News Stay informed about the latest enterprise technology news and product updates.

E-mail policies save face, lawsuits

Companies that don't have a sound e-mail policy open themselves up to potential lawsuits and public embarrassment. An expert offers insight on what your organization's plan should include.

CHICAGO -- Be careful the next time you hit "send" on a business e-mail because your message could wind up in your boss's hands, in front of a judge or plastered in the newspaper, one expert warned at last week's Enterprise Messaging Decisions conference.

"Litigation is the No. 1 risk that employees face with employee e-mail," said Nancy Flynn, executive director at the ePolicy Institute in Columbus, Ohio. "People make inadvertent mistakes, and the opposing counsel is hoping there are smoking-gun e-mails they can use against you."

Fourteen percent of workplace e-mail is subpoenaed in lawsuits, she said. Drafting and enforcing an e-mail policy -- one that includes specifics on how long a company should keep e-mail -- is the best way to prevent employee e-mail from causing a problem, Flynn advised.

Don't leave employee compliance to chance

Companies should:

--Simplify e-mail retention for employees.
--Limit retention to defined business records.
--Train employees to spot nonrecords.
--Provide rules/policy for disposing of nonrecord e-mail.
--Enforce rules/policy for drafts and duplicates.

She said two-thirds of companies don't have guidelines for retaining and deleting e-mail.

"[Retention] confuses the greatest number of people, including lawyers, IT people and HR staff. What can we delete? How do we know what to retain?" she said.

Flynn's warning made some realize it is time to revisit their policies.

"We have an e-mail policy, but it's not even close to what it should be. It doesn't even scratch the surface anymore," said Karen Zander, a network administrator at S&S Cycle, an Amarillo, Texas-based company that makes after-market racing parts for motorcycles and has more than 400 e-mail users. "[Our policy] states no personal e-mails, but we don't have a retention/deletion policy. We really need to revamp [it]."

Education is a must

Written policies alone are not enough, however. Flynn emphasized the need for IT managers to also educate employees about risks and compliance.

A recent study ePolicy Institute study found that 73% of companies don't train employees on e-mail retention and deletion. "An e-mail policy and employee education on retention/deletion can be your biggest defense from liability," Flynn said.

E-mail policy do's and don'ts

Do: Establish comprehensive written e-mail policies.
Do: Educate all employees about risks and compliance.
Do: Stress e-mail is a business tool, and spell out what is appropriate business communication.
Do: Implement e-mail retention/deletion strategies.
Do: Establish e-mail security policies.
Do: Have all employees sign and date a copy of each policy.
Do: Install policy-based content filtering software to monitor and block e-mail that violates policies or regulatory rules.

Don't: Expect employees to train themselves. Make employees aware of risks, rights, responsibilities and repercussions.
Don't: Create separate policies for executives or managers.
Don't: Forget international associates and laws governing e-mail/monitoring abroad.
Don't: Forget to include discrimination and sexual harassment policies in your e-mail policy.

She cited actual lawsuits, including the federal government's battle against Enron Corp. The feds posted 1.6 million Enron Corp. e-mails on the Web after giving the embattled company the chance to delete the e-mails. The Enron messages included business records, as well as thousands of personal and embarrassing e-mails from current and former employees.

Policies are important because it's not just the employee that's liable -- but the business, too.

"It's the company that spends the money [defending itself], and it's the company's reputation that is ruined," Flynn said. However, situations like this can easily be prevented if employees are educated on e-mail retention and deletion policies.

"It shows how vulnerable you are," said Kevin Barnas, a senior network administrator for 2,000 e-mail users at Farm Bureau Insurance in Lansing, Mich. "Our policy is more of a guideline. We have people who break the rules all the time. We try to enforce it, but we don't have any support."

Flynn said a company may have to terminate an employee to prove that its policy has teeth. She also said that a single policy should apply to all workers, regardless of job title.

E-mail pitfalls

Potential e-mail problems include everything from a poor choice of words from a CEO to a threatening message from an IT manager. Regardless of whether a company is private or public, high-profile e-mail gaffes can often lead to front-page newspaper headlines, billion-dollar lawsuits or significant declines in stock prices.

"Journalists want juicy stories," Flynn said. "Tell employees they are forbidden from releasing internal e-mails outside their company or else they will face consequences and be terminated."

E-mail policies should be enforced swiftly and in a consistent way. If employees can't understand the legal jargon, or if it's buried among hundreds of pages of other documentation, the employees are not going to learn or adhere to the rules.

This hit home with information security officer Tom Lloyd with Glenview State Bank in Glenview, Ill.

"We have a policy, but we incorporated it in a general security policy, not a separate e-mail or document," Lloyd said. "But now we're thinking of sending it out as a separate document. From an employee standpoint, it's easier to read a one-page e-mail policy rather than a 50-page security document that includes an e-mail policy within it."

The easiest way to control e-mail is to control content, Flynn advised. "Bad e-mail is bad for business," she said.

TechTarget is the organizer of Enterprise Messaging Decisions 2004 and owner of the family of Web sites that includes


Read why messaging headaches are multiplying

See why the e-mail archiving market is poised to explode

Dig Deeper on Lotus Notes Domino Archiving

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.




  • iSeries tutorials's tutorials provide in-depth information on the iSeries. Our iSeries tutorials address areas you need to know about...

  • V6R1 upgrade planning checklist

    When upgrading to V6R1, make sure your software will be supported, your programs will function and the correct PTFs have been ...

  • Connecting multiple iSeries systems through DDM

    Working with databases over multiple iSeries systems can be simple when remotely connecting logical partitions with distributed ...