For better or for worse, email is still one of the most prevalent ways to communicate in business. But lately email records have come under scrutiny in organizations when they’re mismanaged, hacked, misplaced or lost altogether.
In government, recent public records issues came to light when government officials used their personal email accounts for official government business. The email records (potentially public records) of Hillary Clinton, Jeb Bush, Lois Lerner, John Kitzhaber and more have been either lost, destroyed or retained improperly.
Email presents unique challenges for government agencies, because they’re required by law to preserve anything related to official business. For federal agencies, the Federal Records Act prohibits government business on personal email accounts, unless the communications are copied and turned over to the National Archives within 20 days. Government business email records must also be made available to the public via the Freedom of Information Act and state open records laws.
Email record tribulations carry over to the private sector, exposing companies to various reputational, regulatory and legal risks. Last year the Sony Pictures email hack left the company reeling after a cyber attack resulted in employee and other private and privileged information being leaked. The attack served as a reminder to create stronger email governance and security procedures.
Each situation provides email lessons for companies and their employees. Below are some email best practices that companies can use to reduce the risk of public scrutiny, regulatory fines, privacy violations and legal battles related to errant email communications.
Know the Rules
Understand the state and federal regulations your organization and industry fall under, and then develop a set of clear email use policies and training for employees to help ensure they follow the rules. In the Clinton story, it appears that staff were not fully aware of government policies and what was required to adhere to them.
Agencies also need to have structured plans and policies for the secure retention of email, due to increasing pressures to be open in matters that involve public business. New federal policies will soon require agencies to manage email records in a digital format by the end of 2016.
Strict regulatory rules apply to many other types of organizations. For instance, financial services organizations must meet SEC and FINRA record-keeping obligations, which apply to all digital communications, including email. Companies must produce email records for e-discovery events when responding to an audit, an investigation or litigation.
It’s the Content That Matters
In several of the government email scandals, representatives used official state and personal email accounts to communicate with colleagues and discuss government business. The content of a message — not the account, messaging platform or device the message is sent from — determines its status as a business record.
Organizations need to create and distribute policies on business versus personal emails (and other types of digital communications) and work to strike the right balance of security, transparency and records retention obligations. Ongoing employee training can help to clarify these issues and raise awareness that an email related to business is an official record, whether it’s found on a company-issued laptop or a personal device.
Archiving and Supervision Is Crucial
While email policies are important, they’re only one part of the equation. Email use that isn’t consistent with policy can only be detected and corrected if policy is being enforced. Ongoing email supervision is critical, because it helps authorized company personnel identify and address risky emails or bad behavior before they become big problems. Email archiving and supervision can also help a company demonstrate to a regulatory body or court that company policies were enforced and corrective actions were taken.
The Sony Pictures hack was a cautionary tale for any company with sensitive data and high-value intellectual property. While appropriate IT systems, policies and processes are critical to help protect email, what also makes or breaks an organization is its ability to respond quickly after an email breach.
Companies often don’t know what might be discovered in email, because they don’t have a system to gauge the scope of the content, which makes it difficult to determine the best course of action when sensitive data is leaked. Archiving and supervising email can help a company determine what information cyber criminals might have, and can even help protect the company when records show that non-compliant or risky email communications were promptly addressed. A system of email supervision could also potentially help an organization detect inappropriate email communications as they take place, long before they are made public, so that prompt corrective action can be carried out.
Email is used by almost every business and employee around the world. It’s a great communication tool, but companies need to take extra measures to ensure it’s used responsibly and as securely as possible. Archiving and supervision of email, along with strong email security systems and processes, can help any organization avoid becoming the next negative headline.
Title image by PauliCarmody