How private is your office e-mail? Not very, as The Boeing Co. CEO Harry Stonecipher discovered to his sorrow this month.
Post-stock-bubble rules such as the Sarbanes-Oxley Act add more risks and responsibilities to being a CEO of a public company than ever before. Worried about the possible impact, Boeing's board of directors preemptively fired Stonecipher before amorous e-mails he had sent to a female employee with whom he was having an affair were spread around the Internet.
But more than the boss' e-mail is attracting extra scrutiny these days. Executives and employees at all but the smallest firms should expect that somebody is snooping around their electronic communications.
"People think e-mail is as private as writing a personal letter," said Jim Forant, an IT director for Delaware Investments, a Philadelphia mutual fund company. "It's not. It's owned by your company."
According to a 2004 survey of 840 companies by the American Management Association, 60 percent said they use some type of software to monitor employees' incoming and outgoing e-mail, up from 47 percent in 2001. Twenty-seven percent also monitor internal e-mail.
Only a few states require companies to tell employees that their e-mail is being monitored.
"There is no expectation of privacy for Sandia e-mail," said Michael Janes, a spokesman at Sandia National Laboratories in Livermore, Calif.
Top-secret government entities were early adopters for obvious reasons and the lab has long used both software and staffers to monitor employee e-mails. Most companies began to monitor employee communication simply to cut down on e-mail spam and virus-laden attachments. The assumption was that threats were mostly external.
That assumption no longer holds true. High-profile legal cases against Enron Corp. and Wall Street analysts were won in part because of incriminating e-mail evidence written by employees and executives. One-fifth of the companies surveyed by the management association reported they had had their e-mail subpoenaed.
More prosaically, Sarbanes-Oxley and the Health Insurance Portability and Accountability Act, or HIPAA, in the medical area have stiffened penalties for companies that fail to show that employees are complying with data handling and privacy rules.
Banks and hospitals were among the first private-sector firms to begin monitoring e-mails. But others have followed - some to cut down on offensive or explicit language that could leave companies open to claims of hostile workplace environments, others to keep tabs on employees who may be spilling insider information.
"What we're seeing is the adoption of these same tools by industries that are not mandated by regulations to do so, because the risk created by not managing this content is unacceptable," said Zantaz Inc. CEO Steve King. The Pleasanton, Calif.-based firm makes software that lets companies such as Delaware Investments archive and monitor their e-mail.
Once e-mail is sent out into the wild, it is impossible to keep track of where it will end up.
"Just because you click send when no one's around doesn't mean it's not tracked, saved, received and archived," said Dave Eerikainen, an IT manager for a billion-dollar Virginia telecommunications company. The firm, which uses software from Emeryville, Calif.-based SendMail Inc., takes the extra precaution of "quarantining" unacceptable e-mails before they go out and notifying the sender.
Other e-mail accounts
Personal e-mail addresses such as Yahoo Mail or Hotmail are unlikely to be screened by firms, although any e-mail that is stored on a desktop computer's hard drive, even if later deleted, can be recovered by company techies.
That is what happened at Volterra Semiconductor Corp. FBI agents last month found deleted personal e-mails stored on the desktop computer of a former employee of the Fremont, Calif. chipmaker. The e-mails documented that the employee had sent Volterra's proprietary chip designs to a Taiwanese firm he planned to join, according to the FBI. That ex-employee is being charged with theft and faces up to ten years in prison.
VoIP calls next?
The next frontier is voice-over-Internet-protocol, or VoIP, calls, which many companies are adopting because it offers more features and lower costs than conventional analog phone systems.
Because of their digital nature, VoIP calls or voice mails can be easily stored on hard drives, according to Todd Cadley, a spokesman for data storage vendor EMC Corp., which also offers e-mail monitoring software.
While none of the e-mail vendors allows companies to store and scan VoIP calls for keywords or heightened emotions indicative of a conflict, the technology is expected to be available soon.
"I don't think companies will monitor VoIP calls," Forant said. "But several years ago I wouldn't have thought it necessary to monitor e-mail, either."