The Problems With E-Mail
A business user in the United States sends and receives, on average, 171 e-mails a day, and that volume is expected to double by 2010, according to the Radicati Group, a research firm. As e-mail proliferates, so does the number of ways for it to be misused and mismanaged. Out-of-control e-mail isn't only a cost burden and a time suck; it's also a legal and regula- tory liability.
E-mail foibles can lead to firings, public embarrassments, and, in extreme cases, even criminal charges. In November, Deutsche Bank resigned as an underwriter to Hertz Global Holdings' initial public offering after a Deutsche Bank employee sent e-mail with inside information to some 175 accounts. Last month, the National Association of Securities Dealers cited--and may soon fine--Morgan Stanley for allegedly destroying millions of e-mails it had earlier claimed were lost in the 9/11 terrorist attacks. In another case, former CTO of a wireless telemetry startup, William Dobson, faces up to 15 years in prison for allegedly intercepting e-mails of the CEO and VP of engineering.
A company with 5,000 users can expect 900 unauthorized releases of private information and 150 inappropriate e-mails every day, according to e-mail management provider MessageGate. And that company will store 3.4 terabytes of nonbusiness e-mails a year. Some 6% of users surveyed by Radicati say they've e-mailed confidential company information to someone they shouldn't have, and 42% say they've been subjected to offensive language in an e-mail from a co-worker. Only half of those respondents say their companies publish an e-mail use policy.
Even for those companies that button down their e-mail guidelines and plan for all manner of contingencies, something's bound to go wrong. E-mail goes down for the dumbest of reasons, people who should know better unwittingly send out trade secrets, incoming spam jams gateways, regulations snag the noncompliant. "The one certainty is, there's no certainty," says Mike Rosenfelt, co-founder of e-mail continuity company MessageOne. So in the absence of an out-of-the-box solution, take a few pointers--or just have a good laugh--at the expense of some organizations and individuals who have muddled through e-mail screwups and debacles.
STRANGE-BUT-TRUE DOWNTIME STORIES
E-mail downtime is as unpredictable as termites, goats, and the Grateful Dead. We'll explain in a bit, but suffice it to say you'd better have a backup plan.
When e-mail goes down, collaboration stops and business grinds to a halt. A recent outage at Dow Jones led The Wall Street Journal to write a first-person article about the "snow day" caused by not having e-mail. A 5,000-employee health insurance company in the Midwest estimates it lost $3 million in productivity and business during an eight-hour outage, according to MessageOne, after the data center manager, giving a tour to his family, flipped what he thought was a light switch that turned out to be an ill-placed control for an entire bank of servers.
E-mail downtime also exposes companies, especially those subject to strict regulations, to legal ramifications. Say the company e-mail goes down and employees turn to their Hotmail or Gmail accounts--if that e-mail ever gets subpoenaed for discovery, it will be hard to find. And should e-mail go down during discovery, archives might not be recoverable quick enough to satisfy regulators.
The answer is simple, though the solution sure isn't. "E-mail has to be up all the time, everywhere," says John Bowden, CIO of plastics and wood products maker Lifetime Products.
The horror stories range from the typical--network failures, database corruptions, and power outages--to the downright bizarre. Morrison & Foerster, a prominent high-tech law firm, has wood frame office buildings on its Palo Alto, Calif., campus, one of which had to be shut down and fumigated because of a termite infestation. Nobody could get into the building, which just so happened to house the firm's regional data center and e-mail servers. "While we prepare for many outages, termites were never part of our disaster recovery plan," says CIO Jo Haraf. If not for its backup systems, the firm's e-mail would have been down for four days.
In another offbeat case, a senior partner at a national law firm based in Texas burned two DVDs of Grateful Dead concerts and sent the footage to people around the firm. The escapade clogged the firm's Exchange queues, taking out the e-mail.
It's not the only time multimedia swamped an e-mail system. One major multinational company has a tight IT maintenance window because soon after the last employee shuts down his or her computer for the day on the West Coast, someone else will be signing on in Paris. During a software upgrade, an IT worker came in after-hours to oversee a batch transfer of mailboxes to the new software. To pass the time, he watched a copy of the movie Planet Of The Apes. Two-and-a-half hours later, as the credits began to roll, he had forgotten about the software migration, and people in Paris weren't getting their e-mail.
A company in Texas had an agricultural tax exemption because goats lived on its property. One day, some hircine saboteurs ate through the fiber conduit into the building, bringing e-mail (and every other IT system) to a halt. "No goats were harmed, thank goodness, but connectivity was impacted," says MessageOne's Rosenfelt.
In a survey commissioned by MessageOne, 48% of companies said they'd had major e-mail outages within the last six months, and half of those surveyed said their last major outage lasted longer than three hours. Yet only 8% of them have e-mail continuity plans, only 29% use data replication or mirroring to protect e-mail servers, and just about half have tape backups for e-mail.
