E-policy enforcement

Many of your employees may not realize that e-mail messages are organizational records. From a joke sent to a coworker to a contract e-mailed to a vendor, each blitz, instant message or e-mail is the property of the employer.

Whether you have one or 1,000 employees, keeping track of the

appropriateness of each and every message can be a difficult task. E-mail — originally a tool for quick, informal communication — is now a business-critical application. In many cases, an e-mail message, whether business or personal communication, is sent and forgotten. This can lead to trouble for an employer if the message is in some way offensive, harassing, obscene or defamatory.

Tom Gober, a forensic accountant based in Birmingham, Ala., has seen many legal cases in which e-mail has been the single most importance source of evidence. In a recent insurance fraud investigation, Gober conducted a thorough and complete e-mail search. Among thousands of e-mails he had to find the 10 per cent that were vitally important to the fraud case.

How can a company make sure its messaging system isn’t a legal liability? There’s no way to guarantee a risk-free workplace, but companies should think about developing a comprehensive e-policy and purchasing software to uphold standards for e-mail usage.

While some personal e-mail usage may be okay, companies should make it clear that company e-mail is specifically for business communications. Such a statement is called an e-policy, and it’s a corporate statement and set of rules to protect an organization from casual or intentional abuse, as well as IT system failures or litigation against the organization. By prohibiting racist or sexist language, chain letters or pornography and other offensive material, companies can reduce their liability.

E-policies abound on the Internet, but you’ll likely want to adapt them with the help of legal counsel. Most e-mail and Internet use policies clearly state that the e-mail system is company property and use of the e-mail system is for official business only. There are typically sections on confidentiality, personal use, restrictions and e-mail management.

If you have an e-policy, make sure people know about it. Educate your employees and provide examples of risk. Follow up periodically; you don’t want the e-policy to be out of sight and out of mind. You might even place the e-mail policies in employee contracts so that there is a signed agreement, and having a monitoring notice appear whenever employees log on.

Sometimes instituting an e-policy isn’t enough to protect your organization from legal woes. C2C Systems recommends backing up that policy with an automated archiving tool to keep your company protected from potential productivity, privacy and legal issues.

Are you a paranoid archiver who saves everything, or a selective archiver who saves specific material and/or purges the archive periodically? Depending on the business you are in, you’ll want to develop an appropriate archiving strategy and purchase an archiving product that meets your company’s needs. Many companies institute an archiving policy (as part of the e-mail management section of the e-policy) that tells employees what to save, how to categorize files, where to store information, and where and how to destroy files.

Consider purchasing an archiving product with multi-criteria rules to ensure retention, reduced risk and optimized performance. Some products just allow single criteria archiving — Bob’s e-mail goes into Storage A — but multi-criteria rules allow flexibility to meet the needs of an e-policy — Bob’s e-mail related to finance goes into Storage A and his e-mail related to sales goes into Storage B.

You’ll also need this flexibility, since e-policies vary from company to company, sometimes from division to division — even from day to day. For example, a company might have several policies, from regular attachment extensions blocking and spam filtering to message and mailbox size limits. Other e-policies require removing e-mail from the system after a certain number of days.

E-policy enforcement is at the heart of all best practice e-mail user organizations. Dale Holley, network engineer at Sartomer in Exton, Pa., sums it up well: “”I used to think that e-policies were implemented to enforce controls and change everyday practices. I now see them more as a legal protection. We don’t spend time monitoring user’s inboxes and scolding them for noncompliance. Instead, if a user files a complaint concerning illicit or offensive content, we take appropriate action to block it if possible, hand the case over to HR when prudent, and rest assured that the e-policy absolves us of complicity.””

Don’t have an e-policy yet? Here are just a few reasons why your organization should.

  • An inappropriate e-mail can lead to a sexual harassment or hostile work environment lawsuit.
  • When two employees are discussing a product defect, such as the harmful side effects of a medication, the e-mail can become evidence in a class action lawsuit.
  • E-mail messages between a supervisor and an employee (or two co-workers) may be important in a wrongful termination lawsuit.
  • Has a harmful virus hit your organization? It might not have if an e-policy had been in place.
  • Theft of confidential data and sabotage are made easy, thanks to e-mail.

Dave Hunt is the CEO at C2C Systems Inc., a provider of e-mail lifecycle management solutions for Exchange. He can be reached at [email protected].

Got a question for our experts? E-mail [email protected].

SMB Extra Home

Contact the editor

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.