TABLE OF CONTENTS

I.   Secure Email
II.  Data Classification
III. Questions to Ask
IV.  Passwords
V.   Prevention Policies
VI.  Legal Issues
VII. Liability Risks

Security Policy & Procedure Guidelines

I. Defining Secure Email

A. Confidentiality - not for public consumption
B. Integrity - data has not been altered
C. Authentication - ownership
D. Three primary forms of Internet data are:

  • Data posted on the web by the owner
  • Data posted by others (chat room)
  • Data posted by others without the consent of the owner



II. Data Classification

  • Restricted: sensitive data
  • Private: nonpublic personal information protected by government regulation
  • Internal: data available to employees and non-employees
  • Public: non-sensitive information


III. Questions to Ask

A. What is Encryption?

Encryption is a method of sending authenticated email: a message cannot be read or altered unless the recipient has the key and/or password needed to decrypt the file, and the recipient can confirm that messages are from whom they appear to be from. PGP (Pretty Good Privacy) is a well-known product that can achieve this.

B. How do I decide who I should use email encryption with?

  1. Business to Business
  2. Business to Client
  3. Client to Business
  4. Frequency of Correspondence

C. What capabilities should my software provide to protect my company?

    1. Authentication - the ability to verify that the person receiving the message was the one intended. (Password)
    2. Message Integrity - that the message was not altered from point A to point B.
    3. Non-Repudiation - verify that the sender is who they claim to be and that it was their intention to send this message to the recipient.
    4. Firewall - A firewall is a method of protecting the internal mail network from external attack.
    5. Intrusion Detection (Ingress & Egress Logging) - the ability to report and detect unusual activity that may be indicative of an attack from the outside or one being initiated from internally against someone else.
    6. Anti-Virus - This feature provides the ability to scan all incoming messages and attachments for viruses, Trojan horses, worms, etc. It should be able to stop, delete or quarantine as necessary.
    7. Anti-Spam - Filtering of junk email, which can be dangerous because it can overload the mail server and bring it down.
    8. Policy Manager - The policy manager allows Information Security to set limits on who can send what to whom, whether or not authentication, Message Integrity, Non-repudiation or Encryption is required based on sender, recipient and content among other things.
    9. Confidentiality - Email Encryption is used to "encode your messages" which are then decoded by the recipient after delivery.
    10. Spoofing - Taking the identity of someone. This is easily done without the proper software because SMTP (Simple Mail Transfer Protocol) lacks authentication. If a site has configured the mail server to allow connections to an SMTP port, anyone can connect to that site and issue commands that will send email that appears to be from the address of the individual's choice. If a request seems shady, investigate it and do not respond.
    11. Steganographic Content on the Internet - data hidden in the images themselves.
    12. Integration - which software best fits my existing system



IV. Password Policies

Protect your password file so that an intruder cannot obtain a copy of it. Ensure that good passwords are selected so that they cannot be easily cracked, or use a technology in which passwords are not located in the password file.
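As an added example that is not part of this guideline, the check below parses a UNIX password file and flags entries whose secret still sits in the world-readable password file rather than in the shadow file, which is the technology the paragraph alludes to. The sample entries are constructed, not taken from any real system.

```python
# Constructed sample of a UNIX password file with mixed entries (not a real system file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/sh
legacy:$1$abcdefgh$0123456789abcdefghijkl:1002:1002:Legacy:/home/legacy:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
svc:!:1004:1004:Service:/var/svc:/sbin/nologin
"""


def audit_passwd(text):
    """Return (username, problem) pairs for entries that keep a usable secret
    in the world-readable password file instead of the shadow file."""
    problems = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((fields[0], "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            # An empty second field means the account can log in without any password.
            problems.append((user, "empty password: login without a password"))
        elif pw in ("x", "*", "!"):
            # "x": hash lives in the shadow file; "*" / "!": account is locked.
            continue
        elif pw.startswith("$"):
            # Modular-crypt hash ($1$, $6$, ...) readable by every local user.
            problems.append((user, "password hash stored in passwd file, exposed to every local user"))
        else:
            # Anything else is a legacy 13-character DES hash, which is easily cracked.
            problems.append((user, "legacy DES hash in passwd file, easily cracked"))
    return problems


if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{user}: {problem}")
```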



V. Prevention Policies (Deterrence)

A. Use cryptographic signatures

Use cryptographic signatures (e.g., PGP, "Pretty Good Privacy", or other encryption technologies) to exchange authenticated email messages. Authenticated email provides a mechanism for ensuring that messages are from whom they appear to be and that the message has not been altered in transit. Similarly, sites may wish to consider enabling SSL/TLS in their mail transfer software; using certificates in this manner increases the amount of authentication performed when sending mail.

B. Consider a single point of entry for email to your site.

You can implement this by configuring your firewall so that SMTP connections from outside your firewall must go through a central mail hub. This provides centralized logging, which may assist in detecting the origin of mail spoofing attempts against your site.
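The spoofing point from section III (SMTP lacks authentication) and the centralized logging that a single mail hub gives you can be combined into a simple detection pass. The example below is added here and is not from the original guideline; the log line format, the internal domain example.com and the internal network range are assumptions, and the sample lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape a central mail hub might log
# (client IP, envelope sender, header From, recipient). Not real log output.
SAMPLE_LOG = """\
2003-05-01T09:12:03 client=192.168.10.25 from=<alice@example.com> hdr_from=<alice@example.com> to=<bob@example.com>
2003-05-01T09:14:41 client=203.0.113.7 from=<news@partner.example> hdr_from=<news@partner.example> to=<bob@example.com>
2003-05-01T09:20:17 client=203.0.113.7 from=<ceo@example.com> hdr_from=<ceo@example.com> to=<finance@example.com>
2003-05-01T09:25:55 client=198.51.100.4 from=<bounce@mailer.example> hdr_from=<helpdesk@example.com> to=<bob@example.com>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) from=<(?P<env>[^>]*)> "
    r"hdr_from=<(?P<hdr>[^>]*)> to=<(?P<to>[^>]*)>$"
)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_spoofing(log_text, internal_domain, internal_nets):
    """Return (timestamp, client, header From, reasons) for lines that look spoofed:
    a sender claiming the internal domain but arriving from a relay outside the
    internal networks, or an envelope/header From domain mismatch."""
    nets = [ip_network(n) for n in internal_nets]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not message records
        client = ip_address(m["client"])
        from_inside = any(client in n for n in nets)
        claims_internal = internal_domain in (domain_of(m["env"]), domain_of(m["hdr"]))
        reasons = []
        if claims_internal and not from_inside:
            reasons.append("internal sender from external relay")
        if domain_of(m["env"]) != domain_of(m["hdr"]):
            reasons.append("envelope/header From domain mismatch")
        if reasons:
            findings.append((m["ts"], m["client"], m["hdr"], reasons))
    return findings


if __name__ == "__main__":
    for ts, client, hdr, reasons in find_spoofing(SAMPLE_LOG, "example.com", ["192.168.0.0/16"]):
        print(ts, client, hdr, "; ".join(reasons))
```

Matches are leads to investigate rather than proof of spoofing: legitimate traffic such as staff sending through an outside provider or a partner's bulk mailer also trips these rules.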

D. Educate your users about your site's policies and procedures

This is to prevent them from being "social engineered," or tricked, into disclosing sensitive information (such as passwords). Have your users report any such activities to the appropriate system administrator(s) as soon as possible.

E. Employee Compliance

If employers give their employees the impression that the employee has a right to his or her own policy with email, it can come back to haunt the employer in a court of law. The employer should prohibit the private use of email and remind employees that email will be monitored for compliance.



VI. Legal Issues

A. Authentication

The authentication standard is no different for web site data or chat room evidence than for any other. Under Rule 901(a), "The requirement of authentication…is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims." United States v. Simpson, 152 F. 3d 1241, 1249 (10th Cir. 1998)

B. Hearsay

    1. Expert Witness - Under FRE 801 if an expert witness submits an affidavit detailing what he/she viewed, hearsay would not apply.
    2. Chat room - The question here falls under the function of data entry authentication.
    3. Business and Public Records - If the data is downloaded and printed it does not lose the business and public record category. (Rule 803(6) or (8)).
    4. Market Reports & Tables - Rule 803(17) excludes from the hearsay rule market reports such as stock, interest rate, bond and currency quotations; real estate listings; and telephone books.
    5. Email Evidence - Basic criteria that email was sent, or was sent by a specific person.
      • See also United States v. Siddiqui, 215 F. 3d 1318, 1322-23.



VII. Liability Risks

A. How does evidence get created?

    1. Federal Rule of Evidence 1001 treats email and other computer generated data as writings and recordings. Companies should create and continually audit policies on email retention.
    2. The largest number of cases with email has involved employment-related disputes, including wrongful termination, employment discrimination and sexual harassment.
    3. Document retention policies are very important. The existence of a document policy may be a mitigating factor if evidence is destroyed.

The courts consider 3 factors:

      • Whether a record retention policy is reasonable considering the facts and circumstances surrounding the relevant documents.
      • Whether the policy was adopted in bad faith.
      • Whether lawsuits have been filed or complaints made that warrant that certain categories of documents be retained. The retention term should equal the applicable statute of limitations or regulatory review period.

As stated by one court:

    While a litigant is under no duty to keep or retain every document in its possession once a complaint is filed, it is under a duty to preserve what it knows, or reasonably should know, is relevant in the action, is reasonably calculated to lead to the discovery of admissible evidence, is reasonably likely to be requested during discovery and/or is the subject of a pending discovery request.

B. Electronic Record Retention

Because different organizations use different hardware and software, a company's burden cannot be judged by direct comparison with another's. UNIX-based systems, for example, have a built-in deletion policy. Therefore, companies should develop an email system rather than just an email policy.

    1. An email system would entail automatic deletion of all historic email (other than official communication). A company policy should include employee education to ensure that any policies are implemented routinely and systematically.
    2. Official vs. unofficial email should be distinguished to avoid broad court orders or retention obligations. Unofficial email should be routinely purged. Official email should be printed and stored in a special location with a chain of custody, as part of the overall policy.
    3. Unofficial email should be purged as often as every 60 to 90 days, at regular intervals such as every Friday night.
    4. An email retention system that provides that only official email will be retained also improves a company's chances of being able to use email evidence offensively in litigation, as a business record, rather than having email used against it.
    5. When it comes to attorney-client privilege, if there is no policy in hand, privileged documents will be exposed among the enormous volume of email messages being reviewed.

In summary, courts may assess the reasonableness of both the general retention period and the categories of documents subject to destruction, and may consider whether a longer retention period should apply to specific categories of documents.
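As an added example that is not part of the original guideline, the function below applies the official/unofficial split and the 90-day retention window from the list above, and also honors the duty to preserve quoted in section VII.A by holding back messages that match a litigation hold term. The mailbox inventory, the audit date and the hold term are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed mailbox inventory: (message id, date received, official?, subject). Not real data.
SAMPLE_MAILBOX = [
    ("m1", date(2003, 1, 10), False, "lunch on friday?"),
    ("m2", date(2003, 1, 15), True, "signed contract with Acme"),
    ("m3", date(2003, 1, 20), False, "re: Acme delivery complaint"),
    ("m4", date(2003, 4, 28), False, "parking reminder"),
    ("m5", date(2003, 2, 2), False, "draft memo"),
]

# Constructed "as of" date for the purge run (assumption for the example).
AUDIT_DATE = date(2003, 5, 2)


def select_for_purge(mailbox, today, retain_days=90, hold_terms=()):
    """Return (purge_ids, kept) where purge_ids are unofficial messages older than
    retain_days that are not under a litigation hold, and kept explains why each
    other message is retained. Official mail is never selected for purging."""
    cutoff = today - timedelta(days=retain_days)
    held = [t.lower() for t in hold_terms]
    purge, kept = [], []
    for msg_id, received, official, subject in mailbox:
        if official:
            kept.append((msg_id, "official record: retained"))
        elif any(t in subject.lower() for t in held):
            # Duty to preserve: relevant mail must survive even if it is unofficial and old.
            kept.append((msg_id, "matches litigation hold: preserved"))
        elif received > cutoff:
            kept.append((msg_id, "within retention window"))
        else:
            purge.append(msg_id)
    return purge, kept


if __name__ == "__main__":
    purge, kept = select_for_purge(SAMPLE_MAILBOX, AUDIT_DATE, hold_terms=("acme",))
    print("purge:", purge)
    for msg_id, why in kept:
        print("keep:", msg_id, why)
```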


 

Email: info@ljforensics.com | Phone: (800) 498-2188
©2003, LJ Forensics Consulting Services