Over the last few years, the Sarbanes-Oxley (SOX) Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act of 1999 (GLBA) and the threats highlighted by the CAN-SPAM Act of 2003 and the Internet Spyware (I-SPY) Prevention Act of 2004 have driven major changes in the systems, processes and security inside organizations. Some of these regulations are designed to stop the sources of spam, viruses and spyware. Others intend to make companies more responsible for the protection of customers’ privacy and for the safety of critical finance and identity information. All impose increased burdens of accountability: to shareholders for the substance of financial reports; to customers and partners as regards information usage, retention, and notification (particularly in the event that information privacy is compromised); to regulators and auditors for documenting processes used to manage information; and to the courts, in responding to discovery demands. All have a pronounced effect on corporate email. While publicly-traded companies are the focus of SOX, financial services, health care and government organizations are at the center of information privacy regulation. But all organizations are under pressure to protect themselves and address increasing internal and external concerns and regulations around privacy, confidentiality and financial reporting. Email, the most-used and most unrestricted medium for business communications, is one important place where the rubber meets the road. The right solutions, along with proactive management, can pay huge dividends in compliance, risk-reduction, and improved efficiency. In this paper, we address both general and industry-specific business regulations and how they impact an organization’s email system. 
EMAIL TOUCHES THE HEART OF YOUR ORGANIZATION

Email is about more than just sending messages – it’s often the primary groupware, personal information manager and file-sharing system for workers. In fact, a company’s email taken in aggregate probably contains traces of just about everything important to the company – from proprietary information such as financial reports and strategic executive communications (important to SOX) to sales correspondence and transactional negotiations (subject to SEC or other regulations). It can also include non-public information (NPI) (e.g., healthcare records, financial data, payment-card information) which may be subject to governmental regulations like HIPAA or GLBA, or to a host of emerging state and global regulations as well. While the primary home of most of this important content may not be email, many employees do use their mailboxes as filing systems. Information also finds its way into the email system as employees communicate with each other or with others outside the organization. Accidental forwarding, “reply-to-all” and other common email behaviors can broadcast information and attached files far more widely than intended. These features are periodically implicated in horror stories, such as one reported in early February 2008 by Katherine Eban at portfolio.com (Conde Nast Publications), in which counsel for Eli Lilly, due to an autocomplete error, accidentally sent documentation of a $1 billion negotiation to a financial reporter at the New York Times. On the receiving end, copies of critical data and documents may persist, long term, in email inboxes and temporary directories on office PCs, laptops, home computers – even on mobile devices and in the databases of public webmail systems. If the data is unencrypted, senders have no control over its security and confidentiality, and stand perpetually at risk of its exposure.
The lesson is clear: organizations must take notice when this information is found in outgoing email. Unfortunately, unlike other applications and systems in your company that have well-defined authentication and access-control restrictions, email has been mostly unrestricted. Users may send any message they want, with any content they want, to any person they want. For many companies, email is an uncontrolled communication medium where unmanaged business activity—and in some cases, dangerous messages—can travel unchecked. Organizations are coming to recognize how important it is to manage, protect, audit and control outgoing email, and to do so proactively, with an eye to risk-reduction. The most heavily-regulated industries, of course, have long since gotten the message. Nearly a quarter of US firms with 20,000 or more employees – and the percentage is growing fast, according to Proofpoint and Forrester Consulting – employ people to monitor outbound email communications in real time. But this solution is both costly and problematic — subject to human error in execution, in reporting, and in possible later testimony. Ultimately, as regulations grow more numerous and complicated and organizations explore new markets, the “live human” approach hits a natural scaling limit – becoming what security expert Bruce Schneier calls “security theatre,” rather than actually reducing or eliminating risk.