The Impact of E-Policy Management
The case for meticulously managing email and other messaging systems is easily won by reading the newspaper on almost any given day. There we learn about the latest CEO (or employee) of a highprofile company ensnared in controversy, the subject of media frenzy. The accidental or intentional actions of individuals are often traceable via email. As Nancy Flynn, executive director of The ePolicy Institute says, "Bad email is bad business". She sites examples like Chevron, ordered to pay female employees US$2.2 million to settle a sexual harassment lawsuit stemming from inappropriate email sent by male employees. Or a Fortune 500 company, involved in a wrongful termination lawsuit, that was ordered to search more than 20,000 back-up tapes at a cost of US$1,000 per tape. That's US$20 million spent before the case went to trial. "50 percent of employees report receiving racist, sexist, pornographic, or otherwise inappropriate email at work," says Flynn. "Many people think it is illegal for their employer to read employee email. But it is not illegal. In fact, according to the Electronic Communications Privacy Act (ECPA), an employer-provided computer system is the property of the employer. As such, the company has every right to monitor all email traffic and Internet surfing that occurs on the company's system."
Even with warnings and continual reports in the news, email policy management varies widely in most organizations. "Virtually all messaging management functions are nothing more than a collection of policies that are custom tailored to a particular organization," points out Michael Osterman of Osterman Research, Inc. "For example, an organization's decision about what types of email it will accept and which it considers spam, is really based on internal policies. A medical practice, for example, will be more likely to accept email that includes the names of body parts than will a financial services company. Similarly, how and when employees are allowed to use email, if and how they are allowed to use instant messaging (IM), the types of email that an organization will retain, which content must be encrypted before being sent, etc. All are based on policies that an organization establishes, either explicitly or implicitly—or they are based on a growing variety of government regulations that dictate things like message security and data retention." Osterman believes managing email and other messaging systems is a critical best practice. Yet it is often a missing first step toward proper email management in many organizations. Email policies should cover a wide variety of areas from internal and external messaging rules, to personal use guidelines and the use of corporate assets. "If organ-izations do not address all of these in their email policies, they will very likely suffer quite serious consequences at some point," predicts Osterman.