Can Company Avoid Becoming Evidence Mail?

Transcription

1 Can Company Avoid Becoming Evidence Mail? Frank Cavaliere Lamar University College of Business;, Beaumont, Texas Phone: Purnendu Mandal Lamar University College of Business;, Beaumont, Texas Phone: Cynthia Barnes Lamar University College of Business;, Beaumont, Texas Phone: ABSTRACT s pose a liability risk and can cause considerable damage to a company s reputation if not handled correctly. is no longer just a method of communicating in business; it is a way of doing business. Companies are finding it critically important to address issues such as legal liability, forensics, policies, etc. wisely and judiciously if they want to avoid a lawsuit. This paper provides a technical underpin to managerial understanding of issues and a guide towards framing an policy. INTRODUCTION Electronic mail, or , is the most popular form of communication since the telephone, but it wasn't that long ago that attorneys were still debating whether communication with clients was secure enough to be considered ethical (ABA, 1999). has become the plague of defense counsel who refer to it as the cockroach of litigation. Plaintiff's lawyers bless the coming of "evidence mail," which is often the smoking gun they need to sway juries or wrest a healthy settlement from defendants. The failure to retain communications can bring about a variety of legal sanctions such as one that resulted in five major brokerdealers agreeing to pay fines totaling $8.25 million. In a 1999 Fen-Phen case from Massachusetts, a motion to produce volumes of believed to be buried in mountains of back-up tapes was approved despite being characterized by defendants as a "multi-million dollar fishing expedition." The judge had little sympathy, declaring that the cost involved was "one of the risks taken on by companies which have made the decision to avail themselves of the computer technology now available to the business world." The corporate scandals of the past several years have spawned increased burdens on companies to preserve records, including . Section 802 of the Sarbanes-Oxley Act of 2002, for instance, was intended to address the destruction or fabrication of evidence and the preservation of "financial and audit records." That section directs the SEC to promulgate rules related to the retention of records relevant to the audits and reviews of financial statements that issuers file with the Commission. According to the SEC's Final Rule 239

2 dealing with "Retention of Records Relevant to Audits and Reviews": "We are adopting rules requiring accounting firms to retain for seven years certain records relevant to their audits and reviews of issuers' financial statements." The new Rule, which is incorporated into federal regulations at 17 CFR Part 210 states: The records to be retained include those relevant to the audit or review, including workpapers and other documents that form the basis of the audit or review and memoranda, correspondence, communications, other documents, and records (including electronic records), which are created, sent or received in connection with the audit or review, and contain conclusions, opinions, analyses, or financial data related to the audit or review. Records described in the rule would be retained whether the conclusions, opinions, analyses, or financial data in the records support the final conclusions reached by the auditor, or contain information or data, relating to a significant matter, that is inconsistent with the final conclusions of the auditor on that matter or the audit or review. The required retention of audit and review records should discourage the destruction, and assist in the availability, of records that may be relevant to investigations conducted under the securities laws, Commission rules or criminal laws (Cavaliere, 2003). Failure by a stockbroker to properly maintain relevant communications constitutes a violation of 1934 Securities Exchange Act 17(a) and the SEC's Rule 17a-4. The SEC has held that this Rule includes relevant communication. Rule 17a-4(b)(4) requires each member, broker and dealer to preserve business-related for 3 years, the first 2 years in an accessible place. Companies that have been unable to comply with this requirement have suffered substantial penalties (Cavaliere, 2003). Recent history is replete with infamous gaffes that had come back to haunt their senders, such as this one by Bill Gates that was unearthed during the Microsoft antitrust litigation: "How much do we need to pay you to screw Netscape?" (Microsoft Antitrust Case; CNN.com, 2002). Another devastating from Bill Gates in an intraoffice about a competitor - An embarrassing unearthed during Monica Lewinsky case ( from Monica Lewinsky to Linda Tripp) reads like this: 240

