Corporate governance and regulation were one of the dominant themes of 2004 and look set to continue to be so throughout 2005. Corporate governance relates to how an organisation is run, and has repercussions for almost every department – particularly Finance, HR, Auditing, Procurement and IT. Due to the nature of the potential content of email, ranging from a simple customer query to financial projections, the use of this application demands particular attention to ensure that its management helps to secure regulatory compliance.

From the late 1990s, numerous new regulations have been introduced in both the United States and Europe, often in the wake of corporate scandals where unethical business practices fell foul of existing financial reporting and disclosure rules. The backlash from these high profile episodes prompted newer corporate compliance legislation, such as Basel II in Europe and Sarbanes-Oxley in the United States. This is now being implemented alongside the likes of the EU Data Protection Directives and the Privacy & Electronic Communications Regulation, to ensure that companies put and keep their houses in order.

In general, the relationship between email and the law is a patchy one, with a mismatch of old and new law dealing with old and new issues. There is no single law relating directly to the use of email, and yet it is touched by several pieces of legislation intended to balance the interests of privacy and human rights with protecting corporate investment and security.


For example, in the UK, the 7th Principle of the Data Protection Act requires that businesses take ‘appropriate measures to prevent the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’ Although somewhat ambiguous in its definition, it essentially means that companies must protect all electronic communications containing customer data, including all emails sent and received.

It is not just customer information that must be considered. In order to be compliant with the regulations, businesses must take appropriate measures to mitigate the risk of disclosing valuable or sensitive organisational data. Unauthorised access to or distribution of financial forecasts, intellectual property or any other company-sensitive information can not only contravene legislation but may also do substantial damage to an organisation’s credibility, reputation and future competitiveness. It is also worth remembering that contracts are often inadvertently created via email – without either party realising it.