Internal Email Control: Its Essential Role in Compliance Management

By : Nemx Software Corporation
INFORMATION
Published : Oct 02, 2006
Length : 10
Type : White Paper
 
Overview :
Hardly a day goes by without another example surfacing of how a breakdown in corporate compliance is linked to email. No wonder, with 103 billion corporate emails a day projected for 2008. The sheer volume of electronic correspondence guarantees literally every company will experience a serious incident of non-compliance resulting from their use of email — whether they know about it or not!

A truly effective compliance strategy is proactive and preventative in scope and would, by necessity, require every email message be managed with consideration for both regulatory and corporate policy.  Yet, most organizations have focused their email compliance efforts on only their inbound and outbound traffic—a mere 15% of their total corporate email volume!

Any uncontrolled use of email can lead to violations of both government regulations and internal corporate policies, with consequences that can range from employee lawsuits, to substantial government penalties, even to irreparably damaged brand and corporate reputation affecting sales and customer retention.  Protecting your organization against all these risks, liabilities and costs is crucial.  

This whitepaper explains why it is crucial to effectively control the other 85% of your email (your internal traffic) and describes the solutions architecture necessary to do so effectively.

Browse Related Categories: Compliance, Content Management System, Document Management, Email Security, Encryption, Governance, HIPAA Compliance, Messaging, Microsoft Exchange, Policy Based Management, Sarbanes Oxley Compliance, Secure Content Management, Security Management, Software Compliance

Introduction
Hardly a day goes by without another example surfacing of how a breakdown in corporate compliance is linked to email. No wonder, with 103 billion corporate emails a day projected for 2008 [1]. The sheer volume of electronic correspondence guarantees literally every company will experience a serious incident of non-compliance resulting from their use of email — whether they know about it or not!

Any uncontrolled use of email can lead to violations of both government regulations and internal corporate policies, with consequences that can range from employee lawsuits, to substantial government penalties, even to irreparably damaged brand and corporate reputation affecting sales and customer retention. Protecting your organization against all these risks, liabilities and costs is crucial.

A truly effective compliance strategy is proactive and preventative in scope and would, by necessity, require every email message be managed with consideration for both regulatory and corporate policy. Yet, most organizations have focused their email compliance efforts on only their inbound and outbound traffic—a mere 15% of their total corporate email volume!

Why Internal Email Control Is Needed
If there were only one reason internal email control is needed it would simply be because there's 8 times as much of it (i.e. email between employees) as all other inbound and outbound traffic combined. Put another way, a corporate security or compliance policy violation is 8 times more likely to occur within internal email than outgoing.

Of course, volume isn't the only reason. While outbound email control currently occupies the publicity spotlight, and for valid reasons, many of the driving factors that have pushed it to the forefront of corporate attention substantiate the immediate need for internal email monitoring and control as well.
Consider, for instance, the following:

- According to IDC's 2005 Security Survey, employees following security policies was rated as the second-highest security challenge organizations will face over the next 12 months
- Less than half of email users always comply with corporate email policies
- Trusted employees deliberately or inadvertently distributing sensitive information are quickly becoming a major concern in many organizations
- Nearly 50% of corporate email users have sent or received inappropriate content
- A 2004 survey by the American Management Association and the ePolicy Institute revealed that 20% of responding companies have had employee email subpoenaed in the course of a lawsuit or regulatory investigation—and if you think this is just a big company issue — wrong, 51% of respondents have fewer than 500 employees
- Regulations relating to Sarbanes-Oxley, SEC and NASD, impose requirements that reach inside the organization and impact internal email communications — such as the requirement to restrict information between analysts and brokers, or demonstrate "evidence of control" for financial information distribution, or the protection of personal confidential information

Bottom line, including internal email monitoring and control in the scope of your compliance strategy and efforts is the only way to achieve 100% compliance and peace of mind.


Internal Email Control As It Relates To:
Regulatory Compliance

Various laws and regulations, such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), Health Insurance Portability and Accountability (HIPAA) and NASD 2711 have been enacted with the goal of not only enhancing corporate governance but restricting the flow of confidential or private information.
Initial efforts directed at regulatory compliance have focused on preventing external leaks, accidental or otherwise, of sensitive information. However, as organizations gain more experience and understanding concerning the full scope of these imposed regulations they discover their regulatory obligations extend to their internal communications as well.

SOX, for instance, requires demonstrable "evidence of control" over the processing, reporting and distribution of, in particular, financial information. Email is the de facto form of intra-company communication. To guarantee financial data is not revealed to persons (including other employees) that shouldn't have it requires that the content of internal email be monitored and its distribution managed in accordance with regulatory and company policy.