Inserting e-mail boilerplate in outgoing e-mails

(hope this is the right forum for this post)

Hello!

As much as I hate the idea, I have a client who needs to insert boilerplate disclaimers in all their outgoign e-mail in order to remain in compliance with European Union privacy regulations regarding personal data (And avoid a 300,000€-$441,000 fine).

My cursory understanding is that the best place to do this is on the server side as some sort of SMTP filter. Or can I somehow do this with procmail?

What's the best way to do this? Any ideas?

Thanks in advance,

Jacob

DH Support might have a good/recommended way of doing what you want to do. Recommendations from other customers MIGHT cause you to get in trouble.

Wholly - Use promo code WhollyMindless for full 97$ credit until 12/11/07.

Why not add a signature. I beleive most email programs support it. I know Outlook Express does. It can be text or a file. Once it is set up, it is added to all outgoing emails from that account.
Silk

My website

Wholly on 12/05/07 07:49 PM said:

> DH Support might have a good/recommended way of doing what you
> want to do. Recommendations from other customers MIGHT cause you
> to get in trouble.

Obviously, I don't want to have any trouble with DH. That being said, any solutions given may be something I can implement on DH, and they may not (i.e. I'll file them away for future reference.)

silkrooster on 12/06/07 00:32 AM said:

> Why not add a signature.

Because users don't necesarily always follow the requirements that you set for them and I'm looking for a more comprehensive way to solve this issue without having to bang heads with people. Getting them to not send out e-mails with loads of CCs is another problem I have to deal with.

Jacob

He's looking to FORCE the trailing text.

Government and lawyers think that everyone reads that sh*t.

Wholly - Use promo code WhollyMindless for full 97$ credit until 12/11/07.

It looks to me like you're onto something with the whole procmail file comment. I don't know much about them yet so I can't help too much, but the idea interested me and I started looking around. This entry in an FAQ I found appeared especially useful:

In reply to:
Q: How can I change the contents of a message but otherwise proceed through my .procmailrc as usual?

A: This is what the :f flag is for....

Good catch!

Wholly - Use promo code WhollyMindless for full 97$ credit until 12/11/07.

Personally, I would rather not be inserting text into e-mails. I find it to be ugly and poor form.

However, PROFESSIONALLY, I have to make sure that my clients remain compliant with EU and local laws regarding privacy.

There are quite a few cases of the administration levying heavy fines for violations and obligating business to close up shop because they can't pay the fines.

I think it is poor government policy, and enforcement should be in line with the real damage caused; i.e. a big security breach that affects real people with real harm to their privacy or identity thefts should have a heavier consequence than something that is *in violation* but hasn't really harmed anyone.

Unfortunately, the administration is choosing to make examples of the businesses that they manage to trip up and catch not following the law to the letter and they're not concerned about putting people out of business, losing jobs, or ruining families. Until the majority of businesses are in compliance and they don't have to scare everyone, this is the situation and the problem that I have to solve.

I won't get into the problems of having DH servers outside of the EU (i.e. in the US where the legislation isn't harmonized with the privacy protections of the EU) but that's a problem too.

Jacob

It's a shame that governments attempt to insulate rather than educate. By requiring businesses to add disclaimers/warnings to email they think it makes all the privacy concerns go away when the REAL answer to privacy is to not send that information in the first place unless you're using encrypted email - you shouldn't even trust that the person talking to you is who they claim to be unless it's signed.

But governments haven't figured out how to read your encrypted mail so they don't want to encourage that.

But the need to do this is understandable. I don't have a couple hundred grand to pay the fines.

Wholly - Use promo code WhollyMindless for full 97$ credit until 12/11/07.

What kind of boilerplate is it that the EU has mandated? Is it something actually useful like providing a method for investigating how the sender got your email address and contact information in case you've received the email in error? Or is it just something that says that the sender is covered by EU regulation - either through being an EU entity or through some voluntary certification process?

