Perils of Email

The Perils of E-Mail

By Nicholas Varchaver (Fortune.com 02-03-2003)

It was supposed to make life easier. Now e-mail has become a prosecutor's No. 1 weapon and the surest way for companies to get sued. How e-mail became e-vidence mail--and why the solution is often worse than the problem.

It was the sort of e-mail most people delete with nary a glance. The bland subject heading read: "E-mail content training to begin in October." But the message inside was anything but routine. Merrill Lynch was ordering its 50,000-plus employees to attend a reeducation camp of sorts. "It is imperative that every employee knows how to use e-mail effectively and appropriately," wrote Merrill president Stanley O'Neal and chairman David Komansky. "E-mail and other forms of electronic communication are like any other written communication, and are subject to subpoena." Before sending an e-mail, they advised, "Ask yourself: How would I feel if this message appeared on the front page of a newspaper?"

Good question. And one O'Neal and Komansky would get a chance to answer. Some thoughtful Merrill staffer, apparently, zapped the e-mail to the Reuters news service (or to someone else who did), from which it traveled to the pages of the New York Post, the Boston Herald, and the Houston Chronicle, and to Lou Dobbs Moneyline on CNN. Take two seconds to think about it, and two lessons emerge: (1) E-mail is inspiring a very real and growing fear in corporate boardrooms, and (2) that fear can't do anything to stop electronic messages from careening out of control.

Sure, 2002 was the Year of Corporate Scandal. But really it wouldn't be fair to give all the credit to grasping, conniving executives and malevolent, sneaky bookkeepers. No, as those corporate honchos offer their plea bargains, they'll all be able to name an accomplice: e-mail.

For prosecutors, it has become the star witness--or perhaps an even better weapon than that. Think of e-mail as the corporate equivalent of DNA evidence, that single hair left at the crime scene that turns the entire case. In theory you can explain it away, but good luck trying.

So ubiquitous has the smoking e-mail become that some lawyers have taken to calling it "evidence mail." Says Garry Mathiason, whose law firm, Littler Mendelson, defends giant corporations in employment cases: "I don't think there's a case we handle today that doesn't have some e-mail component to it."

Who knew that a nation could become so transfixed by writing? There was the Stephen King of e-mail prose--former Merrill Lynch analyst Henry Blodget--whose output was as prolific as it was haunting. Former Salomon Smith Barney analyst Jack Grubman favored a terser style--he's reportedly a BlackBerry man--for what he would later claim were his fictional musings. But literary style notwithstanding, their e-mails shared a common plot: jacking up stock ratings to please investment-bank clients. Does anybody think the nation's biggest brokerages would have agreed to hand over $1.5 billion in settlements if not for this electronic paper trail?

Nor was the pox limited to the Wall Street houses. Like forgotten land mines, unfortunate e-mails involving Enron, WorldCom, Qwest, Global Crossing, and Tyco exploded sporadically throughout the year. There was even damaging e-mail about e-mail, as happened with the J.P. Morgan Chase banker who warned a colleague to "shut up and delete this e-mail."

But even that seemingly obvious fix can bring its own perils. Five big Wall Street brokerages coughed up $8.25 million in fines in December for failing to preserve electronic messages, as securities rules require. And one cannot forget Arthur Andersen, whose destruction of Enron-related transmissions led to a criminal conviction and eventually to the accounting firm's implosion. While the degree of punishment was exceptional, the fact of it wasn't: Judges are increasingly imposing penalties on companies that can't turn over old e-mails when the court demands them.

And so it boils down to this, to borrow an old phrase: Companies can't live with e-mail, and they definitely can't live without it. As we've seen it's increasingly a legal albatross--and, at the very least, a fast track to public humiliation. But then it's also the most important business technology since the advent of the telephone. It's invaluable in allowing far-flung offices to communicate and it lets employees work from anywhere. It has freed us from the tyranny of phone tag and given us an effortless way to transmit lengthy documents without so much as a busy fax signal. If you have any doubt how much the technology has worked its way into your daily life, just ask yourself this: How many times a day do you check your e-mail?

How to reconcile these two contradictory notions--that e-mail is both salvation and threat? As we're about to show you, there is no easy answer. In fact, this may be one of the most daunting, high-stakes conundrums facing corporate America today.

