Making Money with Email Disclaimers
This article, originally published in Security Solutions Magazine, July/August 2008, explores poorly thought-out email disclaimers and gives practical advice for protecting your company with genuinely effective controls over email communications.
By reading this sentence, you, the reader, agree to give me, the writer, ten dollars.
In theory, I have just made a lot of money, but in reality I might hold off on a deposit for the new car for the moment.
Yet, any number of emails I receive have disclaimers at the bottom to the effect that: “The sender cannot guarantee that this e-mail or any attachment to it is free of computer viruses or other conditions which may damage or interfere with data, hardware or software with which it might be used and accepts no responsibility for its content.”
Apparently, merely by reading the email, I am accepting the conditions in the ubiquitous disclaimer which follows it, even though I probably read the email first, before even noticing the disclaimer. Would that it were so easy to absolve yourself of any and all responsibility for doing the right thing. Could I affix a large sign to the top of my car, stating that I accept no responsibility whatsoever for any condition in my car, say, dodgy brake pads, which may damage or interfere with other vehicles, say by slamming into the side of them? Never mind lawyers, anyone know a good signwriter?
So why, then, are more and more companies adding disclaimers to their emails? Having spoken with numerous lawyers, most conceded that disclaimers hadn’t been widely tested in court, and that in most jurisdictions such agreements couldn’t be enforced where the recipient hadn’t requested the email in the first place, or would otherwise be regarded like any other unilateral “agreement”. The best answer I heard, quite often, was “it probably can’t hurt”. However, it actually can hurt in quite a few circumstances.
Don’t Make Rules You Can’t Or Won’t Enforce
Most disclaimers include a line to the effect that “disclosure or copying of this email is unauthorised”. I’ll keep that in mind next time I receive an email with the subject “FW: FW: fwd: [fwd] FW: Great Joke” which has been around the world a dozen times before getting to me. While many email users are sophisticated enough to delete headers from emails they forward, the bottom of an email (the footer) is seldom checked. Even if the joke is a dud, it’s always amusing to read all the disclaimers underneath, from law firms, accounting firms, police agencies and government offices, all insisting the email should not be forwarded. Nobody’s getting fired, nobody’s getting told off and nobody’s deleting the email (rather than forwarding it). In other words, the rules were never going to be adhered to, so frankly, what’s the point?
Instead of protecting themselves, the companies have embarrassed themselves by having their name attached to all manner of puerile smut (the author is assuming dear readers receive the same manner of witty emails as himself). This is something to consider before configuring your mail server to automatically append a disclaimer to all outgoing emails, particularly when users might actually need something forwarded: an email saying “can you please forward this to your sales department” is followed by a blanket statement explicitly forbidding its forwarding. The same goes for messages posted to public bulletin boards, newsgroups or mailing lists, carrying a warning that the message is confidential and not for public distribution. Most pointless of all are marketing emails and press releases, urging recipients to spread the message and then containing a warning specifically banning them from doing so.
This is the problem with generic disclaimers which are added to all emails, yet are inappropriate to many of them. Consider the typical statement that “opinions expressed in this email do not represent those of the company”, attached to an email from the CEO of the company.
False Hope
Many antivirus gateways now add a message saying “this email has been scanned for viruses by [insert favourite antivirus company]”. Such messages are of course rubbish. Any virus writer worth his salt would ensure all virus-laden messages carried the same message. On the other hand, readers should recognise that (notwithstanding vendor hype) antivirus software alone simply cannot stop all malicious software. As such, including such a message may actually increase your corporate risk, when someone receives a nasty attachment from you, and then refers to your message insisting the message was safe. My advice? Tell antivirus vendors to buy advertising, rather than conveniently mentioning their company at the bottom of your company’s emails.
On the other hand, as mentioned earlier, some organisations instead add messages warning “this message may contain viruses” and encouraging recipients to scan the message for viruses. By doing so, they are effectively admitting they may have sent one. On first read, the above two scenarios suggest that you are damned if you do and damned if you don’t. However, the right answer comes back to what you are trying to achieve with your mail gateway and any messages appended to emails. All too often, system administrators do things because ‘everyone seems to be doing it’, which is itself not a convincing argument.
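The following is an added example, not code from the original article, illustrating why a “scanned for viruses” footer proves nothing: the footer is ordinary body text under the sender’s control, so a spoofed message can carry it word for word. The script constructs two sample messages (both are fabricated test data), shows that a check which trusts the footer passes both, and contrasts it with a check that inspects what the message actually carries. The vendor string “ExampleAV Gateway” and the list of risky extensions are assumptions chosen for the example.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Hypothetical vendor string (an assumption for this example). Any sender
# can type it into a message body, so its presence is not evidence of anything.
SCANNED_FOOTER = "This email has been scanned for viruses by ExampleAV Gateway"

# File types a gateway should treat as executable regardless of the sender.
# This list is illustrative, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def build_message(subject: str, body: str, attachment=None) -> bytes:
    """Build a sample message (constructed test data, not a captured email).
    `attachment` is a tuple (filename, bytes, maintype, subtype) or None."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "reader@example.net"
    msg["Subject"] = subject
    # Both the honest sender and the attacker append the identical footer.
    msg.set_content(body + "\n\n" + SCANNED_FOOTER + "\n")
    if attachment is not None:
        name, data, maintype, subtype = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def naive_is_safe(raw: bytes) -> bool:
    """The check the article warns against: trust the footer text."""
    return SCANNED_FOOTER in raw.decode("ascii", errors="replace")


def suspicious_attachments(raw: bytes) -> list[str]:
    """Look at what the message carries rather than what it claims."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # splitext returns the LAST extension, so "invoice.pdf.exe" is caught.
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS or part.get_content_type() == "application/x-msdownload":
            flagged.append(name)
    return flagged


# Constructed samples: a legitimate note, and a spoofed one carrying an
# executable disguised with a double extension. The "MZ" bytes are a stub,
# not a real program.
BENIGN = build_message(
    "Minutes from Tuesday",
    "Minutes attached as discussed.",
    ("minutes.txt", b"1. Apologies\n2. Budget\n", "text", "plain"),
)
SPOOFED = build_message(
    "Invoice 1234",
    "Please see the attached invoice.",
    ("invoice.pdf.exe", b"MZ" + b"\x00" * 62, "application", "octet-stream"),
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("spoofed", SPOOFED)):
        print(label, "footer check:", naive_is_safe(raw),
              "flagged attachments:", suspicious_attachments(raw))
```

Run as-is and both messages pass the footer check, while only the spoofed one is flagged by the attachment check. The point is not that extension filtering is sufficient (it is not), but that any decision about a message has to rest on properties the sender cannot simply assert in the body.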
Alternatively, these things occur as mail gateways are set to their default configuration. However, anybody familiar with basic IT security guidelines – and the person responsible for your antivirus absolutely should be – knows that default configurations are often inappropriate or insecure.
Making Signatures Useful
Until about 1999, when the Internet wasn’t as widespread and many users were familiar with Unix, it was common to have a “quote of the day” in one’s email signature. Usually, these were brief jokes, witty sayings or some form of profound wisdom. Many of mine were terrific and are unprintable.
Later on, as email became more of a business tool, that practice was widely banned and signatures instead became quite mundane, usually consisting of the person’s full name and contact details (though I never understood why I needed to see someone’s fax number at the bottom of an email). At one point, marketing boffins realised that email signatures could also be useful as advertising. So, the one or two line email was usually followed by the full contact details and then a quick promotional message.
It’s possible, then, for email signatures to be helpful in spreading useful information which can protect both you and your email’s recipients. For example, rather than a generic reference to virus scanning, an educational message saying “Protect yourself from viruses: always be duly suspicious of file attachments, regardless of the sender, and use an up-to-date virus scanner on all email” would educate people and likely achieve the same end result or exceed it.
Clutter
With advertising-laden signatures came my other pet peeve: graphics embedded in email signatures. A single-line email suddenly had a 10 kilobyte file size. Multiply that by a few hundred or thousand a day from a typical Australian company, and this adds up to a significant amount of bandwidth and storage. Although people (especially spammers) have tended to regard email as a practically free alternative to traditional mail, it is relevant to remember that many organisations are obliged to archive emails (internal and external) for extended periods, and that small clutter does add up and can turn into a dollar cost when you account for storage media. Do you really need that animated company logo dancing away at the bottom of every email you send?
A Much Bigger Risk
As an information security tool, email disclaimers, howsoever effectively drafted, are rather like the large sign on the gate of many Australian properties, warning of the myriad armed guards and snarling dogs which protect the premises. That is, they make you feel safe but amount to little if any actual protection. This is especially the case when organisations fail to take hard steps toward protecting themselves from the risks of email, both from and to their organisation.
It is vitally important that organisations check their email policy, ensure it is suitable and that all staff are both familiar and compliant with it. An effective policy should protect the ‘confidentiality, availability and integrity’ of your company’s information assets. It should address issues such as:
- User responsibility for Email
- Inappropriate content
- Emails as official records or formal company communication
- Storage of and disposal of email
- Spam and other unsolicited mail (inbound and outbound)
- Private emails and external mail sources (e.g. Hotmail, Gmail etc.)
- Virus, malicious software and file attachments in general
at a minimum, and each control should apply to both inbound and outbound mail.
If you don’t have an email policy, or are not sure about yours, it is worth speaking to an expert. Contact us for some recommendations. As with most policies or legal documents, readily downloadable versions or generic policy documents are usually insufficient or quite inappropriate to your specific environment. Indeed, we have seen policies and email disclaimers which were copied from other organisations and so poorly reviewed that they still contained references to the original organisation.
Training staff in online safety may also show a far greater return on your dollar spend than that shiny antivirus box in your server room, which may not stop as much malicious software as you think.
In the absence of proper email security policies, enforcement and awareness, even the most well-meaning disclaimers are ineffective. That is, they are worth the paper they are written on, which in the case of email, is zero.
So about that ten dollars you owe me…
© Copyright Calamity.com.au. Permission for reprints may be obtained using the Contact Us link.