Lawyers are circling over UK plc as new e-mail-based compliance and Duty of Care legislation introduces unprecedented levels of corporate and personal liability. Minimising both exposure and legal bills demands an aggressive strategy for monitoring, identifying and investigating e-mail abuse.

For some years now a good many organisations have bemoaned the dramatic fall in productivity prompted by e-mail misuse. They have wrestled with the challenges presented by inappropriate downloads, employee harassment and corporate compliance. However, such concerns appear positively benign when compared to the threat of criminal prosecution and (possibly) a prison sentence that face today’s company directors should their employees breach new compliance legislation or use e-mail to facilitate sexual, racial or religious abuse.

Indeed, in the States plenty of organisations have already been prosecuted for copyright infringement as a result of employees using company networks to distribute MP3 files. No surprise, then, that the lawyers are circling and dedicating their resources to what is now an increasingly lucrative area for them.

Innocent until proven guilty doesn’t apply in corporate Britain. To avoid reputation-destabilising Court cases, punitive fines and unlimited damages, a business must demonstrate that it has taken all reasonable actions to control employee use (or, indeed, abuse) of e-mail.

Switched-on organisations (no pun intended!) are managing to evade the legal representatives’ clutches, opting instead to use proactive e-mail audits with an investigative forensic tool to enable rapid identification and investigation of e-mail traffic (and, hence, providing an excellent defence).

Degrees of corporate responsibility

For the past few years, business leaders have developed ‘acceptable usage policies’ for e-mail, each designed to minimise personal e-mail usage and protect employees from unfair treatment. More often than not, those policies have been supported by stringent penalties for misuse. Indeed, after violence and theft, e-mail misuse is the most likely cause of instant dismissal.

Many feel they’ve been waging a losing battle and yet, while commercially damaging, the problems have not actively threatened the business. Times have changed. Legislation has finally caught up with the e-mail explosion, and now touches every aspect of the business – from corporate compliance through the Financial Services Authority (FSA), Basel II and Sarbanes-Oxley to employee care.

While FSA regulations, for example, now dictate that all e-mails are retained for seven years, the Information Commissioner has laid down explicit requirements for e-mail traceability and audit to combat instances of racial or sexual abuse, harassment or bullying. As a result, organisations must now be able to demonstrate – in Court, if necessary – that all possible steps have been taken to prevent abuse or any kind of regulatory infraction.

With directors now personally liable in areas such as corporate compliance, any failure to implement appropriate controls could result in a prison sentence. Indeed, in one particular high profile case it has already done just that.

Even if an organisation is unaware that harassment is occurring, with no mechanism in place to identify or prevent such harassment it has failed in its Duty of Care and is, therefore, liable to prosecution. Furthermore, if the organisation is aware of the problem but has taken no steps to prevent it, it’s deemed to be complicit in this action. In both cases, the organisation concerned could be facing punitive fines, a high profile Court case and, where racial harassment is concerned, unlimited damages.

Management taken to task

While it might be the employees who are misbehaving, it’s going to be senior management that are hauled up in front of the Judge. Nor is there much time to respond to the charge. The new regulatory landscape requires companies to be able to undertake rapid investigations into e-mail activity in response to specific accusations. The problem is that the typical strategies of content filtering external messages and backing up all e-mails don’t facilitate such investigations.

How, for example, will an organisation respond to an FSA investigation into alleged leaking of performance information prior to year end results? While the FSA may have a copy of an e-mail, there’ll be no indication as to its sender, recipient or content. As the regulations stand today, failing to produce evidence is a tacit acceptance of guilt. Therefore, the pressure is on to find the e-mail as soon as possible (and within two weeks at the outside).

Basic system back-up will not capture deleted e-mails, nor guarantee that e-mails haven’t been doctored. As a result, investigations will be incomplete and inconclusive. Furthermore, without excellent, context-based searching the overall time taken to sift through e-mails could be prohibitive. Once more, an organisation cannot prove that it has taken reasonable steps to prevent the abuse. Its managers will find themselves on the wrong side of a fine and, quite possibly, facing up to more than just a rap over the knuckles.

Just look to the US, where there’s growing evidence of companies being prosecuted for complicity both in distributing pornographic material and in breaching copyright as employees use the e-mail system to send MP3 files. Locking down the perimeter will not protect an organisation from an employee uploading a disk onto the network and mailing it to colleagues. The organisation has still facilitated copyright theft or distribution of inappropriate material. Few company directors would enjoy being prosecuted for publishing pornography.

Furthermore, not only does internal e-mail outstrip external communications by a factor of ten, it’s also the primary platform for racist or sexual abuse. Any organisation that fails to take a proactive approach to internal e-mails will be failing in its Duty of Care to employees, and must then accept the consequences.

Compliance with these new regulations and current legislation is policy driven.

Is there a solo solution?

There’s no single technology solution currently available that can guarantee problems will never arise. Organisations have to expect staff to act responsibly, but also to put in place checks, audits and policies that ensure misdemeanours are rapidly identified, investigated and dealt with. In this way, company managers can argue that they’ve taken all possible actions to minimise the incidence of abuse or misuse.

By combining regular, proactive e-mail audits and management reports with a forensic tool that exploits context-sensitive searching to rapidly identify relevant communications (however obscure the language), corporate organisations can certainly offer a much stronger defence against any future claims of inappropriate activity.

Brendan Nolan is chief executive of Waterford Technologies (www.waterfordtechnologies.com)