3 Even another in civil right case ( from the arresting officer in the Rodney King beating) reads: (Source: Haag, Cummings and McCubbrey, 2004) These and other revelations in lawsuits alerted attorneys, for both plaintiffs and defendants, of the significance of as perhaps the most prolific source of evidence in litigation. Despite that understanding, the use of in the courtroom is unabated. In just the last year, has been instrumental in high profile legal defeats suffered by Morgan Stanley and Merck. This paper addresses one of the most critical unanswered questions in American business today: Can be rendered safe? Each business using or considering using at work must ask itself if the perceived benefits of unrestricted use of by company employees are worth the proven risks associated with such behavior. Many decisions must be made in order to answer that question intelligently. Foremost among them is whether placing restrictions on usage is worth the cost. Placing restrictions on involves the making of numerous business decisions, including whether to permit at all, whether to adopt a formal policy and what terms it should contain, and how to educate employees to use in ways that will not harm the company in court. INTRODUCTION TO COMPUTER FORENSICS has now established a strong foothold in our society and in business communications. Some suggests that in 2004 over four billion s were sent every day in the United States, 1 billion instant 241

4 messages, and millions of spreadsheets and database files. According to a Datalink white paper (Datalink, 2005) : Gartner Group estimates 60% of business-critical data is now contained within systems; Enterprise Strategy Group suggests 75% of intellectual property is contained in ; Osterman Research determines that 79% companies accept as written confirmation; AIIM International and Kahn Consulting finds out that 71% of companies use to negotiate contracts and agreements, 69% use to exchange invoices, statements, and payment information, and 93% use to communicate with customers. has become ubiquitous, and in many ways it has become a substitute for using the telephone. Unlike the unrecorded telephone conversation, is recorded for posterity. An is recorded at least in four different computers: the sender s computer, the sender s server, the recipient s server, and the recipient s computer. (Source: Haag, Cummings and McCubbrey, 2004) Electronic information is subject to the discovery process during litigation. Courts have held that companies that suspect a lawsuit is forthcoming have a duty to preserve and retain evidence. Failure to do so can result in a so-called legal spoliation claim. In one recent case, where Morgan Stanley was held liable for $1.5 billion in damages, the company failed to turn over all s and the judge instructed the jury to assume the missing would have been damaging to the company. As lawyers and judges have become more familiar with the benefits associated with copious discovery into company electronic archives, a new industry has been spawned - the computer forensic investigator. These computer experts do not limit themselves to collecting stored files. Additional sources for damning communications include back-up data files, including tapes and hard drives, deleted files that can often be recovered, so-called "file slack," which is the residue of old information that can remain in a file cluster after the cluster has been overwritten, and hidden "metadata" that identifies a variety of information about the origination and history of documents such as and word processing documents. With appropriate software, computer experts can recover virtually any kind of information from any storage medium. Following is a list of files or documents that could be recovered by the computer experts: Files - messages - Deleted messages Program Files and Data Files - Word (.doc) and backup (.wbk) files - Excel files - Deleted files of all kinds - Files hidden in image and music files - Encrypted files - Compressed files Web Activity Files 242

5 - Web history - Cache files - Cookies Network Server Files - Backup files - Other backup and achieved files - System history files - Web log files MANAGEMENT SYSTEMS It is important that an organization develops and maintains a robust system for safe handling of s. Otherwise s would be lost, could reach the hands of unauthorized persons leading to exploitation of company secrets, or could be irretrievable at a time of urgency. Datalink (2005) suggests a framework for management challenges, which consists of five hierarchy levels as shown in Figure 1 below. An organization will have a credible capability of meeting the regulatory compliance only when it has a sound archive system. The regulatory compliance must address issues and documents which are required under legal rules or regulatory agencies such as SEC Rule 17a-4, Sarbanes-Oxley Act. The compliance would require indexing of data, storing, and periodic auditing. s must be routinely audited and deleted when the retention dates are reached. Figure 1: System Capability Hierarchy (Source: Datalink, 2005, modified) 243

