Policies: why they need to be implemented as written

Written by Brett Callow on February 13, 2009 – 3:15 pm

Do you have the right to view messages sent by employees using company equipment? What about if those messages are stored on the network of a service provider, such as Gmail? Do you still have the right to view them? Yup, you probably do, but there could be some hidden pitfalls.

Last year, the U.S. Ninth Circuit Court of Appeals decided that a wireless service provider which provided a copy of a person’s text messages to his employer had violated his Fourth Amendment rights – despite the fact that it was the employer that held the contract with the service provider. The Court’s decision can be viewed here.

The background to the case was as follows. The city of Ontario issued pagers to its employees, including police officer Jeff Quon. The city’s contract with Arch Wireless, the service provider, enabled each pager to send and receive 25,000 characters per month after which excess usage charges applied. The city had in place a computer and email policy which stated:

The use of City-owned computers and all associated equipment, software, programs, networks, Internet, e-mail and other systems operating on these computers is limited to City of Ontario related business. The use of these tools for personal benefit is a significant violation of City of Ontario Policy.

Subscribe to my RSS feed

The risks of personal email accounts

Written by Brett Callow on February 3, 2009 – 3:15 am

In Are you giving away your password? Dan Blacharski blogged about the perils associated with using weak passwords or passwords based on information that is in the public domain:

We still wonder how people managed to hack into our email accounts–but a recent survey gives us the answer. Is your email password “Spot”? How about “Rover”? Oh, you’re a cat lover? Okay, then I guess “Fluffy.”

According to a survey on the people search website www.yasni.co.uk, 83 percent of British users responding to the survey use their dog’s name, or their own date of birth or maiden name as a password on private email accounts, or even worse, to log onto online banking.

But passwords are not the only problem; password reset information is equally vulnerable to exploitation. You remember what happened to Sarah Palin, right? Her personal email account was hacked because the answers to the password reset questions for her Yahoo! email account (zip code, birthday and where she and her husband met) were all easily found online. At the end of the day, it didn’t really matter whether her password was “Fluffy” or “$up4r$str0ngP@$$w0rd” – the reset questions provided an easily exploited backdoor.

E-discovery costs can bust your budget

Written by Brett Callow on January 30, 2009 – 5:03 pm

Could you imagine having to spend a budget-busting $6 million on e-discovery for a case to which you were not a party? That’s exactly what happened to the Office of Federal Housing Enterprise Oversight (OFHEO) – and the costs amounted to 9% of its annual budget. Ralph Losey, a lawyer specializing in e-discovery, has posted an excellent overview of the case to his blog, but here’s a quick summary:

OFHEO regulates the Federal National Mortgage Association, commonly known as Fannie Mae. In 2003, OFHEO examined Fannie Mae’s accounting and financial practices and concluded that it had manipulated its reported earnings in order to artificially inflate the performance-related bonuses paid to its executives. Fannie Mae reached a settlement with OFHEO in which it agreed to take remedial action to address the recommendations made by OFHEO and pay a $400 million civil penalty. Matter closed – or so OFHEO thought. But not so.

OFHEO’s report prompted a civil action by Fannie Mae’s customers. Fannie Mae’s executives subpoenaed OFHEO records, claiming that those records would help their defense by demonstrating that they “had been completely transparent with OFHEO,” that “OFHEO had approved Fannie Mae’s accounting and compensation practices,” and that the OFHEO investigation “was politically motivated and biased.” OFHEO’s counsel agreed to provide the documents by a specified date, with the Fannie Mae executives being able to specify the search terms.

Archiving: can you do it in Exchange without a third-party solution?

Written by Brett Callow on January 23, 2009 – 5:51 pm

Email archiving solutions used to be nice-to-have, but today they have moved into the realm of business necessity. In his post Six Tips on Email Archiving Solutions, Carl E. Reid outlined some of the compelling reasons why businesses need an email archiving solution. In a recent review of GFI MailArchiver, Tom Olak, CISSP, pointed out some of the specific challenges that businesses face. Those include:

  • Messages distributed across hundreds of end-user devices in personal archive files (e.g. .PST)
  • The ability to efficiently search thousands of messages for one or more pieces of information, as specified in a discovery request, possibly extending over several years
  • The ability to place on hold messages identified as relevant to a discovery request
  • Enforcement of retention policies
  • Efficient use of storage
  • Easy access to archives by end-users and administrators
  • Maintain acceptable overall performance of production messaging system
