When E-Mail Puts You at Risk

Bringing Down the House

Legal troubles aside, one wayward message can have disastrous consequences for a business. For example, one large, innocuous graphics file accidentally forwarded to the whole company can bring down an e-mail system.

Experts say e-mail policies need to explain to employees how to handle attachments and other documents that might cause problems.

"I've had major companies tell me they're more concerned about this issue than they are about [all the other] issues combined," Overly says.

The Key to Encryption

Sometimes it's useful for companies to encrypt e-mail, Bruce says. But what if employees decide to encrypt their own e-mail so that the employer can't read it?

Overly says most policies should include a provision saying that employers must have the key to decrypt any messages that an employee encrypts on an employer's system.

Many companies routinely destroy paper documents that they aren't legally required to keep--but many do not extend this policy to e-mail, experts say.

"If a company is sued, it is routine for the other party to ask the company to produce all their records [on the subject], including e-mail," Bruce says. "E-mail is a really juicy target because it can be searched by keyword."

Bruce says that there's no reason not to routinely delete e-mail messages. However, an e-mail-deletion system must preserve any documents that the company is legally required to keep. And if the company becomes involved in litigation, it must stop deleting e-mail that might be relevant.

Some companies' policies say that e-mail can be stored for a limited time only, and that e-mail messages that need to be preserved should be converted into another form.

To Monitor or Not to Monitor?

The policy should deal with enforcement, as well. Some employers enforce their policy with monitoring software that flags messages containing suspicious words. You can set monitoring software, for example, that prevents documents with code words for secret projects from being e-mailed to anyone outside the company. It can also catch words that might be discriminatory or offensive.

In some cases, using monitoring software may help a company defend itself against sexual harassment lawsuits, for example--it can help show that the company was really trying to prevent harassment, Bruce says. However, if a company is monitoring e-mail, it's vital to make sure the employees know about it, Bruce warns.

Jeff LePage, MIS director at American Fast Freight, in Kent, Washington, has been using Content Technologies' MIMEsweeper to monitor e-mail at his company for about a year. He says the employees' knowledge that the filter was there has cut down on the number of adult-oriented jokes and other inappropriate messages. He says that once the policy and software were explained to employees, few complained.

"I would have thought people would take it differently, but most people don't seem to mind," LePage says. "There were a few individuals who were detractors. But how do you fight something like this--demand that you should be able to send dirty jokes to everyone in the organization?"