Offering Consultancy on Email Compliance Issues
The problem is that the situation is complicated, and some regulations appear to be contradictory, so far too many companies decide it's best to ignore the legal requirements.
The good news is that you can help your customers manage this important aspect of staying on the right side of business regulations.
The first and most important part of email compliance is the Data Protection Act, which covers anyone who stores any form of personal information. The first point to clarify with your customers is whether they need to notify the Data Protection Agency (DPA) that they are holding data. In general, if a company is keeping personal information, they should tell the DPA. The Information Commissioner’s Web site (www.ico.gov.uk) has good guidance on notification as well as an online self-assessment tool that you can use with your customers to determine whether or not notification is necessary. Processing personal data without notifying the Information Commissioner is an offence.
Organisations keeping data need to comply with the eight data protection principles of the act that together lay out the rules for good information handling. Personal information must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with the original person’s rights
- Secure
- Not transferred to other countries without adequate protection
A thorough audit should identify where all data is processed, transmitted and stored (remember to consider online services like Salesforce.com and Gmail, which take data out of the UK). The results often contain surprises, as data is held in unexpected places that don’t get backed up, and unprotected in applications and databases.
Emails as Evidence
The second area concerning email compliance is less obvious as there’s no legislation to point at. However, high profile cases such as Enron and Arthur Andersen have highlighted the fact that emails are just as important as paper documents as a historic evidence trail. Emails are being used in courts as evidence, and if someone sues one of your customers, they may well have a legal discovery subpoena issued that demands the production of relevant records. If your customer can’t produce the information, it doesn’t matter whether that’s because they didn’t bother to keep the emails, or because the emails were deliberately or accidentally deleted. The end result is a nasty fine.
Your customers need to keep their emails, and they need to keep them in a way that proves they’ve not been altered in any way. The first step is to have in place an archiving system that removes any responsibility for archiving from the users. Any emails that have been sent or received, both internal and external, should be archived permanently in their original format. One common technique for this is to use a database and to encrypt and compress the emails so your customers can prove they’ve not been changed.
Don’t treat the archive as a backup unless you’re reselling an accredited archiving service like Mimecast (www.mimecast.com) for the purpose. What is needed is a forensically sound version when retrieved from the compliance archive, along with log files and record counts so that the entire email compliance process can be audited. The log files need to show that every email within the company is captured, and that, once written to the compliance archive, it is read-only.
When an email is received, it has to be captured in its context, uniquely identified, and archived before it is processed in any other way. This shows that no-one could have changed or deleted any messages before they were added to the compliance archive. Conversely, your customers should archive messages leaving the company after all the other processing has taken place.
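The three properties described above (capture before any other processing, a unique identifier per message, and an auditable record count) can be checked mechanically if the archive keeps a content hash for every message and chains the manifest entries together. The following is an added example written for this article, not code from any archiving product mentioned here; the `ComplianceArchive` class, its record layout and the two sample messages are all constructed for illustration. Encrypting or compressing a stored message does not by itself prove it is unchanged; a hash taken over the raw bytes at ingestion time, recorded before parsing or delivery, is what lets a later audit show that nothing was altered, deleted or reordered.

```python
"""Ingestion-time integrity manifest for an email compliance archive.

Added example (not from the original article). Each message is hashed in its
raw, unparsed form before any other processing, given a sequential archive id,
and appended to a hash-chained manifest. An audit then recomputes every hash
and checks the chain and the record count, so modification, deletion or
reordering of archived messages is detectable.
"""
import hashlib
import json
from email import policy
from email.parser import BytesParser
from typing import List

GENESIS = "0" * 64  # chain anchor for the first manifest entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ComplianceArchive:
    def __init__(self) -> None:
        self.blobs = {}      # archive_id -> raw message bytes (write-once)
        self.manifest = []   # audit log, one hash-chained entry per message

    def ingest(self, raw: bytes, direction: str) -> str:
        """Archive one message exactly as received and return its archive id."""
        # Hash the bytes on the wire first, before parsing or any other processing.
        digest = sha256_hex(raw)
        headers = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
        archive_id = f"{len(self.manifest) + 1:08d}"
        prev = self.manifest[-1]["entry_hash"] if self.manifest else GENESIS
        entry = {
            "archive_id": archive_id,
            "direction": direction,              # "inbound" or "outbound"
            "message_id": str(headers.get("Message-ID", "")),
            "size": len(raw),
            "sha256": digest,
            "prev_entry_hash": prev,
        }
        # The entry hash covers the entry itself plus the previous entry's hash.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        if archive_id in self.blobs:
            raise RuntimeError("archive is write-once; id already used")
        self.blobs[archive_id] = raw
        self.manifest.append(entry)
        return archive_id

    def audit(self) -> List[str]:
        """Recompute every hash and the chain; return a list of problems found."""
        problems = []
        prev = GENESIS
        for n, entry in enumerate(self.manifest, start=1):
            aid = entry["archive_id"]
            if aid != f"{n:08d}":
                problems.append(f"{aid}: id out of sequence (expected {n:08d})")
            if entry["prev_entry_hash"] != prev:
                problems.append(f"{aid}: chain break (entry moved or removed)")
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                problems.append(f"{aid}: manifest entry altered")
            raw = self.blobs.get(aid)
            if raw is None:
                problems.append(f"{aid}: message missing from archive")
            elif sha256_hex(raw) != entry["sha256"]:
                problems.append(f"{aid}: message content altered")
            prev = entry["entry_hash"]
        if len(self.blobs) != len(self.manifest):
            problems.append(f"record count mismatch: {len(self.blobs)} blobs, "
                            f"{len(self.manifest)} manifest entries")
        return problems


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    b"Message-ID: <a1@example.invalid>\r\nFrom: a@example.invalid\r\n"
    b"Subject: Quote\r\n\r\nPrice agreed at 100.\r\n",
    b"Message-ID: <b2@example.invalid>\r\nFrom: b@example.invalid\r\n"
    b"Subject: Re: Quote\r\n\r\nAccepted.\r\n",
]


def demo():
    """Archive the samples, audit, then tamper with one message and audit again."""
    archive = ComplianceArchive()
    for raw in SAMPLE_MESSAGES:
        archive.ingest(raw, "inbound")
    clean = archive.audit()
    # Simulate an after-the-fact edit of the stored copy (the price changes).
    archive.blobs["00000001"] = archive.blobs["00000001"].replace(b"100", b"900")
    tampered = archive.audit()
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean audit:", before or "no problems")
    print("after tampering:", after)
```

The chain means that an auditor only needs the final entry hash and the manifest to show that every record is still present and in its original order; the per-message `sha256` is what a court-facing retrieval would quote alongside the message.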
Informing Employees What’s Happening
It’s all very well storing all emails, but your customers also need to tell the people working for them what’s happening. All employees need to be informed that the company has an email compliance archive, and that all emails will be archived, both internal and external. Employees should be able to access the email compliance archive to find and view any email that was sent to them or by them (but obviously, not change it in any way). Personal email is problematic. Telling employees they can’t use the company email system to send or receive personal emails will be unpopular and difficult to enforce. Some companies provide a personal email template that employees are encouraged to use; others require employees to use Web-based email for personal messages.
At the very least, all employees should be reminded that emails sent from a company email address carry the same authority as letters sent on the company letter headed paper; that the same laws relating to written communications apply to email messages; that emails should not be used for frivolous, abusive or defamatory purposes, are actionable within the laws of defamation, and can constitute harassment and be used as evidence of such.
Informing Email Recipients
If your customers monitor email, they need to tell the people they’re exchanging emails with, so outgoing emails should say something like ‘Bloggs Builders may monitor email traffic data’. If they also monitor the contents, the warning should read ‘Bloggs Builders may monitor email traffic data and also the content of email for the purposes of [fill in the reason here].’
One problem with emails is the ease of choosing the wrong recipient. It’s too easy to click on the wrong name and to send an email that contains information you wouldn’t want someone else to read. There are technical solutions based on Data Leak Protection tools or Microsoft Information Rights Management. Alternatively, confidentiality notices are an attempt to get around this problem, though their legal status isn’t particularly strong. A typical confidentiality notice might read ‘Information in this message is private and confidential. If you have received this message in error, please notify the sender, and please delete the message from your system immediately.’
You can configure the email server to add a warning to all outgoing emails, or your customers could add the warning to their standard signature block. If your customers are private or public limited companies or Limited Liability Partnerships, the Companies Act 1985 requires all of their business emails to include their company registration number, their place of registration (Scotland or England & Wales) and their registered office address.
If your customers send financial statements, patient health information or other sensitive material, they may need to encrypt the emails in transit to meet regulations. In the past, the legislation governing the exchange of such data meant that organisations tended to send confidential information either by fax or post. The electronic equivalent is encryption.
The simplest option is to put sensitive information in an encrypted attachment. The tricky bit is exchanging the decryption key. This shouldn’t be sent by email for security reasons, so would need to be exchanged on the phone or by letter.
If your customers want to send sensitive information on a regular basis to the same people, suggest public key encryption with a system like PGP. This involves both the sender and recipient setting up a pair of cryptographic keys, and using a plug-in for the email client or a separate encryption program. Once the keys are set up, the customer can exchange encrypted emails without any requirements for passwords.
Public key encryption can also create digital signatures, so the recipient knows it was actually sent by the person claiming to be the sender.
Many companies accept credit card payments for goods, and if your customers do this, they are covered by the Payment Card Industry Data Security Standard, or PCI. They must protect payment information, and their own customers’ private information. Of particular importance is the PCI’s requirement for mandatory encryption.
On the whole, the easiest and safest advice you can give your customers for mixing credit card data and emails is – don’t. If they need to accept card data, it should be entered in a secure form and stored in an encrypted database. Storing card validation value (CVV) and personal identification numbers (PIN) is strictly forbidden, but other data can be kept in a secure system so long as it is properly encrypted and guarded. If your customers send confirmation back to their customers showing payment information, credit card information should be rendered unreadable (by the database export settings or DLP protection).
For example, they might send back a confirmation email along the lines of ‘Paid Using: Visa(exp. 2012/01)’, or ‘Paid using Visa ending 1234’. That’s enough information for the purchaser to identify the card, but not enough for other people to misuse it – or for your customers to be prosecuted or banned from processing credit cards.
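The masking just described, together with the outbound check that nothing unmasked slips into a confirmation email, is the part of this advice that can be enforced in code rather than by policy. Here is an added example written for this article (not code from any DLP product or from the PCI standard): a function that renders a card number as the kind of summary suggested above, and a simple scanner that flags Luhn-valid card-length digit strings in outgoing text before it is sent. The card number used is the widely published Visa test number, not a real account; the brand table is a simplified illustration, and the sample email body is constructed.

```python
"""Render card details unreadable in confirmation emails and check outgoing
text for unmasked card numbers.

Added example, not part of the original article. Only the last four digits
are ever placed in the outgoing message, as the article suggests; CVV and PIN
are never accepted by these functions at all.
"""
import re

# Digit runs of 13-19 digits, optionally separated by spaces or hyphens.
_PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; card numbers pass it, most order or phone numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Simplified brand lookup by leading digits (illustration only)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    return "Card"


def card_summary(pan: str, expiry: str) -> str:
    """Return the only form of the card that a confirmation email should carry."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a plausible card number")
    return f"Paid using {card_brand(digits)} ending {digits[-4:]} (exp. {expiry})"


def find_unmasked_pans(text: str):
    """Return full card numbers (digits only) found in outgoing text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def safe_to_send(text: str) -> bool:
    """Gate for the outbound mail path: refuse anything carrying a full card number."""
    return not find_unmasked_pans(text)


# Constructed sample: a confirmation that wrongly echoes the full number.
SAMPLE_CONFIRMATION = (
    "Thank you for order 100, paid with card 4111 1111 1111 1111 on 2012/01."
)


if __name__ == "__main__":
    print(card_summary("4111 1111 1111 1111", "2012/01"))
    print("unmasked numbers in sample:", find_unmasked_pans(SAMPLE_CONFIRMATION))
    print("safe to send:", safe_to_send(SAMPLE_CONFIRMATION))
```

`safe_to_send` is the hook to place in the mail-sending path or a DLP rule; it is deliberately a blocker rather than a logger, since a leaked number cannot be recalled once the message has left the server. The Luhn check keeps invoice and order references from being flagged, but a 13- to 19-digit reference that happens to pass Luhn would still be blocked, which is the safer failure mode.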
The Information Commissioner’s Office (ICO) has some useful documents to help your customers ensure they’re complying with the legislation, including a good checklist on the Data Protection Act, along with a PDF (www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_complete_audit_guide.pdf) you can use to put together a Data Audit showing customers are meeting the provisions of the act. The guide lays out methods for conducting data protection compliance audits together with a series of checklists.
The British Standards Institute (BSI) (www.bsi.org.uk) has standards for the authenticity and integrity of electronic information that could be used as evidence. BS 10008 covers electronic identity verification, the use of electronic signatures and electronic copyright systems, and linking electronic identity to particular electronic documents.
If your customers work in the financial services sector, the rules governing their data compliance and retention are more stringent, regulated by the Financial Services Authority (www.fsa.gov.uk/).