Another law firm, Adams & Reese, has its headquarters in the largest building in New Orleans, where on Aug. 29, 2005, hurricane winds took out electricity and telecommunications. "I never thought in my career that communications in a city like New Orleans would be down for 22 days," CIO David Erwin says. The day after the storm, Erwin was able to send e-mail via a local listserv because, in anticipation of the hurricane, he had turned on a hosted e-mail continuity service from MessageOne. Erwin credits e-mail uptime, especially BlackBerry uptime, with helping the firm's New Orleans employees move to a temporary headquarters in Baton Rouge.
SPAM ISN'T JUST A VOLUME PROBLEM
The biggest problem with e-mail--literally and figuratively--is spam. At fast-growing Grand Valley State University near Grand Rapids, Mich., where 90% of the 1.2 million incoming messages a day are spam, the old spam-filter program couldn't keep up. The university's e-mail system crashed every time the filter began generating its daily spam reports, says Tom Norman, Grand Valley's e-mail administrator. Since the system couldn't handle that massive amount of data, the school was forced to keep quarantined spam for only three days, not enough time for users to pick through their junk for legitimate e-mail.
However, one person's spam can be another person's business. A law firm doing work for pharmaceutical company Merck on the Vioxx case ran into e-mail problems. Vioxx happens to be one of the most prevalent words appearing in spam, so the law firm found its own spam filter was blocking critical business e-mails.
Filters aren't much good at blocking spam that's sent with the best intentions. Lifetime Products, the metal and plastic product maker, has the lifetime.com domain name and often gets e-mail meant for the TV network of the same first name. "Our PR guy gets e-mails all the time wondering how come we moved the time slot for Golden Girls," says Vince Rhoton, the company's senior VP of sales.
On the flip side, some companies are unwitting spammers and get cut off from potential business as a result. The Eastridge Group of Staffing Companies, a cross-industry staffing firm, analyzed outbound e-mail traffic and found that some employees were sending 5- to 10-Mbyte spreadsheets of client information to thousands of e-mail addresses several times a week. Yet many of the companies to which those e-mails were sent hadn't done business with the Eastridge Group for several years. Why? "We were blacklisted everywhere," says Brad Taylor, system architect for the group. "Not only that, but we started to lose business because we sent out so much that our system crawled to a halt and e-mails that we said would be delivered by 'this afternoon' or whatever weren't getting there until later."
Similarly, cosmetics franchiser Mary Kay was blacklisted by several ISPs. Although Mary Kay has only a few thousand corporate e-mail addresses, the nearly 700,000 field sales representatives often use their personal e-mail for official Mary Kay business. Before implementing spam management products, the company automatically forwarded corporate e-mail--including unfiltered spam--to its agents' personal e-mail addresses, and soon enough the ISPs labeled everything from Mary Kay addresses as spam. Only after what sometimes became difficult communication with the ISPs would the e-mail get unblocked. "If AOL blocks us, suddenly there's a huge segment of our sales force whose customers can't communicate with them," says Daryl Smith, Mary Kay's technical consultant for messaging. "It could become very disruptive."
When health drink company Naked Juice found that its outgoing e-mail was getting caught in the spam filters of its corporate customers simply because of its name, it had to call all those customers and request its e-mail be whitelisted. The company, which outsources operation of its e-mail servers, even had a problem a few years ago with internal e-mails being filtered out, but that was fixed with a call to the outsourcer.
Getting put on blacklists is one of the biggest spam problems companies face, says Gartner analyst Matt Cain. There's no central clearinghouse to get off the blacklists, he notes. Using HTML messages, sending e-mail to the same people too often, and lacing text with typical spam keywords are the major culprits. Often, companies must go to individual spam-filtering companies and ISPs to get their names removed, Cain says. Just goes to show that not all spam problems revolve around finding an advertisement for V1aggRa in your in-box.
THE TROUBLE WITH 'REVIEWERS'
The Securities and Exchange Commission requires that companies in certain industries review a percentage of their outgoing e-mails, from 1% to 3% for financial companies to 10% for retailers. Big companies often employ small armies of people who do nothing but sift through e-mails, looking for breaches in sales practices, excessive gifts and entertainment, leaks of intellectual property, and other regulatory breaches. It's not the most efficient of operations.
Reviewers tend to miss things because of the sheer volume of e-mails they must review. "It's a futile, burdensome activity, and most of what they're reviewing is pointless," says Paul Johns, VP of marketing for e-mail firm Orchestria. Applications from vendors such as MessageGate, Orchestria, and Proofpoint scan for account numbers, Social Security numbers, medical record numbers, and formats consistent with confidential documents, and they apply policies based on those scans: keep or quarantine the message, encrypt it, send it back to the sender, send copies to compliance officers, etc. Even Microsoft Exchange 2007 has some of those features.
