Security Manager's Journal: When technologies collide

An encryption initiative runs into the law of unintended consequences: Legal can't search encrypted emails.

By Mathias Thurman, Computerworld |  Security, e-discovery, encryption

dear diary

flickr/Rowdy Kittens

My efforts to protect sensitive company data recently got a boost when we introduced encryption for files and emails to several key groups, including the human resources, finance, sales and legal departments. I was delighted to see how readily many employees in those groups were adopting encryption, since its use means that files and email can be read only by the intended recipients. Then we ran smack into the law of unintended consequences.

Trouble Ticket

Encrypted emails can't be searched in the archive for e-discovery purposes.Action plan: Pull the plug on the encryption deployment until the conflict can be resolved.

A couple of years ago, we purchased an email archiving tool that automatically stores copies of all sent and received email, which was something that our legal department was interested in doing as a way to help it comply with e-discovery requirements. Now, whenever we are faced with an e-discovery request, whether it relates to an HR matter or a court case, we can run fast, efficient and detailed searches against the entire email repository.

Or rather, we could do that, until we started encrypting some of our email.

Last week, as it was looking into an issue involving license compliance, the legal department asked me to conduct a search of the archive for emails containing certain keywords. You see, the licensing model for some of our products hasn't been updated in years and therefore our licenses can be misused. Our sales contracts include language giving us the right to audit customers to ensure that they are using our products within the constraints of the license they paid for. Many times, we have to enter into litigation with our customers, some of whom then claim that our sales associates gave them permission to use the license in a way that violates the agreement. The value at issue in such disputes can rise to over a million dollars, so it's critical for us to have the ability to search our archives for keywords within the body of emails that would bolster our contention that no such promises were made.

But when an email is encrypted, we can't search it. That's why I was sitting in our general counsel's office today, explaining that our new encryption initiative was the likely reason we were unable to find emails beneficial to our company in this particular compliance investigation.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness