NFIB

Protect Your Business With an Email Policy
11/ 18/ 2003

by Kelle Campbell

Did you know that e-mail written by employees in the workplace could be legally attributed to employers? The potential legal pitfalls, such as breach of confidentiality and hostile workplace lawsuits, could significantly hamper your business and damage your reputation.

Not only can e-mail easily be sent "astray," but you also may have to turn over e-mail records to resolve disputes involving contracts, lawsuits or law enforcement issues. More mundane but still damaging are downloaded viruses and loss of productivity as a result of personal e-mail communications.

An increasing number of companies are establishing e-mail policies in order to keep electronic communications professional, maintain productivity and minimize their liability. The following guidelines should help you put together or refine your policy:

If you already have rules regarding issues such as confidentiality, use of business property or harassment, make your e-mail policy as consistent with them as you can. Of course e-mail users' general tendency to write casually and e-mail's semi-permanence in computer storage (even when you think that they're deleted) may require special action.

For example, some companies include "netiquette" rules to ensure a certain degree of professionalism in electronic communications. If you think this is necessary, provide stylistic guidelines and advice on how to handle concerns such as attachments, particularly large ones.

Also, decide if you'll allow personal e-mails, and if so, to what extent. Your employees spend a significant portion of their lives in the workplace and so may need to use your e-mail system to maintain balance between work and life. In addition, employees may wish to receive messages from mailing lists, e-newsletters and newsgroups. Although these resources can provide professionally useful information, you may want to caution employees about inadvertently posting sensitive information or defaming a competitor.

Even if you do allow personal use, you will very likely want to emphasize that company e-mail is for business communications. Nancy Flynn, managing director of the ePolicy Institute and author of The ePolicy Handbook, recommends setting guidelines for appropriate business communications. Some policies just state that e-mail should be related to the organizational objectives, but others are more specific. For example, the University of Wisconsin-Green Bay's policy states that e-mail is "to inform faculty, staff and students about activities, events or policies that relate to the University's educational services and businesses."

You may want to prohibit personal comments about others, discussions about flaws in products, chain letters, copyright infringements, e-mails for an employee's own money-making endeavors and any content contrary to company policy.

Additionally, you should prohibit pornography, racist or sexist language and other offensive material. Doing this can reduce or even eliminate your "hostile work environment" liability if such materials are ever received or sent. Explain what actions should be taken if an offending e-mail is received, encourage recipients to come forward and establish procedures for investigating complaints.

If you decide to monitor for inappropriate e-mails (which may include filtering offending messages), make this clear in your policy. Explain how much privacy employees should expect plus the conditions and procedures under which you will access their e-mail messages. Many policies state that the e-mail system is the organization's property and that e-mail messages are subject to inspection without prior notice to the employee. Although courts have upheld organizations' right to monitor, privacy rights advocates are still fighting these decisions, so keep track of state and federal rulings on e-mail monitoring.

Some companies place their e-mail policies -- or at least a section about e-mail monitoring -- in employee contracts so that they have signed agreements. In addition, some have a monitoring notice appear whenever employees log onto a computer.

Also consider some of the larger legal issues. How do you wish employees to send confidential and sensitive information? Should they use encryption software, limit the material to the company intranet, keep this data offline completely or use some other measure?

Do regulatory bodies require that your company data, including e-mails, be kept for specific periods? Specify which e-mails need to be archived and recommend a timeline for deleting non-archived messages. Organizations involved with litigation may need to hold on to electronic data for indefinite periods.

Finally, ensure that your employees have seen and understood the policy. Make it available via handbooks or the company intranet, and use it during training or orientation sessions. Whenever you update the policy, circulate the new version and consider having it signed by employees.

The American Management Association's 2003 survey revealed that three-fourths of respondents had a written e-mail policy. If you still feel at a loss about joining the ranks of the policy-protected, you can download samples at www.email-policy.com and adapt them with the help of legal counsel.

Small Business Sound Off
Does this story hit home?  Share your story with us