
A Corporate Email Policy Can Rein in Bad Behavior

Email policies, as well as those for blogs and IM, show your users what they can do on their office laptop -- and in the process can reduce your company's risk.

Employees' online activity can threaten your business. A sound policy can help mitigate that risk.

As far as Alan Boyer knows, it happened only once and it will never happen again. He is not eager to share the details, but here are the broad brushstrokes. Some time ago, his employer, Home Interiors & Gifts, a Carrollton, Texas, company that sells home goods through direct sales, was set to announce a major transaction. All the details had been attended to; a press release was in the offing.

Then, before the news could be made public, Boyer, Home Interiors' CIO, discovered something that made his stomach turn: In a casual email, one of the company's 1,200 employees had mentioned the pending deal to a friend. The employee hadn't meant any harm, but Boyer was horrified. He alerted the employee's senior manager. "They were very upset," he recalls.

Fortunately, the damage was contained and the deal proceeded. The employee -- who had signed the company's email policy, which states that employees can send business information only to people who need it to conduct business with the company -- remained employed but was disciplined. "I bet they never send anything out again," Boyer says.

As Home Interiors' big scare illustrates, one of a business' greatest risks in today's digital workplace may just be its employees. Accustomed to whipping off emails to associates and friends, chatting via instant message (IM) while working, or opining on blogs and message boards, employees who don't know when to be discreet can wreak real havoc on employers. The dangers are real: Deals can be destroyed, companies can be sued or fined, and reputations built over decades can topple from a few erroneous keystrokes.

The first level of defense seems simple: a written policy that frames how employees should use electronic communication tools. A good one mitigates risk by spelling out what company equipment can be used for and what kind of information can and can't be disclosed. It also serves to keep employees focused on their actual jobs while on company time and equipment. Even the best policies won't prevent honest mistakes and poor judgment, and many lack enough detail to be truly effective. But they do get employees to think more carefully about what they're saying or sending.

In a survey last year, the American Management Association and the ePolicy Institute in Columbus, Ohio, found that more than 80% of the 526 responding companies had written policies governing the use of email and the Internet, though only a quarter had a policy that covered blogs. More than half of respondents said they had disciplined employees for improperly using email or the Internet; about a quarter had fired employees for such behavior.

Very public examples of poor judgment and even illegal actions aren't hard to find. In 1999, British law firm Norton Rose was humiliated worldwide when one of its junior lawyers, Bradley Chait, forwarded a lewd email discussion that started out as a private sex joke from his girlfriend. The email made the rounds of millions of inboxes around the globe, to the embarrassment of both Chait and his employers. (Chait was disciplined but kept his job.)

Former Credit Suisse Group Inc. banker Frank Quattrone fared worse. He was convicted of obstruction of justice and witness tampering after he circulated a fellow executive's email encouraging colleagues to "clean up" their files on the eve of a government investigation of his firm in 2000. (A federal court recently overturned Quattrone's convictions because the jury had been given faulty instructions; a federal prosecutor will decide if Quattrone will be retried.) In addition to suffering a massive blow to its reputation, the firm has paid millions for Quattrone's legal fees.

Another big issue is porn. Whether or not it's practiced on company time with company equipment, it makes an employer vulnerable to costly allegations of sexual harassment. That's why the Automobile Club of Southern California fired 27 employees who posted comments about their co-workers' bodies and sexual orientation on the social networking site

To get a better idea of how midsized companies are managing employee use of electronic communications, we asked the experts: midmarket IT executives. And their approaches depend largely on their industries. The strictest policy we found was in place at an investment bank; the most lax at a Bible publisher. Here's what we found.

What Is in a Policy? Tips for Creating One

Email, instant messaging and blogs are like pens or telephones; employees can use them to say or do just about anything, from the heroic to the criminal. How can a company possibly write a policy to protect itself from misuse of these tools?

Remember that an e-communications policy isn't a general code of conduct. Your company should already have policies against sexual harassment, discrimination, leaking corporate secrets, insider trading, and other illegal or unethical behavior. You don't need to rewrite them; just refer to them.

So first, build a team. Besides the top IT executive, include the CEO, human resources and lawyers. Plan to develop the policy in consultation with an outside expert in electronic communications, recommends Nancy Flynn, executive director of the ePolicy Institute.

To get started, consider using a template from a research firm, or study other companies' policies online. And if you do decide to start from scratch, don't go it alone. Get your lawyer to explain your industry's laws and regulations. Solicit input from the troops. When IBM developed its blogging policy, it posted an internal wiki so everyone could contribute ideas before a draft was finalized.

Issues to cover include the following:

  • Productivity. Can employees use corporate tools like email for personal use, and if so, when, where and how often? What about network-hogging activities like forwarding videos?

  • Appropriate use on the job. Is there anything you don't want employees to say on corporate email, IM or blogs? Do they know they shouldn't plagiarize, libel or download pirated music or software? Is porn banned, and what constitutes porn, exactly? Is it OK to swear in interoffice email? Here's your chance to refer to your company's code of conduct.

  • Appropriate use off the job. Employees are individuals with free-speech rights. But you may not want your customers to know that your head of marketing publishes a popular blog on her sexual escapades with all your top clients. (It's been done: Think about former Capitol Hill staffer Jessica Cutler.) So you're better off listing the behavior you don't want associated with your corporate name so your company can defend itself if a fired blogger claims discrimination. This is a legal minefield, so don't proceed without a lawyer.

  • Document retention. If you can't quickly hand over email correspondence that gets subpoenaed during litigation, you could be slapped with a massive judgment, like the $1.45 billion that Morgan Stanley & Co. was ordered to pay to investor Ronald Perelman last year. Which emails do you want employees to keep, and for how long? How often should they purge?