6 archive system could be managed by the users or the system administrators. archiving will certainly be influenced by availability (conversely by down time). infrastructure such as server clustering, hot remote sites, etc plays a critical role in system availability for users. recovery is another critical area of management system. The organization must have the ability to make backups of s periodically and then load the backups in cases of failures due to data corruption, data tampering, data loss or accidental deletion. The recovery system should also consider unforeseen events such as site disaster. From a technical standpoint, a consolidated and tiered storage infrastructure for management makes the recovery process easier and timely. Overall, an organization would desire a centralized environment. This could be achieved by consolidating the storage network devices and optimizing the number of servers and storage systems. SYSTEM AVAILABILITY AND COMPUTER SECURITY In addition to internal use (or abuse) of s, businesses must protect their computer systems to safe guard systems from external attacks. As with other aspects of business, management must establish policies and implementation strategies for computer security. Without organizational policies and procedures, security measures will be poorly coordinated making the organization more vulnerable to attack by intruders (and abuse by existing and former employees). Key elements of the security policy include defining the security perimeter, which users have what access rights, system accountability, and an audit/monitoring function. The security perimeter defines the internal network from the external world such as the Internet. The application of a firewall is dependent on defining the security perimeter: where should the firewall is placed. Determining access rights for each user is crucial for the long-term integrity of the security system. If all employees have complete access to the entire information system, the probability increases that an intruder will be able to gain access to confidential information (any employee password will allow complete access) or that an existing or former employee will abuse the system. Properly trained employees are critical for developing and maintaining the security system. It is recommended that one person be accountable for implementing the security system; but that other organizational personnel audit the security system. The organization should have systems in place that require periodic review of computer security policies and procedures. If there is an incident (e.g., password abuse, virus attack), the organization should investigate the root cause and determine the appropriate corrective action. There should be an ongoing effort to assess the organization s computer systems for vulnerabilities and attacks. The following simple recommendations may give the user and organization an edge over intruders and abusers: - Use strong passwords: choose passwords that are difficult to guess. Take advantage of the full number of characters allowed by the system. Use different passwords for each account. - Ensure that information is being properly backed-up. Organizations must have a policy and schedule defined to backup their systems. Daily and full backups weekly are recommended. - Use virus protection software in the following manner: Ensure it is loaded on the computer and is active; continually updating the virus library; all the files on the computer are being scanned periodically. - Use a firewall as a gatekeeper between the computer and private network and the Internet. 244

7 - Do not keep computers online when not in use: either turn them off or physically disconnect them from the Internet. - Do not open attachments from strangers. Also be aware of any unexpected attachments that seem suspicious. Remember that viruses and worms can send infected e- mails to users listed in an address book. - Monitor and download security patches from software suppliers. The following questions may be reviewed in framing computer security policies in an organization: What is the organizational policy for computer security? Who is accountable for implementing the policy? Are their adequate organizational resources to meet the policy requirements? Who determines what security tools are needed to meet the policy objectives? Who audits the procedures and security tools for effectiveness? How are former employees handled? The next section of the paper will discuss why it s important for companies to have written electronic communication policies in place and the benefits for having them. Some sample policies will also be provided that could be customized to fit an organization s particular environment. THE NEED FOR ELECTRONIC COMMUNICATION POLICIES IN TODAY S CORPORATE ENVIRONMENT makes possible almost instant communication with one s co-workers without leaving your desk, a quick note to a family member who lives far away, but also has a very annoying downside such as junk mail. Since the introduction of the Internet, has been one of its primary uses. The fact that it is a fast, cheap, and easy means of communication makes a great business tool. But there are also a series of threats for employers associated with usage. threats such as confidentiality breaches, legal liability, lost productivity, and damage to reputation cost organizations millions of dollars each year. In the majority of cases, companies are held responsible for all the information transmitted on or from their systems. As a result, inappropriate s can result in multi-million dollar penalties in addition to other costs. For example, a Federal Communications Commission (FCC) employee unintentionally sent a dirty joke entitled Nuns in Heaven to 6,000 journalists and government officials on the agency's group list. This employee's lapse in judgment and electronic mistake resulted in negative publicity and national embarrassment for the FCC. In the US, Chevron settled a case filed by four female employees for $2.2 million. The employees alleged that sexually harassing s sent through the company s system caused a threatening work environment. One of the sexually offensive messages was a joke sheet titled 25 reasons why beer is better than women. A company can also be liable if one of its employees sends an containing a virus (AntiSpamLeague.org, 2005). Confidentiality breaches can be accidental, for instance when an employee selects a wrong contact name in the To: field, or intentional, such as the case where an employee uses his corporate account to send confidential information to one of the company s competitors. In the latter case, both the employee and the recipient could be charged with trade secret theft. Nonetheless, whether it is by mistake or on purpose, the result of the loss of confidential data is the same. 245

