Information Governance

CHAPTER 12

Information Governance for E-Mail and Instant Messaging*

E-mail is a major area of focus for information governance (IG) efforts. It is the most common business software application and the backbone of business communications today, and e-mail is the leading piece of evidence requested during the discovery phase of civil trials, so it is critically important to implement IG measures for e-mail communications.

Employees use e-mail all day, including during their personal time, sometimes mixing business and personal use of e-mail. Social media use has skyrocketed in recent years and actually has surpassed e-mail for personal use, but the fact remains that in business, knowledge workers rely on e-mail for almost all communications, including those of a sensitive nature. A 2013 survey of 2,400 corporate e-mail users worldwide found that nearly two-thirds stated that e-mail was their favorite form of business communication, surpassing not only social media but also telephone and in-person contact.1

These e-mail communications may contain discoverable information in litigation, and a percentage of them will be declared formal business records. E-mail often contains records, such as financial spreadsheets and reports, product price lists, marketing plans, competitive analyses, safety data, recruitment and salary details, progressing contract negotiations, and other information that may be considered as constituting a business record.

E-mail systems can be hacked, monitored, and compromised and cause far-reaching damage to a victimized organization. The damage may occur slowly and go undetected while information assets—and business value—are eroded.

In mid-2011, the “hacktivist” group AntiSec claimed responsibility for hacking a U.S. government contractor, Booz Allen Hamilton, and publicly exposing 90,000 military e-mail addresses and passwords from the contractor by posting them online. It was the second attack on a government defense contractor in a single week. 2

Booz Allen employees “maintain high government security clearances” while working with the defense sector (yet in 2013 another Booz Allen employee, Edward Snowden, gained access to secret communications monitoring programs that the U.S. National Security Agency operated to capture metadata and other information from the private e-mail and telephone conversations of American citizens on a broad scale). AntiSec penetrated the communications systems with relative ease and noted that the contractor “basically had no security measures in place.”3 AntiSec was able to go even further, running its own rogue application to steal software source code and to search for and find access credentials to steal data from other servers, which the group said would help it infiltrate other federal contractors and agencies. It even stated it might pass the security information on to other hackers.

* Portions of this chapter are adapted from Chapter 11, Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.

The attack did not stop there. Later that week, another federal defense and FBI contractor, IRC Federal, was hacked, databases were invaded, the Web site was modified, and information from internal e-mail messages was posted online.4

Employees Regularly Expose Organizations to E-Mail Risk

A 2011 global e-mail survey, commissioned by a leading hosted e-mail services provider, found that nearly 80 percent of all employees send work e-mail to and from their personal accounts, and 20 percent do so regularly, which means that critical information assets are exposed to uncontrolled security risks.5

“Awareness of the security risks this behavior poses does not act as a deterrent” (emphasis added). Over 70 percent of people questioned recognize that there is an additional risk in sending work documents outside the corporate e-mail environment, but almost half of “these same respondents feel it is acceptable to send work emails and documents to personal email accounts anyway.” According to the survey, the reasons for using personal e-mail accounts for work purposes range from working on documents remotely (71 percent), to sending files that are too big for the company mailbox (21 percent), to taking documents with them when they leave a company (18 percent), to simply not wanting to carry a laptop home (9 percent). The top two frustrations users had with work e-mail were restrictions on mailbox size, which has a negative impact on e-mail management, and the inability to send large attachments. This second issue often forces workers to use a personal account to send and receive necessary files. If size limits are imposed on mailboxes and attachments, companies must provide a secure alternative for file storage and transfer. Otherwise, employees are pushed into risking corporate information assets via personal e-mail. This scenario not only complicates things for e-mail administrators but has serious legal and regulatory implications. Clearly, as stated by Paul Mah in his “Email Admin” blog, “email retention and archival becomes an impossible task when emails are routed in a haphazard manner via personal accounts.”6

This means that security, privacy, and records management issues must be addressed by first creating IG policies to control and manage the use of e-mail. These policies can utilize the e-mail system’s included security features and also employ additional monitoring and security technologies where needed.

The e-mail survey also found an overall lack of clear e-mail policies and weak communication of existing guidelines. This means a lack of IG. Nearly half of the respondents stated either that their company had no e-mail policy or that they were unaware of one. Among those aware of a corporate e-mail policy, 4 in 10 think it could be communicated better. Among companies that have a policy, most (88 percent) deal with the appropriate use of e-mail as a business tool, but less than one-third (30 percent) address e-mail retention from a security standpoint.


Generally, employees are aware that sending work documents outside of their corporate network is unsafe, yet they continue to do so. It is abundantly clear that e-mail policies have to be updated and upgraded to accommodate and manage the increasingly sophisticated and computer-savvy generation of users who are able to find ways to work around corporate e-mail restrictions. (These users have been dubbed Generation Gmail.) In addition, new e-mail monitoring and security technologies need to be deployed to counter this risky practice, which exposes information assets to prying eyes or malicious attacks.

E-Mail Policies Should Be Realistic and Technology Agnostic

E-mail policies as part of your IG program must not be too restrictive. It may be tempting to include catchall policies that attempt to tamp down user behavior, but such efforts cannot succeed.7 An important step is consulting with stakeholders to understand their usage patterns and needs and then going through a series of drafts of the policy, allowing for input. It may be determined that some exceptions and changes in technologies need to be factored in and that some additional technology is needed to accommodate users while keeping information assets safer and meeting compliance and legal demands. Specifics of these policies and tools should be progressively tightened on a regular basis as the process moves forward.

These new IG guidelines and policies need to refer to technology in a generic sense—a “technology-neutral” sense—rather than specifying proprietary software programs or features.8 That is to say, they should be written so that they are not in need of revision as soon as new technologies are deployed.

Developing organization-wide IG policies is time consuming and expensive; they are a defensive measure that does not produce revenue, so managers, pressed for performance, often relegate policy making to the low-priority list. Certainly, it is a tedious, difficult task, so organizations should aim to develop policies that are flexible enough to stand the test of time. But it is also necessary to establish a review process to periodically revise policies to accommodate changes in the business environment, the law, and technology.

Here is an example of a technology-agnostic policy directive:

All confidential information must be encrypted before being transmitted over the Internet.

This statement does not specify the technology to be used, or the mode of transmission. The policy is neutral enough to cover not only e-mail and instant messaging (IM) but also social media, cloud computing, mobile computing, and other means of communication. The policy also does not specify the method or brand of the encryption technology, so the organization can select the best method and technology available in the future without adapting the policy.9

E-Record Retention: Fundamentally a Legal Issue

Considering the massive volume of e-mail exchanged in business today, most e-mail messages do not rise to the level of being formal business records. But many of them do and are subject to IG, regulatory compliance, and legal requirements for maintaining and producing business records.


Although often lumped in with other information technology (IT) concerns, the retention of e-mail and other e-records is ultimately a legal issue. Other departments, including records management and business units, should certainly have input and should work with the legal team on record retention challenges and archiving solutions. But e-mail and e-record retention is “fundamentally a legal issue,” particularly for public or highly regulated companies. According to Nancy Flynn of the ePolicy Institute, “It is essential for the organization’s legal department to take the lead in determining precisely which types of email messages will be preserved, exactly how and where data will be stored, and specifically when—if ever—electronically stored information [ESI] will be deleted”10 (emphasis added).

Because they are often dashed off in the heat of battle, e-mail messages many times turn out to be the smoking-gun evidence in lawsuits and investigations. In fact, they are the most requested type of evidence in civil litigation today. The content and timing of e-mail messages can provide exonerating information too.

In January 2010, a U.S. House of Representatives committee probing bailout deals subpoenaed the Federal Reserve Bank of New York for e-mail and other correspondence from Treasury Secretary Timothy Geithner (former president of the New York Federal Reserve Bank) and other officials. The House Oversight and Government Reform Committee was in the process of examining New York Fed decisions that funneled billions of dollars to big banks, including Goldman Sachs Group and Morgan Stanley.11

This is just one example of how crucial e-mail messages can be in legal investigations and how they play an important role in reconstructing events and motives for legal purposes.

Preserve E-Mail Integrity and Admissibility with Automatic Archiving

Most users are not aware that e-mail contents and characteristics can be changed—“and rendered legally invalid”—by anyone with malicious motives, including those who are essentially “covering their tracks.” Not only can the content be edited, but metadata that includes such information as the time, date, and total number of characters in the message can also be changed retroactively.12

To offset this risk and ensure that spoliation (the destruction or alteration of evidence, which costs an e-mail its proven authenticity) does not occur, all messages, both inbound and outbound, should be captured and archived automatically and in real time, before any user or administrator can touch them. This preserves each message in its original form, with its metadata, for later authentication. Additionally, e-mail should be indexed to facilitate searching, and all messages should be secured in a single location. With these measures, and provided the archive itself is write-once and tamper-evident, e-mail records can be shown to be authentic and reliable.

Managing e-records is primarily a legal issue, especially for public and heavily regulated companies.


E-Mail Archiving Rationale: Compliance, Legal, and Business Reasons

There are good reasons to archive e-mail and retain it according to a specific retention schedule that follows your organization’s IG policies. Having a handle on managing voluminous e-mail archives translates to being able to search effectively and rapidly for exactly the right messages, which can provide a significant legal advantage. It gives your legal team more and better information and more time to figure out how to use it in legal strategy sessions, tipping the odds in your organization’s favor in the inevitable litigation arena. Your legal opponent may be driven to settle a weak claim when confronted with indisputable e-mail evidence, and, in fact, “email often produces supportive evidence that may help ‘save the day’ by providing valuable legal proof” of innocence.13 This evidence may stop frivolous lawsuits in their tracks, and reliable e-mail evidence can also shorten lengthy and expensive lawsuits and help your organization prevail. And if your company is public, Sarbanes–Oxley record-retention requirements extend to e-mail that documents financial reporting and audit activity, so those messages must be archived.

Don’t Confuse E-Mail Archiving with Backup

All backups are not created equal. There is a big difference between traditional system backups and specialized e-mail archiving software.

Backups are bulk dumps to mass storage, where data is written sequentially as whole volumes or mailbox stores, not indexed by message, sender, or content.14 A backup can be searched only by picking the dated backup set to restore, and even that means combing through the raw, non-indexed data it contains.

The chief executive may not be aware of it, but without true e-mail archiving, system administrators could spend long nights loading old tapes and churning out volumes of data, and legal teams will bill hourly for manual searches through troves of data. This compromises your enterprise’s legal position and not only increases raw costs but also leads to less capable and informed legal representation. According to one study, fully one-third of IT managers state they would have difficulty producing an e-mail that is more than one year old. “A backup system is no substitute for automatic archiving technology”15 (emphasis added).
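The two properties that separate an archive from a backup in the discussion above, and in the earlier section on integrity and admissibility, are that every message is preserved unaltered with its metadata and that it can be found by content rather than by date. The following Python sketch is an added example, not code from the chapter or from any archiving product: it stores each message's raw bytes with a SHA-256 that is chained to the previous entry (so a retroactive edit to content or metadata, or a removed entry, is detectable) and indexes headers and body terms for search. The sample messages are constructed, and the class and function names are assumptions for illustration.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample messages in raw RFC 5322 form (illustrative, not real mail).
SAMPLE_MESSAGES = [
    (b"From: buyer@corp.example\r\nTo: sales@supplier.example\r\n"
     b"Subject: PO 4471 discount\r\nDate: Mon, 03 Jun 2013 09:15:00 +0000\r\n"
     b"Message-ID: <a1@corp.example>\r\n\r\n"
     b"We accept the 5% discount if delivery is made by June 14.\r\n"),
    (b"From: hr@corp.example\r\nTo: staff@corp.example\r\n"
     b"Subject: Lunch\r\nDate: Tue, 04 Jun 2013 12:00:00 +0000\r\n"
     b"Message-ID: <b2@corp.example>\r\n\r\n"
     b"Pizza in the break room at noon.\r\n"),
]


class EmailArchive:
    """Write-once archive: each message is kept as its original bytes, with a
    SHA-256 of those bytes chained to the previous entry, and a term index over
    From, To, Subject and body so messages can be found by content."""

    def __init__(self):
        self.entries = []   # one dict per message, in ingestion order
        self.index = {}     # term -> set of positions in self.entries

    @staticmethod
    def _terms(text):
        # crude tokenizer: words, addresses and dotted names, lower-cased
        return set(re.findall(r"[a-z0-9@%]+(?:\.[a-z0-9]+)*", text.lower()))

    def ingest(self, raw):
        msg = email.message_from_bytes(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body else ""
        digest = hashlib.sha256(raw).hexdigest()
        prev = self.entries[-1]["chain"] if self.entries else "0" * 64
        entry = {
            "raw": raw,
            "sha256": digest,
            "chain": hashlib.sha256((prev + digest).encode()).hexdigest(),
            "message_id": str(msg["Message-ID"]),
            "date": parsedate_to_datetime(str(msg["Date"])),
            "chars": len(text),   # one of the metadata fields the text mentions
        }
        pos = len(self.entries)
        self.entries.append(entry)
        fields = f"{msg['From']} {msg['To']} {msg['Subject']} {text}"
        for term in self._terms(fields):
            self.index.setdefault(term, set()).add(pos)
        return entry["chain"]

    def search(self, term):
        """Message-IDs containing the term in an indexed header or the body."""
        hits = self.index.get(term.lower(), set())
        return [self.entries[i]["message_id"] for i in sorted(hits)]

    def verify(self):
        """Message-IDs whose stored bytes no longer match their recorded hash,
        or whose chain link is broken (an entry edited, removed or reordered)."""
        bad, prev = [], "0" * 64
        for e in self.entries:
            digest = hashlib.sha256(e["raw"]).hexdigest()
            link = hashlib.sha256((prev + digest).encode()).hexdigest()
            if digest != e["sha256"] or link != e["chain"]:
                bad.append(e["message_id"])
            prev = e["chain"]
        return bad


def build_archive():
    archive = EmailArchive()
    for raw in SAMPLE_MESSAGES:
        archive.ingest(raw)
    return archive


def tamper_demo():
    """Edit the stored content of the first message after the fact (the kind of
    change the text warns about) and report what verify() flags."""
    archive = build_archive()
    e = archive.entries[0]
    e["raw"] = e["raw"].replace(b"5% discount", b"10% discount")
    return archive.verify()


if __name__ == "__main__":
    a = build_archive()
    print("discount ->", a.search("discount"))
    print("clean archive problems:", a.verify())
    print("after tampering:", tamper_demo())
```

The hash chain is what makes the archive tamper-evident rather than merely hashed: recomputing one entry's digest after an edit does not help an insider, because every later link was computed from the original value. In a real deployment the chain heads would be anchored somewhere outside the archive (a timestamping service or a separate log) so the whole chain cannot be rebuilt.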

No Personal Archiving in the Workplace

Employees are naturally going to want to back up their most important files, just as they probably do at home. But for an overall IG information-security program to be effective, personal archiving at work must be prohibited. This underground archiving results in hidden shadow files and is time consuming and risky. According to Flynn, “Self-managed email can result in the deletion of electronic records, alteration of email evidence, time-consuming searches for back-up tapes, and failure to comply with legal discovery demands” (emphasis added). Also, users may compromise formal electronic records, or they may work from unofficial records, which therefore by definition might be inaccurate or out-of-date, posing compliance and legal ramifications.16

Are All E-Mails Records?

Are e-mail messages records? This question has been debated for years. The short answer is no, not all e-mail messages constitute a record. But how do you determine whether certain messages are a business record or not? The general answer is that a record documents a transaction or business-related event that may have legal ramifications or historic value. Most important are business activities that may relate to compliance requirements or those that could possibly come into dispute in litigation. Particular consideration should be given to financial transactions of any type.

Certainly evidence that required governance oversight or compliance activities have been completed needs to be documented and becomes a business record. Also, business transactions, in which there is an exchange of money or the equivalent in goods or services, are also business records. Today, these transactions are often documented by a quick e-mail. And, of course, any contracts (and any progressively developed or edited versions) that are exchanged through e-mail become business records.

The form or format of a potential record is irrelevant in determining whether it should be classified as a business record. For instance, if a meeting of the board of directors is recorded by a digital video recorder and saved to DVD, it constitutes a record. If photographs are taken of a ground-breaking ceremony for a new manufacturing plant, the photos are records too. If the company’s founders tape-recorded a message to future generations of management on reel-to-reel tape, it is a record also, since it has historical value. But most records are going to be in the form of paper, microfilm, or an electronic document.

Here are three guidelines for determining whether an e-mail message should be considered a business record:

1. The e-mail documents a transaction or the progress toward an ultimate transaction where anything of value is exchanged between two or more parties. All parts or characteristics of the transaction, including who (the parties to it), what, when, how much, and the composition of its components, are parts of the transaction. Often seemingly minor parts of a transaction are found buried within an e-mail message. One example would be a last-minute discount offered by a supplier based on an order being placed or delivery being made within a specified time frame.

2. The e-mail documents or provides support of a business activity occurring that pertains to internal corporate governance policies or compliance to externally mandated regulations.

3. The e-mail message documents other business activities that may possibly be disputed in the future, whether it ultimately involves litigation or not. (Most business disputes actually are resolved without litigation, provided that proof of your organization’s position can be shown.) For instance, your supplier may dispute the discount you take that was offered in an e-mail message and, once you forward the e-mail thread to the supplier, it acquiesces. 17

Destructive Retention of E-Mail

Destructive retention is an approach to e-mail archiving in which e-mail messages are retained for a limited time (say, 90 days or six months), followed by their permanent manual or automatic deletion from the company’s network, so long as there is no litigation hold and the e-mail has not been declared a record in accordance with IG and records management policies. Implementing this as a policy may shield the enterprise from retaining potentially libelous or litigious e-mail that is not a formal business record (e.g., off-color jokes or other personnel violations).

For heavily regulated industries, such as health care, energy, and financial services, organizations may need to archive e-mail for longer periods of time.
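The rule just described has a precedence that is easy to get wrong when it is automated: a litigation hold must beat every schedule, a declared record follows its own class's retention period rather than the short default, and anything the schedule cannot classify must never be deleted. The Python below is an added example of that disposition logic, not code from the chapter or from any archiving product; the retention periods, record classes, hold identifier and sample messages are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Retention schedule by record class, in days. Assumed values for illustration;
# the real schedule comes from the IG/records policy and the regulations that apply.
RETENTION_DAYS = {
    "transient": 90,        # ordinary e-mail never declared a record
    "financial": 7 * 365,   # a class a regulated organization keeps much longer
    "contract": 10 * 365,
}


def disposition(msg, today):
    """Return 'retain:<why>' or 'delete:<class>' for one archived message.

    msg keys: id, from, to, received (date), record (bool), record_class (str or
    None), holds (set of litigation-hold identifiers applied to the message).
    Order matters: a hold beats every schedule, and a record class the schedule
    does not know is never deleted (fail closed)."""
    if msg["holds"]:
        return "retain:hold:" + ",".join(sorted(msg["holds"]))
    cls = msg["record_class"] if msg["record"] else "transient"
    if cls not in RETENTION_DAYS:
        return "retain:unclassified"
    if msg["received"] <= today - timedelta(days=RETENTION_DAYS[cls]):
        return "delete:" + cls
    return "retain:" + cls


def apply_hold(messages, hold_id, custodians):
    """Place a litigation hold on every message a custodian sent or received.
    Returns how many messages were newly put on hold."""
    count = 0
    for m in messages:
        involved = m["from"] in custodians or custodians & set(m["to"])
        if involved and hold_id not in m["holds"]:
            m["holds"].add(hold_id)
            count += 1
    return count


def run_schedule(messages, today):
    """Disposition for every message; `today` may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return {m["id"]: disposition(m, today) for m in messages}


def sample_messages():
    """Constructed archive entries (not real data)."""
    def m(id_, sender, to, received, record=False, record_class=None):
        return {"id": id_, "from": sender, "to": to, "received": received,
                "record": record, "record_class": record_class, "holds": set()}
    return [
        m("m1", "hr@corp.example", ["all@corp.example"], date(2013, 5, 1)),
        m("m2", "hr@corp.example", ["all@corp.example"], date(2013, 8, 15)),
        m("m3", "cfo@corp.example", ["auditor@firm.example"],
          date(2010, 1, 10), True, "financial"),
        m("m4", "bob@corp.example", ["vendor@supplier.example"], date(2013, 4, 1)),
        m("m5", "mkt@corp.example", ["agency@ad.example"],
          date(2012, 1, 1), True, "marketing"),   # class missing from the schedule
    ]


if __name__ == "__main__":
    msgs = sample_messages()
    print(run_schedule(msgs, "2013-09-01"))
    apply_hold(msgs, "HOLD-2013-01", {"bob@corp.example"})
    print(run_schedule(msgs, "2013-09-01"))   # m4 is now retained under the hold
```

A production job would also write each delete decision to an audit log before acting on it; the decision record is itself evidence that the schedule, not a person, removed the message.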

Instant Messaging

Instant messaging (IM) use in enterprises has proliferated—despite the fact that frequently proper policies, controls, and security measures are not in place to prevent e-document and data loss. There are a variety of threats to IM use that enterprises must defend against to keep their information assets secure.

The first basic IM systems, which came into use in the mid-1960s, had real-time text capabilities for routing messages to users logged on to the same mainframe computer. Early multiuser chat systems such as IRC have been in use since the late 1980s, but true IM systems that included buddy list features appeared on the scene in the mid-1990s (ICQ in 1996 and AOL Instant Messenger in 1997), followed by the release of Yahoo! and Microsoft IM systems. The use of these personal IM products in the workplace has created new security risks.18

More secure enterprise instant messaging (EIM) products can be deployed. Leading EIM installed systems include IBM Lotus Sametime, Microsoft Office Communications Server, Cisco Unified Presence, and Jabber XCP. In the financial sector, Bloomberg Messaging and Reuters Messaging are leading platforms.

By the year 2000, it was estimated that nearly 250 million people worldwide were making use of IM, and today estimates are that more than 2 billion people use IM, with the addition of hundreds of millions of users in China.

As with many technologies, IM became popular first for personal use, then crept into the workplace—and exploded. IM is seen as a quicker and more efficient way to communicate short messages than engaging in a telephone conversation or going through rounds of sending and receiving endless e-mail messages. The problem with IM is that many organizations are blind to the fact that their employees are going to use it one way or another, sometimes for short personal conversations outside the organization. If unchecked, such messaging exposes the organization to a myriad of risks and gives hackers another way to compromise confidential information assets.

Best Practices for Business IM Use

Employing best practices for enterprise IM use can help mitigate its security risks while helping to capitalize on the business agility and velocity benefits IM can provide. Best practices must be built in to IG policies governing the use of IM, although “the specifics of these best practices must be tailored for each organization’s unique needs.”

A methodology for forming IM-specific IG policies and implementing more secure use of IM must begin with surveying and documenting the proliferation of IM use in the organization. It should also discover how and why users are relying on IM—perhaps there is a shortcoming with their available IT tools and IM is a work-around.

Typically, executives will deny there is much use of IM and say that if it is being used, its impact is not worth worrying about. Also, getting users to come clean about their IM use may be difficult, since this may involve personal conversations and violations of corporate policy. A survey is a good place to start, but more sophisticated network monitoring tools need to be used to factually discover what IM systems are actually in use.

Once this discovery process has concluded and the use of IM is mapped out, the IG team or steering committee must create or update policies to: decide which IM systems it will allow to be used, how, when, and by whom; decide what restrictions or safeguards must be imposed; and create guidelines as to appropriate use and content. As a part of an overall IG effort, Quest Software determined that a successful IM policy will:

■ Clearly and explicitly explain the organization’s instant messaging objectives. Users should know why the organization permits IM and how it is expected to be used.

■ Define expectations of privacy. Users should be made aware that the organization has the right to monitor and log all IM sessions for corporate compliance, safety, and security reasons.

■ Detail acceptable and unacceptable uses. An exhaustive list of permitted and forbidden activities may not be necessary, but specifi c examples are helpful in establishing a framework of IM behaviors for users.

■ Detail content and contact restrictions (if any). Most organizations will want to limit the amount of idle IM chat that may occur with family, friends, and other nonbusiness-related contacts. There may also be additional issues related to information confidentiality and privacy. Some businesses may choose to block the distribution of certain types of information via live IM chat session or file transfer.

■ Define consequences for violations of the policy. Users should be advised of the consequences of policy violations. Generally these should be aligned with the company’s personnel and acceptable use policies.

The use of a standard disclaimer, to be inserted into all users’ IM sessions, can remind employees of appropriate IM use and that all chat sessions are being monitored and archived, and can be used in court or compliance hearings.

The next major step is to work with the IT staff to find the best and most appropriate security and network monitoring tools, given the computing environment. Alternatives must be researched, selected, and deployed. In this research and selection process, it is best to start with at least an informal survey of enterprises within the same industry to attempt to learn what has worked best for them.

The key to any compliance effort or legal action will be ensuring that IM records are true and authentic, so the exact, unaltered archiving of IM messages along with associated metadata should be implemented in real time. This is the only way to preserve business records that may be needed in the future. But in addition, a policy for deleting IM messages after a period of time, so long as they are not declared business records, must be formulated.

Documenting IM use in the organization is the first step in building IG policies to govern its use. Those policies must be tailored to the organization and its IM use.

IG requires that these policies and practices not be static; rather, they must be regularly revisited and updated to reflect changes in technology and legal requirements and to address any shortcoming or failure of the IG policies or technologies deployed.

Technology to Monitor IM

Today, it has been estimated that as much as 80 percent of all IM used by corporate employees comes from free IM providers like Yahoo!, MSN, or AOL. These programs are also the least secure. Messages using these IM platforms can fly around the Internet unprotected. Any monitoring technology implemented must have the capability to apply and enforce established IM use policies by constantly monitoring Internet traffic to discover IM conversations. Traffic containing certain keywords can be monitored or blocked, and chat sessions between forbidden users (e.g., those who are party to a lawsuit) can be stopped before they start. But this all necessarily starts with IG and policy formulation.
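To make the monitoring step above concrete, and the discovery step from the earlier section on surveying IM use, the Python below is an added example rather than code from the chapter or from any monitoring product. It reads constructed IM event records of the kind a monitoring gateway might log, builds the inventory of which services are actually in use, and then applies three policy checks in order of severity: an unsanctioned service, a forbidden user pair (an ethical wall, such as parties to a lawsuit), and content patterns with different actions for a chat message and a file transfer. The log format, service names, user pairs and patterns are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed IM events as a monitoring gateway might log them (not real data).
SAMPLE_EVENTS = """\
2013-06-03T09:15:02Z service=sametime from=alice@corp.example to=bob@corp.example type=msg text="meeting at 3?"
2013-06-03T09:16:40Z service=yahoo from=carol@corp.example to=pal@yahoo.example type=msg text="lunch?"
2013-06-03T09:17:05Z service=sametime from=dave@corp.example to=erin@corp.example type=msg text="did you see the memo"
2013-06-03T09:18:11Z service=sametime from=alice@corp.example to=bob@corp.example type=file text="q2_financials.xlsx"
2013-06-03T09:19:30Z service=sametime from=frank@corp.example to=bob@corp.example type=msg text="card 4111 1111 1111 1111 exp 12/15"
2013-06-03T09:20:00Z service=sametime from=hr@corp.example to=bob@corp.example type=msg text="your salary review is next week"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) service=(?P<service>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'type=(?P<type>msg|file) text="(?P<text>.*)"$')

# Policy inputs (assumed for illustration; real values come from the IG policy).
SANCTIONED = {"sametime"}                                  # enterprise IM allowed
ETHICAL_WALLS = {frozenset({"dave@corp.example", "erin@corp.example"})}
CONTENT_RULES = [   # (name, pattern, action for a chat message, action for a file)
    ("pan", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block", "block"),
    ("confidential", re.compile(r"financial|salary|payroll", re.I), "flag", "block"),
]


def parse_events(log_text):
    return [m.groupdict() for m in map(EVENT_RE.match, log_text.splitlines()) if m]


def inventory(events):
    """Which IM services are actually in use, and how much: the discovery step."""
    return Counter(ev["service"] for ev in events)


def evaluate(ev):
    """Return (action, reason) for one event, checking the most severe rule first."""
    if ev["service"] not in SANCTIONED:
        return "block", "unsanctioned-service:" + ev["service"]
    if frozenset({ev["from"], ev["to"]}) in ETHICAL_WALLS:   # direction-independent
        return "block", "ethical-wall"
    for name, pattern, on_msg, on_file in CONTENT_RULES:
        if pattern.search(ev["text"]):
            return (on_file if ev["type"] == "file" else on_msg), name
    return "allow", ""


def monitor(log_text):
    """Decisions for every event: (timestamp, from, to, action, reason)."""
    out = []
    for ev in parse_events(log_text):
        action, reason = evaluate(ev)
        out.append((ev["ts"], ev["from"], ev["to"], action, reason))
    return out


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(dict(inventory(events)))
    for row in monitor(SAMPLE_EVENTS):
        print(*row)
```

The ordering in `evaluate` is the point: a message on an unsanctioned service is blocked before its content is even examined, and a keyword that merely flags a chat line blocks a file transfer carrying the same term, which is the distinction the policy list above draws between live chat and file transfer.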

Tips for Safer IM

Organizations should assume that IM is being used, whether they have sanctioned it or not. And that may not be a bad thing—employees may have found a reasonable business use for which IM is expedient and effective. So management should not rush to ban its use in a knee-jerk reaction. Here are some tips for safer use of corporate IM:

■ Just as e-mail attachments and embedded links are suspect and can contain malicious executable files, beware of IM attachments too. The same rules governing e-mail use apply to IM, in that employees should never open attachments from people they do not know. Even if they do know them, with phishing and social engineering scams, these attachments should first be scanned for malware using antivirus tools.

■ Do not divulge any more personal information than is necessary. This comes into play even when creating screen names—so the naming convention for IM screen names must be standardized for the enterprise. Microsoft advises, “Your screen name should not provide or allude to personal information. For example, use a nickname such as SoccerFan instead of BaltimoreJenny.” 19

■ Keep IM screen names private ; treat them as another information asset that needs to be protected to reduce unwanted IM requests, phishing, or spam (actually spim , in IM parlance).

Records of IM use must be captured in real time and preserved to ensure they are reliable and accurate.


■ Prohibit transmission of confidential corporate information. It is fine to set up a meeting with auditors, but do not attach and route the latest financial report through unsecured IM.

■ Restrict IM contacts to known business colleagues. If personal contacts are allowed for emergencies, limit personal use for everyday communication. In other words, do not get into a long personal IM conversation with a spouse or teenager while at work. Remember, these conversations are going to be monitored and archived.

■ Use caution when displaying default messages when you are unavailable or away. Details such as where an employee is going to have lunch or where their child is being picked up from school may expose the organization to liability if a hacker takes the information and uses it for criminal purposes. Employees may be unknowingly putting themselves in harm’s way by giving out too much personal information.