E-mail habits are risky business

If your business lacks a strict policy governing e-mail behavior, you could be putting yourself at risk of legal action. That's because e-mail in the workplace now qualifies as a business record, a new E-Mail Survey points out.

The 2003 E-Mail Survey, released this week, was gleaned from contact with more than 1100 U.S. companies. Among the findings: Employees spend about one quarter of their workday on e-mail, and 76 percent report a loss of time due to system problems.

Fourteen percent of companies say they have been ordered by a court or regulatory body to produce employee e-mail, and 22 percent of companies report firing an employee for a transgression related to e-mail. The study was conducted jointly by the American Management Association, Clearswift Ltd., and The ePolicy Institute.

E-Mail And Law

The survey yielded several distressing results, says ePolicy Institute executive director Nancy Flynn. Most significantly, companies have not implemented e-mail policies during the last two years, even as the importance of such regulations have become clear.

"Businesses have been slow to learn the lessons of effective e-mail management as a preparation for possible litigation," she says. "The most alarming thing is that only 27 percent of the surveyed companies are doing any training about retention and deletion of e-mail, and only 34 percent have any retention and deletion policies in place at all."

Flynn points to the concept of "vicarious liability" as an example of how an e-mail policy can protect a company against legal action. Under this statute, employers are held responsible for the "bad acts" of an employee. But if a company has a comprehensive e-mail policy in place and provides ongoing training, the blame shifts away from the company and toward the individual who made the transgression.

Flynn says such polices are never "one size fits all," but suggests companies "establish, educate, and enforce" when it comes to e-mail practices. For instance, a securities firm has strict legal guidelines as to deletion and retention, while a small private company may have different requirements.

"You should consult with a cyberlawyer and put together a policy that properly retains your business records," she says. "This needs to clearly define what is a business record and establishes a policy as to what can be deleted."

Policies Needed

Those using a corporate e-mail network are well advised to keep all personal communication off of the company's system, she adds.

"When a business record is retained, any personal or embarrassing information included becomes part of that record," Flynn says. "So employers need to encourage their employees to be circumspect in their e-mail communication and not to mix non-business messages with business correspondence."

In some cases, employees should not be allowed to delete mail at all. This may seem like an invasion of privacy, but it protects all involved, she says. "Determining what should be retained is a huge burden on an employee," she says.

An e-mail policy is only the beginning. Instant messaging, which is by nature more informal than "old fashioned" e-mail, may require a similar conduct policy. And since IM can be a home for gossip and loose talk, corporations need to be especially mindful of what occurs on this channel.

Corporations need to train employees how to handle e-mail, especially regarding spam, personal notes, or something that could be construed as harassment, says Ivan O'Sullivan, vice president of worldwide corporate development for Clearswift, which co-sponsored the research. The London-based company sells e-mail filtering systems to corporations.

"Employees need to know what they can put into e-mail and what should be said on the telephone or face to face," O'sullivan says. "Bad work habits can turn what could be a great tool into something harmful."