E-mail policies save face, lawsuits

By Joyce Chutchian, Editor 12 May 2004 | SearchDomino.com

Digg This!     StumbleUpon     Del.icio.us

CHICAGO -- Be careful the next time you hit "send" on a business e-mail because your message could wind up in your boss's hands, in front of a judge or plastered in the newspaper, one expert warned at last week's Enterprise Messaging Decisions conference.

"Litigation is the No. 1 risk that employees face with employee e-mail," said Nancy Flynn, executive director at the ePolicy Institute in Columbus, Ohio. "People make inadvertent mistakes, and the opposing counsel is hoping there are smoking-gun e-mails they can use against you."

Fourteen percent of workplace e-mail is subpoenaed in lawsuits, she said. Drafting and enforcing an e-mail policy -- one that includes specifics on how long a company should keep e-mail -- is the best way to prevent employee e-mail from causing a problem, Flynn advised.

Don't leave employee compliance to chance Companies should: --Simplify e-mail retention for employees. --Limit retention to defined business records. --Train employees to spot nonrecords. --Provide rules/policy for disposing of nonrecord e-mail. --Enforce rules/policy for drafts and duplicates.

She said two-thirds of companies don't have guidelines for retaining and deleting e-mail.

"[Retention] confuses the greatest number of people, including lawyers, IT people and HR staff. What can we delete? How do we know what to retain?" she said.

Flynn's warning made some realize it is time to revisit their policies.

"We have an e-mail policy, but it's not even close to what it should be. It doesn't even scratch the surface anymore," said Karen Zander, a network administrator at S&S Cycle, an Amarillo, Texas-based company that makes after-market racing parts for motorcycles and has more than 400 e-mail users. "[Our policy] states no personal e-mails, but we don't have a retention/deletion policy. We really need to revamp [it]."

Education is a must

Written policies alone are not enough, however. Flynn emphasized the need for IT managers to also educate employees about risks and compliance.

A recent study ePolicy Institute study found that 73% of companies don't train employees on e-mail retention and deletion. "An e-mail policy and employee education on retention/deletion can be your biggest defense from liability," Flynn said.

E-mail policy do's and don'ts Do: Establish comprehensive written e-mail policies. Do: Educate all employees about risks and compliance. Do: Stress e-mail is a business tool, and spell out what is appropriate business communication. Do: Implement e-mail retention/deletion strategies. Do: Establish e-mail security policies. Do: Have all employees sign and date a copy of each policy. Do: Install policy-based content filtering software to monitor and block e-mail that violates policies or regulatory rules. Don't: Expect employees to train themselves. Make employees aware of risks, rights, responsibilities and repercussions. Don't: Create separate policies for executives or managers. Don't: Forget international associates and laws governing e-mail/monitoring abroad. Don't: Forget to include discrimination and sexual harassment policies in your e-mail policy.

She cited actual lawsuits, including the federal government's battle against Enron Corp. The feds posted 1.6 million Enron Corp. e-mails on the Web after giving the embattled company the chance to delete the e-mails. The Enron messages included business records, as well as thousands of personal and embarrassing e-mails from current and former employees.

Policies are important because it's not just the employee that's liable -- but the business, too.

"It's the company that spends the money [defending itself], and it's the company's reputation that is ruined," Flynn said. However, situations like this can easily be prevented if employees are educated on e-mail retention and deletion policies.

"It shows how vulnerable you are," said Kevin Barnas, a senior network administrator for 2,000 e-mail users at Farm Bureau Insurance in Lansing, Mich. "Our policy is more of a guideline. We have people who break the rules all the time. We try to enforce it, but we don't have any support."

Flynn said a company may have to terminate an employee to prove that its policy has teeth. She also said that a single policy should apply to all workers, regardless of job title.

E-mail pitfalls

Potential e-mail problems include everything from a poor choice of words from a CEO to a threatening message from an IT manager. Regardless of whether a company is private or public, high-profile e-mail gaffes can often lead to front-page newspaper headlines, billion-dollar lawsuits or significant declines in stock prices.

"Journalists want juicy stories," Flynn said. "Tell employees they are forbidden from releasing internal e-mails outside their company or else they will face consequences and be terminated."

E-mail policies should be enforced swiftly and in a consistent way. If employees can't understand the legal jargon, or if it's buried among hundreds of pages of other documentation, the employees are not going to learn or adhere to the rules.

This hit home with information security officer Tom Lloyd with Glenview State Bank in Glenview, Ill.

"We have a policy, but we incorporated it in a general security policy, not a separate e-mail or document," Lloyd said. "But now we're thinking of sending it out as a separate document. From an employee standpoint, it's easier to read a one-page e-mail policy rather than a 50-page security document that includes an e-mail policy within it."

The easiest way to control e-mail is to control content, Flynn advised. "Bad e-mail is bad for business," she said.

TechTarget is the organizer of Enterprise Messaging Decisions 2004 and owner of the family of Web sites that includes SearchDomino.com.

FOR MORE INFORMATION:

Read why messaging headaches are multiplying

See why the e-mail archiving market is poised to explode

Tags: Lotus Notes Domino Archiving,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Lotus Notes Domino Archiving Avoid Lotus Notes Domino email archiving ACL issues with AdminP Archiving Lotus Notes documents to a specified folder E-discovery rules double-edged sword for CIOs IM, blogs next target for litigation Symantec peddles enterprise vault tool Changing a Lotus Notes database mail file from 'archive' to 'mail' Email archiving for SMBs: No experience required School district hooks up affordable compliance archive Exporting email from Lotus Notes to .EML messages Email archiving: What's right for your enterprise?

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary