E-mail is a quick, inexpensive, and convenient business tool, but at the same time it can pose a serious threat to a company due to legal liability, data breaches, or lost productivity caused by employees who abuse the privilege for personal reasons.

A company can help protect itself from such threats if owners or managers  implement and then enforce an e-mail policy, a document that clearly outlines the rules and limits for employees who use e-mail -- and the employer’s right to monitor employee e-mail messages.

“An e-mail policy is critical to avoid ambiguity that could create unfounded expectations of privacy in employer-provided e-mail,” says Mark Levitt, vice president of Collaborative Computing and the Enterprise Workplace at IDC, the Framingham, Mass.-based research firm.. “This also helps to reduce the extent to which employees become upset or angry when they find out that their e-mails have been monitored.”

The following is a look at writing the policy, properly implementing it and ways to enforce it.

Step 1: Drafting a policy

Before you can implement a company e-mail policy, you need to write one.

You may be able to turn to experts for cheap and easy help, according to John Soma, Executive Director of the Privacy Foundation, and a law professor at Sturm College at the University of Denver.  “Each industry typically has some sort of trade association, and they may already have some kind of e-mail policy templates you can modify to suit your company’s needs,” says Soma. “It’s foolish to reinvent the wheel, to invent your own e-mail policy from scratch -- instead, use what resources are available.”

Once you've begun to work on your draft, be explicit, says Jonathan Singer, an analyst at the Boston, Mass.-based Yankee Group. He advises crafting a policy that is abundantly clear and to the point: “If there’s any ambiguity, it can cause a problem in court, so make sure it’s worded as simply as possible.” The bottom line to the e-mail policy, says Singer, needs to be: “This is the company’s e-mail and employers have no right to privacy when using it.”

Levitt, a former attorney, advises that companies should hire a lawyer with experience drafting e-mail policies. “They need to take into consideration relevant federal and state laws, particular industry regulations and practices, and the business and human resource practices and culture of the employer,” he says.

Step 2: Introducing the policy

Employees should sign a document that confirms the e-mail policy has been read, understood, and agreed to.

Typically, this is done upon hiring, but also should be in every employee handbook, says Singer. "It’s key for a business owner to have every employee sign off on this policy.” The signoff signifies that they are aware of the policy and they agree to abide by it.

Experts say you should  warn your employees that their e-mails may be monitored. It’s not so much a legal consideration, but an ethical one so that you are above board with important staff members who represent your company. Forewarning employees about monitoring may also prevent them from doing something that can get them in trouble down the road. Not only do you want to prevent employees from sending confidential company or customer information to themselves, competitors or other members of the public via e-mail, but you want to prevent accidental breaches of confidentiality as well.

Soma says an e-mail policy must be implemented fairly to all employees, consistently from the gopher to upper managers, and constantly so that it is an ongoing policy.

You have to allow employees use e-mail for some personal reasons if it’s quick and not abused, adds Soma, such as a quick note to say you’re going to the grocery store after work. “It’s no different than quick call on the phone -- as long as personal e-mails are used and not abused,” says Soma. “If you don’t allow it, it will immediately decrease productivity and the morale of organization.”

Step 3: Reviewing the policy

After signing off on the e-mail policy, it’s not a bad idea to remind employees to review it from time to time. Singer suggests adding it in an employee handbook but it’s not something you need to review every month.

Monitoring employee e-mail can be performed in various ways: manually perusing through messages with network administration privileges, software that scans messages or monitors keystrokes, or outsourcing these e-mail monitoring services to an offsite company.

Lastly, you need to decide how and how often to monitor employee e-mail, experts say.  Some small and medium-sized businesses flag employee e-mail based on specific words or domain addresses, while others don’t do anything other than archive all e-mails in case a situation arises such as a sexual harassment complaint.  You need to decide what level of e-mail monitoring is best for your business.