Email leaks can strike anyone. Here’s what companies can do to prepare.
This is a question I’ve been mulling for a number of months: How has email use evolved in the days since Sony’s email server hacks and Wikileaks?
As most will remember, Sony’s email system was breached in October 2014 by hackers hired by North Korea, to protest the release of The Interview. Thousands of emails emerged including salary records, negotiations and enough salacious material to fill the tabloids for seasons. On paper, Sony pegged the damage at $15 million. The emotional toll to employees, some who left the company and others who’ve filed civil suits has dragged on for years.
The March 2016 leak of some 30,000 emails from the Democratic National Committee revealing information about DNC’s off-the-record conversations with the press during Hilary’s campaign, coupled with controversy about her use of a private email server while Secretary of State and reticence to produce the entirety of those emails was another set of history-changing occurrences. (CNN’s outline of that situation is here). In my opinion, the greatest damage to Clinton was not the question of whether she’d behaved illegally (CNN’s report maintains she didn’t), but the hit to her reputation from the materials the emails contained.
What are the lessons in these disasters for entrepreneurs? The ramifications should be clear to employees who’ve lost jobs or ruined careers over foolish email behavior. But for founders, the risk of lost contracts, ruined reputations and lawsuits over confidentiality breaches should be sobering enough to stand your neck hairs on end.
Consider the example of John White, founder of Social Marketing Solutions. Prior to his current company, he’d led the account team for a high-profile client with a reputation for being difficult. His life (and his employer’s) was turned on end when a customer support rep on his team emailed the following missive: “The wicked witch of the west is back on her broomstick. Which one of you wants to respond?” She had failed to notice the client was copied.
The employee was terminated on the spot and the company sent a formal letter of apology to the customer. But the client relationship, already close to the fence, could not be saved. The customer declined to renew, moving $2M in business to a competing agency at their next available chance.
In another case, the GM of a global company (one of our clients) shared the story of his prior start-up preparing for a high-impact launch. A vice president of the firm’s PR agency, feeling his oats and on a bit of a power trip, leaked the news early to one of his pals in the press. His email trail told the tale. Liability insurance was not enough to save that agency’s future. Legal action quickly shut the company down.
What are founders doing in the face of these risks? Lyle Ball, CEO of Salt Lake City-based NetEndeavor, said that his own policies and behavior changed well before the era of Wikileaks when a prior company he’d worked for found itself in the midst of a lawsuit against an industry giant.
Attorneys had purposely and successfully subpoenaed reams of executive emails, far beyond the material required for the trial. The outcome of the trial was influenced, Ball believes, by the embarrassing nature of the materials found — appointments with call girls, gossip and private information that executives in the defending organization had no qualms about sending via company email (in the 80’s and 90’s) as it seemed impossible the materials would ever be found.
“I actually credit this issue for the emergence and popularity of systems like Gmail and Hotmail,” he says. “Executives learned the need to conduct private conversations away from their company servers.”
Of course, as we mused, while court subpoenas may not reach private email systems, the risk remains high of having illegal or embarrassing behavior discovered regardless. Too many people who’ve thought they were covering their tracks have been uncovered when their messages get forwarded by recipients or they simply forget to log out, implicating not only themselves but anybody else connected to their conversations as well.
Email Best Practice for Entrepreneurs
Beyond liability insurance and IT safeguards against cybersecurity hacks, employee training and awareness is vital. Organizations should take the following steps to increase their email safety and savvy, and to avoid the risk of PR and liability fails:
Watch out for “reply all,” and remember to delete prior threads.
Particularly for junior employees, the temptation is great to let email threads continue forward that contain internal or private information. Make it a policy to nip this trend in the bud. Additionally, everyone should institute the practice of stopping to review each message, see who is copied, and even spell and grammar check the material in messages before pressing “send.”
Use email to document facts for protection.
