HelpSource Q&A 


We invite you to send your information systems audit, control and security questions to:

HelpSource Q&A
ISACA Journal
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA

Q: I believe that deployment and usage of ‘collaboration tools’ is the order of the day. With the wide and rampant use of e-mails, voice and normal conversations combined with blogs and social networking sites, what kind of policies should an organisation have in place?

You may also wish to share your thoughts on archival of e-mails by corporate entities. Is there a minimum, or rather ideal, period for which archives must be kept?

A: It is a very tricky scenario. On one hand, companies may restrict access to social networking sites and blogs as part of their Internet browsing policy; yet the same companies maintain a presence on such sites as well.

Corporate entities must have clear policies that define, in no uncertain terms, what their employees must and must not do, whether it is blogging, cell phone, e-mail or Internet use. I am sure you can write your own policies on what to do and what not to do. However, I believe it is essential that we understand the criticality of the matter given the litigious environment. There are many instances where companies have been held liable for the inappropriate acts of their employees.

Let me illustrate this with some real-life examples. An Atlanta, Georgia, USA-based company in the construction business was ordered to pay US $4.75 million in compensation to settle a lawsuit involving one of its employees. The employee had caused a car crash resulting in serious injuries while making business calls on a company-provided mobile phone.

This is not a unique case. I can quote many more similar cases:
  • A multinational banking giant paid US $500,000 in compensation to the family of a motorcyclist who was fatally injured when one of its brokers caused an accident while making sales calls on his personal mobile phone.
  • A state government was made to pay US $1.5 million in compensation to a pedestrian who was hit by a teacher, an employee of the state, who was driving while simultaneously speaking on the phone.
Employers can also be held liable for the actions of employees carrying out any business-related work:
  • A multinational oil company was made to pay US $2.2 million in compensation to a group of its women employees who sued it on grounds of sexual harassment. The allegation was that the company allowed some employees to use its internal e-mail system to circulate an e-mail containing sexually offensive messages.
  • A German bank was slapped with a fine of US $87.5 million for not having appropriate controls for e-mail archival and retention.
  • During the peak of the dot-com boom, a staff member at a multinational investment banking firm was publicly promoting the prospects of high-tech companies. However, one particular stock analyst and some of his colleagues were warning the company’s private investment clients to steer clear of many of the very same companies that the employer was propping up publicly. Unfortunately for his employer, the analyst had used the company’s e-mail system to circulate his thoughts. When regulators investigated the firm and discovered the analyst’s e-mails, it agreed to pay US $100 million in penalties.
  • A well-known investment bank was ordered to pay US $29.3 million in compensation for failing to produce subpoenaed e-mails. A former employee had sued the bank alleging discrimination, and it came to light during the trial that backup tapes were missing and e-mail messages had been deleted.
  • A UK-based company opted for an out-of-court settlement over alleged defamation of a competitor by some of its employees using its internal e-mail system. By the time the suit was filed and the trial started, the e-mail messages concerned had been deleted. However, the competitor obtained a court order forcing the company to search its backup systems to retrieve the data. The company tendered an apology and paid £450,000 in damages and costs to settle the case with the competitor.

A US blogger coined the term ‘dooced’, which means ‘to lose your job because of blogging’. She used her blog to rant about a lot of things, including her grievances with her employer, without actually disclosing her name. When her employer found out about the blog, she lost her job.

The list of examples is endless.

It is important for companies, in consultation with their own legal function, to determine the ideal period for e-mail archival and retention. I cannot prescribe a set period as the optimal one, as there is no one-size-fits-all approach.

It is equally important for companies to ensure that their employees use the e-mail systems in an appropriate manner, as anything else may come back to haunt them, as seen in some of the examples noted above.

Gan Subramaniam, CISA, CISM, CIA, CISSP, SSCP, CCNA, CCSA, ISO 27001 LA
is the global IT security lead for a management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big Four professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.