Email is a quick, cheap and easy means of communication. This makes email a great business tool, but at the same time a potential threat for employers. Email threats such as confidentiality breaches, legal liability, lost productivity and damage to reputation cost companies millions of dollars each year. How can a company protect itself from these threats? The first step in securing your company is to create an email usage policy. After you have created your email policy you must make sure it is actually implemented. This can be done by giving regular trainings and by monitoring employees’ email using email security software.
What are the email threats that companies face?
By using email, companies face several threats. These range from legal threats to network congestion:
Legal liability
In most cases the employer is held responsible for all the information transmitted on or from their systems. As a result, inappropriate emails can result in multi-million dollar penalties. In the last few years there have been several high profile lawsuits such as the case against UK firm Norwich Union, who were forced to pay £450,000 in an out of court settlement after an employee sent an email stating that their competitor Western Provident Association was in financial difficulties. In the US, Chevron settled a case filed by four female employees for $2.2 million. The employees alleged that sexually harassing emails sent through the company email system caused a threatening work environment. One of the sexually offensive messages was a ‘joke’ sheet titled ’25 reasons why beer is better than women’. A company can also be liable if one of its employees sends an email containing a virus.
Confidentiality breaches
Most confidentiality breaches occur from within the company. These breaches can be accidental, for instance by selecting a wrong contact in the To: field. However, confidentiality breaches can also be intentional, as Borland International Inc. experienced first hand: A Borland employee used the company’s email system to send out confidential information to competitor Symantec, his new employer. The trade secrets included product design specifications, sales data and information regarding a prospective contract for which both companies were competing. The employee and recipient were both charged with trade secret theft. Whether it is by mistake or on purpose, the result of the loss of confidential data is the same.
Damage to reputation
There is no doubt that the contents of corporate emails reflect on the business. A badly written email, or an email containing unprofessional remarks will cause the recipient to have a bad impression of the company the sender is representing. UK law firm Norton Rose had to find this out the hard way when two of their employees originated the ‘Claire Swire’ email, a sexually explicit email that ended up being read by over 10 million people around the world. Especially since the company in question was a law firm, and the employees were attorneys, this email caused severe damage of reputation.
Lost productivity
Lost productivity due to inappropriate use of a company’s email system is becoming a growing area of concern. In the US, a survey revealed that 86 per cent of workers used their company email to send and receive personal emails. A recent study by the Gartner Group found that unproductive internal emails take up 30 percent of employees’ time spent reading email. It concluded that banning email which contains gossip, jokes, and other time-wasting content would save a considerable amount of employees’ time. In addition to personal emails, unwanted spam messages are a huge time waster.
Network congestion & down time
Spam and personal (mis) use of email can cause a company’s email system to waste valuable bandwidth resources, not to mention employees’ time. A Gartner Group study held under 13,000 email users, found that 90 percent receive spam at least once a week, and almost 50 percent get spammed more than 6 times a week. Personal emails cause network congestion since they are not only unnecessary, but tend to be mailed to a large list of recipients and often include large attachments such as mp3, executable or video files that users do not zip. Viruses are another important area of concern. If a virus hits the company system this can cause network congestion or even down time.
Email retrieval on court order
Email records are increasingly used in lawsuits since they tend to contain important evidence. For instance, if your company is faced with a wrongful termination lawsuit, chances are that you will be ordered to search all company emails for messages relating to that person. This is usually not just a matter of a quick keyword search. The retrieval often involves restoring thousands of emails on servers and result in slow and painful searches. Worse still, the court could even confiscate your computers as evidence. Not to mention the fact that the search might uncover some embarrassing evidence you never knew you were 'safekeeping'. If on the other hand you regularly delete email as stipulated in corporate email policy guidelines, the court might not force you to do an expensive search since it has enough reason to believe that it will not yield any results.
Why do you need an email policy?
By having a good email policy in place you can secure your company in several ways. Firstly, the email policy helps prevent email threats, since it makes your staff aware of the corporate rules and guidelines, which if followed will protect your company.
Secondly, an email policy can help stop any misconduct at an early stage by asking employees to come forward as soon as they receive an offensive email. Keeping the incidents to a minimum can help avoid legal liability. For instance in the case of Morgan Stanley, a US investment bank that faced an employee court case, the court ruled that a single email communication (a racist joke, in this case) cannot create a hostile work environment and dismissed the case against them.
If an incident does occur, an email policy can minimize the company’s liability for the employee’s actions. Previous cases have proven that the existence of an email policy can prove that the company has taken steps to prevent inappropriate use of the email system and therefore can be freed of liability. WorldCom Corp. for instance, faced a court case from two former employees for allowing four racially offensive jokes on its email system. WorldCom successfully defended themselves because they had an email policy that spelled out inappropriate content and because they took prompt remedial action against the coworker who sent the racially harassing emails.
Finally, if you are going to use email filtering software to check the contents of your employee’s emails, it is essential to have an email policy that states the possibility of email monitoring. If you do not have such as policy you could be liable for privacy infringement.
