
17 posts categorized "Email"

16 March 2009

Welcome to Spamalot

Tired of paying full price for ink and toner?  Click here to save 85%.  Are you ready to make $6000 a month working part time from home?  How about consolidating your debt?  With all the layoffs, it’s hard to believe that Michael Vincent has personally found millions of people a new job.

Feel like you’ve seen or heard some of these things before?  You’re not alone.  While computing and the Internet have improved countless things about our lives, they have certainly complicated others.  While spam is primarily an annoyance, it also carries real risks and vulnerabilities.

Traditionally, spam is thought of as an email problem.  However, with the proliferation of instant messaging, text messaging and social networks, the term spam is now used more broadly for any unsolicited bulk message.

How did they find me?

Despite what your co-workers may have teased you about, receiving spam does not mean that you frequent adult sites or spend too much time on the Internet.  For many, it is simply the misfortune of having a common name.  Since spammers typically use hijacked email accounts, they aren’t too picky about dropping a couple of million name combinations in the “to” field and hitting send.  Oftentimes, these emails are programmed to use the recipient’s name as the sender’s address, making it look as though you sent the email to yourself.  Once a valid email is identified, the spammer may spoof that address to make the email appear as though it came from one of your co-workers.

Some of the other common ways that spammers get your email address are through legitimate purchases, both online and at brick and mortar stores.  You most likely signed up for direct marketing while signing up for online services such as fantasy sports or weather feeds.  Your email was probably “scraped” if you belong to a professional organization that posts email addresses on its contact webpage or if your email is listed on your company’s webpage.

What can I do about it?

For personal email, if you already own an anti-virus product such as McAfee or Symantec, there is most likely a complimentary anti-spam product that is available as an upgrade.  While these programs are usually effective, they are not always very intuitive and can make reading and composing email a lot more complex than if you just went through and deleted all of the spam.  There are also many open source solutions available through SourceForge such as SpamBayes.

Depending on your email provider, you may notice that mail you received has already been tagged as spam.  Using an Outlook rule, I have all mail that is marked as spam by my internet service provider moved to a folder that I created called “Spam.”  Periodically, I review the emails in that folder and delete them in bulk.  On any given day, that reduces the number of spam in my inbox by 100-200!

For business email, you have several options depending on whether you use a hosted email solution or have your own email server.  If your email is hosted, start by contacting your email host provider to determine what anti-spam solutions they offer.  If your company manages its own email systems, you can redirect your incoming mail to a third-party service such as Postini or scan it with an in-house solution such as Proofpoint.  With the redirect service, all of your incoming email goes to the third party and is scanned for spam and viruses before being forwarded to your company email; this is ideal for companies that do not have full time IT staff.  With the in-house solution, your incoming email is first scanned by a product or appliance before being sent to your email server; this is ideal for companies which receive a lot of legitimate emails that may be construed as spam, for example, a medical or insurance company that receives email related to “personal injury” or common prescription drugs.

Staying ahead of the curve

Anti-spam is a journey and not a destination.  As quickly as companies implement rules to block one spam message, another type appears.  On the surface, it would appear as though your anti-spam just quit working.  In reality, the spammers have found another way to fool the anti-spam products into thinking it is legitimate email.  The solution you choose should be continually updated in order to effectively identify spam.  For more information on how you can become an anti-spam storm trooper visit the Coalition Against Unsolicited Commercial Email.

20 October 2008

Email can come back to haunt you (encore tip)

Back by popular demand, this "encore tip" is a reminder to be especially professional in your email communications. Please share this seasonal message with your co-workers. (This Tip was first run in October 2006.)

Halloween is a time for scary stories - tales of vampires and ghouls rising from the dead to terrify innocents - a time when things that you thought were dead and buried come back to haunt you.

Unfortunately, the analogy between badly written email and the undead is sometimes all too appropriate. A hasty word can return to haunt you long after you hit the send button and thought the conversation was over. Careers have been destroyed, money lost and relationships ruined when an email returned from beyond.

Americans have a bad habit of treating email very casually – as an extension of our last phone conversation or a continuation of the chat in the hallway. We assume that the message is private and that the recipient will understand the context and correctly interpret our tone.

In fact, email is more like a postcard - anyone can read it while it's in transit and any of the recipients can save it, forward it or post it to the internet. Electronic copies can remain in archives and electronic message hubs all over the Internet – places that neither the sender nor the recipient can control. Emails can be subpoenaed and forced into the public record. You have no right of privacy in your email, either sent or received. When you write an email, you must assume that it will be read by an unknown and unforeseen audience.

That unknown audience will assume that you carefully crafted and wordsmithed your message (or, if not, that the hurried email is evidence of the writer's "real state of mind"). They will not believe that you were "just joking" and won't care that you were trying to dash off a quick note. They will interpret the tone according to their own preconceptions.

Always assume that anything you write will come out at the worst possible time and in the worst possible light. Be professional in your email. Include enough context that the unforeseen reader understands the message. Be personable yet professional in tone. (In particular, never use sarcasm in email.) Never write anything that you would be embarrassed to see on the front page of tomorrow's newspaper.

Remember, email can come back to haunt you.

Footnote: The comment that "anyone can read [your email] while it's in transit" is less true if you have email encryption with your business partners but your words can still be saved, forwarded or otherwise sent outside your control. Please don't assume that email encryption will protect you from sloppy wording.

15 September 2008

How not to look like spam

Spam filters are getting better every year. They have to, in order to keep up with the ever-increasing flood of spam. But no matter how good the filters get, some spam will always leak through. More worrying, some fraction of good messages will be inappropriately tagged as spam and lost. And depending on how your respective spam filters are set, your reader may never even know that the message was attempted, nor you that the message was rejected.

A while back, we wrote a tip about "how not to look like a phish". I've wanted to write the companion article about not accidentally tripping the spam filters for several years now. I resisted because the rapid change in spammer tactics makes any list obsolete even before it hits the page. It will also never be a definitive list - the anti-spam vendors are justifiably worried about giving the spammers a roadmap showing how to bypass their filters. Nevertheless, there are some general rules worth discussing.

  • Your subject line is important. A blank subject line (or, worse, a subject line that is ambiguous and generic like "Hi" or "I love you") will almost certainly get your message tagged as spam. A good subject line is also a courtesy to your readers, helping them to more quickly prioritize their inboxes and give your email the attention it deserves.
  • Mailing to lots of people at once will increase the odds of being tagged as spam. (This is a problem for the publishers of legitimate email newsletters with large distribution lists like, say, these tips.)
  • Use a company-issued email address. Sending from a free email account like yahoo.com or gmail will increase the odds of getting tagged.
  • Avoid common spam words like "cheap" and the V- word (rhymes with the famous waterfall). That sometimes means completely avoiding certain topics (which can be quite difficult, especially in a newsletter like this one where we are discussing spammer tactics) but more often means avoiding flowery, inflammatory or overly-promotional language. In particular, avoid all caps and multiple exclamation marks.
  • Avoid images, fancy graphics and html code in your email. Hackers and spammers hide things in those glossy "enhancements". The simpler your message, the more likely it is to get through unmolested.
  • SPELL-CHECK! Spammers are getting much better at the use of grammatically correct English but bad spelling is still a surprisingly good filter for spam.
  • If you are sending a newsletter, always include your real contact information and a working set of "unsubscribe" instructions at the bottom of the message. This won't actually help you get past the spam filters – too many spammers just include fraudulent unsubscribe options in their messages – but it is the law.
  • Try to keep your message under two megabytes including embedded pictures and attachments. This isn't strictly a spam-filtering rule but many mail servers use a 2 meg/message limit to keep any one message from tying up the lines.

Finally, if you don't get an answer in a reasonable amount of time, follow up on your message. No matter what you do or how good the filters get, some false positives will always exist. The person might be ignoring you but it's more likely that they never got the message.
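The rules above can be turned into a pre-send check. The following is an added example, not the newsletter's own code, that lints an outbound message built with Python's email library against the subject, sender, wording, HTML/image and 2 MB rules listed in this tip. The generic subjects, free-mail domains, trigger words and the 25-recipient threshold are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

MAX_BYTES = 2 * 1024 * 1024                       # the 2 MB/message limit from the tip
GENERIC_SUBJECTS = {"hi", "hello", "i love you"}  # the tip's examples of generic subjects
FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com"}  # assumption: short list
SPAM_WORDS = {"cheap", "viagra"}                  # assumption: real filters use far more
MANY_RECIPIENTS = 25                              # assumption: what counts as "lots of people"


def lint_outbound(msg: EmailMessage) -> list[str]:
    """Return the reasons a spam filter might reject `msg`; empty list means clean."""
    findings = []
    subject = (msg.get("Subject") or "").strip()
    if not subject:
        findings.append("subject line is blank")
    elif subject.lower().rstrip("!.") in GENERIC_SUBJECTS:
        findings.append(f"subject '{subject}' is generic")
    letters = [c for c in subject if c.isalpha()]
    if len(letters) >= 5 and all(c.isupper() for c in letters):
        findings.append("subject is all capitals")

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in FREE_MAIL_DOMAINS:
        findings.append(f"sent from free webmail domain {sender_domain}")

    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > MANY_RECIPIENTS:
        findings.append(f"{len(recipients)} visible recipients; consider bcc:")

    # Look at the plain-text body (or the HTML one if that is all there is).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if "!!" in text or "!!" in subject:
        findings.append("multiple exclamation marks")
    lowered = text.lower()
    hits = sorted(w for w in SPAM_WORDS if re.search(rf"\b{re.escape(w)}\b", lowered))
    if hits:
        findings.append("spam trigger words: " + ", ".join(hits))

    # HTML parts and images are where "enhancements" hide; flag each one.
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            findings.append("message contains an HTML part")
        elif ctype.startswith("image/"):
            findings.append(f"embedded image {part.get_filename() or ctype}")

    size = len(msg.as_bytes())   # size as it will go over the wire, attachments included
    if size > MAX_BYTES:
        findings.append(f"message is {size / (1024 * 1024):.1f} MB, over the 2 MB limit")
    return findings


def sample_messages() -> tuple[EmailMessage, EmailMessage]:
    """Constructed examples: one that trips several rules and one that passes."""
    bad = EmailMessage()
    bad["From"] = "deals@yahoo.com"
    bad["To"] = "customer@example.com"
    bad["Subject"] = "HI!!"
    bad.set_content("Cheap ink and toner, act now!!")
    bad.add_alternative("<p>Cheap ink and toner, act now!!</p>", subtype="html")
    bad.add_attachment(b"\0" * (MAX_BYTES + 1), maintype="application",
                       subtype="octet-stream", filename="brochure.bin")

    good = EmailMessage()
    good["From"] = "jane.user@westfieldgrp.com"
    good["To"] = "customer@example.com"
    good["Subject"] = "Your renewal paperwork for May"
    good.set_content("Hello, the renewal forms are ready. Please call me with any questions.")
    return bad, good


if __name__ == "__main__":
    bad, good = sample_messages()
    for msg in (bad, good):
        print(msg["Subject"], "->", lint_outbound(msg) or "no findings")
```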

08 September 2008

Spam, phish or secure mail?

For several years now, we've been telling everyone that email is a postcard – everything in the message is exposed to anyone who wants to read the message as it flashes by. A couple of companies have figured out how to solve this problem and their solutions are finally hitting critical mass. If you have a secure mail solution, you can finally put your message in an 'envelope' and keep outsiders from reading it.

The problem is that we've also told you as a reader to delete any message that appears suspicious or that asks you to click through some "convenient" link. The 'envelope' around a secured message looks a lot like a phish. (See "How it works" below.)

Here are some tips on telling the difference between a secure mail message and a spam or phish.

  • In a legitimate message, you will still be able to read the subject line and the sender. If you are not expecting a message from that sender, be suspicious.
  • Once you start working with a business partner who uses a secure mail system, all secure messages from that company should look basically the same. If the logo, the layout or the text look different, be suspicious.
  • A legitimate message will take you to the sender's website to verify your login. A phish will try to take you someplace else to steal your password. If the message alleges to come from someone at redcross.org but the link is trying to take you to yahoo.com, be suspicious.
    Reminder: The only part of the domain that matters is the part immediately before the top-level domain (.com, .org, etc). Ignore everything to the left or right of the dots. In the link voltage-pp-0000.westfieldgrp.com/mail/32/, only 'westfieldgrp' matters for verifying the legitimacy of the message. The rest is set up by the company's IT department to point to specific places within the company's domain.
  • Legitimate messages are written by professionals. Scam messages want to panic you into acting without thinking and often use phrases like "URGENT" and "log in now or your account will be closed". If the language seems inflammatory, be suspicious.

If you are suspicious, call the sender and confirm the message. Please do not just delete these messages, though. There's a fair chance they are legitimate and you wouldn't want to lose good messages.

How it works

There are several ways to put your message in the secure 'envelope'.

One technique doesn't actually put the content in email at all. What you really send is a placeholder saying "You have a message waiting. Please sign in at my website to read it." The message content stays on the sender's webserver and never actually travels by email. Some large financial and medical institutions use this kind of secure messaging.

The other way is to pull the content off the message, encrypt it and reattach it to the message. The content travels by email but can't be read except by someone who knows the password. (If you don't already have a password set up, you will be asked to verify your identity and create one.)

A third technique is Transport Layer Security (TLS), a method that protects the message from one email server to another. This requires some setup between the two companies but is otherwise invisible to both the sender and the reader. These messages can't be easily mistaken for a phish so we won't discuss them in this tip.

An example of that second kind of 'envelope' – the encrypted attachment solution – is attached below.

30 June 2008

How to spot an email scam

PC World magazine put together a short tutorial on recognizing eleven common email scams. Each page includes an actual example, most culled from recent messages being sent out by the notorious Storm Warn gang, a group of hackers based out of Germany who not only run the scams themselves, but also sell their hacker toolkits to others.

Some of the scams seem pretty obvious (like number 10, the IRS scam) but others are very sophisticated in their tactics such as number 9 where the hacker is impersonating an indignant eBay customer accusing you of not responding to his question or number 11 where the hacker took the time to personalize the attack based on the victim's alumni listing.

Number 5, the NFL stat-tracking software, is particularly effective because the webpage is so professionally done. And there really are some good free software programs out there. (Well, not completely free since they're ad-supported but for an avid fan a few ads might not be too much to pay.) The problem is that there are a few very dangerous landmines hidden among the legitimate tools. Short of completely rewriting the code yourself, there is no way to tell the safe ones from the scams.

Never download "free" software unless you are completely sure of the reliability of the source and never load any software onto your work computer yourself. Always call your IT department.

23 June 2008

Security of hosted email – the last mile

If you have your own datacenter and have a dedicated IT staff that runs your own email system, you can skip this week's Tip. If you use webmail (such as Gmail, Hotmail or Yahoo mail) or if you use an email service (such as XO Communications or AppRiver), you are using hosted mail (that is, someone other than your own IT people has a copy of your email on their servers and manages your email for you) and you may need to think about how to keep your emails safe between your computer and the host.

Hosted mail can be a very useful service. It lets individuals and small companies buy top-quality email services without needing a full data center and 24 hour support staff. (Personal webmail accounts can also be useful for keeping personal and professional messages separate. See the 27 Jan 2007 Tip for more.)

However, hosted email adds a layer of complexity to your security arrangements. When your email system is completely in-house, you can trust your perimeter defenses to protect messages from one employee to another even if the message itself is not encrypted. When you use hosted email, the message is leaving your perimeter before it gets back to your co-worker. Since standard email is not encrypted, that message could be intercepted and read by basically anyone during that period while it's outside your perimeter.

The same applies when emailing outsiders. More and more companies are implementing secure email in order to protect messages with confidential content. Many of those systems use Transport Layer Security (TLS) which scrambles the message while it's moving from the sender's email system to the recipient's email server but does not protect the message between the recipient's email server and his/her desktop. That leg is a responsibility of the recipient.

While it is dangerous to generalize from just a few examples, all the email services that I've talked to have some way to secure that last mile from their email server to your desktop. XO Communications, for example, has detailed instructions on their webpage explaining the settings and port numbers that you have to set up on each desktop in order to connect to them securely. AppRiver has instructions for how to use the capabilities built into MS Outlook to protect the connection.

Unfortunately, the connection for the users of webmail is harder to make secure. Gmail claims on their website that encryption is available but a number of requests for help on their discussion groups have gone unanswered. Yahoo has yet to return our request for information.

If you can set up that last mile securely, you need to do so. If you can't, be very sure that you do not use email to send or receive any confidential information such as SSNs or Drivers License numbers.

16 June 2008

Use bcc: for large email distributions

Have you ever replied to an email message only to realize too late that you just sent your reply to the entire department? Or worse, to the entire company? Reply to All should be used only when you are sure that every recipient on the list really wants and needs to read your reply.

Unfortunately, accidentally hitting Reply to All is an easy mistake to make.

If you are the sender of the original message, you can make life easier and safer for your readers if you use the bcc: field instead of the To: field in the email header. Bcc: stands for "blind carbon copy." Every user will receive the message but the recipient will see only his or her own name in the bcc: field. If a user accidentally hits the Reply to All button, the reply message will only be sent to the original sender.

As a matter of etiquette, you should disclose the distribution list to your readers in the body of the message. This avoids any appearance of attempting to hide the distribution. A common convention is to use small italicized text in the first line with the text "sent bcc: to MidwestDivision".

07 April 2008

Hoax messages about viruses

At some point, all of us have received a "helpful" message from a co-worker or family member warning us about the latest internet virus. Unfortunately, the overwhelming majority of these messages are hoaxes - scare alerts started by malicious people and then passed on by well-intentioned users who think they are helping by spreading the warning. The message itself is the virus, and it depends on your goodwill (and gullibility) to spread.

Do not forward hoax messages. Some hoax messages carry malicious instructions about how to delete certain "corrupt" files - files that actually are not only safe but even necessary to your computer. In others, the hacker offers a convenient link or tool to "check your computer and remove the virus" or "improve your performance". Instead of downloading an anti-virus tool, you're actually loading the malicious software itself.

Even "innocent" messages with no direct malware attached have caused the e-mail systems at some companies to collapse when hundreds of users forwarded a false alert to everybody in their address book.

If you receive an alarm email about a virus from anyone except your own IT department, just delete it, especially if the message includes any "special" instructions. (The instruction to run your own anti-virus program is probably safe but I'd never trust someone else to tell me to load a piece of software.)

If you suspect that the message might be legitimate, forward it to your IT department and let them determine if a wider announcement is appropriate. You can also check at f-secure.com for a good list of known virus alarm hoaxes.

10 March 2008

How not to look like a phish

Phishing is an increasing and serious problem. Luckily, consumers and even some tools are getting better at identifying and deleting them. Unluckily, many legitimate messages get thrown away because they look too much like phishing messages. TRUSTe and Ernst & Young recently published a white paper on "How Not to Look Like a Phish". Here are a few thoughts that can help you keep your messages from looking too much like a phish:

  • Don't request personal information from customers via a hyperlink in an email. If you need information (such as an updated address), tell the customer to go to your company's website and log in. Don't provide a "convenient" link.
  • Personalize the email whenever possible. This proves that you know your customer's name. For example, use "Dear John" instead of "Dear Sir".
  • Don't get your customers in the habit of linking through someone else to get to you. For example, if you are going to provide a link in the email, it should look like www.yourdomain.com, not www.somebodyelse.com?redirect=www.yourdomain.com;. Never use the IP address in the link. http://12.168.68.50 will still take you to westfieldgrp.com but customers can't be expected to know that or to recognize when the address has been tampered with.
  • Be very cautious about using "click here" links. You may think they read better but customers should rightly be suspicious of any attempt to obscure the destination of a link. Written-out addresses are better.
  • Use simple and intuitive domain names and directory paths. The longer the address line, the more likely it is for something to be spoofed and the harder it will be for your customers to recognize the falsification.
  • Proofread and spell-check all your communications. While more phishers are improving their English, many users still rightly assume that a grammar or spelling mistake is evidence of a possible phish by someone whose native language is not English.
  • Avoid messages with an urgent, threatening or time-sensitive tone. (I had an example in here but it made this message look too much like a phish and got blocked. Don't say anything about passwords and account cancellation.)

For the full report, go to truste.org.
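To make the domain rule from the "Spam, phish or secure mail?" reminder and the link rules in this tip concrete, here is an added link checker (example code, not from the newsletter or from TRUSTe) that flags the three things those tips warn about: a link whose owner domain differs from the sender's, a bare IP address in place of a name, and a redirect through someone else's site. The set of multi-label suffixes and the redirect parameter names are constructed assumptions.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Assumption: a few multi-label public suffixes, so that the tip's "label just
# before the top-level domain" rule also gives the right answer for example.co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Assumption: query parameter names commonly used to carry a forwarding target.
REDIRECT_PARAMS = {"redirect", "url", "goto", "next", "target", "dest"}


def registrable_domain(host: str) -> str:
    """The part of a host name that identifies its owner.

    Applies the rule from the tip: ignore everything left of the owner label,
    so voltage-pp-0000.westfieldgrp.com -> westfieldgrp.com.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _split(url: str):
    # Links written in email bodies often omit the scheme; urlsplit needs one
    # to recognise the host part.
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_link(sender: str, url: str) -> list[str]:
    """Reasons a reader should be suspicious of `url`, given the address the
    message claims to come from. An empty list means nothing looked wrong."""
    findings = []
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    parts = _split(url)
    host = parts.hostname or ""
    if not host:
        return ["link has no host name"]

    if is_ip_literal(host):
        findings.append(f"link uses a bare IP address ({host}) instead of a name")
    elif registrable_domain(host) != sender_domain:
        findings.append(
            f"link goes to {registrable_domain(host)} but sender is {sender_domain}")

    # A parameter that carries another address means the reader is being sent
    # through one site to reach another, which is exactly what a phish does.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in REDIRECT_PARAMS or "://" in value:
            target = _split(value).hostname or ""
            if target and registrable_domain(target) != registrable_domain(host):
                findings.append(
                    f"parameter '{key}' redirects through {registrable_domain(host)} "
                    f"to {registrable_domain(target)}")
    return findings


if __name__ == "__main__":
    # Constructed inputs built from the examples in the two tips.
    for sender, url in [
        ("someone@redcross.org", "http://www.yahoo.com/login"),
        ("it@westfieldgrp.com", "voltage-pp-0000.westfieldgrp.com/mail/32/"),
        ("alerts@westfieldgrp.com", "http://12.168.68.50"),
        ("support@yourdomain.com", "www.somebodyelse.com?redirect=www.yourdomain.com"),
    ]:
        print(url, "->", check_link(sender, url) or "looks consistent")
```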

29 October 2007

Email can come back to haunt you

This Tip was first run in October 2006. This "encore tip" is a reminder to be professional in email.

Halloween is a time for scary stories - tales of vampires and ghouls rising from the dead to terrify innocents - a time when things that you thought were dead and buried come back to haunt you.

Unfortunately, the analogy between badly written email and the undead is sometimes all too appropriate. A hasty word can return to haunt you long after you hit the send button and thought the conversation was over. Careers have been destroyed, money lost and relationships ruined when an email returned from beyond.

Americans have a bad habit of treating email very casually – as an extension of our last phone conversation or a continuation of the chat in the hallway. We assume that the message is private and that the recipient will understand the context and correctly interpret our tone.

In fact, email is more like a postcard - anyone can read it while it's in transit and any of the recipients can save it, forward it or post it to the internet. Electronic copies can remain in archives and electronic message hubs all over the Internet – places that neither the sender nor the recipient can control. Emails can be subpoenaed and forced into the public record. You have no right of privacy in your email, either sent or received. When you write an email, you must assume that it will be read by an unknown and unforeseen audience.

That unknown audience will assume that you carefully crafted and wordsmithed your message (or, if not, that the hurried email is evidence of the writer's "real state of mind"). They will not believe that you were "just joking" and won't care that you were trying to dash off a quick note. They will interpret the tone according to their own preconceptions.

Always assume that anything you write will come out at the worst possible time and in the worst possible light. Be professional in your email. Include enough context that the unforeseen reader understands the message. Be personable yet professional in tone. (In particular, never use sarcasm in email.) Never write anything that you would be embarrassed to see on the front page of tomorrow's newspaper.

Remember, email can come back to haunt you.

24 September 2007

Email spoofing

Have you ever received an error message about an email that you didn't send? Or wondered why someone from your own company's email address is sending you ads for Viagra or financial alerts for penny-stocks? Have you gotten a spam message from yourself? If so, you've just seen email spoofing in action.

Anything about an email can be edited or overwritten including the From, Return-Path, and Reply-To fields. Commands inserted into the header of the email can make the message appear to come from anyone, anywhere saying whatever the sender wants it to say. Spammers and other hackers know that their response rate is 10% higher if they can match the recipient's name – they rely on curiosity and trust to trick you into opening a malicious message. The trick is built right into the hacker tools that are used to generate mass-mailing worms and other malware.
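As an added illustration of which header fields a spoofer controls (example code, not from the newsletter), the check below parses a constructed message with Python's email library and reports the inconsistencies this tip describes: mail "from yourself", a Return-Path or Reply-To pointing at a different domain, and a message that claims an internal From address but was handed to our server by an outside host. It assumes that the topmost Received: line was written by our own server and that our domain is westfieldgrp.com, the domain the newsletter uses elsewhere.

```python
import email
import re
from email.utils import parseaddr

# Inside the parentheses of a Received: line the receiving server records the
# connecting host's reverse DNS name and IP address; the HELO name before them
# is supplied by the sender and can say anything.
RECEIVED_FROM = re.compile(r"from\s+\S+\s+\(([\w.-]+)\s+\[([^\]]+)\]\)", re.IGNORECASE)


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message: str, own_domain: str) -> list[str]:
    """Reasons to suspect that the visible sender of `raw_message` is forged.

    own_domain is the domain of the mail system that received the message.
    Assumption: the topmost Received: header was written by that system.
    """
    msg = email.message_from_string(raw_message)
    own = own_domain.lower()
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_dom = from_addr.rpartition("@")[2]

    # "Have you gotten a spam message from yourself?"
    if from_addr and from_addr == to_addr:
        findings.append("From and To are the same address")

    # The envelope sender and reply address are chosen by whoever sent the
    # message; when they point somewhere other than the visible From, be suspicious.
    for header in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(header, ""))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # A message claiming to be internal should have reached our server from one
    # of our own hosts. Check the host our server recorded, not the HELO name.
    received = msg.get_all("Received") or []
    if from_dom == own and received:
        match = RECEIVED_FROM.match(received[0].strip())
        if not match:
            findings.append("could not parse the Received: line written by our server")
        else:
            handoff, ip = match.group(1).lower(), match.group(2)
            if not (handoff == own or handoff.endswith("." + own)):
                findings.append(
                    f"From claims {from_dom} but message arrived from {handoff} [{ip}]")
    return findings


# Constructed sample: a spoofed "from yourself" stock tip. Note that the HELO
# name claims to be our own server while the recorded host is an outside one.
SPOOFED_MESSAGE = """\
Received: from mx.westfieldgrp.com (mail.example.net [203.0.113.5])
    by mx.westfieldgrp.com with ESMTP; Mon, 24 Sep 2007 09:12:44 -0400
Return-Path: <bounce@example.net>
From: jane.user@westfieldgrp.com
To: jane.user@westfieldgrp.com
Reply-To: offers@example.org
Subject: Penny stock alert

Act now.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN_MESSAGE = """\
Received: from smtp1.westfieldgrp.com (smtp1.westfieldgrp.com [192.0.2.10])
    by mx.westfieldgrp.com with ESMTP; Mon, 24 Sep 2007 09:15:02 -0400
Return-Path: <bob@westfieldgrp.com>
From: bob@westfieldgrp.com
To: jane.user@westfieldgrp.com
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, "->", spoof_indicators(raw, "westfieldgrp.com") or "no findings")
```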

If you think you received a spoofed message, simply delete it. Most email programs allow you to block future messages from that address but that approach is no longer effective at actually stopping spam. The problem is that blocking User1@spoofvictim.com still lets junk through from User2@spoofvictim.com, User3, etc. The odds that the spammer will pick the same victim next time are negligible. But if you ever do get a legitimate message from User1, you'll never see it. If there really is enough spam from one location to justify a black-listing, our spam-filter vendor will find it and include it in their master list. That fixes the problem not just for your email but for everyone else at the same time.

Do not send a complaint to the person that you think sent you the spam. If it was a spoof, they can't do anything about it anyway. If it was not a spoof, all you've done is confirm that you're the kind of person who opens spam messages. You'll get more spam, not less. You can, however, forward a copy to spam@uce.com, a department of the Federal Trade Commission which collects and reports on spam trends.

If you think that your address has been spoofed, delete that message too. Some virus writers are deliberately mimicking the email error messages in the hopes that you'll open the attachment "explaining the problem" and infect your computer with their program. If you don't remember sending the message, trust your memory. It's very likely a scam.

31 July 2007

Personal e-mail accounts and the impact on your agency

This article was originally published in the Jul/Aug 2007 edition of The Agent Newsline, a publication of Westfield Insurance.

Are personal e-mail accounts acceptable for work? What are the advantages and disadvantages to your agency? The lines between personal and professional life are increasingly blurred. One of the advantages of allowing personal use can be that a few minutes to check e-mail during a lunch break can help staff feel connected and productive for the rest of the day.

Keeping personal e-mail accounts separate from work e-mail accounts can have some real advantages for your agency.

  • First, it helps to keep business and personal issues separate. Work is completed on the employee's official e-mail account, and they can talk to family and do their Internet shopping via the personal account.
  • Second, it keeps a lot of the spam messages out of your agency e-mail box. Spammers can find you in lots of different ways but some of the most common involve scanning internet chats and shopping sites for e-mail addresses. If you use a work e-mail address and the spammers find you, they can rapidly infest the account - and you can't easily change it because that's where customers expect to find you. In addition, if you use one of the free web-based services like Hotmail or Yahoo and the spam gets too bad, you can always abandon the account and open a new account.
  • Third, if set up correctly, it's portable. When you're no longer an active employee, you will lose the company-provided e-mail address. A personal address provides continuity during your transition. If you use one of the web-based services, you're not even dependent on your personal Internet service provider.

Here are a few things to keep in mind.

  • A good rule of thumb to follow is to not allow use of a personal e-mail account for work-related communication. Customers and coworkers expect us to communicate through a consistent channel. In these days of spam and e-mail spoofing, messages from any address other than your regular domain will be met with justifiable suspicion.
  • Make sure that you tell employees that you retain the right to monitor personal e-mail if they check it on a work computer. Employees have no right to an expectation of privacy in anything they do on a work computer or system.
  • Remind them that if they're on your work computer, all the normal rules about professionalism and appropriate use still apply, even though it's their "personal" account.

21 May 2007

Use low-resolution graphics to control file size

All sorts of problems come with an e-mail box that gets too large. Bloated e-mail boxes are a technological and administrative headache. Self-discipline over the size of files that we store or that we attach to e-mail is part of good discipline and e-mail courtesy.

One technique for controlling the size of files is to use lower-resolution graphics wherever possible. For most uses, the lower resolution version looks the same on the page even though it takes one-tenth or even one-hundredth the space. Your communications team should have low-resolution versions of all your logos and graphics. These should be used for all e-mails and internal documents such as meeting minutes and presentations. Make sure your staff know where to find the approved versions of all your official graphics.

A second technique is to scrupulously avoid attaching unnecessary graphics to your e-mail in the first place. Graphics in your signature block are specifically discouraged. While some people think that they add a "personal" feel to the message, they go out on every e-mail, bloating both your and your readers' e-mail boxes. Furthermore, they often fail to display correctly, especially if the message recipient uses a different e-mail program than you do, and frequently cause the message to get trapped in the recipient's spam or virus filters. Keep graphics to an absolute minimum in e-mail.

27 January 2007

Personal Email Accounts

Many people keep a personal email account separate from their work email address. I recommend this practice for several reasons.

First, it helps to keep business and personal issues separate.

Second, it keeps a lot of the spam messages out of your work email box. If you use one of the free web-based services like Hotmail or Yahoo, you can abandon the account and open a new account when the spam gets too bad. If the spammers infest your work account, you're stuck.

Third, if you set it up right, it's portable. Few people are lucky enough to work at one company for their entire career and all of us hope to retire someday. When you're no longer an active employee, you lose the company-provided email address. A personal address provides continuity during your transition. If you use one of the free web-based services, you're not even dependent on your personal Internet Service Provider. You can switch from AOL to RoadRunner and back without ever making your family and friends change their address books.

There are a few things you should remember about your personal email account, though.

  • Never use your personal email account for work. Customers and coworkers expect us to communicate through a consistent channel. In these days of spam and email spoofing, messages from any address other than your official work address will be met with justifiable suspicion.
  • In almost all situations, your company does have the right to monitor your personal email if you check it on a work computer (and in some situations, is obligated to do so). If you're on your work computer, all the normal rules about professionalism and appropriate use still apply.

30 October 2006

Email can come back to haunt you

Halloween is a time for scary stories – tales of vampires and ghouls rising from the dead to terrify innocents – a time when things that you thought were dead and buried come back to haunt you.

Unfortunately, the analogy between badly written email and the undead is all too appropriate. A hasty word can return to haunt you long after you hit the send button and thought the conversation was over. Careers have been destroyed, money lost and relationships ruined when an email returned from beyond.

The problem is that we have a bad habit of treating email as a very casual form of communication. We think of it as an extension of our last phone conversation or a continuation of the chat in the hallway. We assume that the recipient understands the context and correctly interprets our tone. When third parties read your message, however, they assume that you spent as much time crafting and wordsmithing your message as you would have in the days of typewritten memoranda. They may or may not understand (or care about) the context of the message and they will interpret the tone according to their own preconceptions.

Legally, email is a type of formal business communication. The contents of the message are not protected. You have no right of privacy in your email, either sent or received. Any email can be subpoenaed and forced into the public record. Or it could be saved, forwarded or posted to the internet by one of the recipients. When you write your emails, you must assume that they will be read by an unknown and unforeseen audience. Assume that anything you write will come out at the worst possible time and in the worst possible light.

Be professional in your email. Include enough context that the unforeseen reader understands the message. Be personable yet professional in tone. (In particular, never use sarcasm in email.) Never write anything that you would be embarrassed to see on the front page of tomorrow's newspaper. Remember, email can come back to haunt you.

05 June 2006

Keep sensitive information out of email

Think of e-mail as a postcard. The postcard will get to its destination, but any postman along the route can read it.

When you send an e-mail message, you are sending a text file that contains routing information - From, To, Date, Subject - and your message. When you hit "Send," the file is moved to your e-mail server and then transmitted to an Internet mail router where the file "asks directions" to the destination. The router compares the mail destination to a list of locations and sends the message to the next available router until the message finally finds the recipient’s e-mail server. While this is happening, your e-mail can be read by anyone with access to one of the servers your e-mail passed through.

The only way you can secure an e-mail message is to encrypt the body of the message. Encryption is a way of scrambling the contents on your "postcard" in a way that your recipient can decode but that no one else can figure out. Encryption has to be set up ahead of time, though. You and the recipient have to have the same "code-book" or you won’t be able to decode each other’s messages.

Unless you are using strong encryption, you should always assume that your messages can be read by an outsider, and avoid sending sensitive or confidential information in an e-mail message.
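As an added illustration (not part of the original post), the Python below walks the routing information the post describes: each relay prepends its own "Received:" line, so the headers list every server that held the message in the clear, and a second check tells whether the body itself was encrypted. The message, hostnames and addresses are constructed placeholders.

```python
import re
import email
from email import policy

# Constructed sample, not a real capture: a plaintext message relayed by the
# sender's server, an ISP relay and two servers at the recipient's domain.
RAW_MESSAGE = b"""\
Received: from mx.example-dest.test (mx.example-dest.test [192.0.2.30])
 by mail.example-dest.test; Mon, 05 Jun 2006 10:02:11 -0400
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
 by mx.example-dest.test; Mon, 05 Jun 2006 10:02:09 -0400
Received: from mail.example-src.test (mail.example-src.test [203.0.113.5])
 by relay.example-isp.test; Mon, 05 Jun 2006 10:02:05 -0400
From: alice@example-src.test
To: bob@example-dest.test
Subject: Draft revenue figures
Date: Mon, 05 Jun 2006 10:02:00 -0400
Content-Type: text/plain

Draft Q2 revenue is attached, please do not forward.
"""


def list_hops(raw: bytes) -> list:
    """Servers that held the message, oldest first. Each hop prepends its own
    Received: line, so the bottom header is the first relay; the sender's
    server is named only in that header's "from" clause."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]
    hops = []
    origin = re.match(r"\s*from\s+([\w.-]+)", received[-1]) if received else None
    if origin:
        hops.append(origin.group(1))
    for value in reversed(received):
        handled_by = re.search(r"\bby\s+([\w.-]+)", value)
        if handled_by:
            hops.append(handled_by.group(1))
    return hops


def body_is_encrypted(raw: bytes) -> bool:
    """True only when the body itself is protected (PGP/MIME or ASCII armour).
    Transport TLS between two hops would not show here, and it does not stop
    the operator of a relay from reading the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        return True
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and "-----BEGIN PGP MESSAGE-----" in body.get_content()
```

Every hostname returned by list_hops is a place where the postcard was readable; only body_is_encrypted returning True means the "code-book" the post mentions was actually used.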

30 April 2006

Do your e-mails give the right message

This article was originally published in the Apr/May 2006 edition of The Agent Newsline, a publication of Westfield Insurance.

As e-mail continues to soar in popularity, be careful what you write. Working in information security, I've seen how e-mails can come back to haunt you - see the sidebar for some specific court cases. Here are some guidelines and suggestions to help you draft your next e-mail.

There is no right of privacy in e-mail

When reading e-mail, outsiders assume that e-mails are written with the same care and attention as written memoranda or that the "casual" e-mail reflects what the writer really thinks about the situation.

The new buzzword is "eDiscovery." It means that plaintiffs in court cases have the right to examine and request copies of all electronic communications to or from a person or agency. E-mail is often introduced as a key exhibit in trials on corporate misconduct. The costs incurred by companies to meet discovery requests can go into the millions of dollars. Even if the e-mails are not directly relevant to the case at hand, discovery requests move the e-mails into the public record, which means they can be used for future lawsuits (potentially class-action) and other discovery requests.

E-mail is a formal business communication

Electronic communication, because of its speed and reach, is fundamentally different from paper-based communication. In a paper document, it is essential to make everything clear and unambiguous because your audience may not have a chance to ask for clarification. With e-mail, your recipient can ask questions immediately. Like conversational speech, e-mail tends to be sloppier than communications on paper.

We forget that e-mail does not convey emotions nearly as well as face-to-face or even telephone conversations. We assume that the context is understood. Your client may have difficulty telling if you are serious or kidding, happy or sad, frustrated or euphoric. Sarcasm, in particular, is very dangerous to use in e-mail.

The spoken word fades - e-mail is eternal

E-mail can come back to haunt you years after you sent the message. Once you hit the send button, you no longer control the message. It cannot be called back and cannot be deleted. You can delete your copy but you can never be sure that the recipients have destroyed theirs. They can save it or forward it to anyone they want, whether you approve or not.

Remember also that electronic copies of the message can remain in archives and electronic message hubs all over the Internet - places that neither the sender nor the recipient can control. E-mail is like a postcard in that everyone watching the flow of mail can read your message.

E-mail etiquette: Rules to live by

Before you e-mail a prospective customer or existing policyholder, consider the following rules of thumb:

  • Be fact-based and professional.
  • Write for unintended and unforeseen readers.
  • Assume that your words will be taken out of context.
  • Write as if the document will never be destroyed.
  • Always assume that somebody has a copy of your e-mail and that it will come out at the worst possible time and in the worst possible light.
  • Never write something in an e-mail that you would not ordinarily include in a memorandum. If you would be embarrassed to discuss it with a stranger, you should probably rethink the message.

The e-mail rules listed above also apply to instant messaging and voicemails. Some conversations are just best handled in person.

Examples of E-mail Troubles

  • In American Home Products Fen-Phen litigation, lawyers found one message (among 33 million messages) from a disgruntled worker who wrote "Do I have to look forward to spending my waning years writing checks to fat people worried about a silly lung problem?" Though the information did not relate to the company's policies, this was considered enough to suggest a pattern of behavior and contributed to a settlement of $3.75 billion.
  • In the Zubulake case, when the company could not produce backup tapes containing relevant e-mails and other documents in a timely manner, the judge instructed the jury to infer that the company was hiding something, resulting in a $29 million award.
  • Morgan Stanley was ordered to pay $1.4 billion in connection with a stock sale to Sunbeam because they failed to preserve e-mails for the 24 months required by the SEC, failed to disclose the presence of backup tapes, and failed to adequately search archived e-mails and attachments.
  • In a life insurance company case, the IT department was not informed of a litigation hold and continued to destroy electronic records on its own retention schedule, resulting in a $1 million penalty and a court order to deploy a multi-million dollar records management program.