If you don't want your employees to use your e-mail system to send porn, chain letters, or company secrets, a written policy is the best way to let them know. Start with a basic statement of who is allowed to use the system and for what. That part you can handle yourself.
And then call in the specialists: a lawyer for advice on compliance and privacy issues, and then your HR and IT people. Nancy Flynn of the ePolicy Institute also advises putting the most senior person possible in charge of explaining and implementing the policy. "It sends a message to employees that management takes it seriously," she says.
A survey by ePolicy revealed that 79% of companies have some kind of e-mail policy, but only 54% are doing any employee training or education. "E-mail education is the most immediate and cost-effective way to address the challenge of managing e-mail content and volume," says Stephanie Mendelsohn, a trial lawyer and electronic discovery expert with law firm Reed Smith in San Francisco. Every year, the policy should be reevaluated to make sure it's up-to-date.
Here are the key questions your policy should address.
According to the federal Electronic Communications Privacy Act, employees have few e-mail privacy rights when the computer system is the property of the employer. Still, privacy lawsuits are on the rise, and spelling out what kind of e-mails (if any) you will regard as private can reduce legal trouble.
What's out of bounds?
A policy should spell out what constitutes inappropriate content, including everything from pornography to religious or ethnic insults. This part of your policy should be consistent with your policies on harassment and discrimination. You should also outline procedures for confidential, copyrighted, and proprietary internal material.
"Would you say it aloud to a client or customer? Would you be happy if your boss overheard you say it? If the answer to any one of those questions is no, don't write it in an e-mail," says Patricia Eyres, a lawyer and founder of Litigation Management and Training, a consultancy that advises clients on how to stay out of court.
Fifty-five percent of U.S. companies monitor employees' e-mail, according to an AMA/ePolicy survey. Your policy should explain how monitoring is done and by whom--in-house staff or an off-site vendor. Just stating your intention is not enough. "If you have a policy that says e-mail can be monitored but in 10 years you've never monitored anybody's e-mail, then your de facto policy is that e-mail is not monitored," says Mark Rasch, senior vice president for Solutionary, an Omaha computer security firm.
What gets thrown away?
In the post-Enron world the issue of what to retain versus what to delete has become critical and confusing. Thinking on the subject often comes down to two simplistic approaches: Save everything (fantastically expensive and wasteful) or delete everything (morally bankrupt, possibly against the law, and also impossible).
"'Delete' rarely means it goes away," says Eyres. Forensic experts can find almost anything. And even if your side of an exchange has been erased, the other is probably on somebody's hard drive.
In addition to defining what kind of e-mail you want to keep, you also need to tell your employees where to keep it. Printing out e-mails and filing them is legally okay. "The courts make no distinction between an electronic record and a paper record," says Flynn. It's also important to set a time limit after which all unnecessary e-mail should be purged. How long you need to keep things is partly your own call and partly a matter of complying with the laws that cover your business. (See The Government's Take on E-mail.)
How much personal stuff is okay?
According to e-mail archive and management firm Waterford Technologies of Irvine, Calif., a little more than a third of all corporate e-mail is not work-related. It's not realistic to ban all personal e-mail at work, but many companies do put limits on it, restricting it to particular times or a number of minutes per day.
Another approach is to ask employees to set up white lists of people from whom they can receive e-mails (spouses, children, babysitters, and so on). Some companies require all personal e-mailing be done not through the company system but via Web-based services like Hotmail and Gmail.
What are the consequences?
It isn't necessary to list the range of action in the policy, but it's crucial to state that action will be taken. And to take it.
What devices are covered?
Your policy should cover every gadget your employees use for e-mail. You should also cover home computer use, such as when employees access the company server remotely, as well as instant messaging and company weblogs.