How do you create an email policy?
Now that you know why you need an email policy, the next step is to create one. Basically an email policy should include all the do's and don’ts concerning the company’s email system:
Email risks: The policy should list email risks to make users aware of the potential harmful effects of their actions. Advise users that sending an email is like sending a postcard: if you don't want it posted on a bulletin board, then don't send it.
Best practices: This should include email etiquette and writing rules in order to uphold the good reputation of the company and to deliver quality customer service. Also include instructions on compressing attachments to save bandwidth.
Personal usage: The policy should state whether personal emails are accepted and if so, to what extent. You can for instance set limits on the amount of personal emails sent each day, or you could require personal emails to be saved in a separate folder. You will probably want to prohibit the sending of chain letters and mass mailings and limit or eliminate certain email attachments from being sent or received. In every case, include examples and clear measures taken when these rules are breached.
Wastage of resources: Warn users that they are making use of the company’s email system and that they should not engage in non-business activities that unnecessarily tie up network traffic. The policy must also cover the use of newsletters & newsgroups. For instance you can require a user to request permission before subscribing to a newsletter or newsgroup.
Prohibited content: The policy should expressly state that the email system is not to be used for the creation or distribution of any offensive, or disruptive messages, including messages containing offensive comments about race, gender, age, sexual orientation, pornography, religious or political beliefs, national origin or disability. State that employees who receive any emails with this content should report the matter to their supervisor immediately. Moreover, employees should not use email to discuss competitors, potential acquisitions or mergers or to give their opinion about another firm. Unlawful messages, such as copyright infringing emails should also be prohibited. Include examples and clear measures taken when these rules are breached.
Document retention policy: Unless your organization is required to archive email messages, which is the case for government, health care and financial institutions, it is best to create a policy rule that dictates deletion of emails after a certain amount of days. However, it is a good idea to provide an option to save certain emails in a different folder to avoid deletion. If you provide this option, spell out which emails may be saved and which must be deleted.
Treatment of confidential data: Include rules and guidelines on how employees should deal with confidential information and trade secrets. Make employees encrypt any confidential information that is sent via email and change passwords regularly. Also include measures that will be taken if an employee is found to be sending out confidential information unlawfully.
Email disclaimer: If you are adding a disclaimer to employees' emails, you should inform them of this and state the disclaimer text that is added.
Email monitoring: If you are going to monitor your employees' emails, you must state this in your email policy. Warn that employees should have no expectation of privacy in anything they create, store, send or receive on the company’s computer system and that the company may, but is not obliged to monitor messages without prior notice. If you do not mention that the company is not obliged to monitor messages, an employee could potentially sue the company for failing to block a particular message.
Publishing the email policy
The email policy should be made available and easily accessible to all employees. The policy should be included in employee handbooks and company intranets. It is best to include the email policy, or a short statement regarding the policy, in employment contracts. In this way the employee must acknowledge in writing that he/she is aware of the email policy and of the obligation to adhere to it. When the policy is updated a new copy can be circulated via email as well as on paper. Preferably have each new update signed by employees.
Enforcing the email policy
There are a number of ways in which you can enforce the company email policy:
Provide training
Regularly train users in applying the email policy. Help users send effective emails by informing them of best practices, explain that offensive jokes and remarks can be much more harmful than they seem, and stress that employees that witness abuse of the email system must report this to their supervisor. Encryption techniques and the use of digital signatures should also be covered.
Take prompt action
If an employee complains about offensive emails, it is extremely important that this is dealt with fairly and quickly. Internal procedures should be in place in order to allow investigation into complaints. Employees must also be encouraged to come forward if inappropriate email content is detected. Prompt action can potentially save your company a large amount of legal costs, as was the case with WorldCom corp. Within 10 days of hearing the employees’ complaints about offensive emails, supervisors arranged two meetings to discuss the incident. They also reprimanded the sender of the messages by placing a written warning in her personnel file and issuing a verbal reproach. WorldCom supervisors also requested that several workers, including the two plaintiffs, review the company’s email policy. The result was that the court deemed that the employer had ‘acted reasonably’ and dismissed the case against WorldCom.
Monitor email
Monitoring of email is the only way to make sure that no email policy rules are being breached. You can monitor emails that are stored on the company’s systems to detect patterns of misuse, but the best way to monitor email is to automatically block or quarantine messages before they are sent or received. The practicing of email monitoring could also be of help in a court of law, since it shows that the company is serious about preventing offensive messages and unlawful use of the email system. Apart from monitoring mails for legal purposes, attention must also be paid to protect the email system from viruses and spam messages.
Is email monitoring legal?
Some employees may argue that by monitoring their emails, companies are violating their privacy rights. However, court cases have shown that if the employer has warned the employee beforehand that their email might be monitored, the employer has a right to do so. This again stresses the need for an email policy and to include a statement that warns users that their email may be monitored at any time without prior warning. For more information on the legaility of email monitoring, read this article by Red Earth Software.
Back to the Top
Article reproduced with permission from
http://www.email-policy.com/ |