The more I think about this the more I beleive it is their problem not yours, unless you will get a fine as well.
Injecting anything into a message, really makes me question how secure an email really is. If you can inject a message, there really is nothing stopping you from altering the original message or even the header.
I would think doing so would cause you to have legal reproductions from those creating the emails and possibly the government.
If I were you I would really think hard about doing this. Creating a pdf about how to create a signature with a warning about the law, would be just as helpful.
Silk

My website

We're getting off topic here - but despite the concerns about adding or altering, how about TAKING the content or forwarding it elsewhere...

We really need to help solve this poor guy's problem.

Wholly - Use promo code WhollyMindless for full 97$ credit until 12/11/07.

I think silkrooster's and your points are very valid. I would fear that users sending emails that are delivered with content they never wrote, let alone even saw, could be problematic.

While the employer may feel this is a "safeguard" against employees not including the necessary boilerplate, I see it as an attempt to avoid enforcing a company email policy and having employees truly understand what is required of them in the handling of the data.

To me, what seems like an immediate convenience would likely, in the long run only exacerbate the problem in that it takes the employee out of the responsibility loop altogether.

Lawyer #1- "Employee Susan, did you not clearly state in your email that blah blah blah ...?"

Employee Susan - "No I didn't. The company "automagically" added that to my email, I guess. I vaguely remember hearing something about that at one point, but I never really paid any attention to it, and I suppose they could have added anything they wanted without me even knowing it. I didn't write that, so I shouldn't be held responsible for it."

Lawyer #1 - "So then, this email is *not* what you wrote after all, even though it purports to be from you; is that correct? "

Arguuuugh!

--rlparker

I use Procmail for processing incoming messages. I've never used it for processing outgoing messages (which is what these are) so I don't know if there's some sort of hack to glom onto outgoing messages and process them using procmail (and alter the body).

I don't believe that simply adding a header is going to be sufficient as in normal use of an e-mail client, the majority of the headers are hidden from the user however I will consult with our legal counsel later today to see what their opinion is on whether a case based on a disclaimer in the headers of the message would likely have success.

Jacob

This is the kind of crap you get when you have too many lawyers on retainer.

Obviously they should be restrained, not retained.

Wholly - Use promo code WhollyMindless for full 97$ credit until 12/11/07.

There are two parts to the boilerplate that is needed. One is a notice informing that your info is part of a data store maintained by ACME Corp for the purpose of BLAH BLAH and an address which you can write to for deletion:

For those who are curious, I'll give a bit of a primer on the EU privacy directives:

(Directive 95/46/EC on the protection of personal data)

The EU drafted the original law which was then handed off to the original member states (countries) for them to draft their own laws in compliance and implement the requirements of the EU directive.

I'm dealing directly with the Spanish implementation which you can read here in English if you want a headache: <a href="https://www.agpd.es/upload/Ley Orgánica 15-99_ingles.pdf">https://www.agpd.es/upload/Ley Orgánica 15-99_ingles.pdf</a>

Each business which deals with any type of personal data has to register with the Data Protection Agency and detail their data stores and the type of data that each data store can contain. So, normally you might have the following data stores

1) Accounting
2) Employees
3) Clients

You have to specify the type of data contained in each data store and the level of security required with each data store.

The registration is required and it doesn't matter whether you use computers or have exclusively paper-based files.

Personal data is any data related to an individual. Address, phone number, e-mail address, name, birthdate, and any transactional information (invoices, visits, e-mails, etc.). Also included is any financial information.

All information needs to be under lock and key (whether digital or paper-based) and can only be accessed by employees who have authorization and used for the purpose for which it was collected. Backups also have to be under lock and key and permission has to be granted also for info provided to 3rd parties.

