Financial Times FT.com

Message on sensitive e-mails is not getting through

By Ben White in New York

Published: October 15 2006 16:16 | Last updated: October 15 2006 16:16

When new employees start at Goldman Sachs, among the first things they are told is that they should not put anything in an e-mail that they wouldn’t want to read in the newspaper.

Don’t complain about colleagues. Don’t discuss sensitive deals. Don’t bad-mouth the competition. If you want to do those things, they are told, use the phone or talk to someone in person, outside the office if necessary.

“E-mail is forever,” says Goldman spokesman Peter Rose. “People are told to use their good judgment.”

The warning has been repeated across Wall Street and the larger corporate world for years, especially since New York Attorney-General Eliot Spitzer used embarrassing e-mails to wrest $1.4bn in regulatory settlements from securities firms.

But the message never seems to get through. Unfortunate e-mails and instant messages continue to turn up in public.

Earlier this month, Morgan Stanley sacked its chief Asia economist Andy Xie over an internal e-mail in which Mr Xie attributed Singapore’s economic success to money laundering.

E-mail exchanges are also expected to play a major role in criminal prosecutions of the former Hewlett-Packard chairman Patricia Dunn and four others who were involved in HP’s investigation of news leaks.

It seems that no matter how often they are told, employees simply cannot break the habit of treating workplace e-mails as casual, private exchanges that will never go beyond their intended recipient.

“There are a lot of things that we know at the abstract level that we don’t put into practice,” says University of Chicago assistant professor Nicholas Epley. “We know we should eat a salad but we eat a Twinkie. We know we should save but we spend. We know we shouldn’t send something over e-mail but we do it anyway.”

Simply telling workers to be more careful is not enough, Mr Epley says. “The reality is that most of the policy things you can do cannot overcome psychological shortcomings...You are not going to overcome millions of years of evolution. “You have to change the environment in some way.”

Some companies are doing just that by using increasingly advanced software that can block potentially embarrassing messages from leaving a corporate system.

“In addition to dirty words you can train software to look for specific trade secrets, or the names of your executives, or research projects or clients or competitors, and block those messages from ever leaving your system,” says Nancy Flynn, executive director of the ePolicy Institute, which conducts research and advises companies.

Ms Flynn says employers should be rushing to deploy this kind of software, and not just for e-mails. Blog posts and instant messages are dangerous as well.

In a recent ePolicy survey of 416 companies, 35 per cent of workers said they use instant messaging at work.

Of that group, 10 per cent said they had sent or received internal messages with sexual or romantic content, 24 per cent containing jokes, gossip, rumours or disparaging remarks and 12 per cent containing confidential information about the company or employees.

The survey found that only 42 per cent of companies conduct any formal training regarding e-mail usage, relying instead on written policies that often go unread.

Although most companies will not discuss internal information-sharing and monitoring policies, Keith Crosley, director of market development for electronic security company Proofpoint, says heavily regulated industries such as financial services and health care are among his company’s best customers. Kawasaki Motors uses the software to make sure no one leaks its motorcycle designs.

Proofpoint offers software that monitors messages as they arrive and depart, deploying complex algorithms to detect potentially dangerous words or phrases.

The software ensures that personal data such as credit card numbers and medical histories are not sent un-encrypted and monitors the disclosure of proprietary corporate information.

“Our systems can be trained,” Mr Crosley says. “You can show it examples. ‘Here are my new car designs. Here is my internal phone list,’ and not let those messages go out.”

Mr Crosley says Proofpoint can also scan e-mails sent using web-based accounts such as Yahoo. It can also monitor internal messages and blog posts – anything transmitted from company computers over internet protocols.

The problem, as with spam filters, is that the algorithms occasionally block important and innocuous workplace e-mails. “Customers are not very tolerant of that problem,” Mr Crosley says.

Despite increasingly clever software, there remain stalwarts such as Gary Weaver, an associate professor of management at the University of Delaware, who say the only solution is to create a culture in which employees voluntarily censor their online communications.

“That might mean having a manager or someone in a supervisory position calling someone up and saying something like, ‘We are talking about our strategic plan here. We can’t risk putting this in an e-mail.’ ”

Copyright The Financial Times Limited 2009. Print a single copy of this article for personal use. Contact us if you wish to print more to distribute to others.

"FT" and "Financial Times" are trademarks of the Financial Times. Privacy policy | Terms
© Copyright The Financial Times Ltd 2009.