Eastridge Group used to have a problem with job applicants' personal information being sent outside the organization's firewalls. So it automated the identification of Social Security numbers and blocked e-mails being sent that contain them. That automation, however, isn't as simple as it seems. Eastridge Group consists of many subsidiaries with various e-mailed forms, and while the industrial staffing arm was a big offender in sending out Social Security numbers, the medical staffing arm uses a nine-digit identifier that's formatted like a Social Security number. So instead of just blocking all of the medical staffing company's e-mails that contain those nine-digit numbers, the company's MessageGate system cross-checks the medical numbers with valid Social Security numbers before they go through the system.
Because automated processes carry their own risks, nothing replaces on-the-ball IT workers and educated employees, says Mike Rumen, enterprise messaging manager at international accounting firm Grant Thornton, which has 10 e-mail reviewers on staff. If companies try to filter all e-mail based on keywords and other content, they risk filtering out some important stuff that was misidentified. "It's a hard place to be in because you don't want employees abusing a system," Rumen says. "But you don't want to take away from something that's the soul of your business."
Employees may not be aware their e-mail is being monitored. In a Radicati survey of 363 e-mail users, only 22% say their companies filter outbound e-mail, and more than a third don't know. On the other hand, in a Proofpoint/ Forrester survey of 294 e-mail decision makers, almost half say their companies regularly audit outbound e-mail content.
VICTIM OF ITS OWN UBIQUITY
E-mail represents the worst possible combination of attributes for electronic communications because it's both "impulsive and indelible," says Orchestria's Johns. It's also omnipresent. "Our life and blood are e-mail and client interaction in a timely manner," says Rumen of Grant Thornton, whose employees send and receive 750,000 messages a day.
E-mail's ubiquity has become a problem in its own right. "It's not just e-mail anymore," says Lifetime Products CIO Bowden. "It's meeting requests, tasks, mobility, and workflow--and e-mail's sort of wrapped around all that now."
Its seems that every employee has a favorite e-mail app or service he or she considers superior to the company's system. A client of LECG, a consulting firm, had a senior executive who just couldn't part with his AOL e-mail. The IT department didn't want to raise a stink, so it forwarded all of his e-mails to his AOL account. Recently, an investigation of the company turned up e-mails in the executive's in-box dating all the way back to 1999. "It's all great to accommodate executives who want AOL, but it's time to think about it and say, 'Maybe we shouldn't be that nice,'" says Kris Haworth, managing director of LECG's forensic investigation group.
The new model of unified voice mail and e-mail is compounding matters, as voice mail must also be retained and searchable for legal and regulatory compliance purposes. The legal department of accounting firm Grant Thornton doesn't let employees forward voice mails off-site for fear they could expose the company to litigation.
REGULATORS MEAN BUSINESS
Regulators, meantime, are pushing hard on e-mail discovery, which means companies need to have documented, and coordinated, policies for e-mail retention. Aaref Hilaly, CEO of Clearwell, an e-mail discovery software company, says his customers in the power industry complain about regulators breathing down their necks. "The [Federal Trade Commission] is always saying to them, 'Prove to us in this specific case that you're offering power through third-party vendors at the same rates as you would offer your own customers,'" says Hilaly.
When e-mail gets subpoenaed for discovery, it's crucial that nothing relevant has been deleted--even if it was unintentional or deleted for a different reason. A client of LECG's Haworth was under a fraud investigation at the same time the company was recycling its PCs. E-mail messages went out telling employees to delete their files, since the company would be replacing their computers. Such e-mails could easily be misinterpreted by outside investigators.
Another faux pas is reformatting documents. Bob Krantz, senior account executive for forensic discovery software company On-Site E-Discovery, says some of his clients save e-mail messages as rich text documents instead of in native form and that loses a lot of the characteristics of the original e-mail. Changing the characteristics of a file alters metadata, which changes the look and feel of an actual message, he says--for example, dropping the embedded spreadsheet that might be in a message. "I've had the Department of Justice ask for Lotus Notes natively now because they've seen that so many times on projects," he says.
On the other hand, e-mails don't always hold up in court. In the past, if a company handed over anything to the other side in a lawsuit, courts would say they'd lost any presumptive attorney-client privilege, says Andy Cohen, associate general counsel and global practice lead for storage vendor EMC. Now, Cohen says, the volume of e-mails that's subpoenaed has made courts think twice; the notion of inadvertent waiver of attorney-client privilege is no longer valid.
Don't count on those annoying disclaimers that legal departments append to the bottoms of e-mail to bail you out of hot water. They don't hold any legal weight, Gartner's Cain says. "I went through a couple of very common legal disclaimers line by line with an attorney, and we ended up rolling on the floor laughing at how toothless these disclaimers really are," he says.
Geography is a challenge--more specifically, knowing which rules apply in which jurisdictions. For example, European e-mail users are afforded much more privacy protection than users in the United States. Overall, regulations continue to be complex and confusing, and the more you brush up, the safer you'll be.
Fortunately, only a few e-mail problems revolve around goats and termites. But many of the headaches caused by e-mail involve dealing with spam, finicky executives, and aggressive regulators. While it's heartening to know there are worse e-mail problems out there than yours, don't ignore your own slowly overloading e-mail server.