CHICAGO -- Be careful the next time you hit "send" on a business e-mail because your message could wind up in your boss's hands, in front of a judge or plastered in the newspaper, one expert warned at last week's Enterprise Messaging Decisions conference.
"Litigation is the No. 1 risk that employees face with employee e-mail," said Nancy Flynn, executive director at the ePolicy Institute in Columbus, Ohio. "People make inadvertent mistakes, and the opposing counsel is hoping there are smoking-gun e-mails they can use against you."
Fourteen percent of workplace e-mail is subpoenaed in lawsuits, she said. Drafting and enforcing an e-mail policy -- one that includes specifics on how long a company should keep e-mail -- is the best way to prevent employee e-mail from causing a problem, Flynn advised.
She said two-thirds of companies don't have guidelines for retaining and deleting e-mail.
"[Retention] confuses the greatest number of people, including lawyers, IT people and HR staff. What can we delete? How do we know what to retain?" she said.
Flynn's warning made some realize it is time to revisit their policies.
"We have an e-mail policy, but it's not even close to what it should be. It doesn't even scratch the surface anymore," said Karen Zander, a network administrator at S&S Cycle, an Amarillo, Texas-based company that makes after-market racing parts for motorcycles and has more than 400 e-mail users. "[Our policy] states no personal e-mails, but we don't have a retention/deletion policy. We really need to revamp [it]."
Education is a must
Written policies alone are not enough, however. Flynn emphasized the need for IT managers to also educate employees about risks and compliance.
A recent study ePolicy Institute study found that 73% of companies don't train employees on e-mail retention and deletion. "An e-mail policy and employee education on retention/deletion can be your biggest defense from liability," Flynn said.
She cited actual lawsuits, including the federal government's battle against Enron Corp. The feds posted 1.6 million Enron Corp. e-mails on the Web after giving the embattled company the chance to delete the e-mails. The Enron messages included business records, as well as thousands of personal and embarrassing e-mails from current and former employees.
Policies are important because it's not just the employee that's liable -- but the business, too.
"It's the company that spends the money [defending itself], and it's the company's reputation that is ruined," Flynn said. However, situations like this can easily be prevented if employees are educated on e-mail retention and deletion policies.
"It shows how vulnerable you are," said Kevin Barnas, a senior network administrator for 2,000 e-mail users at Farm Bureau Insurance in Lansing, Mich. "Our policy is more of a guideline. We have people who break the rules all the time. We try to enforce it, but we don't have any support."
Flynn said a company may have to terminate an employee to prove that its policy has teeth. She also said that a single policy should apply to all workers, regardless of job title.
Potential e-mail problems include everything from a poor choice of words from a CEO to a threatening message from an IT manager. Regardless of whether a company is private or public, high-profile e-mail gaffes can often lead to front-page newspaper headlines, billion-dollar lawsuits or significant declines in stock prices.
"Journalists want juicy stories," Flynn said. "Tell employees they are forbidden from releasing internal e-mails outside their company or else they will face consequences and be terminated."
E-mail policies should be enforced swiftly and in a consistent way. If employees can't understand the legal jargon, or if it's buried among hundreds of pages of other documentation, the employees are not going to learn or adhere to the rules.
This hit home with information security officer Tom Lloyd with Glenview State Bank in Glenview, Ill.
"We have a policy, but we incorporated it in a general security policy, not a separate e-mail or document," Lloyd said. "But now we're thinking of sending it out as a separate document. From an employee standpoint, it's easier to read a one-page e-mail policy rather than a 50-page security document that includes an e-mail policy within it."
The easiest way to control e-mail is to control content, Flynn advised. "Bad e-mail is bad for business," she said.
TechTarget is the organizer of Enterprise Messaging Decisions 2004 and owner of the family of Web sites that includes SearchDomino.com.
FOR MORE INFORMATION: