Last week, I wrote about two recent situations where major companies suffered from entirely avoidable email-related problems ("Rookie Legal Mistakes Hurt Large Companies," February 7, 2008). In one case, Qualcomm lost a major patent dispute, and six of its outside attorneys are now staring down the barrel of possible disbarment. In the other case, an attorney working for Eli Lilly & Company accidentally sent a highly confidential document to a New York Times reporter. How could these mishaps have been prevented?

Let's start with Qualcomm, or, more precisely, with two of its outside law firms. The court found that the attorneys involved failed to produce relevant email messages and that they did so on purpose. The immediate fix for this type of problem would seem to be "don't hire dishonest attorneys"—but that presupposes that you can tell which ones are dishonest in the first place!

Consider what might have happened if Qualcomm had a more effective system for handling electronic disclosure requests. For example, if the company had been performing regular audits of its archiving system to see how many results were produced for important terms, there might have been some warning that the results offered to the court were incorrect or incomplete. It's not clear whether Qualcomm performed the discovery operation in-house or outsourced it, but it would seem that a more effective internal compliance operation might have been able to prevent the problem in the first place. I'll certainly be advising my clients who use outside law firms for compliance and discovery issues to ensure that their contracts for these services include hefty penalties for the kinds of shenanigans that Qualcomm's attorneys apparently pulled.

The Eli Lilly case is a bit more complex. Ignore the fact that the accidental disclosure was made by an attorney working for Lilly's outside law firm. Although it makes for great lawyer jokes, the fact is that this sort of accidental disclosure could easily have happened to many other people in the organization—though you have to have pretty bad luck to mistakenly send a critical document to a reporter for one of the world's best-known news organizations! My first thought when I read about this was that Lilly could benefit from using information rights management software such as Windows Rights Management Services (RMS) or Adobe LiveCycle to apply technical protection to their messages. If they'd done so, the protected message still would have gone to the reporter, but he would have been unable to open it. I think such an approach is probably best, but there are a few other "what if" scenarios that might have helped prevent this problem:

  • What if the law firm had deployed message classification tags and an Exchange Server 2007 transport rule? With this combination, their Hub Transport servers could automatically reject messages tagged as privileged but sent to domains other than those of the specific customer.
  • What if the law firm had used email policy control software to scan outbound messages for customer names or other sensitive details, quarantining matching messages for human inspection?
  • What if the sender had taken the time to double-check the recipient address on the message before sending it?

None of these scenarios, of course, solve the problem that's already occurred, but all of them are worthy of consideration because they highlight the fact that there's more than one way to limit inappropriate email disclosure. I'm a big fan of RMS because it helps you apply fairly strong policy controls that greatly reduce the impact of mistakes such as those in these two cases. A malicious user can still disclose protected information with a camera, a phone call, or pad and paper, but RMS makes it harder to accidentally or unknowingly spill the beans. However, message classification and transport rules are already included in Exchange 2007, so that's probably the lowest-cost way to start adding this kind of policy protection to your environment.
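
The decision logic behind the first two "what if" items (reject a privileged-tagged message addressed outside approved domains, quarantine an untagged external message that mentions watched terms) can be modelled in a few lines. This is an added example, not code from the article and not Exchange's own implementation; the header name, label text, domains and watch terms are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions for illustration only: none of these values come from the article.
CLASSIFICATION_HEADER = "X-Message-Classification"   # hypothetical header name
PRIVILEGED = "attorney-client privileged"            # hypothetical label text
ALLOWED_DOMAINS = {"lawfirm.example", "client.example"}
WATCH_TERMS = ("client corp", "settlement")          # constructed watch list

def recipient_domains(msg):
    """Lower-cased domain of every To/Cc/Bcc address.
    An address with no '@' is returned whole, so it counts as external."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rpartition("@")[2].lower() for _, addr in getaddresses(fields) if addr}

def evaluate(raw):
    """Return (verdict, reason); verdict is REJECT, QUARANTINE or DELIVER."""
    msg = message_from_string(raw)
    outside = recipient_domains(msg) - ALLOWED_DOMAINS
    label = (msg.get(CLASSIFICATION_HEADER) or "").strip().lower()
    # Rule 1: a privileged message may only go to approved domains.
    if label == PRIVILEGED and outside:
        return "REJECT", "privileged message addressed to " + ", ".join(sorted(outside))
    # Rule 2: untagged mail leaving the firm is scanned for sensitive terms.
    if outside:
        body = msg.get_payload()
        text = (msg.get("Subject", "") + "\n" + (body if isinstance(body, str) else "")).lower()
        hits = [term for term in WATCH_TERMS if term in text]
        if hits:
            return "QUARANTINE", "untagged external message mentions " + ", ".join(hits)
    return "DELIVER", "no policy matched"

def sample(to, label=None, body="Draft terms attached."):
    """Build a constructed test message."""
    head = ["From: associate@lawfirm.example", "To: " + to, "Subject: Draft"]
    if label:
        head.append(CLASSIFICATION_HEADER + ": " + label)
    return "\n".join(head) + "\n\n" + body + "\n"

if __name__ == "__main__":
    for raw in (
        sample("gc@client.example", "Attorney-Client Privileged"),
        sample("gc@client.example, j.doe@newspaper.example", "Attorney-Client Privileged"),
        sample("j.doe@newspaper.example", body="Client Corp settlement figures"),
    ):
        print(evaluate(raw))
```

One stray external address among several recipients is enough to reject the whole message, which is the misaddressing case the Lilly incident illustrates.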