SEC v. Tourre: Does anyone still need to be persuaded that personal email doesn’t belong on the company network?

News Coverage of a high-profile securities fraud trial reminds us of the perils of using company email for personal communication.  Recall that former Goldman Sachs trader and defendant Fabrice Tourre is accused of civil fraud in a suit arising from the sale of certain securities that he allegedly knew were part of a hedge fund scheme to profit from the housing collapse.

Recall also the central evidence in the case includes a now-notorious email from “Fab” Tourre to his girlfriend:

“The whole building is about to collapse anytime now … Only potential survivor, the fabulous Fab … standing in the middle of all these complex, highly leveraged, exotic trades he created without necessarily understanding all of the implications of those moustruosities!!! [sic]”

 Or how about this message, also to the girlfriend?

 “I just sold a few Abacus bonds to some widows and orphans I met at the airport.”

 Yikes! How many times have you used company email to communicate with family or friends, saying things that don’t belong on a company server? If you’re typical, you’ve done it, and if you’re smart you stopped doing it as soon as you realized that those communications become business records during litigation, government audits, and the like.

SEC v. Tourre brings to mind an unrelated email policy memo that caught our attention when it hit the blogs earlier this year.

For entirely different, but equally important reasons, law firm King & Spalding informed staff that all personal email sites will be automatically blocked from the company network.

The King & Spalding policy is a security measure. The firm wants to guard the confidential client data on its network from theft. The memo says the goal is to keep out malware that’s almost guaranteed to find its way in when employees bombard the network with traffic from Yahoo, Gmail, et al.

The memo does not outline the additional content-related issues, like the ones presented in SEC v. Tourre.  Emails viewed on the company network can be forensically reconstructed at a later date in connection with litigation. This may or may not have been part of the firm’s contemplation, but Habeas Hard Drive would have mentioned it in order to head off grumbling about the new policy.

In a stroke of brilliance, the firm did facilitate compliance by setting up a separate network, not connected to the primary K&S network, for employees to connect their own devices to the internet. No business will be conducted on the secondary network.

The memo further instructs staff to enlist help from the IT department if any of the clients insist on using non-secure email systems (like Yahoo and Gmail) to conduct business.

 Bravo.  A standing ovation for K& S Chief Information Officer Gene Viscelli, who signed the memo, and for the management who backed him up.

Habeas Hard Drive suggests:  1) read the K&S memo (linked above).  2) adopt the policy. 3) Advise your business clients to do likewise. 4) Don’t use company email for personal communication.

by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a digital forensics and data security analyst.  He is a contributor to, The SANS Computer Forensics Blog, and CyberJungle Radio. He holds US patents in email security and authentication. He President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigation Association (HTCIA). Follow Ira’s digital forensics and data security tweets: @ira_victor

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s