If you thought Year 2000 was a potentially explosive issue, wait until people start banging on your doors demanding tamper-proof records of all e-mails sent and received for the past three years. If ensuring ISO 9000 certification was a pain on the bottom line, imagine the blow to profits from having to pay huge damages through being criminally negligent in securing e-mails and the records of them. Lars Davies considers the issues.
Whether we like it or not, e-mail has replaced fax and become the de facto communications medium worldwide. But Internet e-mail was never meant to be this important, to have had such an impact, so quickly, on a scale equal only to the emergence of telephone networks a century ago.
Everyone has been caught off guard, not least the software suppliers whose e-mail systems designed less than four years ago are now hopelessly underpowered. Nations and governments, police and armed forces, and whole taxation and legal communities have been equally lead-footed in their ability to embrace electronic messaging as something more important than digital postcards.
The bottom line features two key developments. First, an unprecedented adoption of a wholly new communications medium, without the slightest intervention from previously omnipotent national and international licensing authorities. Secondly, organisations of all types and sizes have been left without any commonly understood frameworks or systems for managing e-mail communications both internally and via third parties.
It is precisely that lack of control, at both regulatory and commercial levels, which is leading to potential disaster. And at the heart of it all is the issue of e-mail liability, requiring companies and their directors to take precisely the same due care and attention in respect of e-mails as they have been required to take in the past with paper and fax communications.
The Present and Developing Position
Currently, there’s now law regarding the validity of e-mail receipts, which are currently little more than gimmicks making an e-mail look more secure than it actually is and which would stand little chance as evidence in a court of law. Just as guaranteed copies of typed and faxed correspondence are now used in court, so e-mail correspondence will soon carry the same evidential weight when supported by the same exhaustive traceability. That in turn means companies will be compelled to take on board the highest levels of best practice, if not necessarily the most expensive and immensely sophisticated systems promising absolute security. As the need to develop such systems becomes less an optional safeguard and more an unambiguous corporate responsibility, so the burden of proof is shifting to companies that don’t keep e-mail records. If you can prove in a court of law that certain messages were sent, and delivered and received, and you have copies to prove it, judges will be asking why copies of all correspondence weren’t kept at the receiving end.
Hence, while the laws aren’t yet in place, the environment is shifting inexorably as though they were. Companies will be increasingly unable to cite outdated practices as a mitigating factor when others are taking responsible actions now.
Other pressures are coming to bear on recalcitrant directors, not least insurers whose risk-averse nature is highlighting the potential for e-mail damage. Higher premiums for those who can’t prove safe and secure e-mail environments will no doubt help to promulgate the message through markets where some 90% of companies have no insurance or legally binding measures regarding e-mail.
The IT industry is trying to get out of this difficulty with heavy investments in individual technologies like public key infrastructure (PKI), firewalls, encryption and virus scanning. But simply rolling out PKI and other tools is not enough. Apart from the incompatible technology and management issues surrounding their long-term effectiveness, some software vendors have a vested interest in selling as much as possible regardless of applicability to any individual site. As a result, many companies are spending large sums on solutions that simply don’t work or provide the levels of security first assumed. All of which makes PKI in particular a sticking plaster, and at best merely a useful point tool, which is part of a much larger integrated solution.
Time is running out but there’s no need to panic – just yet.
Solutions
As with Y2K, assessments need to be made first as to where the potentially most vulnerable areas within the company are, and appropriate plans made. To do so effectively will require clear lines of communications between IT, for its implementation and management capabilities, and business management, which is now compelled to understand the need for both secure messaging and archiving solutions.
Standard bearers
Technology is not the only player here, as governments and national authorities begin to catch up. In fact, the UK government, normally five steps behind on such issues, has thankfully managed to spot the danger signs and put itself ahead of the game, not least through its parellel efforts to make company directors liable for properly managing electronic information.
It is also promoting best practice standards for managing and storing electronic information via the British Standards Institute, which has tabled two complementary proposals that will play a major role in creating a commonly understood e-mail security framework. One virtually guarantees the authenticity of electronic documents and e-commerce transaction, so they can be used as legally admissible evidence, while the other covers the storage media on which the electronic documents are copies and stored. While neither in itself guarantees legal admissibility of the documents, proof that they have been implemented and adhered to will confer tremendous evidential weight. That in turn will instill greater confidence and promote online trade; once companies and individuals are convinced of the authenticity and robustness of systems, history tells us they will always embrace them.
Future
Right now, however, there remains a palpable universal anxiety in transmitting and transacting across the Internet, coupled with a crisis of confidence emerging over the number of spam attacks and Web sites being hacked. But this isn’t stopping the volume ofe-mails, forecasted by some to reach over 12 billion a day by the end of 2001.
As a result, an explosive cocktail is in the making. Any one of those 12 billion e-mails could potentially bring down the world’s biggest companies, the Internet was not designed to handle enormous traffic levels, e-mail applications do not guarantee safety and authenticity, and insurers aren’t going to hang around waiting to pay out huge e-mail damage claims.
You must act now, preferably in concert with your IT operations but with third parties if necessary, to implement technology that enables completely secure e-mail delivery services, and provides legally admissible proof of delivery and receipt.
Because it is now a matter of when, and not if, a big names gets hit hard in the courts because it hasn’t done so – a result Y2K failed to produce.
Lars Davies is Chief Information Officer at 5GM Ashurst Morris Crisp.