8 Lost productivity due to inappropriate use of a firm s system is becoming a growing area of concern. A recent survey revealed that 86 per cent of workers used their company to send and receive personal s. Given that it has become very hard in our modern world to segregate people's personal lives outside of the workday, companies struggle to find effective ways of balancing employee freedoms and corporate protection. In addition to personal s, unwanted spam messages are a significant time waster. Spam and personal abuse of can also cause a corporation s system to waste valuable bandwidth resources. A Gartner Group study held under 13,000 users found that 90 percent receive spam at least once a week, and almost 50 percent get spammed more than 6 times a week. Personal s cause network congestion since they are not only unnecessary, but tend to be mailed to a large list of recipients and often include large attachments such as mp3, executable or video files that users do not zip. Adopting an antispam system alone has not proven effective to stop spam. The combination of spam- blockers with other methods of spam control technologies such as SIDF, SPF, Bayesian Filters, Blacklists, Whitelists, Anomaly Detection, and Spam Signatures has proven to be much more effective. There are also special organizations such as the AntiSPAMLeague.org that give Internet users the chance to report those individuals and companies that are responsible of spamming (AntiSpamLeague.org, 2005). How can a company protect itself from these threats? The first step in securing an organization is to create an usage policy. Every company needs to establish a policy regarding use of and access to company systems, and then tell all employees what its policy is. After the policy has been created, one must make sure it is actually implemented. This can be done by providing regular training and by monitoring employees using some type of security software. The policy should be made available and easily accessible to all employees and should be included in employee handbooks and company intranets. It is best to include the policy, or a short statement regarding the policy, in employment contracts. In this way the employee must acknowledge in writing that he/she is aware of the policy and of the obligation to adhere to it. BENEFITS OF HAVING AN POLICY What are some of the benefits of having a clear and effective policy? First, it helps prevent threats, since it makes the staff aware of the corporate rules and guidelines. Second, it can help stop any misconduct at an early stage by asking employees to come forward as soon as they receive an offensive . Keeping the incidents to a minimum can help avoid legal liability. For example, in the case of Morgan Stanley, a US investment bank that faced an employee court case, the court ruled that a single communication - a racist joke, in this case - cannot create a hostile work environment and dismissed the case against them. Third, if an incident does occur, an policy can minimize the corporation s liability for the employee s actions. Previous cases have proven that the existence of an policy can prove that the company has taken steps to prevent inappropriate use of the system and therefore can be freed of liability. Fourth, if a company is going to use filtering software to check the contents of its employees s, the company must have an policy that states this clearly. Some employees may argue that by monitoring their s, companies are violating their privacy rights. However, court cases have shown that if the employer has warned the employee beforehand that their might be monitored, the employer has a right to do so. People usually respond better when they know where they stand and what is expected of them. Because the bulk of information in most corporations is created, stored, transmitted and maintained electronically, IT departments are responsible for ensuring that sound practices, including corporate wide 246

