Goldman Sachs, an urban investment group focused on revitalizing communities, recently made headlines by announcing a new policy to eliminate profanity from its internal email correspondence. This policy was the direct result of a business-wide review triggered from a U.S. Securities and Exchange Commission (SEC) inquiry. The investigation produced, among other things, rather salty emails which were then broadcast at a U.S. Senate hearing for all to see. Goldman took bold actions to make an example out of those whom were faulty in this case and to prevent such inappropriate emails from being sent in the future. Whether or not Goldman’s new policy will prevent similar embarrassments is a matter of debate, however, it is important to know how and why some companies go to great lengths to police their email and other electronic communications.
Let’s start with a quick primer on why a company would want such a policy. More than just protecting their reputation, it is important to realize that in the United States, companies are potentially liable for all the electronic communications that pass through company controlled information systems. This responsibility encompasses more than just email. Often IM, texts and social media, along with other electronically stored and transmitted information, can be subpoenaed or requested under legal discovery orders. Policies are designed to avoid the most egregious of email, reduce risk and embarrassment while helping to combat a host of violations. Profanity specifically is often banned, not just to uphold a company reputation, but to avoid harassment or discrimination claims.
As mentioned, internal company edicts often lay out usage policies to dictate how email and other electronic communications should and should not be used. While many organizations may have retention policies that are actively (and automatically) enforced, not many organizations take the time to make sure the usage policy is strictly followed. The exceptions are usually found in high profile, strictly regulated or extremely litigious industries. In these cases, human resources, legal, compliance and information technology teams join forces to not just craft strict usage policies, but to actively implement, regulate and deploy software to control it.
There are two main strategies for most types of policy enforcement: pro-active and reactive. Proactive solutions, like Sherpa Software’s Compliance Attender, screen email in real-time by allowing automated policies to scan communication for violations then determine the trajectory of the message. Screeners are deployed at the client or server level as the communication is generated. These tools are designed to give administrators highly configurable options, ranging from transparent to intrusive, on the correct steps to take when a violating message is identified. These options include pausing delivery of the email with a warning on the client side, stopping it entirely with a non-delivery notice, sending it to the intended recipients while anonymously copying it to a compliance department, collating reports and more. Some tools even replace the offending text with non-offensive characters.
By contrast, reactive auditing often relies on sampling of communications after the data has been sent. These audits can be automated or manual and often rely on selecting a random set of email from random users. The sets are run through filters and maybe evaluated transparently by compliance personnel. If violations are found, internal procedures are initialized to handle offenders.
Both proactive and reactive types of usage policy enforcement rely on custom dictionaries, thesauruses or keywords lists specially crafted to find actionable communication. If the company moves to new markets, lists are often expanded to include terms native to the region or new dictionaries which spell out abusive, profane or vulgar terms in the local language. The creation of these lists often is organic; they can be modified or edited based on feedback from users, additional criteria, evolving terms, company imperatives, or over enthusiastic screening. Think, for example, of the ‘classic’ or Scunthorpe problems. There is a delicate balance in making rules overly comprehensive while still catching the most flagrant violations of policy.
The Goldman Sachs directive highlighted the use of policy and software to combat profanity specifically. In addition to enforcing usage policy, these tools can be used for more far reaching purposes. For example, Sherpa customers use Discovery Attender (a reactive tool), to track down leaking of proprietary data, investigate employees, gather data for impending regulatory audits or assist in legal electronic discovery.
There will continue to be debate on how effective any policy could be in preventing embarrassment on the scale that Goldman Sachs recently experienced. Usage policies, especially when diligently enforced, serve to keep employees conscious of what they are writing. The creators of usage policies hope users are equally aware that the tone, context and content of electronic communication should be weighed as much as the actual words used. After all, if these emails are widely distributed, the court of public opinion can be very judgmental indeed.
For more detail on creation and drivers of policy, please see Denny Russell’s excellent series on managing email or contact Sherpa Support to download a trial of Discovery Attender.