So, for practical matters, when you receive and record somebody's address or telephone number or e-mail, you have to tell them how you plan to use that information:

"We're going to incorporate your information in our client files and use your imformatiopn to do whatever it is that you've contracted/asked us to do. We're also going to include your information in our publicity data store which may be used to market you our services or for publicity"

The person is informed that they can delete their personal information when they feel like it (usually in writing)

Examples of violations:

A hotel chain which receives a resume from someone looking for a job and passes it from one hotel of their chain to another (which has vacant posts) and calls up the job seeker to offer them a job is in violation.

A business that hasn't told their clients that they may receive publicity via mail or e-mail and then sends out Christmas cards is in violation.

E-mails sent to the wrong address with personal data are in violation.

E-mail with addresses of other people in the CC field are in violation.

Fines range from 600€ to 600,000€

You can see how convoluted it gets...

Jacob

Wow. How disconcerting it must for people who are supposedly so zealous in guarding their privacy to know that whatever government happens to be in power at any given moment now knows exactly where to go to find whatever data they want, and even have the individual datasets pre-cataloged for them. wink

<sarcasm>Of course, Europeans probably have no reason to believe that such data might ever be abused by a draconian government, given history and all.</sarcasm>

Of course, political ranting does nothing to solve your immediate compliance problem. Have you considered using client-side templating to insert the boilerplate?

--rlparker

In reply to:
Wow. How disconcerting it must for people who are supposedly so zealous in guarding their privacy to know that whatever government happens to be in power at any given moment now knows exactly where to go to find whatever data they want, and even have the individual datasets pre-cataloged for them.

I don't know exactly how you're reading this into the post, but I do know that the EU is still considered safer from the prying eyes of government than the US. The company I work for has several clients (private banks) who insisted on us creating a data center outside of the US because they felt that current US law allowed too much opportunity for the government to subpoena data under broad investigations which would compromise the security of their clients.

I think the rules as described require the registration of the types of databases but not the actual contents of said databases.

In reply to:
I don't know exactly how you're reading this into the post, but I do know that the EU is still considered safer from the prying eyes of government than the US.

What I was referring to was that, while *present* EU governments seem more trustworthy than the AmeriKan government when it comes to respecting the privacy of your data, that can change at any time (and in the case of Europe, has done so fairly frequently).

In reply to:
The company I work for has several clients (private banks) who insisted on us creating a data center outside of the US because they felt that current US law allowed too much opportunity for the government to subpoena data under broad investigations which would compromise the security of their clients.

I don't disagree with that at all, and I suspect it evidences sound logic, but governments come and go and their proclivities often change.

In reply to:
I think the rules as described require the registration of the types of databases but not the actual contents of said databases.

Absolutely! To me the problem lies in the cataloging of the datasets existence, structure (what data is stored), locations, and protection methods employed. While the actual data is not stored, it's cataloging makes it trivial to find the data in order to seize it, and I'm envisioning circumstances where the "seizure" is not done with the auhority of present law, but by force and/or intimidation.

My concern here is similar to my concern over the registering of guns in the U.S., where any entity gaining access to the 'registration data" now has a shopping list of where to go to disarm the citizenry. I see this catalog of datastores potentially being used as a tool to facilitate the building of "uber-lists" by a future totalitarian government or a cabal that co-opts a government.

And, yeah, I *do* need to replace the aging tinfoil on my office windows; I hear the stuff looses its effectiveness after 20 years or so. wink

Sorry for wandering off topic here; I really do think that the better solution for the OP might be client-side templating in that it:

1) Reinforces, to at least some degree, the employees' responsibility for handling data safely and legally whn they see the template into which they put their content bearing the disclaimers. SUre, after a while it will be almost unnoticed by them as they see it constantly, but having it added at the server means they will *never* see it (except at the quarterly education meeting, etc.)

2) Maintains the integrity of the email "as sent" by the sender, eliminating the spectacle of "I didn't write that - someone added it to my email" documentary evidence problem in court.

--rlparker

Inserting e-mail boilerplate in outgoing e-mails