As a result of a class action lawsuit concerning its
manufacturing of the diet drugs Fen-Phen and Redux, pharmaceutical giant American Home Products
Corporation was fined $3.5 billion. Part of the evidence that led to the
settlement was some internal e-mail that had been sent by a couple of AHP’s executives. The presence of that e-mail alone did not
decide the case but it contributed to AHP’s decision
to settle.

Here’s another sobering fact: In a 2004 survey of 840
companies conducted by American Management Association (AMA) and the ePolicy Institute
on workplace e-mail and instant messaging it was found that 65 percent of
companies lack e-mail retention policies. Only 54 percent of the corporations
surveyed conduct any kind of formal e-mail policy training. Combine that with
the fact that one in five U.S. companies has had employee e-mail subpoenaed in
the course of a lawsuit or regulatory investigation and you have some pretty
frightening stats.

Nancy Flynn, the founder and Executive Director of the ePolicy Institute, is on a mission to reduce employers’ IM
and e-mail risks. Nancy has authored six books on the topic and will also be a
featured speaker at the INBOX Email event
held in San Jose on June 2 and 3. In light of new compliance regulations and
the increase in workplace lawsuits, Flynn stresses, “Employers should look
at e-mail and litigation in terms of not if
we someday have our employee e-mail subpoenaed but when we have our employee e-mail subpoenaed.”

Compliance regulations

With new compliance regulations such as HIPAA and Sarbanes-Oxley, and SEC and NYSE regulations in the
financial services arena, companies have to be extra vigilant regarding e-mail
risks; they must be able to prove that they’ve taken appropriate measures to
retain e-mail and IMs as stipulated by the applicable
regulations. According to Flynn, “Regulatory commissions, such as the SEC,
have issued six- and seven-figure fines to companies who are unable to turn
over e-mail records that should have been retained.”

Workplace lawsuits

Companies also have to be on the lookout for e-mail that
could be used in a workplace lawsuit. According to Flynn, what most companies
don’t realize  “is
the fact that e-mail and instant messages are a primary source of evidence in
court cases. They are the electronic equivalent of DNA evidence.” And like
it or not, there is such a thing called “vicarious
liability,” which means that an employer can typically be held
responsible for the actions of its employees. Flynn acknowledges that there is
“no such thing as a 100 percent risk-free e-mail environment.” You
can’t, for example, completely control what employee A says to employee B in an
instant message. But if employee B decides to sue your company for being a
hostile work environment on the basis of employee A’s e-mail, you need to be
able to prove to the court that you took appropriate measures to prevent the
action at the front of the lawsuit.

These measures are what Flynn calls the three E’s of e-mail
risk management:

  • Establish a written policy (for e-mail and IM
    usage, content, and retention).
  • Educate your workforce (“And that’s
    everyone from the summer intern to the CIO”).
  • Enforce your policies.

Your policy should include details about e-mail and IM usage
and content, and retention policies, and you should take strong steps to
educate your workforce with presentations.

When asked about how companies can go about enforcing
policies, Flynn replied, “You use discipline–up to and including
termination–for anyone who violates the policy.” And she also advocates
using monitoring technology such as FortivaSupervision,
to randomly sample a percentage of each user’s correspondence.

If an employer practices proactive risk management such as
the ones in the steps above, a court is less likely to hold it responsible for
actions named in a lawsuit.

Don’t forget IM

Flynn notes that many companies don’t know that retention
and content policies should apply also to instant messaging, which is,
“just turbo-charged e-mail. We know that only 11 percent of companies have
installed software to control and manage their employees’ IM use while about 78
percent of employees are IMing at the office. It’s a
time bomb waiting to go off.” Flynn says there is a huge misconception out
there that IM is not a written business record and that you can say anything
you want. “Users think that once you close your window, the message is
gone, but that’s not true. Even if you’re not retaining the message, the person
you’re chatting with might be. Also, it’s an enormous security issue if your
employees are transmitting IMs on business issues.
These messages are transmitted via the public Internet. They could include
customers’ social security numbers and important account information.”
Employers need to find out what the business presence of IM is in their
workplace and how it is used.

So what’s the holdup?

One of the reasons companies hesitate to create and enforce
retention policies is cost–cost of software, cost of personnel needed to manage
it, etc. But Flynn says that that cost is minimal compared to paying a
six-figure settlement. Also, a lawsuit can result in embarrassing headlines and
loss of credibility for a company. “There have even been cases in which
companies’ stock valuation has dropped because of inappropriate e-mail use that
has been reported by the media.”