SEEK AND/OR DESTROY
Better email management may not save your company. Then again …
By Alix Nyberg

There are two problems with email: how to lose what you want to hide and how to ¤nd what you need to retrieve. Merrill Lynch's Henry Blodget and Andersen's Nancy Temple can attest to the hazards of the former, after discoveries of their e-memos led to federal prosecution. Untold numbers of less notorious but equally harried employees have complained about the latter when forced to rifle through dozens of irrelevant messages in search of the one that holds a critical nugget of information.

Many companies have policies requiring employees to delete email messages, but such policies are often ignored. And deleting a message, it turns out, is much tougher than it seems. Simply hitting the "delete" key rarely does the trick, since copies may still reside on the sender's or recipient's hard drive, or with anyone to whom the sender or recipient may have forwarded the message. Experts in forensic computing have proved adept at recovering email messages that employees thought they had vaporized.

One solution comes from software that can "expire" both sent and received email, or restrict a recipient's ability to forward or print the material. Products from such companies as Atabok, Authentica, Omniva Policy Systems and Tumbleweed Communications let senders encrypt outgoing email and then provide recipients with conditional access to the decryptor key, which stays on the sender's server. "We have no notion of where someone might have stored an email or on what servers copies might be residing," says Jim Hickey, vice-president of marketing for Authentica. "Our product gives you an opportunity to expire the key at the server, so it doesn't matter," he says.

That means, in theory, that everything from personal notes to top-secret product specs can be deleted after a specified time. With most products, a company can set global deletion rules based on sender or recipient characteristics, or keywords. Some, like Authen-tica, let senders themselves decide, and even revoke a recipient's viewing privileges ad hoc, should a relationship change. The products can also be set to delete email received internally, based on company-specified rules and keywords, although this leaves untouched copies the sender keeps or sends to others..

Not for everyone

Unfortunately, these software products are not panaceas. "There is absolutely a need for them, but they're a hassle to implement," says David Ferris of Ferris Research, a San Francisco-based market research firm. It takes significant upfront work to configure a system to filter all email and automatically delete certain types, he says. Permitting employees to individually determine expirations requires absolute confidence in employee compliance, and can be time-consuming. Furthermore, recipients of encrypted email may need to have special software installed to read the messages, or may have to access them via a third-party website. Even Authentica's Hickey admits: "This is not something you'd put on everyone's desktop." Nor does he suggest all email be encrypted for future control. "Probably 10 to 15 percent of correspondence would merit this," he says.

But the software is useful for protecting obviously sensitive documents that are carried in email, such as sales strategies, business plans and due-diligence information pertaining to an acquisition. Matthew Kovar, director of security solutions and services at US-based e-business consultancy Yankee Group, expects "secure content delivery" technologies and services to be a US$800 million market this year, more than quadruple what it was just two years ago.

The market may get an additional boost as vendors make the products easier to use. This month Omniva will launch a new product that can be integrated into the corporate email directory to give companies more control over who can and can't receive certain email. Recent privacy legislation in the US, such as Gramm-Leach-Bliley in the financial services sector and HIPAA in health care, has also prompted companies to take a look at email management tools.

Should it Stay or Should it go?

Costs for such software vary widely. Authentica charges between US$30,000 and US$50,000 for a perpetual license for the first 1,000 users. Tumbleweed, which charges on a per-CPU basis, says its average deal is around US$500,000. Buyers need to be cautious when selecting a vendor, since many of them are new and attempting to establish themselves at a time when most companies are watching every penny. Tumbleweed, one of the few public companies in this space, has yet to turn a profit; it lost more than US$114 million last year as revenues dropped 22 percent.

For companies not subject to industry regulations, retaining email for long periods of time is probably not necessary, says Michael Overly, an attorney with Foley & Lardner, and the author of Document Retention in the Electronic Workplace. Two-thirds of companies have a formal email management policy, which sometimes includes parameters for deletion, if only to save storage space and keep system response times high.

However, he cautions that companies should be ready to suspend deletion activity as soon as litigation looms. "At times, destroying email, even if it contains nothing damaging, can lead to legal problems," he says. For example, says Overly, Hughes Aircraft was once held liable for US$90,000 for destruction of evidence, partially as a result of accidentally overwriting email relevant to a former employee's case after being notified by the lawyer.

But it may be the "save" key rather than the "delete" key that poses the biggest problems. Email archives often act as a handy filing system, until you have to find a piece of information buried in a particular message. US-based Applied Discovery is one of several companies (others include Fios, Electronic Evidence Discovery and Tumbleweed) that helps clients find the needle in the email haystack. The company categorizes, manages, searches and reviews electronic data (email, documents and other "unstructured" data) from clients via a secure on-line "reading room".

Applied Discovery is helping Enron organize its electronic files, including email, into a central, searchable repository for the plethora of lawyers and regulators looking to build their cases. "This way, Enron has to process the information only once," says Applied Discovery CEO Michael Weaver. A customer typically ends up paying about 20 US cents per page for information managed this way, as opposed to US$1.30 for the traditional method of coding and scanning. US-based KVS, which sells an email search agent for Microsoft Exchange, says calls from investment houses and energy companies have kept its phone "ringing off the hook" in recent months - presumably the one form of non-email contact the company embraces.