Developing E-Mail Business Rules
What are Business Rules for E-Mail?
“A Girl’s E-Mail Experiment Clogs In-Box for Weeks: Update on the Reindeer,” WSJ 2/13/03
E-Mail Chain Project “howfastorfar2003”
23 letters originally
Next day she got one reply every 7.2 minutes
Three days later she got one every 7.2 seconds from 47 states and 25 countries
Methodology to address these issues:
Risk Management
Protecting Company Information
Company Resources
Record Keeping
Security
Policy
Training & Audits
Spam
Need to address liability issues
“Can’t throw the baby out with the bathwater”
As business use goes up so does the need for security and management
Need to balance various competing interests
“Investment Banking Star Learned, by E-mail, of Probe Before Urging a Purge of Files,” WSJ 2/27/03
Rule # 1: Holistic Approach Required
Manage Employee Use
Fear of lawsuits from improper use of e-mail is number one concern
10% of companies have received subpoenas
10% have been sued for discrimination
Should employees shop from work?
Should employees be allowed to invest from work?
Rule #2: Manage Employees
Rule #3: The Company Owns E-Mail
Theft of company information is easy
Policy on ownership of company records required
“Bertha Belch, a missionary from Africa, will be speaking tonight at Calvary Methodist. Come hear Bertha Belch all the way from Africa.”
Rule #4: Policies Can Help Protect The Company
Rules for prohibited conduct
Rules regarding retention
Rules stipulating where to retain
Rules may not work in all cases but they sure help
“we see no evidence of fraud or bad faith in a corporation destroying records if it is no longer required by law to keep and which are destroyed in accord with its regular practices. As we have previously observed, storage of records for big or small businesses is a costly item and destruction of records no longer required is not in and of itself evidence of spoliation.”
Moore v. General Motors
Rule #5: One Size Does Not Fit All
No personal use v. some limited to _____
Privacy rules differ jurisdiction to jurisdiction
Have a privacy policy and get employees to acknowledge it
High Court of France Position on privacy
Announcement in a church bulletin for a national PRAYER & FASTING Conference: "The cost for attending the Fasting & Prayer Conference includes meals."
Rule #6: Control Risk By Managing Content
Tell them they can’t use offensive content
E-mail needs to be business-like
No jokes, opinions or personal observations
No discriminatory comments
Assume e-mail will become known beyond the recipient
Bad acts need to be addressed
Filtering may require action
“The attorney general’s office is examining whether the school admitted Mr. Grubman’s children because of a donation…”
Ghosts of E-Mails Continue to Haunt Wall Street, WSJ 11/18/02
Rule #7: Establish And Enforce Etiquette Rules
Beware of hidden readers
“It’s a good day for bombing”
Write as though mom was reading it
Don’t let off steam
Never reply to spam
Let reader know topic in subject line
No “shotgun” distribution
Don’t forward without permission
Rule # 8: Apply Rules Consistently
Discipline consistently
Consistent personal use guidelines
Don’t have different rules for senior management and lower level employees
Teach everybody - executives write some really damaging messages
“we have found issues that will likely interest the SEC…creativeness is employed in hitting the forecasts.” (From Tyco lawyer on May 25, 2000)
“E-Mails Show Tyco’s Lawyers Had Concerns,” WSJ 12/27/02
Rule # 9: Control LISTSERV Use
Manage use of public forums
Employees need to make clear that comments are their own
No admissions of company foibles
Approval based on content
What happens if an employee slams a stock on an Internet bulletin board from work?
The sermon this morning: "Jesus Walks on the Water."
The sermon tonight: "Searching for Jesus."
Rule #9 Manage Discussion Databases
Subject: Bad / Really Bad Attitude
Date: Thu, 20 Aug 1998 10:11:12 –0700
From: [email protected] (Kent Walker)
To: jwz, sclatter
Jamie / Sarah --
Microsoft has subpoenaed the contents of bad attitude and really bad attitude. I need to get a print-out of the contents of both asap (today would be good), preferably formatted as individual messages so that we can produce one and not another. (I'm hoping that we've followed the document retention policy and deleted materials older than 90 days, but I fear we haven't.) Please call me with any questions. Many thanks. -- Kent
Rule #10: Rules For Employees On The Road
Protecting confidential information in laptops
British officer in Gulf War gets court martialed for theft of his laptop
Making sure company has records it needs to run its business
"Ladies, don't forget the rummage sale. It's a chance to get rid of those things not worth keeping around the house. Don't forget your husbands.”
Rule #11: Develop and Enforce Policies
Chemical Co. – the company has no choice but to fire 50 employees
Vicarious liability—company may pay for wrongs of employees
“ . . . e-mail retention policy provided that backup tapes were recycled after 45 days. If Fluor had followed this policy, the e-mail issue would be moot. Fluor does not explain why, but maintained its backup tapes for the entire fourteen month period.”
Murphy Oil v. Fluor Daniel
At Issue – 19.7 million pages, costing $6.2 Million
Rule #12: E-Mail as a Record
2001: 1.4 trillion business e-mail messages in North America
Today few are about lunch appointments
Manage e-mail records as a company record
What is a record?
