E-Risk Factor
OfficePRO magazine,
November/December 2004
Employers ill-prepared to manage e-mail and instant messaging liabilities, survey shows
BY NANCY FLYNN
Today, e-mail and instant messages are the electronic equivalent of DNA evidence—a primary source of evidence in workplace lawsuits and regulatory investigations. In the United States, one in five companies (20 percent) has had employee e-mail subpoenaed in the course of a workplace lawsuit such as a sexual harassment, racial discrimination, wrongful termination, or hostile work environment claim. That’s more than double the 9 percent reported in 2001, and a 6 percent increase over the 14 percent reported last year, according to the 2004 Workplace E-Mail and Instant Messaging Survey conducted by American Management Association and The ePolicy Institute.
Despite growing legal, regulatory, and other risks, many employers remain challenged by strategic e-mail and instant messaging (IM) management. As a result, 13 percent of organizations have already found themselves embroiled in protracted and costly court battles triggered by inappropriate, pornographic, or otherwise offensive employee e-mail.
If your organization has not yet established clear and comprehensive policies and procedures governing employee e-mail and instant messaging, the organization’s assets, reputation, and future are at risk.
As an administrative professional, you help form the front lines of e-mail and IM defense. Perhaps you ghostwrite your executive’s e-mail, as do 43 percent of admins surveyed by IAAP and The ePolicy Institute in 2001. Maybe you’re among the 55 percent charged with screening and deleting executive e-mail. Possibly you are the liaison between the IT department and employees who are struggling with technology. As the conduit between executives and staff, you can play an important role in the development, implementation, and enforcement of an effective e-mail and IM management program.
What’s the most effective way to reduce e-mail and IM risk? Best practices call for the adoption of the “three-e” approach to e-mail management:
E-Mail and IM Rule 1:
Establish written e-mail and IM policies to govern content, personal use, and productivity.
According to the 2004 Workplace E-Mail and Instant Messaging Survey, 79 percent of employers have implemented written e-mail policies. Unfortunately, only 20 percent have policies governing IM use and content.
The failure to impose IM policies is particularly disturbing considering that, when it comes to fast and loose content, nothing tops IM. Most workplace users (58 percent) engage in personal IM chat. Half send and receive inappropriate and potentially damaging IM content, including attachments (19 percent); jokes, gossip, rumors, or disparaging remarks (16 percent); confidential information about the company, a coworker, or client (9 per-cent); and sexual, romantic, or pornographic content (6 percent).
If employee productivity is a concern, count on e-mail and IM to add to the problem. Fully 90 percent of users spend up to 90 minutes each workday sending and receiving instant messages. Another 10 percent of employees spend more than half the workday (4-plus hours) on e-mail, with 86 percent engaging in personal correspondence.
The best advice: Use your written e-mail and IM policies to—among other topics—establish language and content guidelines, impose etiquette rules; address privacy rights and ownership issues; define the organization’s personal use policy; establish retention rules; and stress that compliance is mandatory.
E-Mail and IM Rule 2:
Retention is a critical legal and business function.
A form of turbocharged e-mail, IM creates a written business record that must be retained and archived to meet legal, regulatory, and business requirements. One of the most alarming findings of the 2004 Workplace E-Mail and Instant Messaging Survey is the business community’s ongoing failure to retain e-mail and IM according to written retention and deletion policies. Merely 6 percent of organizations retain and archive business-record IM, and only 35 percent have an e-mail retention policy in place—a slim one percent increase over 2003.
The courts and regulators take records retention seriously. They make no distinction between electronic business records versus traditional paper records. If business records are produced electronically, you are expected to save and store them for the same period of time as paper records. For example, if your organization retains hard-copy personnel records for three years, then save the electronic versions of the same records for 36 months as well.
If your organization is among the 65 percent of businesses that are operating without a written e-mail retention policy, the time to act is now. Take control of e-mail and IM retention today, or face potentially costly consequences tomorrow.
E-Mail and IM Rule 3:
Educate employees about e-mail and IM policy and compliance.
While more than half of survey respondents (54 percent) report that their organizations conduct some e-mail policy training, the facts suggest that employers are not doing a very effective job of communicating e-mail and IM risks, rules, policies, and procedures. More than a third of e-mail users (37 percent) either do not know or are unsure about the difference between an electronic business record that must be retained, versus an insignificant message that may be deleted.
That is particularly bad news for financial services firms, health-care providers, and other regulated industries. Fully 43 percent of regulated employees surveyed said that they either do not adhere to regulatory requirements governing e-mail retention, or are unsure if they are in compliance.
Don’t take chances with policy compliance. Support your e-mail and IM policies with comprehensive, continuing education. Train all employees, from entry-level staff to the executive ranks. Require all employees to sign and date a hard copy of each policy. Make sure all e-mail and IM users know, understand, and agree to comply with the organization’s policies, procedures, rules, and regulations. Enforce your policy with disciplinary action, up to and including termination.
E-Mail and IM Rule 4:
Enforce written e-mail and IM policy.
Employers are getting tougher about e-mail policy compliance, with 25 percent terminating an employee for violating e-mail policy in 2004. When it comes to e-mail policy enforcement, many employers apply a technology solution to the problem.
Fully 60 percent of organizations use software to monitor incoming and outgoing e-mail. Unfortunately, only 27 percent monitor internal e-mail conversations that take place between employees. That’s a potentially dangerous oversight, considering that coworkers are most likely to use inappropriate language, tell jokes, spread rumors, and incorporate other risky content in the informal messages they send to coworkers.
Employers are even less diligent about IM monitoring. Only 11 percent of organizations employ IM management software to monitor, retain, and otherwise control IM. With a third of employees using IM at the office, and 78 percent downloading free IM software from the Internet, most organizations are vulnerable to IM-related legal, compliance, productivity, and security threats—on top of the e-mail challenges they have yet to master.
While no workplace can ever be 100 percent risk-free and compliant, it is the responsibility of employers to keep the workplace (including the computer sys-tem) free from hostility, harassment, and other inappropriate behavior. Put some teeth into your written e-mail and IM policies through a combination of disciplinary action coupled with software technology.
Be sure to use your policy and training programs to inform employees of the following:
E-Mail and IM Rule 5:
Management programs from liability.
The legal principle of vicarious liability holds employers responsible for the misconduct of employees. However, an employer who makes a reasonable effort to prevent a hostile work environment through an e-mail and IM management program that combines policy, training, and enforcement may have a defense against sexual harassment or hostile work environment claims.
Don’t wait for e-mail and IM disaster to strike. Protect your organization by putting a strategic e-mail and IM management program in place today.
Nancy Flynn is executive director of The ePolicy Institute and the author of six books. Her newest titles are Instant Messaging Rules: A Business Guide to Managing Policies, Security, and Legal Issues for Safe IM Communication (AMACOM Books 2004), and E-Mail Rules (AMACOM 2003). Visit www.epolicyinstitute.com to download the 2004 Workplace E-Mail and IM Survey.