Employer, Protect Thyself
by Melisa LaBancz-Bleasdale
Email and Internet connectivity are two of the most common employer-provided resources and the most commonly abused. There appears to exist an unspoken "acceptable use" policy, which has emerged in parallel with the written one in the employee handbook. This "ghost policy" assumes a certain amount of personal emails and Web surfing will take place during work hours. What it does not outline is how much is too much. The employer relies on the common sense of employees when it comes to self-policing usage and content. Unfortunately, not all employees have common sense, despite what it may say on their resume.
The hard and fast corporate policy may prohibit personal email use, but most employers balance reality against expectations in order to obtain equilibrium. Each party has an understanding of their roles and rules of engagement, but when it comes to acceptable use, established rules and expectations should not be left to interpretation. An employer is vulnerable to litigious current and former employees without solid answers to the following: What constitutes abuse of employer-provided resources? What is an employee's expectation of privacy at work? Does an employee signature constitute understanding? What sorts of activities cross the line and is "the line" clear and enforceable?
According to a survey sponsored by Red Earth Software, 42 percent of employers monitor their employees' emails. However, Michael Overly, partner at Foley and Lardner, and author of E-policy, found that only 60 percent of the employers who monitor emails actually have an adequate written policy in place. Foley explains that by monitoring emails without warning, employers are arguably infringing on an individual's privacy, leaving themselves open to workplace privacy lawsuits.
Is a Policy Enough?
Mike Spykerman, CEO of Red Earth Software, explains that companies must take into account several important issues concerning the legality of monitoring their employees' email. The first is to make a distinction between federal law, which he believes to be more biased toward the employer, and state law, which he feels tends to go in favor of the employee. Under federal law, the Electronic Communications Privacy Act (ECPA) allows companies to monitor their employees' email when one of the following three provisions is met: one of the parties has given consent; there is a legitimate business reason; or the company needs to protect itself.
The Internet, along with internal email systems, acts as a perfect vector for a wide variety of legal and security vulnerabilities ranging from loss of proprietary data, the introduction of worms, viruses and malware, to overt employee harassment. Policies form the foundation of what is expected and tolerated from the employees, while content filtering and email monitoring solutions help mitigate legal, security, and business risks.
According to Spykerman, the second important distinction companies need to make is the difference between email auditing (which is also called email monitoring), where email is checked after the actual transmission, and email interception (which is also referred to as email filtering). Email auditing involves the review of email content after the actual transmission, whereas email interception involves the review of content during transmission. "If your company has no email policy in place, an employee could argue that he or she had a reasonable expectation of privacy," explains Spykerman. "However, if the company has implemented a written email policy where employees are informed about the possibility of email monitoring and warned that they should have no expectation of privacy, the company is protected from this type of privacy claim." Spykerman points out that several court cases have upheld that checking email after transmission is legal (i.e. email auditing), since it is viewed as no different than searching through a file in an employee's drawer.
Policy Enforcement
"If a company employs an acceptable use policy, they also have to employ the tools to enforce that policy," states David Hahn, director of product marketing strategy for MessageLabs. "I believe between 60 to 70 percent of organizations do not have the tools in place. If you look at where organizations are getting stuck, in terms of the legal system, the courts are happy to hear policies exist, but if companies do not have a way to enforce that policy, then what good is it?" Hahn points out that the content passing in and out of today's email systems contains more than potentially offensive or inappropriate subject matter. It also contains items that may be confidential (such as trade secrets), or that violate regulatory compliance (such as patient records).
A key differentiator for MessageLabs is that it is a managed service. By providing a Web-based policy engine, administrators are able to enter their policies, apply them, and leave the scanning and analysis up to MessageLabs, which will escalate the problems it finds in accordance with a company's existing policies. MessageLabs' Email Content Control solution enables organizations to address confidential, malicious or inappropriate email content sent or received by the company. "If someone in your organization is sent images of child pornography and there is a gateway solution in the form of an appliance, or software running at the perimeter, the organization has to accept those images before deleting or quarantining them. That leaves a question mark as to whether or not having those images on the company network raises concerns in terms of legalities," warns Hahn. "The MessageLabs service never lets that type of content get near the network, so there's never a question as to which desktops or laptops or network email service it was on." The service can scan email messages and attachments for user-defined keywords, phrases and URL lists or alphanumeric formulae (such as credit card or social security numbers). Additionally, the service will analyze text in the email body, subject and header, as well as text within Microsoft Office attachments.
Red Earth Software offers Policy Patrol, an Exchange server and Lotus Notes add-on for blocking spam, viruses, offensive content, attachment quarantining, adding disclaimers and much more. In addition to filtering external emails, it is one of the few available content filtering solutions that filter internal mail (if installed on Exchange 2000 or 2003). Red Earth points out that filtering internal emails is important to avoid inappropriate emails creating a hostile work environment. Policy Patrol's rules wizard allows organizations to create customized user-based rules by specifying conditions, exceptions and actions.
According to Hahn, "It's up to the employer in the United States to provide a workplace that is free from harassment, sexual discrimination and more. There are certain protective clauses in this country that employers must abide by related to gender, race, religion, and disabilities. By providing a policy, and then relying on the employees to self-enforce it, employers are falling short of their duty." Hahn believes that the courts are in agreement: "You need to make sure that people aren't walking around and noticing pornographic images on desktop screen savers, because your duty as an employer is to provide an environment that is free from harassment."
Disclaimer: Messaging News is not offering legal advice. For legal direction, contact an attorney.