How to stay out of e-mail jail

E-mail and instant messages are the electronic equivalent of DNA evidence. Recent headline-grabbing scandals involving e-mail, such as the termination of Boeing CEO Harry Stonecipher for exchanging sexually graphic e-mails with a colleague, have reinforced the negative impact e-mail can have on a company, its assets, employees and reputation.

Tips to reduce e-mail risks

• Don’t assume the executive in the corner office knows better. Boeing’s Stonecipher is not the first CEO to trigger e-mail disaster. In 2001, Cerner Corp.’s CEO sent an ill-conceived e-mail that triggered a 25% drop in stock valuation.
• Establish e-mail policy governing language, usage and netiquette.
• Insist that all employees, from summer interns to the CEO, comply with policy.

The Boeing case comes on the heels of costly, high-profile lawsuits triggered by or based on e-mail evidence, as well as numerous six- and seven-figure regulatory fines levied against e-mail users in the financial services arena. E-mail and instant messaging (IM) create critical business and legal challenges for all organizations, public and private, large and small. Without effective e-mail policies and procedures in place, a company is at undue risk of regulatory fines, costly and protracted lawsuits, embarrassing headlines, and public relations nightmares.

The 2004 Workplace E-Mail and Instant Messaging Survey from the American Management Association (AMA) and ePolicy Institute reveals that one in five employers has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. Another 13% have battled workplace lawsuits triggered by employee e-mail.

To reduce the likelihood of e-mail disaster striking, businesses must strategically manage employee e-mail and IM use. To that end, The ePolicy Institute offers a few e-mail and IM rules, excerpted from my books E-Mail Rules and Instant Messaging Rules.

Rule #1: Develop a comprehensive written policy addressing e-mail and instant messaging usage and content.

A good electronic communications policy should clearly spell out for employees what is, and is not, considered appropriate business communication. It should also make clear how much personal e-mail and IM use (if any) is acceptable.

Most employees use their corporate inbox for both business and personal use, a fact that can be costly to the organization if a lawsuit or regulatory investigation arises. Individual employees face substantial e-mail risks, as well. In fact, 25% of US employers report that they have terminated employees for violating e-mail policy.

The development of an effective e-mail policy can be challenging. For organizations that are looking for some direction, the Electronic Communications Compliance Council (TE3C), a non-profit organization dedicated to creating best practices and resources for companies struggling with regulatory compliance, makes available a free online policy tool. The Policy Builder tool, available at, provides comprehensive templates that can be customized to meet the specific needs of your business.

In addition to establishing policies governing e-mail and IM usage and content, organizations also are advised to implement a written policy addressing the retention of e-mail and IM business records. Unfortunately, employers tend to fall short when it comes to strategic e-mail retention. Fully 65% of businesses lack e-mail retention and deletion policies. In the event of a lawsuit or regulatory investigation, these organizations may have a hard time producing subpoenaed messages, a failure that could result in costly court sanctions and regulatory fines.

The failure to enforce e-mail retention rules has cost companies millions of dollars. In one well-known case, Murphy Oil sought 20 million pages of e-mail from a company called Fluor Daniel. Unfortunately, Fluor Daniel failed to adhere to its own retention and deletion policy, which called for the purging of e-mail after 45 days. As a result, 93 backup tapes with over 25,000 e-mails per tape were available when the legal discovery request was made. The court ordered Fluor Daniel to restore and produce the content on the tapes at a cost of $6.2 million and six months of staff time.

Once your policies are in place, be sure to have employees sign and date a copy of each policy, acknowledging that they have read it, understand it, and agree to comply with it or accept the consequences, up to and including termination.

Rule #2: Educate all employees — from the summer intern to the CEO — about e-mail policy and procedures, rules and regulations.

The 2004 AMA/ePolicy Institute survey shows that only 54% of organizations offer e-mail policy training to staff. An untrained staff cannot be expected to comply with a policy they may not be aware of or fully understand.

Use your policy and training program to ensure that, among other critical issues, employees understand that the organization has the right to monitor e-mail transmissions; employees have no reasonable expectation of privacy when using the organization’s e-mail system; and compliance with e-mail policy is mandatory. If you are among the 60% of businesses that monitor incoming and outgoing e-mail, be sure to alert your employees to this fact.

Tips to reduce e-mail risks

• Educate all employees – part-time and full-time, managers and executives – about e-mail risks, rules and regulations.
• Enforce policy with software. A majority of employers monitor e-mail, and 10% monitor IM. If you monitor, notify employees that they have no reasonable expectation of privacy when using company e-mail.

The need for training has been heightened by the rapidly growing use of instant messaging in the workplace. A form of turbocharged e-mail, IM poses substantial risks for employers. With 78% of employees downloading free IM software from the Internet, it’s not unusual for staff to use IM without management’s knowledge or IT controls. For regulated firms in particular, the unmanaged use of IM is a time bomb waiting to explode. Act today to prevent IM disasters tomorrow. Establish written IM policy; educate employees about IM usage, content and retention rules; and manage IM risks with software technology that monitors, filters, retains and archives IM in concert with your written rules and policies.

Rule #3: Enforce your e-mail rules and policies.

Policy and employee education are just part of the solution. Be sure to put some teeth in your e-mail management program with a combination of consistently applied discipline and software technology. The most effective means of policy enforcement is to implement a software solution that can automatically monitor and archive e-mail and IM. As the e-mail archiving market continues to grow, the solutions available to meet this need are becoming increasingly sophisticated. Today, businesses can choose between an in-house solution and an external, managed solution offering everything from an integrated policy to full search capabilities for legal discovery.

Businesses cannot afford to turn a blind eye to e-mail and IM risks. The “Three E” approach to strategic e-mail management should be at the top of every CSO/CIO’s to-do list for 2005: (1) Establish written e-mail and IM policy; (2) Educate executives and employees about e-mail risks, rules and regulations; and (3) Enforce policies with a combination of disciplinary action and software technology.


–Nancy Flynn is founder and executive director of The ePolicy Institute (www.e