In early February, while the government was breathing down Eli Lilly’s neck over questionable marketing tactics used to peddle its schizophrenia drug Zyprexa, an Eli Lilly in-house attorney was working on a way to settle the matter.
The lawyer was writing an e-mail full of sensitive information pertaining to the settlement, which included a fine that would be the largest ever paid by a drug company for breaking federal laws regulating how drug makers can promote their medicines. She meant to address the message to Brad Berenson, a partner at Sidley Austin, and outside counsel on the case.
However, thanks to the autofill function on her e-mail, the message went to Alex Berenson, a reporter for the New York Times. Needless to say, the issues surrounding Zyprexa literally became front-page news the next day.
E-mail blunders such as Eli Lilly’s can happen to any company. Whether it’s an employee writing blatantly harassing e-mails to a co-worker or an engineer transmitting trade secrets outside of an organization, no company is safe from the risks that e-mail creates.
However, new technology may help combat these liabilities. A number of companies are producing software that automatically enforces acceptable use policies. These customizable systems execute a number of actions in the event that a policy is broken, going so far as to sequester the damaging message before it ever reaches the recipient.
“People treat e-mail like chatting, often thinking of it as private, short-lived and unofficial,” says David Cohen, co-chair of K&L Gates’ e-discovery analysis and technology group. “What lawyers quickly learn is that it lasts forever, multiple copies of a message exist, and it’s easily misinterpreted and misdirected.”
E-mail dangers come in many forms. The most notorious risk that e-mail poses, and possibly the most costly, is the “smoking gun.” This is the term used for e-mails that contain blatantly damaging information that can sink a case for a company defending itself in investigations and litigation.
Other e-mail dangers include misguided messages that can compromise privilege or trade secret information, the transmission of pornographic material and the accidental disclosure of private information such as Social Security numbers and health records. Any of these can result in litigation, regulatory investigations or financial loss to a company.
“The first step for any company is to have an acceptable use policy, which should state, among other things, that company resources are for business purposes and that employees have no privacy rights,” Cohen says.
The company should publicize the policy and ensure all employees sign a document stating they have read and understand it.
However, sometimes policies aren’t enough to protect a company. That’s where e-mail monitoring software comes into play.
This technology comes in multiple flavors, but all permutations of the product serve the same purpose–to create a process whereby in-house counsel can track, monitor and sometimes prevent potentially damaging messages.
This process begins with the establishment of policies. Policies are customizable combinations of rule sets that in-house counsel can institute to help automatically enforce acceptable use policies. Policies can take the shape of banned keywords, whereby the software, using its built-in lexicon, can scan e-mail messages for trigger words such as sexual and racist vocabulary.
“With our software, you can have multiple lexicons for different business units, such as R&D and HR,” says Bill Tolson, director of legal and regulatory solutions marketing at Mimosa Systems Inc. “All those lexicons will be compared in real time as files flow through the system.”
Another type of policy can limit the number of recipients a sender can assign an e-mail. Companies can use this function to cut down on the number of mass e-mails employees transmit, but it also can help prevent violations of certain regulations, such as those that govern the financial industry.
“Let’s say you are a registered broker-dealer and you just sent out a communication to more than 20 people outside the company,” says Chris Bradley, vice president of marketing and business development for MessageGate Inc., an e-mail monitoring software provider. “That could be constituted as marketing materials, so you might want to alert the user to insert a disclaimer saying the message doesn’t represent the views of the company but of the individual.”
Finally, the software can limit communication between internal departments at a company. This type of policy is especially useful to prevent the transmission and theft of trade secrets and personally identifiable information.
“If you are an engineer, you tend to not be working with HR content,” says George Tziahanas, vice president of legal and information management solutions at Orchestria Corp. “If it turns out that you are an engineer working with HR content [and shouldn't be], we can trigger a control.”
These controls are called “actions,” and in-house counsel can set up the software to deploy actions of varying severity depending on the infraction.
For example, some software can automatically sequester an e-mail in a special queue, preventing it from leaving the organization. The company assigns someone to monitor the queue, often either in-house counsel or a member of the compliance or HR departments. This person can review the questionable e-mails and either allow them to continue on to their recipients or stop them and confront the sender on the violation of policy.
However not all software manufacturers include this capability.
“Our product is different in that we don’t stop e-mails,” Tolson says. “We watch things, do alerts and put copies of questionable e-mails aside, but we never stop the flow of e-mail. If you are stopping the wrong things and cause a business to lose business, then there are some liability issues.”
This is why many companies opt to use the alert action, which not only prevents the interruption of business but educates employees in the process. When a user attempts to send a message that potentially violates a policy, a message appears citing the possible violation. At this point, the employee can opt to either send the message as is or alter the e-mail to comply.
“If you give people the ability to self-correct, that has a huge impact on two things,” Tziahanas says. “It is a deterrent in and of itself, but it also is a great way to educate employees.”