A disgruntled artist at an animation studio stands up and looks over his cubicle to make sure the coast is clear. Slumping back in his chair, he opens his anonymous Gmail account, attaches documents about a top-secret movie the company is working on, and smiles as he clicks the “send” button, electronically transmitting this sensitive info to a rival company.

What this employee fails to realize is that his boss remotely monitors e-mail and Web activity to catch such insubordinate acts. The animator is fired, then sued, and will likely never find work in the industry again.

Roughly 25 to 40 percent of firms in North America monitor employee e-mail in some capacity, says Mark Levitt, vice president of collaborative computing and the enterprise workplace at IDC, the research firm in Framingham, Mass. “Employers have both a right and a responsibility to ensure that e-mail is used for the good of the organization and is not used in an unlawful or damaging way,” says Levitt, a retired attorney.

When it comes to the debate over privacy, Levitt says an employer's owns the e-mail systems -- which includes the software, network access, computers, and so forth. Therefore, the company has the legal right to oversee how its systems are being used or abused. In one sense, e-mail monitoring is a way to protect the organization’s confidential business information. “Employers need to know if employees are sending e-mails to competitors containing confidential information about product designs or strategies,” says Levitt.

Liability and potential lawsuits

Aside from divulging trade secrets, there are other key reasons to monitor e-mail. A company needs to protect itself from legal liability if a worker is misusing e-mail to send offensive messages to or about co-workers in the office, such as inappropriate sexual remarks. New laws and regulations require companies to protect private customer information and that means making sure employees are not divulging customer information to a third-party via e-mail.

There are also productivity issues. A business owner will want to to know if an employee is sending personal e-mails all day. Small businesses have fewer staff members and it hurts the bottom line to have one or more being unproductive.

“The question isn’t whether an employer should monitor workers’ e-mail -- the answer to that is yes, and it is legal -- but it’s how they should go about it,” says John Soma, law professor at  Sturm College at the University of Denver and Executive Director at the Privacy Foundation, an organization that conducts research and educates the public about technologies that affect personal privacy when improperly implemented.

“The first step is to make sure employees consent to it by signing a disclaimer that acknowledges the company has a right to monitor e-mail,” says Soma. “You can do it when an employee is hired, at contract renewal or at a company meeting -- but the key is consent.” Letting employees know up front their e-mails can be monitored may also serve as a preventative measure.

Ways to monitor e-mail

According to Jonathan Singer, an analyst at the Boston, Mass.-based Yankee Group research firm, companies can monitor their employee’s e-mail messages in a variety of ways.

“How extensively you want to monitor outgoing e-mail likely depends on the nature of your business,” says Singer. “A small tech start-up company for example, may want to make sure their secrets aren’t being divulged, while a financial services firm would want to ensure customer records aren’t sent out to places it shouldn’t.” In other cases, such as a mom and pop pet store, industrial espionage may be less of an issue.

Singer says there are several ways to do this:

  • Manually. You can manually go through an employee’s messages by using the administrative access that most e-mail systems provide.
  • Filtering software. You can install filtering software that detect key words, attachment files or specific e-mail domains and pre-emptively blocks these types of e-mails.
  • Keystroke loggers. Keystroke logger programs can send a record of every key pressed on the computer back to an employer or IT department for review. The latter is a drastic measure and should only be deployed if a company has suspicions that an employee is engaged in illegal activities.