Top Five Steps to Proactively Manage Email Risk and Keep Compliance in Check

MessageGate and Email Controls for Compliance Mandates

Leveraging a preventative email risk management approach to meet compliance mandates

According to a survey conducted in 2008 by Emedia Research, 94 percent of C-level executives believed they were powerless to prevent confidential or sensitive information from being sent outside of the organization. The same survey also found that 32 percent were unaware whether a data leak had taken place. It is clear that the majority of companies do not have the necessary systems in place to protect data and are at risk of triggering a regulatory violation.


Aside from the sensitive documents that are routinely exchanged, email is increasingly the only form of written communication that exists between a company, its clients and its suppliers. Most people prefer email over telephone conversations because it allows for easy and efficient communication with multiple parties, with the added benefit of a paper trail that can be tracked and referenced as needed. This leaves organizations in a more precarious position than initially believed, especially those in highly regulated industries, including financial services, utilities/energy, healthcare and education.

Underscoring the importance of properly categorized and managed email archives, the Federal Rules of Civil Procedure (FRCP) require that email and other electronic communications be provided in a timely and organized manner during the litigation discovery process. Additionally, with tightening regulations including SEC Rule 17a-4, SOX and FERC posing an increased risk, organizations must find methods to comply with laws and regulations while keeping costs at a minimum. For example, a single email violation under FERC can lead to fines of up to $1 million per day.

These challenges are amplified when organizations have minimal, or no, policies in place to control data shared through everyday communications. As email further becomes a workflow tool, its relevance, in many ways, deteriorates. Most see email as somewhat of a burden in the work day, despite it being a necessary communications tool. Without policy-specific controls in place, this casual approach to email can put organizations at risk of sensitive data exposure throughout the lifecycle of email. Users are copied and blind copied as both a courtesy and a requirement. Other "opt-in" email traffic, such as periodicals, newsletters, order confirmations and personal emails, only adds to the volume of messaging activity. With email now considered a legal business record, this growing volume of information signals a source of increased legal liability within the enterprise, and a growing headache for IT departments.


The best approach is a preventative one that helps an organization actively manage the lifecycle of email from creation, to delivery, storage and eventually deletion. By taking a proactive approach to email risk, organizations can better avoid future violations and expensive litigation fees or fines. To get a head start on an ongoing proactive approach to improving disclosures and safeguarding against potential risk and regulatory violations within enterprise email traffic, consider creating an internal compliance team that integrates the IT, HR and legal departments. This creates an internal check that enforces an ongoing, proactive strategic approach to regulatory risk management while promoting communication between the departments.

Due to the penalties at stake, organizations can no longer ignore the inherent email-related risks at hand and must take proactive measures to meet compliance mandates. IT departments can actively manage the risk of future violations through a preventative approach to help their organizations meet compliance regulations and prevent email misuse. The following are suggested steps to consider when implementing a cost-effective preventative approach to email risk management:

  1. Manage intentional and unintentional employee threats: The casual nature of email poses a risk for all organizations. While compliance regulations such as SOX and SEC rules do not impose specific requirements for email security, or IT security in general, the frameworks commonly used for assessing internal controls still apply to email. To secure casual conversations and avoid the routine routing of inappropriate emails to compliance departments, consider email controls as low-cost insurance and a critical component in preventing information from unauthorized use, disclosure or modification.
  2. Make archiving work smarter, not harder: According to an Osterman Research survey in January 2009, C-level executives ranked email archiving at the top of the list of technology areas expected to see increased IT spending in 2009. Under SEC Rule 17a-4, securities firms must retain their electronic documents, including email, for five years and ensure that they are readily retrievable and reviewable within a short turnaround time (usually 24 hours). Real-time email management and archive categorization can avert costly and lengthy litigation battles.
  3. Create email controls and policies that can intercept at-risk emails: Under HIPAA, companies must maintain administrative, technical and physical safeguards to prevent intentional or unintentional disclosure of Protected Health Information (PHI). To maintain complete audit trails for any data leaving the company, look for a flexible policy engine that enables real-time, proactive management of information flow while mitigating insider threats.
  4. Real-time email audit and profile: To enforce email policy controls, IT departments need to safeguard against potential email risks by building custom policies that look for specific criteria in email attachments, including file formats and usage patterns. For example, FRCP requires the speedy recovery of electronically stored information, which is only possible with rapid search and retrieval capabilities, as well as the ability to audit operations. IT should be able to review emails and take action based on group affiliation, policies, and email and attachment content and context, in real time within the live email stream.
  5. Provide real-time blocking and re-routing of outbound emails: Email remains the de facto communication method requiring controls. After-the-fact reporting functions are no longer enough, given that a majority of intellectual property is stored somewhere within the email network. Enterprises need consistent email controls with the ability to take action on emails in real time through proactive security and archive management.
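Steps 3 to 5 describe a policy engine that inspects outbound mail in the live stream and decides, per message, whether to deliver it, re-route it for compliance review, or block it, based on sender group, recipients, body content and the real format of attachments. The following is an added illustration of that decision logic, written for this article and not MessageGate's product code; the group allow-list, the SSN-shaped PHI pattern, the `example.com` domain and the compliance mailbox are all constructed placeholders.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical policy table (constructed): attachment formats each sender
# group may send to addresses outside the company.
EXTERNAL_FORMAT_ALLOW = {"finance": {"pdf"}, "sales": {"pdf", "zip", "other"}}
# Leading bytes that identify the real format; the user-controlled filename
# extension is only compared against this, never trusted on its own.
MAGIC = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole")]
EXT_EXPECT = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip", "doc": "ole", "xls": "ole"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # one PHI-style identifier shape
COMPLIANCE_MAILBOX = "compliance-review@example.com"  # placeholder review mailbox
SEVERITY = {"deliver": 0, "reroute": 1, "block": 2}

def detect_format(data: bytes) -> str:
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "other"

def evaluate(msg: EmailMessage, sender_group: str, internal_domain: str) -> dict:
    """Apply the policy to one outbound message and return an audit record."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    rcpts = [addr.lower() for _, addr in getaddresses(headers)]
    external = [r for r in rcpts if not r.endswith("@" + internal_domain)]
    findings = []
    if external:  # purely internal mail is outside this policy's scope
        body = msg.get_body(preferencelist=("plain",))
        if body is not None and SSN_RE.search(body.get_content()):
            findings.append(("reroute", "SSN-shaped identifier in body sent externally"))
        for part in msg.iter_attachments():
            name = (part.get_filename() or "").lower()
            fmt = detect_format(part.get_payload(decode=True) or b"")
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in EXT_EXPECT and EXT_EXPECT[ext] != fmt:
                findings.append(("block", f"{name}: extension says {ext} but content is {fmt}"))
            elif fmt not in EXTERNAL_FORMAT_ALLOW.get(sender_group, set()):
                findings.append(("block", f"{name}: {fmt} not allowed externally for {sender_group}"))
    action = max((f[0] for f in findings), key=SEVERITY.get, default="deliver")
    deliver_to = {"deliver": rcpts, "reroute": [COMPLIANCE_MAILBOX], "block": []}[action]
    return {"action": action, "external": external, "findings": findings, "deliver_to": deliver_to}

def build_sample(filename: str, data: bytes, to: str, body: str) -> EmailMessage:
    msg = EmailMessage()  # constructed sample outbound message for demonstration
    msg["From"], msg["To"], msg["Subject"] = "analyst@example.com", to, "Q3 figures"
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg
```

The returned record is the audit trail step 3 asks for: it names the finding that drove the decision, so a re-routed or blocked message can be reviewed and the policy tuned rather than silently dropped.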

The time has come for real-time proactive email controls to become a strategic business priority. Unbeknownst to a majority of organizations, data security issues can live throughout the lifecycle of corporate messaging. Implementing enterprise email risk management throughout that lifecycle is a strategic priority that requires business-driven policies and a flexible technology deployment to enforce them. The key is to start with the issues that are most pressing from a business perspective, and evaluate how they might translate into enforceable policies for electronic communications. By implementing a proactive approach, enterprises can build effective email risk management policies within the organization to prevent recurring violations while implementing an ongoing strategic approach to email-derived risks and overall compliance.

Chris Bradley is vice president of marketing and business development at MessageGate, a leading provider of email controls for enterprise risk management.