Beware the unmanaged risk of e-mail and IM

One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. Here are some of the sad outcomes of such lawsuits and what you can do to avoid one with your company.

According to a recent survey, 65 percent of companies lack e-mail retention policies. Only 54 percent of the corporations surveyed conduct any kind of formal e-mail policy training. One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation.

If you need some reasons why not having an e-mail retention policy is a bad idea, just keep reading.

Baseline magazine ran a piece about companies who found out the hard way that not retaining data can hit the bottom line and hit it hard. From the piece:

Philip Morris USA was ordered by a U.S. District Court judge in Washington, D.C., to pay $2.75 million in fines when it came out during federal tobacco litigation in 2004 that 11 managers didn't save printouts of their e-mail messages, as per company policy. As an added punishment, those managers were barred from testifying at trial, according to the order from U.S. District Court Judge Gladys Kessler.

The investment bank Morgan Stanley repeatedly failed to turn over data related to a fraud suit brought in 2005 by Coleman Holdings Inc., the owner of camping gear maker Coleman Co., according to an order written by the judge in the case, Elizabeth T. Maass. One of Morgan Stanley's technology workers concealed knowledge of 1,423 backup tapes, later found in Brooklyn, N.Y., when he certified that the bank had produced all its evidence, according to court documents. At least three other times, the judge said, the bank lost or mislaid backup tapes. Maass read a three-page statement to the jury detailing the missteps, which included overwriting e-mails and using flawed search software that hampered searches of Lotus Notes messages. She told the jury to assume the bank acted with "malice or evil intent" unless it could prove otherwise.

Morgan Stanley lost the case, big: The jury awarded Coleman $1.6 billion.

Nancy Flynn, founder and executive director of The ePolicy Institute, stresses, "Employers should look at e-mail and litigation in terms of not if we someday have our employee e-mail subpoenaed but when we have our employee e-mail subpoenaed."

Compliance regulations

With compliance regulations such as HIPAA and Sarbanes-Oxley, and SEC and NYSE regulations in the financial services arena, companies have to be extra vigilant regarding e-mail risks; they must be able to prove that they've taken appropriate measures to retain e-mail and IMs as stipulated by the applicable regulations. According to Flynn, "Regulatory commissions, such as the SEC, have issued six- and seven-figure fines to companies who are unable to turn over e-mail records that should have been retained."

Workplace lawsuits

Companies also have to be on the lookout for e-mail that could be used in a workplace lawsuit. According to Flynn, what most companies don't realize "is the fact that e-mail and instant messages are a primary source of evidence in court cases. They are the electronic equivalent of DNA evidence." And like it or not, there is such a thing as "vicarious liability," which means that an employer can typically be held responsible for the actions of its employees. Flynn acknowledges that there is "no such thing as a 100 percent risk-free e-mail environment." You can't, for example, completely control what employee A says to employee B in an instant message. But if employee B decides to sue your company for a hostile work environment on the basis of employee A's e-mail, you need to be able to prove to the court that you took appropriate measures to prevent the conduct at the center of the lawsuit.

These measures are what Flynn calls the three E's of e-mail risk management:

  • Establish a written policy (for e-mail and IM usage, content, and retention).
  • Educate your workforce ("And that's everyone from the summer intern to the CIO").
  • Enforce your policies.

Your policy should spell out the rules for e-mail and IM usage, content, and retention, and you should take strong steps to educate your workforce, for example with presentations.

When asked about how companies can go about enforcing policies, Flynn replied, "You use discipline--up to and including termination--for anyone who violates the policy."

If an employer practices proactive risk management such as the steps above, a court is less likely to hold it responsible for actions named in a lawsuit.

Don't forget IM

Flynn notes that many companies don't know that retention and content policies should also apply to instant messaging, which is "just turbo-charged e-mail. We know that only 11 percent of companies have installed software to control and manage their employees' IM use while about 78 percent of employees are IMing at the office. It's a time bomb waiting to go off." Flynn says there is a huge misconception out there that IM is not a written business record and that you can say anything you want. "Users think that once you close your window, the message is gone, but that's not true. Even if you're not retaining the message, the person you're chatting with might be. Also, it's an enormous security issue if your employees are transmitting IMs on business issues. These messages are transmitted via the public Internet. They could include customers' social security numbers and important account information." Employers need to find out what the business presence of IM is in their workplace and how it is used.

So what's the holdup?

One of the reasons companies hesitate to create and enforce retention policies is cost: the cost of software, the cost of personnel needed to manage it, and so on. But Flynn says that cost is minimal compared to paying a six-figure settlement. Also, a lawsuit can result in embarrassing headlines and loss of credibility for a company. "There have even been cases in which companies' stock valuation has dropped because of inappropriate e-mail use that has been reported by the media."

Bottom Line for IT Leaders

One in five U.S. companies has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation. Creating an effective e-mail retention policy should be at the top of your agenda.