Lock IT Down: E-mail surveillance may be a necessity at your company

Security and legal regulation may require some form of e-mail surveillance

E-mail surveillance is an important issue in the banking and financial services industry for preventing security leaks. But the technology for e-mail surveillance may soon become your responsibility, regardless of your industry. When should you consider monitoring your firm’s incoming and outgoing e-mail? Can you get by with a low-end solution, or will you require an expensive solution?

The answers depend on your specific needs, according to a study by the Tower Group. The research group says the market is currently a cool $12 million a year for e-mail surveillance tools, with an expected increase by 25-35 percent a year over the next three years. Today’s high-end solutions are being used almost exclusively by:
  • Full service brokerage firms
  • Online stock traders
  • Bank-brokerages
  • Independent brokers
  • Registered investment advisors
  • Banks

Why surveillance?
Reasons for using e-mail surveillance include:
  • To comply with SEC regulations
  • To protect against inappropriate dissemination of sensitive data, including medical records, personnel files, insurance claims, and banking information
  • To protect corporate proprietary information, such as product design
  • To protect a company from potential liability due to inappropriate and offensive language
  • To archive a growing part of a company’s knowledge
  • To protect against incoming computer viruses

To comply with SEC regulations
Emerson Thompson is senior vice president for financial services for SRA International. SRA manufactures a software product called Assentor, which is designed to support enterprises that are concerned with supervision and regulatory compliance on e-mail. Since the SEC approved NASD and NYSE rules regarding e-mail surveillance in 1997, Thompson says “reasonable supervision has to be done on any e-mail communications with customers to avoid violation of SEC rules. That means hyping of stock, downplaying risk, all the various things that registered representatives are beholden to do according to SEC rules. This has to be supervised on e-mail just as it does on written correspondence.”

One of SRA’s customers is Derek Brooks, manager of applications development at the full-services brokerage firm Scott & Stringfellow. He has used e-mail surveillance since it was developed by SRA in 1997. “We decided to use it for two reasons,” Brooks said. “The first was firm preservation, that is, to protect us from discrimination and things like that. The second was the fact that we are regulated to do so in some fashion.”

To protect against inappropriate dissemination of sensitive data
Many companies charged with protecting information such as medical records, reports, and other data are vulnerable to having that information sent inappropriately through e-mail.

To protect corporate data and secrets
Sensitive corporate information walks out the door every day—in briefcases, under jackets, and through e-mail. Can you trap someone who’s stealing corporate information via e-mail? “Possibly,” Thompson said. “Firms that are using those patterns may find cases where information is being passed in e-mail messages that’s not supposed to be.”

To protect a company from potential liability
Thompson believes e-mail surveillance will find a wider corporate audience for firm preservation issues. “One of the byproducts of Assentor is that it is quite easy to add patterns for firm preservation involving inappropriate language in messages, harassment, seven dirty words, that type of thing. Some firms have contacted us regarding that capability. In some cases, we have clients that want to use the securities patterns for their registered people, but they want to use the firm preservation patterns for everybody else.”

Brooks says that one of the top reasons his firm uses e-mail surveillance is “to protect our associates from harassment, [to watch for] profanity, to sort of keep an eye on things to make sure that the work environment stays clean.”

To archive a company’s knowledge
“Think about all the information that is stuck in your e-mail system, which no one will ever find because it’s all locked up in the text of a message,” said Tim Landgrave, president and CEO of eAdvantage. “How many e-mail threads go back and forth in a company on discussion of a single topic in all the internal mail? Now, what if those e-mail threads were saved in an archive and could be indexed and brought up when you are researching an internal topic?”

Why bother? “Because 90 percent of a company’s knowledge is trapped in e-mail messages and it never goes anywhere else,” said Landgrave. “Think about all the conversations that take place every day via e-mail. That information is trapped. We need a way to index it, filter it, and bring it back out.”

Landgrave added, “If you can screen for a phrase like ‘sure bet’ [as in, that stock is a sure bet], why can’t you screen for keywords like, say, ‘outsourcing’ in internal mail?” Then, if you were doing an internal report on outsourcing security, you could “bring back and read all the internal e-mails that once floated around discussing that topic.”

According to Thompson, “It’s only a matter of time until all firms will have some sort of e-mail compliance. Whether or not they need or want archiving is another question. Some are very interested in the archiving only, and others are interested in the e-mail scanning and not the archiving.” If all your company wants to do is archive e-mail, Thompson said, “you could probably buy other solutions without going to the trouble of having an e-mail scanning engine and all the different things that Assentor offers.” However, he added, “Some companies have to keep archived versions of correspondence in such a way that the archived information cannot be altered.”

To protect from viruses
“As a reaction to viruses, vendors are now allowing you to intercept a message from the Internet to the firewall, before it hits the mail server stores,” Landgrave said. “You can look at that message, its content, where it’s from; you can dissect it programmatically, check it for viruses, check it for keywords, do whatever we want with it. As mail comes in, we’ll check it for keywords and decide if we should put it in the store or a pending mail folder, delete it, or return it with an automatic reply saying it’s unsuitable. Checking is currently being done at the client level, and sometimes that’s too late. E-mail vendors are building that in their products.”

What if you want e-mail surveillance?
If your firm decides it needs e-mail monitoring, what are your choices? As the experts see it, you have three e-mail surveillance options:
  • Do it yourself. In-house-designed software is your first option, but Thompson doesn’t recommend that approach. “We don’t find those to be nearly as effective,” he said.
  • Use a new e-mail package. “You can do this in the next versions of Exchange (2000) and Notes,” said Landgrave. “Every new e-mail system has added the ability to trap e-mail messages when they go in or out of the stores. They are doing that now to check for viruses.”
  • Buy an expensive, high-end solution. According to the Tower Group, four firms have off-the-shelf solutions, which are currently in use at financial services firms:
    1. SRA International—clients include more than 70 firms using its Assentor product
    2. Worldtalk—clients include Fannie Mae and Mass Mutual
    3. PaperLess, Ink—clients include Daiwa Securities and Josephthal & Co.
    4. Amicus Networks—clients include Sigma Financial and National Planning Corp.

The Tower Group says that SRA is the “current leader” in terms of brokerage clients, but it expects niche markets to open up for the other vendors.

Does surveillance delay the mail?
A delay in communication of important and timely information is a big issue with e-mail surveillance. As a response to customer demand, SRA and others have added a choice of post-review or pre-review of e-mail. The Tower Group report indicates that “the overwhelming majority of e-mails are now surveyed via post-review surveillance, rather than pre-review.” As a result, e-mail gets through, but if something is amiss, it’ll be caught eventually.

Thompson describes the process of e-mail surveillance: “Essentially, we process all mail before it leaves the firm and when it enters the firm. We take the messages apart, all the pieces and parts and attachments and attachments within attachments, and so forth, and we scan all the textual information using an artificial intelligence type capability that we’ve developed over many years at SRA. We examine those messages to see if there are any potential violations.” And if they find a violation? “If we find something suspect, we’ll assign a probability factor to that item and any other items we discover in the message. Then, depending on the threshold settings that the firm has chosen, we’ll check our discoveries against the thresholds. If any thresholds are breached, we’ll quarantine the message for human review—review by a corporate compliance officer. He or she may then send it or return it to the sender.”

Keywords vs. natural language
Brooks said: “Assentor does both keyword searching and natural language processing. So it’ll put words in context.” The Tower Group report adds, “Two basic types of surveillance technology—keyword and phrase search, and natural language—are in use in the systems now on the market.” SRA’s Assentor is the only one that uses natural language search technology, which is “designed to scan and recognize language patterns and to dynamically update its internal lexicon,” according to the Tower Group report. “The other three systems…rely on variations of the keyword and key phrase search technology and are equipped with databases and rule sets that can pick out words, word patterns, and sequences. One example would be the ability to flag compliance whenever a number of predetermined words (‘unique…opportunity…get in now!’) appear in the same sentence.”

Thompson said: “We find that keywords create too many false positives to be useful. So we’ve incorporated a natural language capability, which reads text somewhat like a human being would read it. It understands the meanings of words and phrases in context.” Using the word “free” in an e-mail would be a good example, Thompson said. “If you had a keyword system and that’s all it was doing, the word 'free' would likely be flagged as a word that’s prohibited. So, if you had a message that said ‘We offer free checking' and 'free' was a keyword, it would be flagged unnecessarily. However, 'free checking' would not necessarily be inappropriate; it’s very appropriate in banks. So you wouldn’t want to quarantine that message. The idea is to minimize the number of messages that are being quarantined and that require human review.”
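The review flow and rule types described above, sketched as an added example (it is not SRA's Assentor code or anything from the vendors named here): every text part is scanned, including text inside an attached message, same-sentence word rules are applied, and the message is quarantined when any finding reaches a threshold. The rule names, scores, threshold, and the "free checking" context exception are constructed assumptions; the exception is a crude stand-in for natural language processing.

```python
import re
from email.message import EmailMessage

# Constructed rules (assumption): name -> (terms that must share one sentence, score)
RULES = {
    "sure_bet": (("sure bet",), 0.7),
    "pressure_pitch": (("unique", "opportunity", "get in now"), 0.8),
    "free_offer": (("free",), 0.6),
}
# Phrases that make a keyword benign; removed before that rule is matched.
BENIGN = {"free_offer": ("free checking",)}
THRESHOLD = 0.6  # assumed firm-chosen quarantine threshold


def text_parts(msg):
    """Yield text of every text/* leaf; walk() also descends into attached messages."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def findings(text):
    """Return [(rule, score)] for each sentence where all of a rule's terms occur."""
    hits = []
    for sentence in re.split(r"(?<=[.!?])\s+", text.lower()):
        for name, (terms, score) in RULES.items():
            s = sentence
            for phrase in BENIGN.get(name, ()):
                s = s.replace(phrase, " ")
            if all(re.search(rf"\b{re.escape(t)}\b", s) for t in terms):
                hits.append((name, score))
    return hits


def review(msg):
    """Scan every text part; quarantine when any finding reaches the threshold."""
    hits = [h for text in text_parts(msg) for h in findings(text)]
    action = "quarantine" if any(s >= THRESHOLD for _, s in hits) else "deliver"
    return action, sorted({name for name, _ in hits})


def build_sample(body, forwarded):
    """Constructed test message: a body plus a forwarded message as an attachment."""
    inner = EmailMessage()
    inner.set_content(forwarded)
    outer = EmailMessage()
    outer.set_content(body)
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer
```

Removing the `BENIGN` entry turns "We offer free checking" into a quarantined message, which is the keyword false positive Thompson describes.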

Who does the human review? “A combination of people,” Thompson said. “Firms appoint various managers. Sometimes they’re compliance officers or branch managers. It depends on how the firm’s supervisory process is set up.”

Thompson said, “Any firm that’s interested in examining message content for regulatory reasons, for firm preservation reasons, or for protecting confidential information, or any other things that the firm wants to deal with in messages and attachments should look at an e-mail surveillance product.”

Do you foresee a need for screening e-mail at your company? When and why? Let us know, and we’ll publish some of the more enlightening responses. Send us an e-mail or post a comment below. We’ll report back to you on the results.
