The ePolicy Institute has released an interesting and
somewhat scary survey of just how serious a problem e-mail management and
instant messaging have become for businesses. We’re going to look at what the ePolicy
Institute’s Workplace
E-mail and Instant Messaging Survey

Compare their results to what’s happening in your company,
and pay special attention to the growing use and threat from mishandling Instant

Download the survey

There is a nine-page summary
of the survey results that includes the actual questions asked and the answers
that form the basis of the general conclusions.


For those who really understand business costs, the scariest
part of the ePolicy Institute’s 2004 survey is the fact that fully one-fifth of
companies have been dragged into court by subpoenas demanding to see e-mail and
IM records. Whether this is due to a regulatory action at the state or federal
level, or as part of a civil suit, the costs involved in responding to any sort
of legal action—especially the costs of battling to protect confidential
business information—can really add up.

And that number doesn’t even include suits actually related
to malicious, pornographic, or harassing e-mails. Combine the two and you see
that in any year about one-third of big companies can expect to see court
papers requiring them to produce e-mail and/or IM records.

Just how prepared are you to respond to such actions? Do you
have a good, well-enforced policy of retaining important instant messages?

According to the survey, if your company is like most, then
the answer is probably a resounding “no.” More than half of companies
surveyed (and these are businesses that have periodic contacts with the ePolicy
Institute) either don’t retain records as required or don’t know if they are
doing it correctly. E-mail has been around long enough that companies and
lawyers are up to speed on how important it is. However, IM is newer and only
about 20 percent have IM use and retention policies in place. Since only 11
percent are filtering IM, the lack of a policy could potentially be extremely
risky behavior.

If you happen to be in a regulated industry, which includes
financial institutions but might also be construed to include any company with
publicly traded stock, failure to keep proper e-mail and IM records could
actually be a criminal offense.

Another serious policy matter turned up by the survey is the
report that, while most companies monitor the content of external e-mail, only
about 30 percent actually monitor internal e-mail between employees—the kinds
of messages that can give rise to discrimination or harassment suits.

If you need a bit of leverage to help convince employees to
take e-mail and IM policies seriously, remind them that a lot of people have
been fired for policy violations—even something as innocent-seeming as
exchanging jokes can get you canned in some cases. The survey showed that
one-quarter of the responding companies had already fired someone for e-mail
policy violations.

Before implementing new policies, administrators should
always review those policies with upper management and the legal department.

Final word

The ePolicy Institute may be somewhat biased on this
subject; after all, they offer training and other products in this area, but
from my experience working with small and large companies, the numbers in its
survey look pretty accurate. There certainly weren’t any big surprises for me,
so I recommend that you read this survey and take it very seriously.

Following the old legal truism that what lands you in jail
is often your secretary’s meticulously kept records, some companies have
policies of never storing any e-mail or IM, but that is short-sighted. Not only
could that be construed as obstruction of justice in some jurisdictions, but if
your company is doing everything right with regard to workplace harassment and
such, then your record of all e-mail and IM messages may actually be your
strongest defense.

Many people tend to view IM as much less formal than
business e-mail, akin to phone conversations, but while some states make it
illegal to record telephone chats, there is no such law regarding either e-mail
or IM—in fact, some companies are legally required to keep some records of
computer-based communications.

It’s also important to recognize the fact that IM can be
incredibly useful in a business environment, if only because it eliminates the
need to deal with spam in regular e-mail. IM is likely to gain popularity in
business settings in the future and it is important that your organization be
prepared to handle it.

Also watch for…

  • The RBOT-GR
    Worm isn’t spreading very fast but it has a nasty payload—it hijacks any
    Web cam you are running. It can also steal information from your hard
  • The
    Winamp MP3 and media player has a serious vulnerability for which exploit
    code is already in circulation. The only real fix is to delete Winamp,
    which probably shouldn’t be on business machines anyway. Check out the
    original report and exploit at
    Secunia reports this
    threat as extremely critical since it allows a remote takeover of the
    vulnerable system. Nullsoft has released a patch.