Beware the unmanaged risk of e-mail and instant messaging

According to a recent survey, 65 percent of companies lack e-mail retention policies. Only 54 percent of the corporations surveyed conduct any kind of formal e-mail policy training. One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. Read what one e-mail risk expert has to say.

As a result of a class action lawsuit concerning its manufacture of the diet drugs Fen-Phen and Redux, pharmaceutical giant American Home Products Corporation was fined $3.5 billion. Part of the evidence that led to the settlement was some internal e-mail that had been sent by a couple of AHP's executives. The presence of that e-mail alone did not decide the case, but it contributed to AHP's decision to settle.

Here's another sobering fact: In a 2004 survey of 840 companies on workplace e-mail and instant messaging, conducted by the American Management Association (AMA) and the ePolicy Institute, it was found that 65 percent of companies lack e-mail retention policies. Only 54 percent of the corporations surveyed conduct any kind of formal e-mail policy training. Combine that with the fact that one in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation, and you have some pretty frightening stats.

Nancy Flynn, the founder and Executive Director of the ePolicy Institute, is on a mission to reduce employers' IM and e-mail risks. Nancy has authored six books on the topic and will also be a featured speaker at the INBOX Email event held in San Jose on June 2 and 3. In light of new compliance regulations and the increase in workplace lawsuits, Flynn stresses, "Employers should look at e-mail and litigation in terms of not if we someday have our employee e-mail subpoenaed but when we have our employee e-mail subpoenaed."

Compliance regulations

With new compliance regulations such as HIPAA and Sarbanes-Oxley, and SEC and NYSE regulations in the financial services arena, companies have to be extra vigilant regarding e-mail risks; they must be able to prove that they've taken appropriate measures to retain e-mail and IMs as stipulated by the applicable regulations. According to Flynn, "Regulatory commissions, such as the SEC, have issued six- and seven-figure fines to companies who are unable to turn over e-mail records that should have been retained."

Workplace lawsuits

Companies also have to be on the lookout for e-mail that could be used in a workplace lawsuit. According to Flynn, what most companies don't realize "is the fact that e-mail and instant messages are a primary source of evidence in court cases. They are the electronic equivalent of DNA evidence." And like it or not, there is such a thing as "vicarious liability," which means that an employer can typically be held responsible for the actions of its employees. Flynn acknowledges that there is "no such thing as a 100 percent risk-free e-mail environment." You can't, for example, completely control what employee A says to employee B in an instant message. But if employee B decides to sue your company for a hostile work environment on the basis of employee A's e-mail, you need to be able to prove to the court that you took appropriate measures to prevent the conduct that prompted the lawsuit.

These measures are what Flynn calls the three E's of e-mail risk management:

  • Establish a written policy (for e-mail and IM usage, content, and retention).
  • Educate your workforce ("And that's everyone from the summer intern to the CIO").
  • Enforce your policies.

Your policy should spell out rules for e-mail and IM usage, content, and retention, and you should take strong steps to educate your workforce with presentations.

When asked about how companies can go about enforcing policies, Flynn replied, "You use discipline—up to and including termination—for anyone who violates the policy." And she also advocates using monitoring technology such as FortivaSupervision, to randomly sample a percentage of each user's correspondence.

If an employer practices proactive risk management such as the steps above, a court is less likely to hold it responsible for actions named in a lawsuit.

Don't forget IM

Flynn notes that many companies don't know that retention and content policies should also apply to instant messaging, which is "just turbo-charged e-mail. We know that only 11 percent of companies have installed software to control and manage their employees' IM use while about 78 percent of employees are IMing at the office. It's a time bomb waiting to go off." Flynn says there is a huge misconception out there that IM is not a written business record and that you can say anything you want. "Users think that once you close your window, the message is gone, but that's not true. Even if you're not retaining the message, the person you're chatting with might be. Also, it's an enormous security issue if your employees are transmitting IMs on business issues. These messages are transmitted via the public Internet. They could include customers' social security numbers and important account information." Employers need to find out what the business presence of IM is in their workplace and how it is used.

So what's the holdup?

One of the reasons companies hesitate to create and enforce retention policies is cost—cost of software, cost of personnel needed to manage it, etc. But Flynn says that that cost is minimal compared to paying a six-figure settlement. Also, a lawsuit can result in embarrassing headlines and loss of credibility for a company. "There have even been cases in which companies' stock valuation has dropped because of inappropriate e-mail use that has been reported by the media."

About Toni Bowers

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.
