Email rules, but who's following them?

By David Braue

Apr 11, 2005: In today's business climate, everybody uses email. Most companies, however, still lack formal policies governing its usage. David Braue asks why we're still struggling to manage this fundamental technology.

As provider of the world's most used email tools, you'd think Microsoft would have its email management policies perfected. Yet even Microsoft, like companies the world over, is still coming to grips with the best way to manage its employees' email usage in the face of stricter corporate governance requirements and steadily increasing email volumes.

Globally, Microsoft processes 4 million internal emails and more than 1.6 million external emails every day, or around 2 billion messages a year. Even though its 725-strong Australasian workforce accounts for just a fraction of that email load, Microsoft's recent global consolidation of email, to just four sites, has made email accessibility and appropriate use a critical issue here as elsewhere.

One of the biggest challenges facing Microsoft's internal IT team is the need to maintain the integrity of the historical email record even though employees often archive their mails in personal .PST files that aren't automatically copied onto central servers.

Although it reduces the strain on central servers by keeping users below their email storage space allotment, .PST archiving also means those old emails can easily fall out of the corporate record.

Michael Lane, CIO for Australia-New Zealand with Microsoft, has worked closely with the company's legal and HR departments, among others, to assess just what implications this, and other email-related issues, could have on the company's overall governance structures.

The company will soon publish for its employees a formal set of policies governing issues such as what type of content is appropriate to send internally and externally; when it is appropriate to forward emails outside the company; how to make sure messages don't go to the wrong people; and what kind of email retention policies must be implemented.

Microsoft currently keeps six months' worth of emails online for employees' access, but this policy is on the table as discussions with legal and HR representatives have revealed a host of related issues and, invariably, related problems. For example, barring employees from creating .PSTs, and increasing the size of the email inbox instead, would keep messages out of unreachable .PST files but could flood internal networks due to the synchronisation of massive client-based email files with email servers.

Working with other parts of the organisation to develop meaningful policies is key to establishing successful email policy, says Lane: "Both legal and HR have specific requirements when it comes to email," he explains. "When employees come onboard, these things need to be clearly documented. When it comes to general IT security policies, they are often well thought out; for example, it is well spelled out what happens if you install a rogue WLAN access point. But when it comes to email, things are still a bit fluid in terms of what the consequences are."

The close working relationship between Microsoft's IT, HR and legal teams has given IT an ongoing role in the company's monthly half-day update meetings, where the IT team is given some time to teach users about current technology changes and related usage policies. Employees can also access canned Employee Productivity Education modules (a range of presentations discussing corporate email policy and productive email usage), but these are voluntary, so Lane concedes it's hard to depend on them for policy dissemination.

Lack of definition

Business policy is always an evolving entity, and email has proved to be no exception. Yet while most companies have very clear rules about how to handle issues like holiday leave, sexual harassment and security of building keys, intra-organisational conflict and unclear lines of responsibility have in many cases left employees without clear guidance about their email rights and responsibilities.

In some cases, this is simply because email, and the idea that people intrinsically know how to use it, is being taken for granted. "Most people who approach us are aware they should be doing something [about corporate governance and email policy], but aren't aware of what that should be," says David Hanrahan, line of business manager for platforms with systems integrator Dimension Data, whose responsibility includes sitting down with customers to hash out clear email policies.

"Corporate entities seem to expect that users have awareness of policies and what should be done, but when we talk to users we often find they have no idea."

That's led to some worrying practices: storage provider StorageTek, for one, found in a survey of medium and large Australian companies that 70.5 percent of companies impose mailbox size limitations, forcing users to decide what goes and what stays. Around 8 percent of users simply deleted read messages hoping they wouldn't need them again; 20 percent stored messages on their own computers; 23.5 percent deleted their oldest messages altogether; and less than half of respondents carefully chose which messages to delete or move.

Those are worrying statistics given that those deleted or moved messages could one day be the key to a legal discovery order. People make mistakes, and policies should both recognise that fact and work around it. What happens when a user inadvertently forwards the company's latest profit figures to someone outside the company, who then sells them to a competitor? Can the employee be blamed if the company didn't have a clear policy about what can and can't be emailed? Without clear and acknowledged guidelines about email usage, he would technically have done nothing wrong.

A good guideline when formulating email policy is to match it to existing business policies in other areas. Another thing to remember is that email isn't the only way of communicating information outside the company. Instant messaging, in particular, has come into wide use and provides an often unmonitored way for sensitive information to flow out of the organisation without a trace.

Another activity demanding clear policies is blogging. The past year has seen myriad cases of loose-lipped employees being sacked after disclosing just a little too much information about the company's activities in public forums. Microsoft, for example, recently sacked a contractor for posting pictures of Apple Computer G5 systems being unloaded at its campus.

In an ironic twist in August, social networking dot-com Friendster laid off a contractor who characterised the site's performance as "pokey" after she was brought on to rewrite the J2EE code in PHP. In September, Delta Airlines air hostess Ellen Simonetti, also known as the 'Queen of Sky', was shown the door after management discovered her blog called 'Diary of a Flight Attendant' and protested her use of what they called "inappropriate" pictures. Simonetti could find no Delta policies that prohibited what she had done, and is currently appealing her case.

The technological rat race

Such seemingly arbitrary sackings highlight the need for clear and well communicated policies about email, IM, blogging and the myriad other forms of instant communications that have emerged in the age of the Internet. To some extent, the problem is simply that technology has evolved faster than the policies to govern it. Yet if companies had broad and appropriate policies in the first place, the specifics of the technology theoretically shouldn't matter.

Interestingly, it is the growing awareness of business requirements, such as the US Sarbanes-Oxley Act and pending similar legislation in Australia, that has finally broken the dam in terms of awareness of corporate governance requirements. Executives realise that inattention to email, and corporate information management in general, is simply no longer acceptable, and broadcast missives to develop clear policies.

In many cases, this results in the implementation of tailor-made email archiving solutions that automatically optimise and age emails across various storage media. Storage vendors have taken to calling these types of solutions ILM (information lifecycle management), yet they are only half solutions. While they can help optimise the usage of hard disk space by email systems, they are no substitute for clear policies that spell out banned and prohibited policies.

Enforcing those policies is another thing altogether: in many cases, companies may not even know that policies have been violated, much less what to do about the act. Here, technology promises to be of some assistance: digital rights management (DRM) servers from Microsoft and other providers are providing the ability for senders to limit what can be done with their messages. Printing, forwarding, copying, and so on can all be managed down to a highly granular level, reducing the possibility that the wrong kind of content can be distributed inappropriately.

There's only one problem: current technology basically stops at the edge of the company; once mail goes onto the Internet, there's no guarantee that receiving systems will adhere to security policies. Recipients' email clients can be forced to apply to the originating email server for a key to read the mail, but anybody that's not known to the company's directory service, and that typically means everyone, will be knocked back and will find themselves with an unreadable email.

One solution is to add every possible recipient into the internal directory service, tracking profiles and effectively making them pseudo employees for the purposes of handling email. This, however, is both impractical and questionable from a security perspective. This year, expect federated identity management systems to provide a more effective and secure way of transporting identity information between organisations, thereby allowing preservation of DRM control anywhere the mail travels.

These tools, of course, serve no purpose without policies for them to mirror. Even as many companies step into better information management using email archiving tools, it is incumbent upon them to be simultaneously developing clear policies on usage of email and other forms of communication.

In the best organisations, it's handled as a business issue. Policies that revolve around people policies seem to do really well. There's just no way to force this onto an organisation; it is one of those things that has to happen over time."
