Monday, February 19, 2007

E-mail and trade secrets

I missed this post from The Trade Secrets Blog. I report my embarrassment at this because I recognize the behavior described in the post. Web-based e-mail includes Yahoo and G-Mail and Netscape Mail (if that still exists) and MSN (or whatever Microsoft calls MSN nowadays).

From the New York Times (registration req'd), a story about the heartburn employers feel when employees transfer their confidential company email to web-accessible free personal email accounts offered by companies such as Google and Yahoo.

As the Times puts it, "employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased."

Rest easily (for now) though, "[s]o far, no major corporate disasters caused by this kind of e-mail forwarding have come to light."

But, for the paranoid among us: "Lawyers in particular wring their hands over employees using outside e-mail services. They encourage companies to keep messages for as long as necessary and then erase them to keep them out of the reach of legal foes. Companies have no control over the life span of e-mail messages in employees’ Web accounts."
The New York Times has a free subscription policy but in case you do not want to take the time, here are some excerpts directly from the article:

Hospitals have an added legal obligation to protect patient records. But when DeKalb Medical Center in Atlanta started monitoring its staff use of Web-based e-mail, it found that doctors and nurses routinely forwarded confidential medical records to their personal Web mail accounts — not for nefarious purposes, but so they could continue to work from home.

In the months after the hospital began monitoring traffic to Web e-mail services, it identified “a couple hundred incidents,” said Sharon Finney, DeKalb’s information security administrator. “I was surprised about the lack of literacy about the technology we depend on every day,” she said.

DeKalb now forbids the practice, and uses several software systems that monitor the hospital’s outbound e-mail and Web traffic. Ms Finney said she still catches four to five perpetrators a month trying to forward hospital e-mail.

The Web mail services may also be prone to glitches. Last month, Google fixed a bug that caused the disappearance of “some or all” of the stored mail of around 60 users. A week later, it acknowledged a security hole that could have exposed its users’ address books to Internet attackers.


Paul Kocher, president of the security firm Cryptography Research, said the real issue for companies was trust. “If you can’t trust employees enough to use services like Gmail, they probably shouldn’t be working for you,” he said.

Many companies apparently do not have that level of trust. In a survey conducted last year, the e-mail security firm Proofpoint found that 37 percent of companies in the United States used software to monitor office use of Web mail.

With trade secrets does it not always come down to trust? I do not see any means of a business with employee trust issues to protect itself other than installing monitoring software. Do read this earlier post which widens the focus beyond only e-mail.