« The Sad and Deplorable State of Internet Security | Main | The Twelve Days of Phishmas 2010 »

Tuesday, 07 December 2010

Legal disclaimers in email messages

Legal disclaimers for email messages are appearing more frequently as organizations recognize the need to exercise control over corporate communications. I'm referring to the two kilobytes of legalese bloat appended to the tail of an email message that proclaims "this message is privileged and confidential!" and blather on, explaining that, if mis-delivered, the recipient should notify the sender, destroy the copy, keep whatever he might have read confidential, degauss the hard drive on which the copy was stored...

Being a long-time advocate of secure email, any time I read a legal disclaimer, I try not to laugh at the futility here, or at best, the misplaced notion of trust. Email is fundamentally like a post card. Postal handlers, the mail boy, or anyone who happens to see the post card as they pass by your office desk can read it.

David Steele, a colleague and attorney, made some helpful observations about attaching such disclaimers to the tail of your mail in a thread on a public list. David explains that the flaw in this practice is obvious. "...Putting disclaimers at the bottom of an email means that the reader has to read down the email to get to the part that says 'this is confidential and don't read it if you're not the intended recipient."

David's solution? "Whenever I send something that is really confidential, I put the notice at the top of the email, with the statement PRIVILEGED AND CONFIDENTIAL COMMUNICATION in all caps as well. I then add a bunch of blank lines to make sure the message is well below the notice. This, in my view, achieves the requirement of providing the notice before the information is read". This practice gives early notice and provides the reader with an opportunity to stop scrolling before reading the correspondence, but it doesn't alter the fact that the message has been disclosed to unintended recipients: for this, you need secure (encrypted) mail.

Many employees pay little attention to the details of a disclaimer policy. They were told to attach disclaimers to faxes and the "right for fax, right for email" logic has proven expedient for many organizations. Unfortunately, the tendency among employees is to attach the disclaimer to every message. I suspect this is because disclaimer policies are simply implemented badly: IT or employees configure mail clients to attach it to every message sent.

The carpet-bomb approach defeats the purpose of legal disclaimers. David Steele weighs in that, "if you use the notice on everything you send out, regardless of whether or not it is confidential, then the notice will become too diluted and have less or no effect when something that is confidential gets sent out to the wrong party." David's message is clear: use it judiciously.

We now have two elements of a best practice when applying legal disclaimers. If you choose to use a disclaimer, (1) place it  at the top of your messages and (2) apply it only when you are sending a message that merits this special consideration.

David offers this example of a disclaimer:

PRIVILEGED AND CONFIDENTIAL COMMUNICATION This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.

If  you find this too stuffy and are enough of a counter-corporate culture creature, you could try this version:

This is email. Treat it like a Post Card. While the probability of intentional interception is low, anyone can read it during transit, anyone may have changed it along the way, or anyone may be impersonating me, the purported sender. You may not even be an intended recipient. If this mail or any attachment was delivered to you, and contained malicious code, it probably did *not* come from me, so please don't send me an email with the subject line "your email contained a worm".

I'll save a discussion on the challenge of attaching legal disclaimers to Tweets and instant messages for a future post.

Posted at 09:39 AM in Rants |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories