Instant Messaging Risk Management Is Not Complete Until Dead Records Are Gone

Disposing of IM, e-mail, and other business records once they reach the end of their lifespan is an important part of document management. Assign your legal, compliance, and records management team the task of determining when old records have outlived their usefulness and can be disposed of.

The AIIM/ARMA survey of records managers reveals that 67 percent of records professionals doubt that their IT departments really understand the concept of electronic records lifecycle management. That’s despite the fact that, in 70 percent of cases, IT is responsible for managing the organization’s electronic records. ^[14]

Be sure to have legal, compliance, records management, and IT professionals work together as a team to ensure that everyone responsible for the successful management of your organization’s IM, e-mail, and other electronic records really understands the concept of business records—and business record lifecycle management—from both a legal and business perspective.

The employees of fallen energy giant Enron made the company e-mail system an extension of their personal lives. Like workers in many other offices, Enron employees thought nothing of using the company’s e-mail system to discuss personal matters and air dirty laundry.

Because those private (and in some cases highly confidential) messages were mixed in with Enron’s electronic business records, they were gathered as evidence during the Federal Energy Regulatory Commission (FERC) investigation of Enron’s alleged energy-market manipulation.

In March 2002, FERC posted online 1.6 million Enron e-mails from 2000 through 2002. At no charge, the public could surf the e-mail inboxes of 176 current and former executives and employees, some of whom had thousands of business and personal messages on display.

Romances, affairs, and gossip were discussed—with senders’ and receivers’ names attached. Complaints were lodged against in-laws and managers alike—with senders’ and receivers’ names attached. Executive salary packages and employee performance reviews were transmitted—with senders’ and receivers’ names attached.

Employees’ bank records and Social Security numbers were displayed—with senders’ and receivers’ names attached.

Two days after the e-mail was posted, Enron petitioned FERC to remove the most sensitive and confidential messages. FERC agreed to remove 8 percent of the database (141,379 documents), including a payroll document that listed the Social Security number of every Enron employee. In the end, only 5,128 e-mails containing Social Security numbers and employee performance evaluations were permanently removed. ^[15]

The Enron e-mail disaster was covered by The Wall Street Journal, CNBC, and National Public Radio, among other national business media outlets. Millions of curious readers (possibly including identity thieves) jumped online to sort through the goldmine of Social Security numbers, personal dirt, and other ‘‘goodies,’’ crashing the site in the process.

A cautionary tale for all IM and e-mail users, the Enron e-disaster story drives home an important lesson for employees. Never use your employer’s IM or e-mail system to transmit personal, sensitive, or confidential information that would embarrass or otherwise harm you or your loved ones were it to be made public.

For employers, the Enron e-mail disaster clearly illustrates why it is so important to distinguish business record IM and e-mail from nonbusiness record messages, and to purge all documents that you do not need to retain for business, legal, or regulatory purposes.

^[14]Ibid.

^[15]Dennis K. Berman, ‘‘Online Laundry: Government Posts Enron’s E-Mail,’’ The Wall Street Journal (October 6, 2003), A1.