"In the future, how we gather, manage and use information will determine whether we succeed or fail "

--Bill Gates

Corporate email has become a great business tool today - fast, efficient and cheap. More and more companies today are running their businesses purely on the basis of email communications. This being so email also is considered to be a potential threat to a company and its operations if not used judiciously and with proper care. There have been cases of companies closing down due to law suits that spring from inappropriate email communications - cases like critical information leaking, offensive comments pertaining to religion, race, sex and confidentiality breaches are increasingly capturing companies' attention and forcing them to adopt and implement a corporate email policy.

Cases in point like the following amply give out reasons why companies should adopt email policies:

In 1995, Chevron Corp. was ordered to pay female employees $2.2 million to settle a sexual harassment lawsuit stemming from inappropriate e-mail circulated by male employees.

Lockheed Martin's e-mail system crashed for six hours after an employee sent 60,000 co-workers a personal e-mail with a request for an electronic receipt. The defense contractor, which posts 40 million e-mails monthly, lost hundreds of thousands of dollars thanks to this one employee's action and the resulting system crash.

What is a corporate email policy?

A corporate email policy is a set of guidelines and rules for email usage created by the company for its employees. While the email policy is a set of precautionary measures that help in keeping the employees of the company create any inappropriate and unacceptable email communication, it also lays down enforcing principles that govern the rights and responsibilities of the company in an event of a lawsuit or right infringement complaint against the company's employees. It should be understood that a corporate email account that an employee uses is company's property and hence it has the right to carry out precautionary and remedial measures to protect its security, privacy and credibility so far as it is reflected by its email systems.

Statutes

In the United States, the Electronic Communications Privacy Act governs unauthorized access to and disclosure of electronic mail messages. While it is important to be familiar with ECPA, this law does not generally apply to limit the policies that an employer may adopt with regard to use of company email systems by employees and access to or disclosure of employee email. The exceptions to ECPA state that the employer is allowed access to the employee's email either by his consent or due to normal business need.

Creating an email policy

Company policies regarding email should be consistent with company policy regarding other issues relating to privacy, use of company property, and access to employee workspaces. It includes dos and don'ts on various issues concerning usage of an organization's email system. Roughly the aspects that are highlighted in an email policy are as follows:

Purpose of use of company email

One of the studies by Gartner on employee time indicates that an average employee spends 30% of his email time accessing personal emails. This seriously affects the overall productivity of the organization considering the time wasted. Also such personal emails are generally mass mailers and often have huge attachments that put the strain on the overall network connectivity leading to wastage of corporate resources not to mention spam (seen as the worst ever email threat today by a survey by Osterman Research). Companies hence in their policies can limit the amount and nature of personal email that employees can access.

Format of use - signatures, disclaimers

Companies can enforce on their employees a specific pattern or format in which emails are used and written. Common examples are formats for email signature that are attached to a message that is sent. The company can enforce the format of this signature (name, department, telephone and fax numbers etc) to bring a uniform pattern in the way the emails from the company originate.

Also seen are disclaimers that the company can attach stressing the company's extent of liability with the content of the message. It is important to note that such interception of messages and enforcement of rules should be explicitly laid down by the company in its email policy document and should be expressly communicated to the employees.

Language and type of content to be used

Arguably the most important aspect in email disputes is the nature and type of content that is transmitted in the emails. The company' email policy should clearly demarcate the content that is unacceptable for transmission without proper authority. Trade secrets, confidential matters and price lists form part of this. Also it should highlight the nature and kind of content that should not be transmitted by anyone - content that is offensive in nature towards race, sex, religious and political beliefs etc. Any kind of unlawful and inappropriate content should be discouraged from use if it is liable to provoke the recipient's dignity and personal/ professional rights and/ or which is unhealthy to the company itself.
An explicit policy towards the above makes the company less liable to any damages arising from infringement of the rules by the employees.

To illustrate, WorldCom Corp. was at the end of a lawsuit by two of its former employees for certain racially offensive material on its email system. However because WorldCom proved that it took prompt action against the sender of the emails, it was successful in evading serious consequences out of the lawsuit.