But one thing is certain: Imposing a technological solution to a behavioral problem, as many companies are trying, seems doomed to failure. After all, e-mail didn't cause Blodget to write what he did--it simply did a good job of recording him.

It's not as if we've never been warned. Only four years ago Microsoft was flayed at its antitrust trial for endless indelicate e-mails, such as the one in which Bill Gates asked, "How much do we need to pay you to screw Netscape?" A decade before that an early form of e-mail provided key evidence in the 1987 Iran-Contra investigation. As it happens, many of the smoking guns consisted of e-mails that Oliver North had erased. Or thought he did.

Now, 15 years later, it sounds obvious to say that "delete" doesn't mean delete. It sounds schoolmarmish to say, "Careful what you write." We know that already. But still, neither lesson has sunk in.

So what is it about e-mail that makes it seem like electronic truth serum? Some years back, researchers at the University of Texas conducted an experiment. They asked volunteers to sit in a cubicle by themselves and respond to a series of personal questions. The subjects had to speak into a microphone, which, they were told, would record what they said. Half the group sat in cubicles with a large mirror facing them; the others had no mirror. The researchers found that the mirrorless subjects were noticeably more willing to speak and more likely to say revealing things. E-mail, which at heart is a solitary way of communicating, may convey that same mirrorless feeling.

Perhaps that explains our apparent tendency to confess electronically. In Alphabet to E-Mail: How Written English Evolved and Where It's Heading, linguist Naomi Baron notes that 25 years of research reveal that "people offer more accurate and complete information about themselves when filling out questionnaires using a computer than when completing the same form on paper or through a face-to-face interview. The differences were especially marked when the information at issue was personally sensitive."

That's great news for D.A.s and advice columnists, but a nightmare from the corporation's vantage point. "Companies are really struggling with this," says Jay Ehrenreich, senior manager of PricewaterhouseCoopers' cybercrime prevention and response group. For starters, we're drowning in electronic paperwork. The ease of e-mail means we send and receive more documents than ever before. And as document-management consultant Bob Williams of Cohasset Associates points out, the rise of word processing and e-mail has led to the gradual extinction of the secretary--the person who paid attention to filing and purging. If the typical middle manager were to file papers the way he stores e-mails, his office would be filled with five-foot pillars of vellum and bleached bond. Is it any wonder that embarrassing e-mails keep popping up?

Many corporate managers have concluded that the best solution to this mess is the mass purge. If your business isn't, say, a brokerage or health-care company, both of which have specific rules on how long they must keep records, you can trash e-mails whenever you want, as long as you do so pursuant to the terms of a formal policy. And so companies are cleaning out their electronic closets, now typically wiping all e-mail messages from their servers after 30 to 90 days.

Others limit individuals' storage capacity. For example, Boeing restricts staffers to 15 megabytes of e-mail in their in-box. If they exceed the limit, the system won't allow them to send any e-mail. In theory, employees will judiciously eliminate messages that have outlived their usefulness.

Purging has other benefits--it allows companies to free server space for more productive uses. But as a litigation-avoidance tool it's "pissing into the wind," in the earthy words of Tom Campbell, founder of Kobo.biz, a company that offers high-end web-based e-mail. Purges don't delete the messages that are stored on employees' hard drives; they don't eliminate the ones that people print out and file away; and they don't eradicate the e-mails that have been sent or forwarded to people outside the company. In other words, a huge percentage of e-mails will escape most purges.

More fundamentally, do businesses want the legal tail to wag the commercial dog? How many documents do you want to throw out in hopes of avoiding future litigation? "To purge the contents of the entire e-mail system," says consultant and lawyer Randolph Kahn, co-author of the forthcoming book E-Mail Rules, "is to potentially dispose of records with business significance that are needed to protect the company's business and legal interests."

And, believe it or not, e-mail can actually come to the rescue of corporations in litigation. In employment cases, says lawyer Mathiason of Littler Mendelson, e-mail evidence is as likely to help a company as it is to hurt it. He cites a recent mediation in which a company was sued because a male executive had allegedly sexually harassed a female employee. Mathiason's team retrieved lurid e-mail attachments that the woman had sent to her ostensible harasser, undercutting her claim that she'd been a victim. Says Mathiason: "The attachments were so gross and so disgusting that, first of all, one of our paralegals wouldn't even look at them, and I could hardly blame that person. We threw those out in the mediation, and the claim went down from $1 million to $10,000."

