E-mail snooping becomes business standard

By Eric Lai

updated 6:09 p.m. ET March 21, 2005

How private is your office e-mail? Not very, as The Boeing Co. CEO Harry Stonecipher discovered to his sorrow this month.

Post-stock-bubble rules such as the Sarbanes-Oxley Act add more risks and responsibilities to being a CEO of a public company than ever before. Worried about the possible impact, Boeing's board of directors preemptively fired Stonecipher before amorous e-mails he had sent to a female employee with whom he was having an affair were spread around the Internet.

But more than the boss' e-mail is attracting extra scrutiny these days. Executives and employees at all but the smallest firms should expect that somebody is snooping around their electronic communications.

"People think e-mail is as private as writing a personal letter," said Jim Forant, an IT director for Delaware Investments, a Philadelphia mutual fund company. "It's not. It's owned by your company."

According to a 2004 survey of 840 companies by the American Management Association, 60 percent said they use some type of software to monitor employees' incoming and outgoing e-mail, up from 47 percent in 2001. Twenty-seven percent also monitor internal e-mail.

Only a few states require companies to tell employees that their e-mail is being monitored.

"There is no expectation of privacy for Sandia e-mail," said Michael Janes, a spokesman at Sandia National Laboratories in Livermore, Calif.

Top-secret government entities were early adopters for obvious reasons and the lab has long used both software and staffers to monitor employee e-mails. Most companies began to monitor employee communication simply to cut down on e-mail spam and virus-laden attachments. The assumption was that threats were mostly external.

Enemy within
That assumption no longer holds true. High-profile legal cases against Enron Corp. and Wall Street analysts were won in part because of incriminating e-mail evidence written by employees and executives. One-fifth of the companies surveyed by the management association reported they had had their e-mail subpoenaed.

More prosaically, Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, or HIPAA, in the medical area have stiffened penalties for companies that fail to show that employees are complying with data handling and privacy rules.

SECURITY     MORE Surprise! Merchants say Web fraud is down Facebook forms board on online safety Man in stolen cell phone pic turns himself in Teen Internet addicts more likely to self harm

Banks and hospitals were among the first private-sector firms to begin monitoring e-mails. But others have followed - some to cut down on offensive or explicit language that could leave companies open to claims of hostile workplace environments, others to keep tabs on employees who may be spilling insider information.

"What we're seeing is the adoption of these same tools by industries that are not mandated by regulations to do so, because the risk created by not managing this content is unacceptable," said Zantaz Inc. CEO Steve King. The Pleasanton, Calif.-based firm makes software that lets companies such as Delaware Investments archive and monitor their e-mail.

Once e-mail is sent out into the wild, it is impossible to keep track of where it will end up.

"Just because you click send when no one's around doesn't mean it's not tracked, saved, received and archived," said Dave Eerikainen, an IT manager for a billion-dollar Virginia telecommunications company. The firm, which uses software from Emeryville, Calif.-based SendMail Inc., takes the extra precaution of "quarantining" unacceptable e-mails before they go out and notifying the sender.

MORE FROM EAST BAY

Travel passion - Jade Chapman and family keep Key Holidays on track

Travel passion - Jade Chapman and family keep Key Holidays on track California HealthCare Foundation buys Oakland Athletic Club Federal stem cell bill an unlikely bet, says Prop. 71 author   Add East Bay headlines to your news reader: