You can stop staring at the ceiling each night, wondering. A new study
has confirmed what many a cubicle dweller has long suspected: Many
companies, maybe even yours, are monitoring outgoing e-mails.
According to a new survey conducted by Forrester Consulting and sponsored
by Proofpoint Inc., a company that makes anti-spam and filtering software,
more than 43 percent of corporations with more than 20,000 employees employ
staff to monitor and read outbound e-mail.
The survey of 140 corporate decision-makers found that companies’ concern
about employees leaking sensitive information via e-mail ranked as the
biggest reason behind the snooping policy.
The study said almost 75 percent of large corporations
view reducing the financial and legal risks of outbound e-mail as
“important” or “very important.”
Another concern driving the monitoring trend, respondents said, is ensuring that the enterprise is complying with personal,
financial and healthcare privacy regulations, such as Sarbanes-Oxley,
Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Gary Steele, CEO of Proofpoint, said the firm believes that, over time,
enterprises will put technology in place to help them manage the threat of
information leakage. “We see an opportunity for many companies to establish
policies” along these lines too, he told internetnews.com. In the
meantime, however, many scanning products aren’t really up to the task, he
On the other side of the equation, he added, “individuals need to think
about their use of the corporate e-mail system. We recommend that people
keep and use a personal e-mail address outside the corporate system.”
Although the survey didn’t ask how far a company may or
may not go to watch how its employees use company property and adhere to e-mail policies, Steele said observing privacy policies regarding federal
regulations was often cited in the results. For example, one of the
HIPAA mandates is that personal medical information be kept confidential, which means it should not be e-mailed without certain protections. HIPAA regulations govern how healthcare organizations share and store information about patients.
The Forrester/Proofpoint survey also found that about 30 percent of all
respondent companies rely on staff to monitor outbound e-mail
content. And the larger the organization, the more prevalent the practice.
For example, 43.6 percent of companies with more than 20,000 employees used
personnel to monitor outbound e-mail. In addition, another 33 percent of all
companies reported that they conduct regular audits of outbound e-mail
content. More than 38 percent of large companies said that they
regularly audit the content of outbound e-mail.
Staggering stats? Forrester thought so, but not how you may think. In its
summary and conclusions, the research firm’s consulting group suggested the
results are a testament to “the widespread failure of current
content-scanning technologies to stop the leak of intellectual property,
confidential memos and embarrassing information from the enterprise.”
Almost 75 percent of companies with 20,000 or more employees said that
reducing the financial and legal risks associated with outbound e-mail is “important” or “very important” in the next 12 months.
Other findings: less than 12 percent of companies report that they have
deployed technology for detecting intellectual property breaches in outbound
e-mail. The most common technique used for detecting these e-mails remains
physical review by hired staff.
The survey comes on the heels of a recent federal court ruling that held it
is perfectly legal for ISPs to read and copy the inbound e-mail of their
clients. The ruling by the U.S. Court of
Appeals for the First Circuit in Boston held that e-mail does not enjoy
the same eavesdropping protections as telephone conversations, because it is
stored on servers before being routed to recipients.