But for good or ill, e-mails are fundamentally survivors. They are the cockroaches of mass communication. Even if e-mails have been purged from a server, for instance, they may survive on the company's backup tape. And while it can be difficult and expensive to retrieve files from backup tapes, that doesn't get companies off the hook: Courts expect you to produce the e-mails anyway.

Consider one recent case involving a GMAC subsidiary, Residential Funding Corp. In a breach-of-contract lawsuit, RFC had won a $96 million jury award against DeGeorge Financial Corp. That is, until a New York federal appeals court weighed in. At issue was RFC's inability to deliver old e-mails at trial. The fact that RFC had hired a leading electronic discovery firm to recover the messages from backup tapes--and that the effort had failed--was no excuse, the judges said. A company can be punished, the appellate court found, even if its failure to provide e-mails was caused by negligence rather than bad faith. The case was sent back to the trial court and settled in December with an unspecified payment to DeGeorge.

If purging isn't the answer, can e-mail monitoring come to the rescue? These days, 47% of companies engage in the practice, according to the ePolicy Institute, a research and consulting firm in Columbus . There's no getting around the Orwellian flavor of all this scrutiny, though perhaps it's leavened by a certain absurdism in the corporate incarnation: Even the watchers are watched. Witness the very large company that brought in PWC's Ehrenreich as a precautionary measure during the layoff of some of its IT staff. The consultants scanned the hard drives of the soon-to-depart IT employees, hoping to stave off any potential sabotage. That's when they discovered that one IT staffer had quietly snooped into a senior executive's electronic in-box and retrieved some hardcore pornographic e-mails. Rather than report it to his higher-ups, he was gleefully sharing the material with his fellow techies.

Even when monitors do what they're supposed to do, they gear their efforts largely to warding off sexually explicit and junk e-mails--not ferreting out the Blodgets and Grubmans among us. Adam Ludlow, senior network engineer at electronics manufacturer Brother Industries, estimates that spam- and obscenity-hunting software blocks 7,000 of the 20,000 e-mails that arrive at Brother's U.S. servers every day. "MAILsweeper [a software program] probably blocks 2,000 e-mails a day just with the word 'Viagra' in it," he says.

The software also filters what is going in the other direction, waylaying messages with objectionable language. "I don't let any profanity leave this establishment," Ludlow says. He has programmed the software, which Brother bought from a company called Clearswift, not only to search for obscene phraseology, but also to seek out certain technical language. The latter prevents employees from sending, say, new-product designs to any e-mail address that isn't on an approved list.

It's both impressive and chilling--and still only nascent. According to International Data Corp., companies spent $139 million on content-oriented e-mail monitoring in 2001, compared with the $1.67 billion they shelled out for software that blocks viruses. IDC predicts that e-mail monitoring software sales will grow to a $662 million market by 2006.

Companies that sell monitoring software say they've been getting a lot of interest lately. Says Ivan O'Sullivan, vice-president for worldwide corporate development at Clearswift (whose 2,000 U.S. customers include AT&T, Bank of America, Continental Airlines, and General Electric): "In terms of requests for proposals, I haven't ever seen it as hot and busy as it was in the last three months of 2002."

Wall Street houses, in particular, are looking to tighten their monitoring, O'Sullivan says. In the past, they employed software to identify suspicious messages after they were sent and delivered. Now, he says, "more people want to do pre-review of messages in the financial space, rather than look at things after the fact." In pre-review, messages are electronically shanghaied and then "quarantined" until, say, a compliance supervisor reads them. Only with the supervisor's approval is a message routed to its intended recipient. Second, whereas investment banks mostly monitored e-mails that went to people outside the firm, according to O'Sullivan, they're now looking to monitor communications within the firm too. (Need we point out that the infamous Wall Street e-mails were all intracompany messages?)

