Mention the word 'archive' in regard to corporate email, and users get their hackles up. But IT managers are taking a tough stance: Messaging is not personal. "People rely on email as a record of their life, but they should not assume that email is a private form of communication," says Joanne Kossuth, CIO at Olin College in Massachusetts.
The blurring of personal and business email is a serious problem at companies today, says Mich Kabay, associate professor for information assurance at Vermont's Norwich University, and author of the Network World on Security newsletter. "Any email message that is written on a corporate account should be considered written on company letterhead," he says. "It should not be taken lightly."
Personal email contaminates corporate archives, wastes valuable resources, including storage space, and is a productivity risk, as it adds to the amount of time IT spends on managing the messaging system, he says.
Olin's Kossuth is just one of many IT managers trying to hash out policies for email use. Driving this movement are high-profile lawsuits that involve email evidence and an increased focus on public and private sector regulations.
The US Gramm-Leach-Bliley Act makes Olin responsible for all information on campus, with much of that information held in the college email system. "We have to make ourselves compliant so we're not tagged by the auditor," Kossuth says.
Do you Yahoo?
To avoid any confusion about the public nature of email, Olin has all users sign an acceptable use policy. "If there is an event, the institution has the right to search email," Kossuth says.
Kossuth encourages everyone to use a Web-based account, on Yahoo or AOL, say, for personal communications. "There has to be delineation between personal and business," she says.
Another way she discourages personal use of the system is by setting storage limits on the server and the lifetime of messages overall. Each student is allowed 30MB of storage and then has to transfer data to local folders. Staff are not held to quotas, but are subject to the same archiving rules that apply to students.
Olin does not keep messages on the server for more than 30 days, and then only archives them for six months, a time frame set by the college's senior administrators. The reasoning is simple: "If you keep messages around for long periods of time, you have to protect them and you face liability issues." If the college is sued, years and years' worth of archived messages could be used for discovery, which would be a time-consuming and costly process, Kossuth says.
Like Kossuth, Andrew Kline, network administrator for The Reading Hospital and Medical Centre in Pennsylvania, struggles with the personal use issues. Right from the start, he makes it clear to employees that they shouldn't use email for personal stuff. "It's a productivity tool," he says.
Kline has new hires at the main hospital and 60 satellite locations sign an acceptable use policy for email. "They understand we can look at anything at any time," he says.
To further discourage personal use, Kline instituted storage limitations, saying, "if you go over, you've just lost your ability to send and receive email." Today, Kline's team stores messages on the server for three weeks, but he's anxious for system improvements and is investigating how to make email storage compliant with the US Health Insurance Portability and Accountability Act (HIPAA). "How long do I need to keep messages floating around? Do I need off-site storage?" he says.
To protect patient privacy, Kline limits the size of messages so that patient record information such as X-ray images can't be shared over email. "I know our email at this point cannot be trusted to be secure, so no patient information should be going back and forth in a message," he says.
Instead, he gives authorised caregivers an intranet tool for accessing digital images and other critical information in a secure environment. Rather than physicians being able to send information to whomever they want, they must register message recipients with the system, Kline says.
The trick to making all this a success is the support of hospital administration, he says. When a doctor complained to the CEO about the message limitations, the CEO backed the IT team. In the end, the storage limits and offloading to the intranet have made a noticeable improvement to the performance of the hospital's Microsoft Exchange server, he adds.
Privacy not permitted
"Email is a business record, pure and simple," says Craig Olson, vice president of marketing at Zantaz, one of a host of companies cropping up in the message management arena. "It's a corporate information asset."
He points to the financial sector. "Email and instant messaging have been documented as books and records, and as such are required to be kept archived four to seven years," he says.
Because of this, he says, message system users have no privacy rights. "Employers are very aware that users are worried about privacy. And each company is coming up with its own policy," Olson says.
Educating users about email use policy is critical. Some things to include in the policy: how long the information will be stored, who will have access to it, and when and why access would be allowed, he says.
The access issue is of most concern to users, says Marc Van Zadelhoff, vice president of business development and strategy at security software maker Consul.
"You need to make sure that someone is officially designated as the security officer or security manager," he says. "And he must have a reason to look through the files. There must be evidence of a chain of events that leads the company to be suspicious."
Another essential for users is message protection, Van Zadelhoff says. Users want to know that IT is doing everything in its power to secure that archive. "If that information is suddenly viewable by everybody, not properly secure, not properly archived, that's a bigger problem," he says.
Olson recommends employing a chief compliance officer to make sure everyone understands and adheres to email regulations. "If email resources are not managed properly," he says, "there are significant consequences for the company's reputation, stockholder confidence, share prices and more."
Sandra Gittlen is a freelance writer in Massachusetts.