Send No Evil?

SAN FRANCISCO (03/07/2000) - E-mail can make powerful evidence in the courtroom. Because it's informal by nature, people jot things in e-mail that they'd never say in a letter, let alone to someone's face. But once an e-mail is sent, it's usually as good as cast in stone.

Most messages are stored on your e-mail server - where they can be retrieved by any customer with a grievance against your company and a search warrant.

Heavily regulated industries like financial services have long been required to monitor communications with customers to detect insider trading and fraud.

E-mail is only the latest in a long list of communications under surveillance.

But as more and more sophisticated information is transmitted by e-mail, concerns are being raised in other industries. In health care, for instance, secure and nonfraudulent transmission of prescription information and patient records is paramount. To stop potential lawsuits before they start, brokerages and other regulated companies are considering monitoring software.

Developed by linguistics specialists, lawyers and business experts, these programs "read" selected e-mail messages coming to and from your company and look for word patterns that might suggest a problem. For instance, a message from a broker saying "I guarantee that stock X will skyrocket tomorrow" might be flagged, as the phrase implies a price manipulation or insider trading scheme. The message could be sent to a lawyer or manager for review.

However, such rules-based software is only as good as the lexicon on which it's based. Implementing these tools could cost your employees their privacy - a breach that could open up another legal can of worms. So far, the early adopters are in industries that already use some form of surveillance. Even then, the companies using the software do so selectively - e-mail monitoring programs are so complex that scanning every iota of data is still too time consuming for even the most totalitarian companies.

GUESSING GAME

Right now there is no hard-and-fast legal standard for an employer's liability where e-mail is concerned. Not until 2001 or 2002 will sufficient cases have worked their way through the courts to indicate judges' views on employer liability. Monitoring software is currently in wide use only in the financial industry, which has long used surveillance techniques - like taping phone conversations - to comply with U.S. Securities and Exchange Commission rules.

Some analysts think e-mail monitoring will never make it in other industries, where people are more worried about privacy. Yet some estimate that within two years monitoring systems will appear in law and health care firms, especially for e-business. Brokerages were spurred by the SEC, which in 1997 effectively extended its rules to e-mail by requiring that firms monitor brokers' communications with their customers (to ensure nothing illegal is communicated) and to keep logs of all e-mail messages. Of course, reading a company's entire e-mail archive would require an army, so brokerages eagerly adopted monitoring software when it came on the market.

Brokerage-monitoring systems are primarily set up to detect insider trading, brokers who push risky investments to naive customers and other illegal trading schemes. But they can also signal red flags on foul language, sexually explicit remarks and ethnic discrimination. Monitoring systems can be configured to detect a variety of danger signs.

First Union Securities East installed Assentor from SRA International of Fairfax, Va., to keep an eye on brokers corresponding with clients via e-mail.

To develop its policy, the company consulted its legal and human resources officers. The firm also invited comments from branches before rolling out a pilot. The process wasn't fast but it was thorough. The software now scans 20,000 messages a day and is widely accepted by the brokers.

When First Union turned on the system, it slowed down business by calling attention to too many innocuous messages, which were then sent for review by staff for compliance. The system was adjusted so experienced brokers with clean track records get less stringent review than new brokers and brokers with a history of complaints.

Company executives say the system now runs more smoothly. Pacific West Securities in Renton, Wash., has 130 brokers and copes with the SEC surveillance requirement by automatically creating a copy of every outbound e-mail message and sending it to the firm's compliance office for manual review. The office makes a hard copy and files it. "With the size we are now, our procedure is doable," says Erin Ford, Pacific West's VP of marketing. "But as you grow, it's harder to get your arms around it."

The company is now looking at a monitoring system from Amicus Networks. Larger brokerages say they would not be able to use e-mail if it weren't for monitoring software. Scott & Stringfellow, a securities firm just down the road from SRA International, in Richmond, Va., also uses SRA's Assentor software, says Derek Brooks, manager of application development at the brokerage.

"We made the decision to adopt a system for e-mail compliance before we gave our retail reps Internet e-mail service," he recalls. "In mid-1997, when it looked like the exchange and regulating bodies would lean toward regulating electronic communications the same way they regulate paper-based correspondence, we decided to look at a technical solution." Now, he says, monitoring e-mail is part of doing business.

Assentor, which was installed with full backing of the business unit and compliance department, is running smoothly. Meanwhile, monitoring software is just starting to spread from Wall Street to Main Street. In central California, Clovis, population 50,000, installed a system from Elron Software as a precautionary measure. The system is set up to look for racist or sexually explicit remarks sent by any of the 350 city employees with computer access.

"We're trying to cover our assets," says John Vincent, Clovis' computer systems technician. "We don't want someone to come back and sue the city." So far, the system hasn't found any cause for alarm, though it does occasionally spot foul language. "But that's not our main concern," Vincent says.

