003 undercover investigation of the Yahoo! “Candyman” e-group led the FBI to suspect that an employee of American Family Insurance was using the company’s e-mail system to receive child pornography. When the employee tried to suppress evidence found during the FBI’s search of his work computer, the court ruled that he had no expectation of privacy, given his employer’s computer-related rules, policies, and procedures.
American Family Insurance had a log-in notice that warned of possible monitoring or searching, and required users to click “OK” to proceed. Every time the defendant accessed his work computer, he consented to his employer searching it. The company also posted e-policies on its intranet site and sent e-mail notices to employees reminding them of the policies.
The court stated: “An employee cannot claim a justified expectation of privacy in computer files where the employer owns the computer; the employee uses that computer to obtain access to the Internet and e-mail through the employer’s network; the employee was explicitly cautioned that information flowing through or stored on computers within the network cannot be considered confidential; and where computer users were notified that network administrators and others were free to view data downloaded from the Internet.”
Savvy employers are catching on to the wisdom of monitoring external e-mail communications. According to the 2003 E-Mail Rules, Policies, and Practices Survey from AMA, The ePolicy Institute, and Clearswift, 51% of employers monitor incoming e-mail, and 39% keep an eye on outgoing e-mail. Where employers drop the ball, however, is with the internal e-mail communications that take place among employees. Only 19% of organizations monitor internal employee e-mail.
“Management’s failure to monitor internal e-mail discussions among employees is a potentially costly oversight,” said Greg Hampton, Vice President at Clearswift. “E-mail messages between employees are exactly the type of casual, off-the-cuff communications that tend to contain inappropriate, offensive content that may trigger claims of a hostile work environment, sexual harassment, or racial discrimination,” Hampton said.
Don’t leave e-risk management to chance. Keep online employees in-line by: (1) Establishing written e-mail rules and policies; (2) Educating all employees, from entry-level staff to the CEO; and (3) Installing policy-based content filtering software such as Clearswift’s MIMEsweeper and ENTERPRISEsuite, designed to work in conjunction with the organization’s written e-mail policies.
#5. Failing to Recognize—and Manage—Instant Messaging as a High-Risk Business Tool: IM Is Used in 90% of Offices—Without Management’s Knowledge or Authorization.
An internal survey revealed that more than half of the 1,300 employees of regional stock brokerage firm Stifel Nicolaus had downloaded free IM software from the Web without management’s knowledge or approval. Brokers were using IM without the authorization of the firm’s compliance department, which is charged with ensuring that the firm adheres to recently tightened SEC, NASD, and NYSE regulations covering the management, monitoring, and retention of instant messages.
The government and industry regulators who oversee financial services firms are serious about IM and e-mail compliance. Five Wall Street brokerages were fined $8.25 million for violating SEC e-mail retention rules in 2002. Securities firms that violate regulators’ IM rules, intentionally or accidentally, should expect to be hit with equally robust penalties.
Stifel Nicolaus is not alone. It’s estimated that IM is used in 90% of offices. In many cases, employees have downloaded free software from the Web and are IM-ing clients, competitors, and colleagues without management’s knowledge, without written rules and policies to guide usage, and without IT-approved technology to help prevent security breaches and control overall risk.
Regulated or not, it is imperative for organizations large and small to take control of IM risks today, or face potentially costly consequences tomorrow. Instant Messaging is a form of turbocharged e-mail that creates a written business record that can be subpoenaed and used as evidence in litigation or regulatory investigations.
As detailed in Nancy Flynn’s forthcoming book, Instant Messaging Rules (Amacom 2004), employers who mistakenly view IM as “emerging” technology can no longer afford to remain in the dark about employees’ IM use. Organizations must act now to uncover and control renegade IM use. Fail to manage IM today, and you’ll likely face potentially costly risks on the security, privacy, legal, regulatory, productivity, compliance, and technology fronts tomorrow.
Unmanaged E-Mail and IM Use Is Simply Bad Practice
Don’t wait for a high-profile, potentially costly e-disaster to strike your organization. Take action now by developing and implementing e-mail and Instant Messaging rules and policies that clearly spell out how your employees may (and may not) use your computer system. Back up written policy with comprehensive employee education to ensure that senior executives and staff understand e-mail and IM risks, and recognize the importance of complying with e-policy. Finally, enforce your policy and training program with policy-based content filtering software that works in concert with your written e-mail and IM policies.
According to The ePolicy Institute and Clearswift, employers cannot afford to treat e-mail and Instant Messaging merely as convenient communications tools like the telephone. The electronic equivalent of DNA evidence, e-mail and IM produce written business records that must be managed, monitored, retained, and archived.
As illustrated by the Biggest E-Mail Blunders of 2003, the risks inherent in unmanaged e-mail and IM use range from lawsuits and loss of confidential data, to security breaches and lost productivity—disasters that are too potentially costly to be ignored.
About Clearswift
Clearswift simplifies content security.
Our products help organizations enforce best-practice email and web use, ensuring all traffic complies with internal policy and external regulations.
Our range of content filtering solutions makes it easy to deploy, manage and maintain no-compromise email and web security for both inbound and outbound traffic.
Clearswift is the only vendor to offer comprehensive, policy-based content security in all three deployment methods: as software, as an appliance and as a managed service.
All three platforms are designed to take the hassle out of securing internet traffic, with a clear, intuitive management interface; automatic, 'zero-touch' updates; powerful reporting and common-sense policy management.
Twenty years of experience across 17,000 organizations has helped us raise security standards while simplifying security management at the same time.
We've helped many of the world's most successful organizations use the internet with confidence and are committed to staying ahead of the market and helping our customers defend against all emerging threats.
For further details, please contact:
Clearswift, MAILsweeper™, MIMEsweeper™, spamActive™ and ENTERPRISEsuite™ are trademarks or registered trademarks, in the United States, United Kingdom and certain other countries, of Clearswift Limited. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.