All types of organizations are finding the widespread use of e-mail is creating myriad security issues, including one issue commonly overlooked by corporate America: legal liability.

E-mail and Internet usage draw on perhaps the greatest vulnerability - human error - to contribute to situations threatening the security of employees and/or the corporation. In this age of cybercrime, the legal risks are abundant. But so are the solutions.

Thanks to a growing mobile workforce and tight integration with partner operations, remote access to company systems is a customary occurrence. These entry points, though, meant to increase productivity and efficiency, can also expose to intruders intellectual property, confidential customer records, financial documents, business plans and other proprietary information. The lifeblood of your business could be compromised, and the impact on your company could be immeasurable.

The San Francisco Chronicle reported in November 2000 that an ex-employee of Cisco Systems was charged with stealing trade secrets from the networking giant before he left to join Calix Networks, which competes against Cisco in optical networking. In March 2001 he plead guilty to a lesser charge and received a sentence of three years' probation.

To prevent unauthorized access to sensitive data, companies can use encryption tools to protect files stored in databases and files in transit. Similarly, e-mail filtering tools can be programmed to intercept messages containing proprietary information based on predefined key words, such as project code-names.

Meeting federal mandates

Beyond lost value and productivity, lax e-mail security can also bring your organization afoul of federal regulations that carry criminal penalties and stiff fines for noncompliance. The U.S. Securities and Exchange Commission has such rules governing the transmission of sensitive financial data, while the emerging Health Insurance Portability and Accountability Act (HIPAA) regulations call for expanded protection of medical records. For healthcare and financial services organizations, this information represents the trust and confidence of their customers. A company's careless use of the data could result in lawsuits and regulatory sanctions, which, in turn, could impact the organization's reputation and market value.

Consider this close call by Kaiser Permanente, one of the nation's largest HMOs. According to a story in the November 2000 issue of Information Security magazine, in August 2000 the company accidentally sent hundreds of e-mail messages to the wrong recipients. Some of the e-mails contained sensitive medical information of the type HIPAA is meant to protect. Luckily, the incident occurred before the HIPAA regulations were put into affect. The company (and its corporate officers) would have otherwise faced criminal charges, jail time and fines of up to $25,000 for each e-mail erroneously transmitted.

Companies must help employees understand regulatory guidelines about the transmission of sensitive information, especially in large companies where e-mail use is widespread. E-mail policies are a good solution for adding a layer of security and raising awareness among employees about the implications of their e-mail activities. They should cover guidelines for appropriate and inappropriate content and usage. Policies should also clearly state the ramifications of abusing corporate e-mail, and require employees to confirm that they've reviewed and understood the guidelines.

With respect to e-mail, policies should cover areas such as: appropriate use; prohibited activities, including unauthorized dissemination of confidential information and of information restricted by government laws or regulations; electronic activity that may negatively impact the company's business efficiencies, such as spamming. Companies should also make clear to employees that all information on computer systems, including e-mail, is the property of the company.

Keeping corporate ethics

E-mail communication is as easy to use as the telephone, but with one major distinction: it is documented. Additionally, conversation that is taken one way in spoken form, with the benefit of the speaker's inflection, gestures and facial expressions, can be construed entirely differently in written form.

High courts have ruled that employers are responsible when their employees create a hostile work environment, and e-mail is now very much a part of that environment. That means companies must take steps to ensure employees don't send e-mail that includes threats or language that can be considered sexually harassing, violent or discriminatory. Such steps should include detailed policies regarding acceptable use of e-mail as well as filtering systems to catch offending messages before they are sent out. If organizations fail in this endeavor, the ensuing litigation can have costly, long-lasting repercussions: a tarnished reputation, eroded stock value, weakened recruiting efforts and low employee morale.

Sparked by employee complaints, in July of last year Dow Chemical Co. fired 50 workers and disciplined another 200 for sending pornographic and violent images via corporate e-mail. While the company took a proactive stance to prevent harassment litigation, it still carried the expense of terminating staff, recruiting and training replacements and improving the low morale and productivity of suspended workers.

What can be done?

No company wants to take on the role of Big Brother, but many can't bear the legal liabilities caused by e-mail and Internet abuse. Here are some tips for covering the legal and e-security bases:

  • Coordinate with your corporate legal department for updates on industry regulations and compliance deadlines.
  • Work with human resources, legal and IT departments to develop clear policies for e-mail and Internet usage. Spell out appropriate and inappropriate content, as well as the consequences for violating these policies. Well-written policies can protect employee rights, corporate assets and provide security at the same time.
  • Make sure your e-security technology meets your company's security needs, both technologically and legally, so as to not leave the company exposed to liability.
  • If your company does monitor e-mail and Internet communication, reassure employees that it's not to scrutinize e-mail and Internet activity but to spot red flags.

Amy Kessler is general manager and vice president of North American operations for GROUP Software, an e-mail and content security applications company. She can be reached at Or visit