THE HEAT OF THE MOMENT

Just about anyone who owns a computer has, at some point, fired off an e-mail and then regretted it. Something in the nature of e-mail encourages spontaneity, says Claude Stern, a partner at Fenwick & West in Palo Alto, Calif., who chairs the firm's technology and software group. "Users of e-mail tend to be much less filtered than in other media, so you often see spontaneous, not particularly well thought out, often highly emotional comments."

Which, of course, are exactly the sort of messages that end up in court.

Exhibit A: "Cut off their air," the e-mail comment made by a Microsoft employee proposing a solution to competition from Netscape. Offhand or not, the remark ended up as part of the federal government's antitrust case against Microsoft.

And yet a figurative phrase like that probably wouldn't be picked up by monitoring software, which is usually single-mindedly rules-based.

One solution for that sort of e-mail is good-old policy, says Joyce Graff, VP and research director for e-mail at the Gartner Group. She recalls a time when she was working at Digital when a memo circulated asking employees to refrain from military terms when discussing the competition. That was 10 years ago, she points out, yet the idea of using discretion in e-mail still is not widespread.

"I don't have a single case right now where my clients are being sued or are suing where e-mail is not causing some problem for somebody," attorney Stern says. "There have always been smoking-gun documents in legal cases, but the number of such documents and their intensity has surged with e-mail. When people pick up a dictaphone or go to the typewriter, there is just much more deliberation and they're apt to go through drafts.

E-mail doesn't work that way - it's right there at your fingertips." Because the widespread use of e-mail is a relatively recent phenomenon, laws governing e-mail and e-mail monitoring are still evolving. While employers generally can't monitor workers' phone conversations unless they announce the policy and sound a beeping signal on the line to indicate that the conversation is being taped, no such restrictions apply to e-mail. In court cases so far, employers have been given wide latitude in monitoring e-mail. "Employers have the right to monitor the content of communications without even providing notice to employees, although most do give notice," says Dave Banisar, an attorney in Silver Spring, Md., who specializes in privacy issues.

With Congress unwilling to act to protect privacy in this area, the initiative passes to the states. In November the California legislature passed a bill requiring employers to give notice if they're going to intercept employee communications, but companies fiercely complained and the governor vetoed the bill. "I think we'll see Congress continue to sit on its hands," Banisar says.

"But we will see more states passing laws to place limits on interceptions because there are far too many cases where e-mail is being collected for no good reason except to embarrass the employees."

Dan Gassman, a senior research analyst at Gartner, says excessive e-mail eavesdropping can lead to lawsuits against managers. Case in point: A woman with breast cancer who used the Internet at work to look for information on her disease was annoyed to be questioned by her manager, who was alerted when monitoring software picked up the word "breast." In another instance of smart software producing dumb results, a prestigious law firm found that bragging about its attorneys' successful academic careers - their magna cum laude or summa cum laude degrees, for instance - in e-mail was flagged as pornographic commentary.

NO BIG BROTHER

Some organizations elect to use monitoring software sparingly, or only when there are other indications that a problem exists. The National Eye Institute installed Elron software primarily to guard against viruses and doesn't use it to check on employee e-mail.

"This is a government organization," says the institute's chief technologist, who asked not to be named. "It isn't personal e-mail." If an employee has a problem with, say, sexually harassing e-mail, the simple solution is for the employee to save it and pursue the matter with management, he suggests.

Morrison & Forester, a San Francisco-based law firm with 767 attorneys, has a similar take: It doesn't use its Worldtalk monitoring software to check employee e-mail unless there's a personnel problem. "We treat our people like professionals," says Jo Harif, the firm's CTO. Managers ask for e-mail monitoring less than once a month, she adds. "We manage by productivity - what you get done." If an attorney works until 10 p.m. every night on a big case and uses the Internet to order a birthday present for his mom, that's not an issue.

"It comes down to respect. We respect our employees and they respect us."

Most employees will understand monitoring if their employer explains it up front and if there's a legitimate reason for it - only to find out if people are doing something illegal, for instance, or threatening company assets, says Marc Rotenberg, executive director of the Electronic Privacy Information Center. "That's OK, but widespread monitoring without any restrictions, without believing a person is doing something wrong, that's a problem.

People do have some privacy rights to some personal communication from their place of work, although that may vary from a high-tech startup in Silicon Valley where the rules are probably different than a defense contractor in D.C.," Rotenberg says. Companies knew they had problems with e-mail content, but had limited tools to meet the challenge. Today the solutions are available, and someday not doing anything could make you liable.

Join the newsletter!

Error: Please check your email address.

More about APTElectronic Privacy Information CenterElron SoftwareFenwick & WestFirst UnionGartnerGartnerMicrosoftSECSecurities and Exchange CommissionSRA InternationalWall StreetWorldtalk

Show Comments