Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Strategic Security: The Encryption Conundrum: Page 2 of 2

A recent federal case set forth this exception to the general rule that employers have broad access to data on employees' computers. Lara Curto sent e-mail messages regarding her employer's alleged violation of a federal employment statute to her attorney using her AOL account from her company-issued laptop. Before leaving the company, she deleted copies of the relevant e-mails and files, but the employer retrieved them with the help of a forensic consultant. Because the employer had not regularly enforced the personal use ban, Curto's communications and files were protected, preventing the employer from viewing or using the e-mails and files in litigation.

The company had only enforced the personal-use ban in a handful of instances--with an employee suspected of gambling and another who was downloading pornography. The court said this wasn't enough to find that Curto had waived her attorney-client privilege. If she did have an expectation that the e-mails would be monitored, then her behavior--sending the e-mails from her AOL account on a company laptop--would have been found to be careless enough to destroy the privilege.

Keep in mind that end-to-end encryption doesn't require this loss of network traffic visibility. Many products provide backup keys that may let security or human resources personnel monitor encrypted e-mail. When evaluating encryption products and the security and legal risks that you are attempting to mitigate, make sure the ability to monitor is high on your list of requirements. The other way to address the issue, of course, is to choose an architecture that encrypts e-mail at the gateway rather than the desktop, which provides centralized monitoring capabilities.

The key to mitigating risks is identifying your e-mail priorities, whether it be regulatory compliance, usability or maintaining the ability to monitor communications. But neither the information security manager nor even the CIO can properly undertake this task alone. Your in-house general counsel or outsourced compliance specialists also should be at the table to help you apply the rapidly evolving standards imposed by information security and data privacy laws and regulations.