Better living through software, right? Perhaps. But there are plenty of dangerous things a person can say without using a single hot-button word or combination. Consider two phrases: "This is an accommodation for an important client" and "This company is very important to us from a banking perspective." Both excerpts are from the Merrill Lynch e-mail collection. In the context of allegations that Merrill inflated stock ratings to please investment-banking clients, the phrases are extremely damning.

But if every e-mail that mentions an accommodation for a client sets off an alarm bell, companies will need battalions of censors to comb through the resulting deluge of "suspicious" messages. Even clearly inflammatory wording, such as the Blodget assessment that a stock was "a powder keg," is caught only if the phrase in question is common enough to be included on a programming list. As O'Sullivan acknowledges, "Ultimately, we're not a substitute for good management. We're a tool that organizations who wish to comply can use to assist them in their compliance."

Aggressive monitoring can actually create surprising risks for multinational corporations, which the great majority of the FORTUNE 500 are. Privacy-protection laws for employees are much stricter in Europe than in the U.S. Three Deutsche Bank executives now face prison time in Spain for doing something American companies routinely do: examining an employee's e-mail. Microsoft was fined after a few of its Spanish employees voluntarily submitted personal data to a company website, which sent the information to the human resources department in Redmond , Wash.

The buzz phrase for e-mail consultants in recent years is "having a policy." In theory, companies are shielded from liability by putting their e-mail rules in writing--something four-fifths of American companies already do. "But where employers drop the ball," says Nancy Flynn of the ePolicy Institute, "is that only 24% do any kind of training. So you can't expect your employees to know what to do and what not to do if you don't train them."

Companies such as Boeing and Intel have long had classes on e-mail and Internet use, which focus on commonsense rules and advice (with an occasional quirky mandate: Intel's policy forbids chain letters). Boeing even requires an annual refresher course.

Training, perhaps, is the best tonic--at least when it comes to simple concepts, such as not using offensive language. But can we ever train people when the core of the message is "Don't say anything stupid"? And ultimately, of course, e-mail is simply a recording medium. Though no company would ever admit to such a view, you get the feeling that more than one CEO is thinking, I don't care how you act--just don't write it down. And that, of course, is not an e-mail problem.

Now that some businesspeople appear to crave a return to a world where every exchange isn't recorded, it's worth recalling that there was a time when just the opposite was true. In the earliest days of the telephone, according to America Calling: A Social History of the Telephone to 1940, some businessmen actually resisted the new technology because they couldn't conceive of buying, selling, and negotiating without a permanent paper record.

Indeed, the history of the telephone offers lessons for corporate managers wrestling with e-mail. For all its universal acceptance, e-mail has been in widespread use for less than ten years. We simply haven't figured it out yet. By comparison, it took decades to evolve uses for the phone that seem completely natural now. For nearly half a century, the Bell companies scorned the idea of using a phone to socialize; they marketed it for its business and utilitarian purposes only.

Like the telephone, e-mail is occasionally blamed for long-developing changes that it didn't necessarily create (but did accelerate): the increasing overlap of home and work life and the tendency of written language to resemble speech. Both have fed people's tendency to write irreverent, loose e-mail.

Add to that more recent technological developments, such as the popularity of the BlackBerry, which both heighten the intermingling of work and home and accentuate people's tendency to fire off a quick electronic note. Where once an employee would compose himself and dictate a memo to a secretary, who might bring it back for inspection an hour later, a manager is more likely now to thumb-type a two-line e-mail while standing on the sidelines at her daughter's soccer game.

As young as it is, e-mail is already being followed by an even faster technology that could be more dangerous still. Instant messaging is rising fast in corporate America ; some 45% of Internet users at work currently have access to consumer IM services such as those from AOL, MSN, and Yahoo, according to ComScore Media Metrix. Such systems generally leave little electronic trace unless a user intentionally takes steps to preserve messages. But for the same reason that companies monitor, block, and save e-mail messages, they're likely to eventually do the same with IM.

Among teenagers and college students, IM plays the role that e-mail does for older people, argues Baron: It's casual and written in "spoken" style. Students, she says, save e-mail for more formal correspondence with parents and professors.

So our e-mail problem may disappear--only to be replaced by an IM problem. Says Paul Saffo of the Institute for the Future: "By the time we get all four corners of e-mail nailed down, the important communications are going to be instant-messaging. And no one will know what to do with that."