Organizations can also enforce certain email etiquette in composing and replying to messages to bring certain amount of discipline among the employees.

Confidentiality matters

Confidential content is subject to a lot of threat in organizations and is capable of deliberately/ inadvertently being leaked out. The email policy should lay down what constitutes as a confidential content, how it has to be transmitted if at all (encryption procedures) and by what authority. Measures to combat failure to comply with this should be expressly mentioned in the policy as well.

Storage and archiving of emails (when and what to delete)

It is good practice to follow proper archiving/ document retention mechanisms to avoid inconvenience and unnecessary trouble at later stages. Companies depending on their dependency on emails and the nature of their business can adopt policies where certain kinds of emails are deleted after a specific period of time or are archived and stored for further retrieval. But this has to be done in a systematic manner. Ad hoc measures in doing this will only bring in more trouble for the company.

Publishing and enforcing

The email policy formed by a company should be easily accessible and available to the employees. It should ideally be available on the corporate intranet for everyone to access. Also issues mentioned in the policy should be laid down clearly in no ambiguous terms for everyone to understand. In other words different rules and guidelines should be expressly communicated in the policy document. Also mentioned should be steps that the company will take in case of any employee working against the policy. Sometimes an organization may want its employees to view and accept the policy at the time of their recruitment itself. All this makes the company appear reasonably aware and concerned with the respective issues - a major plus for companies in matters like lawsuits. The company can do the following to enforce the email policy amongst its employees.

Training and awareness programs

The company can train its employees into acceptable and non acceptable levels of email content and format and bring a general awareness about the policy guidelines and measure taken on infringement of the same. Prompt actions

Prompt action

Prompt action should be taken in case of disputes or complaints that stress violation of the policy rules. This while doing justice to the complainant shall also bring understanding of the company's commitment and concern regarding the issues laid down in the policy.

Email Monitoring

The most effective and widely used means to enforce email policies is to monitor individual emails. For this it is extremely important that employees are made aware that their emails are liable to be monitored or this itself will be violation of employee's privacy. Many companies today monitor email while their employees may or may not be aware but few have an express policy in place over the issue.

In 1991 two employees of Nissan took the company to court (Bourke v. Nissan) after the company fired two employees as they had been caught sending sexually explicit emails. The employees claimed invasion of privacy, violation of their constitutional right to privacy among other claims. However, since Nissan had an email policy in place and had explicitly stated that employees' emails would be subject to monitoring, the court ruled in favor of Nissan.

Emails can be monitored after their actual transmission (email auditing) in which case it is just like searching an employees computer files for certain information. Alternatively emails can be monitored before they are transmitted (email interception) and needs an policy in place more than the earlier version of monitoring. It is necessary to understand that any measures of enforcement should be applied uniformly without undue discrimination against certain individual(s) and at all reasonable times.

Updating policies

Email policies are best reviewed once every quarter to accommodate changing business conditions and technological developments. With development and growth in intranet usage, email policies can be distributed more easily than on paper. Software to monitor emails have done the job much easier for IT departments to manage and enforce their policies.

your comments on the article

contact the author

Share this newsletter!
If you know colleagues who would be interested in this newsletter, please direct them to http://www.webizus.com/newsletter.html

To unsubscribe from the monthly newsletter, click on the link below to e-mail your request to us. YOU WILL RECEIVE NO FURTHER NEWSLETTERS from Webizus Technologies if you do.
newsletter@webizus.com?subject=unsubscribe

Webizus takes your privacy seriously. To learn more about Webizus' use of personal information, please read our Privacy Policy at http://www.webizus.com/privacy.html

Disclaimer:
Webizus through the content published makes no warranties or guarantees about the products/ services represented or about the articles presented in the newsletter. The articles by various authors are entirely their own opinion. Webizus holds no responsibility to any damage or loss incurred in any form to any person or organization due to the publication of any of the issues.

Copyright ©1999-2002, Webizus Technologies, All Rights Reserved.

For more information mail us on info@webizus.com

Contact us today for a demonstration of how we can cut down your costs and improve your business:
Email us at: info@webizus.com or call us at +91-9821634476 / +91-22-55910132

Download our corporate profile