Short of a formal contract, a list of steps or written summary of a commitment between team members or company and client can be extremely valuable over time. In my own case, when someone emails inappropriate article pitches (such as “I am willing to pay you XXX to include me in an article” or “I’d like to propose a mutually profitable arrangement”) I am explicit in responses about why this isn’t allowed, sometimes even blind copying editors and producers, as an individual engaging in behavior like this may likely be hitting up others as well. Saving emails from article sources (or customers) in an email folder is helpful as well, in the event they may resolve questions that could arise later on.
Consider a confidentiality footnote.
At least one of our clients, a multi-billion dollar company, has instituted a company-wide policy of having every email conclude with the following footnote: This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Dissemination, distribution or copying of this e-mail or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is prohibited. If you have received this e-mail in error, please immediately notify us by replying to sender.
While the note is not a legal guarantee and training is still vital, I imagine this reminder thwarts many bad decisions in sharing or forwarding confidential email.
Train employees to consider every email as potentially public.
Says data analytics and business coach Larry Boyer, of Washington, D.C., “There is a long standing saying, never say anything in an email you wouldn’t be willing to read in the Washington Post the next day.” He notes that Enron’s email gaffes continue to be used to teach forensic data science today. Jeremy L. Knauff, CEO of Spartan Media, agrees: “I came from a military background and was in before email was mainstream, so it’s second nature for me to only discuss sensitive matters face to face.”
In another case, a New York-based PR executive notes that three years after the Sony hack she and co-workers continue to use the phrase “this is a Sony” in emails, meaning the matter is confidential enough that it needs to be discussed on the phone.
Consider erasing all non-essential emails after 90–120 days.
While it is vital to understand that no email, even after being erased, is ever 100% “gone,” the practice of erasing messages older than 3–6 months can not only improve system performance and personal efficiency, it can also ease the workload of nuisance search requests for “every communication you’ve had with XXX, XXX, XXX and XXX” to only the items that are recent and relevant to the situation at hand.
Never email while tired or angry.
The terse message that seemed justified in the heat of battle may seem worse than intended to the recipient. Additionally, the gaffe will be intensified if the receiver is sufficiently offended to share the message with others. Mistakes are more likely when emotions are high.
Avoid gossip or sarcastic humor.
It may seem like an extremely junior mistake, but reputations have been ruined and jobs have been lost by employees thinking it’s funny to while away the time in meetings by dissing the boss or mocking co-workers or clients with clever messages in email or IM programs like Skype. People seem to forget that even if no one is seeing their own device, the material is prone to pop up on the recipient’s screen without warning (and often with an audible “ping”). Think customer presentations, speeches, in front of clients or bosses or even in front of the person intended to be the butt of the joke.
Avoid emailing from a shared or public computer.
The risk is far too high of leaving a session logged in to warrant this activity. This applies to company-owned computers as well. Consider this true story: Two co-workers, one of whom had moved to a competing company, conspired to remove information from company one for use in company two. Employee two, upon leaving, had turned in his company computer with files erased, believing the evidence of his bad acts was removed. In his first day at company two, he sent a message to his buddy at company one. “Hey, XXXX, anything you see from me on Skype, be sure to erase it to keep yourself safe.” And then the two went to town.
Weeks later, while preparing to re-image the returned computer, an IT executive for company one was surprised by mountains of Skype and Google+ dialogue exploding onto the screen. The messaging programs were alive and logged in. Adding insult to injury, the two had bragged in the conversations about their cleverness in downloading data files to MailChimp where they could be exported out via Gmail to avoid being seen by IT. In the aftermath, both employees, including the fellow who’d been dutifully erasing each message, were fired.
While these anecdotes may seem far-fetched and even funny in the eventual re-telling, each of these stories is true. Regarding email with care is one of the biggest steps any company and executive can take in our current business ecosystem to avoid liability and the need for crisis PR.
If you enjoyed reading this post, please share and recommend it so others can find it!
Would you like to be a published thought leader?
If so, get my free Definitive Guide to Thought Leadership ebook right here.
Additionally, you can download the 7-Step Thought Leadership checklist and subscribe to the free Snappington post newsletter here.