Firms use software to police office e-mail

Whenever a doctor, nurse or administrator in Georgia's DeKalb Medical Center sends an e-mail, the message detours through a special box in the three-hospital system's computing cluster. The box analyzes the e-mail, scanning for sensitive information such as patient names, prescription histories, and Social Security numbers.

More than 1,200 times a month, the box finds such private data and routes the message for encryption. Several times a week, though, the system set up by Proofpoint Inc. is unsure what to do, so it alerts a human - information security administrator Sharon Finney - to review a message.

Such oversight is becoming more common. Many organizations, fearful that inside information can slip out through innumerable digital avenues, now govern precisely what employees can or cannot put into e-mails, instant messages, Web postings and even off-line documents. Since employers cannot hold their workers' hands all the time, they are increasingly turning to software that tries to do it for them.

Offices have had strong computer controls for years, from inbound protections such as antivirus programs to filtering technologies that block porn or Web e-mail sites. This new generation of software sticks its nose into even more of what people do all day.

For example, one communications-control vendor, Orchestria Corp., said its software could have prevented the chief executive officer of Whole Foods Market Inc. from posting the rival-denigrating comments on Internet message boards that he later came to regret.

How so? Because Orchestria's software can be set to notice when certain key words - a competitor's name, for example - are entered in documents or Web forms. The software can be set to block such actions or simply warn users that they are breaking company policy.

This automated monitoring is moving beyond highly regulated industries such as health care and financial services thanks to a spate of new rules from government and the credit card industry. Organizations also fear breaches in customer-account data, insider thefts, and other public relations nightmares.

"The driver is ethics and reputation," said Joe Fantuzzi, CEO of Workshare Inc., whose software analyzes data-leakage risks. "Regulated or not, I need to be seen as an ethical corporation. That affects my stock price, that affects whether customers are retained - whether there's a leak or not."

These messaging-compliance technologies are still young. The Radicati Group Inc., a technology-research firm, estimates the market will ring up $670 million worldwide this year and more than triple in size by 2011.

Radicati analyst Masha Khmartseva said the technologies had some problems, including a tendency to mistakenly block or hold up items even if nothing in them flouts corporate policies.

Also, systems that warn employees if it appears they are about to send something possibly untoward - say, the name of a product under development to a recipient outside the company - can produce an annoying stream of pop-up messages, Khmartseva notes.

But get used to it.

"Very soon, everything is going to be controlled," Khmartseva said. "At least that's the idea. We'll see how it's going to happen."

For now at least, the rise of compliance-watchdog software does not appear to be provoking an outcry. It might be a sign of the times.

"Notions of security and compliance are, frankly, viewed differently than they were 10 years ago," said Orchestria's director of sales consulting, David Miller. "We live in a time when compliance and security are critical disciplines, and people accept that. People's expectations are different now. They want to be protected from themselves."