Death By Email Blog

Proofpoint's latest annual survey entitled Outbound Email and Content Security in Today's Enterprise, 2007 was just released.  Even though it is from a competitor, I recommend the free download.  I have quoted previous editions of the survey in business plans and presentations.

Some of the key results of the survey of 308 e-mail decision-makers at large U.S. companies include:

• Respondents estimated that nearly 20 percent of all outbound e-mail poses a legal, regulatory or financial risk.
• More than one-quarter of surveyed companies (27.3 percent) have terminated an employee for violating e-mail policies in the past 12 months.
• 32.1 percent of surveyed companies with 1,000 or more employees hire staff to read or analyze the contents of outbound e-mail.

“We’ll go back to the 1920s, and have direct conversations with people,” New Jersey Governor Jon S. Corzine in the New York Times.  If you want to reach him, put away your computer.  The Governor says that he will no longer use email.  Even his BlackBerry is now off-limits.

In my last posting, I mentioned one of several law suits regarding the email of New Jersey Governor Corzine.  Corzine has refused to release documents citing personal privacy and executive privilege.  (I guess you can add this to the list of excuses for "email bankruptcy."

A new twist on the use of the Freedom of Information Act may re-define the boundaries of personal email accounts.  We have seen many cases where an FOI request was used to get emails from government email servers.  In most cases, any newspaper or citizen can get information quickly -- with limited exception.

I was alerted to a new twist by Sara Key of the The Lucy Burns Institute, a Wisconsin non-profit dedicated to sharing  information, guidance, practical advice, legal developments and news about open records at the state and local level.  (Thank you, Sara.  And, by the way, they have a great blog about FOIA issues at http://openrecords.wordpress.com/. Recommended.) 

New Jersey's Open Public Records Act is being used to demand emails from a private email service used by Governor Corzine.  The justification appears to be that some emails that were sent might have contained some work related information.  Specifically, the NJpols section of Campaigns and Elections magazine reports that New Jersey Republican State Committee Chairman Tom Wilson wrote to the Governor and made these demands: 

"In your response to my lawsuit seeking copies of all communication between you (Governor Corzine) and Carla Katz, it was revealed that you maintain a private email server and that both you and your Chief of Staff have used that server since taking office January 2006. The existence of this non-government email server raises a number of questions as it relates to OPRA and the maintenance and the retention of records.  ...

"I am requesting, ... any and all documents, emails, memoranda, policies, procedures, etc. relating to the use of external email accounts on servers such as the "votecorzine.org" server by Governor's Office staff in connection with official State business.

"I further request access to any and all documents, emails, memoranda, policies, procedures, etc. relating to the retention of emails and documents regarding official State business conducted on external servers such as the "votecorzine.org" server.

"Finally, I hereby request access to any and all "government records" which have been preserved in accordance with the Open Public Records Act, N.J.S.A. 47:1A-1.1 from the "votecorzine.org" server."

If the request is granted, it would seem logical that somebody would need to be able to review whether the proper emails were obtained.  This opens up the entire server to examination.  So far, the request has not been granted.  But, it is easy to see how this can establish case law that would extend access to private email accounts.  Let me engage in some conjecture here:

• Could the same argument be made to release all the emails in the Republican National Committee email server in regards to the firing of U.S. attorneys?  Would Democrats get the chance to review what emails were and were not released?
• What would have happened if the Governor's email was hosted by Google?  Could a demand be made to the ISP to release the email?
• Can this same logic be extended to business email?  For example, a company was in litigation, could a request for relevant emails be extended from business accounts to all personal accounts, too?

My advice has always been to make sure that all of your personal communications use a personal email account.  Now, you may also have to make sure that your personal email never mentions your business.  What does that mean if you write something personal to a business contact?  I am sure that we will find out.

Yesterday, I wrote: "It is dangerous to let a third party hold (an enterprise's) most confidential email, which includes much of the internal email.  If the third party receives a subpoena for your mail, would they fight the request on your behalf when they have nothing to gain by fighting?  Or, would they cooperate with authorities (or the other side) to protect their interests?"

Today, it looks like it is already happening.

The Massachusetts Lawyer's Weekly reported today on a case where a defendant's Goggle Gmail account was subpoenaed.  The article quotes North Billerica, Mass. attorney Jenny J. Liu, who is currently representing a party in a civil dispute that is in the discovery phase:

"Then, without any notification, I received a copy of a subpoena the other side sent to Google … for all e-mails sent to and received by my client's personal e-mail account," said Liu. "My client used that e-mail account partially for business, but mostly for personal use — and to communicate with me."

Liu filed an emergency order to quash the subpoena, which is pending in Middlesex Superior Court. ... 

Asked to comment on the issue, a Google spokesperson e-mailed Lawyers Weekly that "Google does comply with valid legal process[es], such as court orders and subpoenas, as required by law."

The article goes into much more detail and cites a case in which Apple went after the ISP who hosted the blogs of people who leaked confidential information.  There are strong statements that say that Google would not be willing to release the emails and would contact the account owner.  But, absolute protection was not given.  In many ways, the article shows just how unsettled the issue is. 

One has to wonder how far an ISP would be willing to go against its own interests to protect yours.  The new Lawyer's Weekly article demonstrates that handing over your email to a third party is potentially dangerous.  For an enterprise with internal, confidential email, it is a risk that can be easily avoided.

Several blog and news sites have commented on the acquisition activity in the email archiving and electronic discovery markets.  Tech Target's Search Storage site reports: "storage analysts say (Google's acquisition of Postini) could be the beginning of a shift in the email archiving and e-discovery markets toward outsourced, Web-based Software as a Service (SaaS)."  (I listed many of the acquisitions at the end of this blog post.)

I saw a succinct summary of the trend in the High Contrast blog.  It reported:

• Outsourcing of content archiving, which often means
• Outsourcing of e-discovery, which is why we see
• Search players buying hosted content archiving companies

What is driving the outsourcing market?  Are enterprise customers handing over their data in droves?

I talk to enterprise email decision makers every day.  They tell me that it is fine to outsource incoming email.  After all, this mail comes from the Internet anyway.  However, these same customers tell me that they are afraid to outsource their outbound and internal email handling.  (Internal email is email in which all the senders and recipients are within a company.)  Generally, there are two reasons given:

• It is dangerous to let a third party hold your most confidential email, which includes much of the internal email.  If the third party receives a subpoena for your mail, would they fight the request on your behalf when they have nothing to gain by fighting?  Or, would they cooperate with authorities (or the other side) to protect their interests? 

It can get worse.  For certain types of investigations, it may be illegal under the Patriot Act for the third party to tell you of the search for your email. 

• The amount of network bandwidth required to send internal mail to an outsourced provider is enormous.  Companies like Postini can easily archive external mail by intercepting it before it reaches you.  But, internal mail must be routed to the outsourced vendor, which can more than double bandwidth costs.

If you are already using Google for your business email, then the Google/Postini match is ideal in regards to bandwidth utilization.  All the mail is at Google anyway.  But, companies with their own email systems cannot afford the Internet costs for shipping that much mail to Google for processing.

These reasons make sense.  Therefore, while I believe that the Google/Postini marriage helps the viability of Google Mail, I do not see enterprise customers willingly handing over their precious internal email to a third party.  So, I have to wonder if all of this acquisition activity is being driven by investors in love with the outsourced business model -- not the enterprise customer.

Below is some of the examples of the recent activity reported in High Contrast: