Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Tips for e-mail handling of confidential information

To most people it’s impossible to imagine the modern office without e-mail as the primary mode of communication. With the widespread popularity of tablets and smartphones moving our e-mail accounts from our desktops to our cell phone screens and everywhere in between, the risks attendant to this ubiquitous use of e-mail is always at the forefront of compliance concerns surrounding the handling of confidential information. To handle this, ongoing controls are advisable to ensure that the flow of information is protected and restricted to sharing on a need-to-know basis only.

  • Determine recipients carefully: Recipients should be determined case-by-case by the purpose of the e-mail. Senders should also consider whether the information is intended to be used internally (for information purposes only) or also at a later stage externally (such as for promotional purposes). In general, recipients should be as limited as possible. Include broader stakeholders more remote to the work that the confidential information concerns only insofar as they are known to be interested (for example Compliance, Legal, or other functions serving the business line). Seek to avoid administrative burden on the sender to update standing lists to tailor them to a particular message, as this is where human error can lead to inadvertent dissemination.
  • Consider most appropriate method of distribution: Use individual addresses, not group mailboxes, to control the recipients, as group mailboxes can be under collective and changing ownership. Posting messages on shared, secure intranet or internet sites may be an attractive alternative to e-mails. This can help to prevent accidentally incorporating unintended recipients, but the community or site needs to be closed and carefully administered.
  • Remember strict criteria for sharing confidential information: Generally, confidential information should only be shared on a need-to-know basis, not like-to-know. Possessing confidential information should be seen as a responsibility, not a privilege, and seeking access to this information or inclusion in communications that share confidential information should be discouraged unless there is a work necessity. As a broad rule, e-mails sent to individuals or groups without first informing them of their responsibilities with handling confidential information should contain public information only.
  • Seek review/approval before dissemination: Think of clicking “send” on an e-mail as publishing the information contained within it. Are your messages up to publication standards? It would be wise to have those which contain confidential information reviewed first by business management before circulation. Management should also be comfortable seeking advice from Compliance on whether sharing the information is appropriate in terms of content or recipients if necessary.
  • Include disclaimer language regarding forwarding/use of information therein: Even with the above points considered, it still could be wise to add disclaimer language to the e-mail to discourage erroneous distribution or misuse. E-mails can easily be printed, forwarded, or copied and pasted. Standard disclosure language could be, for an example: “Information in this transmission is intended only for the person(s) to whom it is directed. Any disclosure, copying, forwarding, re-publishing, or other dissemination of the information is unauthorized. No liability is accepted for any unauthorized use of the information contained herein.”

Using e-mail has become second nature to most people, but communicating confidential information always merits extra caution. Considering the above control framework can help to use e-mail more carefully and wisely to ensure that confidential information is not mishandled or inadvertently disseminated