Are You Sure You Want to Use Email?
Companies Rethink Policies About Deleting Messages in Wake of Sony Leaks
By Don Clark, Shira Ovide and Elizabeth Dwoskin in the Wall Street Journal
Electronic mail, despite many attempts to replace it, remains a vital communications tool and an ad-hoc filing cabinet for employees at most companies. Retrieving important information and attachments by searching mail—which can be stored indefinitely—is simple and fast.
But as was highlighted in the Sony hack, this puts a single trove of both potentially embarrassing communication and critical company secrets within easy reach of cybercriminals.
Many long-established companies have for some time had email-deletion policies, but for a different reason: Complying with demands for stored communication in legal cases can be expensive.
These policies typically call for automatic deletion of emails after a set period, often after 90 or 120 days. But many companies—especially startups—have no retention policies.
Some experts view the startling success of attackers in breaching Sony’s defenses and distributing sensitive emails—an incident that U.S. officials have linked to North Korea—as a powerful argument for prompt destruction of nonessential messages.
“My belief is the retention policy should be 30 days,” said Steve Blank, a veteran Silicon Valley entrepreneur and academic. “I think the Sony-North Korea thing just kind of reinforces the fact.”
There are signs that some companies are heeding such calls. Cloud Sherpas, an Atlanta-based firm that helps companies buy Gmail and other workplace technology from Google Inc. and others, said two customers have changed their email retention systems since the Sony hacking.
One of them, a big technology manufacturing firm on the West Coast, asked for a customized software process to purge email of specific users whenever the business deemed it necessary, said David Hoff, Cloud Sherpas’ chief technology officer. The other customer, a midsize manufacturer, added a Google function to automatically delete emails after a year, with a shared “safe” folder in which employees could stow emails that they needed to keep longer.
Deleting messages isn’t necessarily an absolute defense against theft, since storage systems frequently retain traces of data that can be retrieved under some circumstances.
A Sony spokesman didn't respond to questions about the company’s data-retention policies or details about the breach.
“They have a lot more questions for us as we sell into those accounts,” said Douglas Murray, chief executive of Big Switch Networks Inc., a Silicon Valley startup that is using a security firm to evaluate its safeguards. “People are concerned.”
Executives at some startups say the very idea of regularly deleting emails is a foreign concept, and may be too drastic a solution.
“Destroying email that has become a repository for employees to go back and do research will be a significant culture change,” said Justin Somaini, chief technology officer at Box Inc., which offers online data storage and related services. “A better approach than deleting email is the application of healthy security practices on the content itself.”
Another familiar option is encrypting mails to make them unintelligible in the event they are stolen. Few companies encrypt all of their email, though, in part because many employees correspond with others outside their organizations who aren’t using the technology.
Some startups, meanwhile, have been pushing alternatives to email that they believe improve collaboration. They include Slack Technologies Inc. and HipChat.
Matt Mullenweg, chief executive of the startup Automattic, said it mainly leans on tools such as Slack and hardly uses email anymore. But those services also generate data that could tempt attackers.
“Search is one of the big features of these tools, so deleting old stuff would be counterproductive,” said Mr. Mullenweg, who said his company has no plans to start deleting emails.
Many startups also rely on services like Google’s Gmail, rather than storing and managing email on their own servers as established companies tend to do.
“We expect our email to stick around forever,” said Jonathan Gray, chief executive of the big data startup Cask, which uses Gmail. “I think most would be best served thinking that way.” Mr. Gray said his company has strict policies around handling sensitive data from its enterprise customers, but had no internal policy governing how email data would be deleted.
John Schroeder, chief executive of big data startup MapR, said the company takes a similar stance. “We haven’t implemented a deletion policy of any kind,” he said, adding that the company has strict policies for handling customer data.
At the opposite extreme are companies like Intel Corp., which grappled with email retention issues in a private antitrust suit by rival Advanced Micro Devices Inc. that was settled in 2009.
Some Intel employees failed to take the proper measures to stop relevant emails from being destroyed by the company’s auto-delete system.
Now the company automatically deletes emails after 90 days, unless employees individually take action to store them in folders, said Chuck Mulloy, an Intel spokesman.
These days, Silicon Valley companies seem more interested in reducing the risks with additional technology. Some entrepreneurs have advocated messaging systems, along the lines of the consumer service Snapchat, that are designed to delete messages soon after they are viewed.
Others believe that companies should develop technology that gives individuals or corporate owners of that data the ability to destroy it remotely if it falls into the wrong hands, though the feasibility of the approach remains unclear.
“The sender should have the right to delete the email,” said Muddu Sudhakar, chief executive of Caspida, a Silicon Valley security startup. “These systems need to evolve to support that capability.”
—Steven Rosenbush and Evelyn M. Rusli contributed to this article.