9 information security policies and enforced implementation of those policies, are in place for employees at all levels. Information security policies should govern the following items: Network security Access controls Authentication Encryption Logging Monitoring and alerting Forensics Pre-planning coordinated incident response Given that developments in and the Internet are changing so rapidly, it is essential to review the policy at least once every quarter. Organizations should keep an eye on new developments in and Internet law so that they are aware of any new regulations and opportunities. When companies release new updates, it is preferable to have each user sign as acknowledgment that they received the policy. A generic policy is given on the following page which could be modified to fit any company s particular environment, depending on their philosophy concerning usage. This sample policy is a short one; a second sample policy can be viewed at This one is longer and more comprehensive. Bennett-Alexander and Hartman (2007) also provide examples of policy. A Sample Policy Policy The purpose of this policy is to ensure the proper use of [Company] s system. All messages distributed via the company s system, even personal s, are [Company] s property. You must have no expectation of privacy in anything that you create, store, send or receive on the company s system. Your s can be monitored without prior notification if [Company] deems this necessary. If there is evidence that you are not adhering to the guidelines set out in this policy, the company reserves the right to take disciplinary action, including termination and/or legal action. If you have any questions or comments about this Policy, please contact your supervisor. It is strictly prohibited to: Send or forward s containing libelous, defamatory, offensive, racist or obscene remarks. If you receive an of this nature, you must promptly notify your supervisor. Forward a message or copy a message or attachment belonging to another user without acquiring permission from the originator first. Send unsolicited messages or chain mail. Forge or attempt to forge messages, or disguise or attempt to disguise your identity when sending mail. Duty of care Users must take the same care in drafting an as they would for any other communication. Confidential information should not be sent via . Personal usage Although the company s system is meant for business use, [Company] allows personal usage if it is reasonable and does not interfere with work. 247

10 Disclaimer All messages will be appended with the following disclaimer: This message is intended only for the named recipient. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. Declaration I have read, and agree to comply with, the guidelines set out in this policy and understand that failure to do so might result in disciplinary or legal action. Signature: Date: Printed Name: (source: -policy.com, 2005) If companies want to reduce electronic risks in the workplace, they must take the initiative. Electronic disasters can ruin businesses, sink careers, send stock prices plummeting, and generate public relations nightmares. Do not wait for a disaster to strike; prevention is always your best defense. Effective policies minimize or keep disasters from happening. CONCLUSION is a very popular and useful form of communication but has limitations. is not confidential, poses a liability risk, and can cause considerable damage to a company s reputation if not handled correctly. After several high profile lawsuits with multi-million dollar penalties concerning the contents of corporate s, companies are increasingly aware that by simply using , they are exposing themselves to legal threats. To resolve this problem, many companies are implementing and enforcing policies and using mail filtering and anti-virus software while adding legal disclaimers. Additionally, companies are providing etiquette training to all employees to improve the quality and perceptions of all s sent. Enron s that were released by the Federal Energy Regulatory Commission (FERC) revealed the culture that led to Enron s downfall. With the onset of legislations such as HIPAA and Sarbanes-Oxley, corporations can be held accountable for such communications, making employers responsible for the wrongful acts of an employee. Salman (1999) suggests few simple rules for busy executives to practice: Rule 1: Write the truth Rule 2: Think first, then write Rule 3: Revise and Edit Rule 4: Let counsel review the writing Rule 5: Don t make the case for the other side. is no longer just a method of communicating in business; it is a way of doing business. Companies are finding it critically important to address the previously mentioned issues (legal liability, forensics, policies, etc.) wisely and judiciously if they want to avoid a lawsuit. 248

11 REFERENCES Datalink (2005). Overcoming Storage and Content Management Challenges. (White paper by Datalink, Inc), October Haag, S., Cummings, M., and McCubbrey, D. (2004). Management Information Systems for the Information Age. McGraw Hill. (2005). Corporate Policies Lower Unnecessary Legal and Security Risks. (2004). policy: Why Your Company Needs One. ABA (1999). American Bar Association Standing Committee on Ethics and Professional Responsibility Formal Opinion No (march 10, 1999) Protecting the Confidentiality of Uncrypted E- mail ; available online at Salman, R. R. (1999) Writing for the Busy Executive: Avoiding the Smoking Gun. The Practical Lawyer, March 1999, pgs Cavaliere, F.J. (2003). Electronic Mail or Evidence Mail?. The Practical Lawyer, June 2003, pgs 9-10, 61. Microsoft Antitrust Case Filings, U.S. Department of Justice, available online at CNN.Com (2002). More Embarrassing Microsoft , available online at Bennett-Alexander, D. D. and Hartman, L. P. (2007). Employment Law for Business. McGraw-Hill/Irwin, Boston, MA. 249