The All-Knowing, All-Seeing Eye
By Melisa LaBancz-Bleasdale, Messaging News
February 2008
Representations of an all-seeing eye can be traced back to Egyptian mythology. But is an omnipresent eye watching over all a comfort or a concern? The advent of email monitoring brought with it a wave of misunderstanding. The idea that organizations would actually "spy" on its own employees seemed Orwellian. Some felt it was Doomsday masquerading as a network application. To organizations, it is the means to a sometimes unpleasant end. To the courts, it is an increasingly important part of litigation.
Email monitoring has evolved from paranoid, back room Voodoo, to a par-for-the-course technology and process with far-reaching implications. Companies routinely monitor communications for reasons ranging from suspicion of misdeeds to fear of litigation. Going beyond email, modern monitoring technology also keeps a watch on new media such as instant messaging, text messaging, social networks and the blogosphere. If you are using the company network or property to send anything, anywhere it is likely captured on a log somewhere.
The Enron debacle was the start of a new era; the catalyst for stricter, more wide-reaching regulations surrounding messaging content and archiving. Shredding boxes of sensitive documents became an unacceptable pastime. Corporate malfeasance on a grand scale brought about significant, business-altering compliance requirements felt on a global scale. Throughout the past several years there have been numerous iterations of these rules, resulting in mind-bending complexity and endless interpretation. Times change and the rules and accompanying technology are a-changin’ too.
A Business Requirement
Today, there are many different electronic content archiving requirements at both the state and federal levels. Some are specific to industry vertical and some are specific to type of content. All carry with them the threat of enormous penalties and quite a lot of bad press. Among the federal mandates calling for email preservation and retention are: the Federal Rules of Civil Procedure (FRCP), requiring organizations to pay closer attention to their electronic information; Sarbanes-Oxley (SOX), which places greater emphasis on retaining business records for corporate governance; the Health Insurance Portability and Accountability Act (HIPAA), requiring Protected Health Information (PHI) to remain confidential; and the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions that hold personal information to transmit and store it in a way that it cannot be compromised.Matt Smith, president of LiveOffice, uses the financial services industry as a prime example of a compliance requirement becoming an every day business requirement. "The securities regulators came down very hard on financial services and instituted tight rules and guidelines for the archiving and monitoring of email," explains Smith. "There was grumbling in the beginning, but they are well past that point. It is understood that anything archived in email, can come back to haunt them, if inappropriate or problematic."
The Eye in the Sky
Email monitoring and retention are now critical aspects of corporate governance. It is the CCTV of software. Although quiet and unobtrusive, people often fear what they cannot see, smell, or touch. Being watched, no matter what the form, conjures up images of a totalitarian police state. Regardless of how negative the connotation, email monitoring is critical to business survival."We’ve been conducting a survey in conjunction with the American Management Association (AMA) every year since 2001," says Nancy Flynn, director of the ePolicy Institute. "Consistently, employers have told us that their number one concern, when it comes to email and Internet use, is fear of legal liability." Simply said, employers are afraid of being sued. "Email messages, Web surfing, blog posts, text messages, you name it; it all creates the electronic equivalent of DNA. When companies end up in litigation, there is absolutely no doubt that email is going to be part of the discovery process."
Flynn explains that on December 1, 2006, the federal courts announced amended rules to the FRCP. In essence all Electronically Stored Information, (ESI)—a new term coined by the federal court—is subject to discovery in a federal lawsuit. Therefore, if a company is hit by a sexual harassment or discrimination or hostile work environment claim and they end up in federal court, all of their ESI is discoverable. "All of the emails, text messages, IM, blogs, on and on, can be used as evidence for or against the company. That’s the number one reason we see employers monitoring email."
The August 2007 Osterman Research whitepaper, A Guide to Understanding Hosted and Managed Messaging, makes the point that organizations must increasingly focus on creating and enforcing email and electronic content policies. These policies should be designed to protect an organization from liability in the context of regulations and legal rulings, which requires appropriate transmission, retention and management of the content.
According to Smith, having an email policy is step one. "Business owners, shareholders and the Board of Directors should really be sensitive to the fact that they are responsible for the information that’s in email," Smith says. Step two is actually enforcing it. "That’s where people are going to get into a lot of trouble—having a policy in place that they don’t do anything about. Especially when there are so many solutions in the marketplace today that put enforcement well within reason, if not a best practice."
"An excellent way to monitor electronic risk is to apply what we call the three E’s," advises Flynn:
- Establish a policy
- Educate your workforce
- Enforce your policy with a combination of discipline and technology tools, which includes monitoring
It is easy to assume that with the amount of negative media coverage that exposed email, IM and text messages have received, people might be a tad more discreet when describing personal body parts. Interestingly, they are not. The prevailing belief is that the First Amendment guarantees individual freedom of speech and expression when it comes to electronic communications. It does, but not at work, and not on company computers. "The First Amendment only applies to government control of speech," warns Flynn. "You can write whatever you want, whenever you want, about whomever you want, but you might get fired."
Employers, notes Flynn, would do themselves a favor if they would just educate their employees. "As part of that training, employers need to tell employees that in the United States, the Electronic Communications Privacy Act gives employers the right to monitor all computer activity. The other side of the coin is that employees have absolutely no reasonable expectation of privacy when they are using the company system."
Smith believes that legal precedent and case law will drive the adoption of email monitoring and retention solutions. He also thinks the inherent benefits of the technology, such as having old emails easy to find and at your fingertips, will lead to increased functionality that businesses are going to demand. "The real progress is yet to come. We’ll see it in all organizations when the value proposition is understood by businesses. Having a system in place to rely on can be a good strategy."
2007 Electronic Monitoring and Surveillance Survey
The results of the 2007 Electronic Monitoring and Surveillance Survey, from the American Management Association (AMA) and the ePolicy Institute, show that monitoring is no longer just a part-time operation.Key Findings:
- Percentage of employers that monitor time spent, content, or keystrokes entered by employees: 45 percent.
- Percentage of companies that store and then review employee computer files at a later date: 44 percent.
- Percentage of employers that have fired employees for Internet abuse: 30 percent.
- Percentage of employers that have fired employees for email abuse: 28 percent. Of that number, 62 percent said it was for inappropriate language or content; 26 percent because of excessive personal use of the system; and 22 percent for breach of confidentiality rules.