Info. with business, legal, compliance, operational or historic value
Company intends to retain it as evidence of its business transactions or activities
“State sued for deleting e-mails,” Sacramento Bee 2/14/03
Deleted 20 K messages from citizens against a new tax in violation of state law
Rule #13: Written & Enforced Retention Rules
Tell employees what to keep
Tell them what to discard
Records have a lifespan based on content
Records need to be trustworthy
“I thought this was all entirely appropriate until I received a subpoena.”
David Duncan, WSJ May 15, 2002
Rule #14: Apply Retention Rules
RM requires management by content
Why not 30, 60 or 90 days and out?
Why not keep everything forever?
“Organize Your E-Mail: That muffled cry for help is the sound of yet another person drowning in a sea of messages.”
WSJ Nov. 27, 2000
Rule #15: Regulators May Dictate Retention
For example, SEC & NASD rules regarding retention of e-mail
“Securities Firms Agree to pay $8.3 Million in Message Dispute,” WSJ Nov. 18, 2002
“ . . .for allegedly failing to keep e-mails and produce them…”
Rule #16: Backup is not RM
“If there’s one thing…learned from the World Trade Center disaster it’s that when it comes to data storage, recovery from a tape is about as efficient as swimming upstream.”
Wall Street & Technology, December 2002, “Running Out of Room: Data-Storage Needs Explode”
Paper or plastic
"The peacemaking meeting scheduled for today has been cancelled due to a conflict.”
Rule #17: Software can help with retention
The skinny on auto-classification
Can capture a good percentage
Will not be perfect
“For those of you who have children and don't know it, we have a nursery downstairs.”
Rule #18: Outsourcing Storage
Manage ASPs ASAP
Control, ownership and access
Rule #19: Make Retention Simple
Rules must be easy to apply
Few seconds to code - no more
Can’t keep everything forever
What are “non-records”?
Draft & duplicates
Attachments
Rule #20: E-mail As Evidence
May need to produce e-mail
Legal v. legally sufficient
“Barbara remains in the hospital and needs blood donors for more transfusions. She is also having trouble sleeping and requests tapes of Pastor Jack's sermons.”
Rule #21: Accuracy and Trustworthiness
Making “good” e-mail evidence
Monotype v. International Typeface
Created and managed in the ordinary course of business
Example of the manufacturer and delivery confirmations
Rule #22: Anticipate Litigation
Why is e-mail a target?
Volume is substantial
Not methodically managed
Embarrassing and damaging content
Plan now to minimize inconvenience and expense
“If you want to make someone look bad, it’s easy to take words on a page intended sarcastically out of context. Often e-mail produces guns that shouldn’t be smoking but appear as though they are.”
Washington Post, 2002
Rule #23: Never Destroy Evidence
“Irving Benson and Jessie Carter were married on October 24th in the church. So ends a friendship that began in their school days.”
E-mail can be evidence
Anything potentially relevant to pending or imminent audit, litigation or investigation must be preserved
Need Legal Hold Mechanism
Rule #24: Tell Employees What To Do
Give specific rules to employees about their responsibility during discovery
Train, train and train some more
Rule #25: Develop E-Discovery Strategies
Are you prepared?
Could you search 5 years of e-mail?
What backups are available and what is on them?
Who could search employees’ PCs, PDAs and laptops?
“At the evening service tonight, the sermon topic will be What Is Hell? Come early and listen to our choir practice.”
Rule #26: Develop Security Policy
Need security policy to address a variety of issues
System configuration
Patches
Physical security
Content
Confidential information
Information theft
Transmittal of customer data
“E-mail Virus Opens Backdoor on PCs to Hackers,” WSJ 2/25/03
Rule #27: Physical & Network Security
Multi-pronged approach
Limiting access to system
Limiting access to facilities
Limiting access to others’ content
Passwords & IDs
Rule #28: Inbound Content
Viruses and .exe’s
Why are attachments the problem?
Configuring virus software & keeping patches updated
Keeping bad content out
“Please place your donation in the envelope along with the deceased person you want remembered.”
Rule #29: Manage Outbound Content
Protecting company secrets
Overstating products
Inappropriate content
Filtering can work
Rule #30: Develop Security Policy
Everything sent via e-mail does not have the same value
Perhaps some material should not be sent without encryption
Buy or build security
Rule #31: Managing Spam
Junk mail is out of control and something has to be done
1600% increase in last year (Gartner)
Software used to block junk may also block “good” content as well.
“This evening at 7 PM there will be a hymn sing in the park across from the Church. Bring a blanket and come prepared to sin.”
Rule #32: Instant Messaging
IM use on the rise
Waste of time or business tool?
Another records retention headache
Rules to deal with use, security, retention, etc.
Rule #33: Manage Other Messaging Technology
SMS on the rise
Mobile and wireless e-mail
“Low Self Esteem Support Group will meet Thursday at 7 PM. Please use the back door.”
Rule #34: Peer-to-Peer File Sharing
What is peer-to-peer?
May create new security issues
Wasting bandwidth
Copyright concerns
The case of the Medical School Mishap
Rule #35: Other E-Mail Interfaces
Web mail (like Hotmail) at work
Sent via browser, not e-mail software and can circumvent company system
The Associate Minister unveiled the church's new tithing campaign slogan last Sunday: I Upped My Pledge - Up Yours
Rule #36: Train Employees
Training is an ongoing process
Provide comprehensive training coverage
Get managerial assistance
Train everyone including management
Rule #37: Employee Compliance Is Key
Make risk their problem
Make clear what will happen to them if they violate policy
Use real life examples