  • Privacy and security. Given the laws and regulations that govern your industry, what types of communications should be made with what types of tools? Are your brokers allowed to transmit client account numbers over email? What should be encrypted? Is it OK to copy corporate data onto disks and take them home? Should you have allowed your head of HR to store every employee's Social Security number and salary on her laptop, which got stolen last week?

  • Enforcement. How will you enforce the policy? Courts have found that employees have almost no privacy at work. Will it be someone's job to monitor employees' email and voicemail? Secretly videotape? Read employees' personal blogs? If so, will you warn employees in advance? Courts have been more willing to accept such monitoring when employees are forewarned.

Finally, if they don't know about it, they can't follow it. Companies can make employees aware of the policy by making it a condition of employment or having them sign it once a year.


Email and Surfing

To prevent time wasting or risky use of corporate email and Web connections, many companies warn employees that they reserve the right to snoop on their online activities. And in more regulated industries like banking, firms really do. (Many others don't have time and instead wait for a manager to report suspicious activity; then they audit the worker's online activities.)

GMP Securities, for one, analyzes email messages after they are sent. The idea is to make sure that employees of the Toronto-based investment bank haven't broken laws by disclosing confidential client information or guaranteeing certain returns on investments, for example.

GMP doesn't monitor email messages before they are sent because that would require a continuous stream of alerts that would make it difficult for employees to do their jobs. "We felt that was going to be far, far too intrusive," says Steve Kruspe, senior vice president and CIO of the $223-million company.

GMP's email profiling software, made by Fortiva Inc. (a privately owned vendor based in Toronto), places copies of questionable emails in a queue for review by the company's compliance department. The department contacts anyone who appears to have broken a law or company policy. Kruspe says this after-the-fact analysis is an effective deterrent. "For most people, if they know we're going to be made aware of communications they shouldn't be sending and they know we're going to find [out] about it and they know we're going to come and see them about it, [that's] typically enough to cause them to think twice" about the information they send out, he says.

GMP isn't alone. According to the ePolicy Institute survey, 55% of employers store and review employee email.

At the other end of the spectrum is a division of commercial real estate brokerage Colliers International. Compared with banking, the real estate industry is not heavily regulated; and at many firms, including Colliers, brokers are independent contractors. So Colliers is more like a federation of independent businesses than an employer with a traditional hierarchy.

Colliers' Northern California and Nevada division, with 12 offices and nearly $110 million in sales last year, has no email policy, says Vic Fischer, the division's vice president of information technology. Why not? "I would say it's because the managing partners as a group don't see it as a serious concern. They believe that the brokers know what professional standards are and will behave accordingly. For the most part, I have to say that's true. They really are fairly well behaved as far as email content is concerned," Fischer says.

Even so, he is aware of what could go wrong, and he often suggests instituting an email policy that would cover not only content but also archiving. In the absence of an official archiving policy, Colliers is in the habit of keeping everything. "So it's probably OK. But my view of it is, we should know that it's OK by having a retention policy and enforcing it," Fischer says.

When it comes to the risk of reduced productivity, most companies allow their employees a limited amount of appropriate personal use of email and the Web. They often define "appropriate" to mean nonsexual and nondiscriminatory, because that can help shield a company from sexual and racial harassment suits. But most companies don't define "limited." If companies quantify how many minutes employees may spend on private email and surfing, they've got to track the minutes. It's possible to do that with software, but it's expensive, not to mention confrontational. Most companies would rather accept a small amount of private use of corporate technologies as a cost of doing business and then intervene only when a manager says an employee's productivity is slipping.

But Nancy Flynn, director of the ePolicy Institute, says guidelines that don't define phrases like "limited amount of appropriate use" are too vague to be useful. "To some employees, that may be eight hours a day of looking at porn, and we've had many cases of people spending eight hours a day doing that," she says. Or, as many CIOs told us, some employees spend an inordinate amount of time shopping on eBay or checking private email.

Some companies have tried to outlaw all personal use of company assets, including Internet connections and email. But most don't really expect employees to abide. In fact, Home Interiors relaxed its policy after Boyer argued that it wasn't practical to prevent all personal use. He finds it convenient to use his work laptop for some personal email at home. In light of that, "I'm not completely comfortable saying, 'You can't use this at all'" outside of work, he says. "You're not going to say to someone, 'You can't use the phone for personal business.' People have lives, and they're going to [conduct] part of their lives at work. That's just the reality." Now Home Interiors allows a "modest amount" of personal use as long as it doesn't affect employee job performance and conforms to the other restrictions in the policy.

Instant Messaging

Instant messaging presents an interesting problem. Younger workers grew up on it, but many CIOs have rarely, if ever, used it. They don't see the need for IM, but they do see how it opens up corporate networks to viruses and other security risks. Boyer, for one, says Home Interiors not only forbids IM but has blocked network access to Microsoft, Yahoo and other Web-based IM clients.

"It's too big a security issue. It's more of a company risk in terms of assets than email," he says. After all, people can send attachments over IM too. Only with IM, there's no record of what was sent. "I can go back and monitor email; there's nothing they can do about that. I control that," Boyer says. "But on IM, I have no way to monitor that."

Why would a company want to monitor IM? Because every IM that contains data about a business transaction is an electronic record that the company must be able to produce on demand in case of a lawsuit. Companies that can't find relevant electronic records on demand have been made to pay hundreds of millions of dollars.

Flynn thinks it's unwise to flat-out forbid IM, especially in companies where younger workers insist on using it. "It's the No. 1 communication tool of choice among teenagers. If you're hiring people right out of college, they expect to communicate through IM. If the company doesn't provide it, they'll bring it through the back door," she maintains.

Boyer disagrees. Speaking of his IT staff, he says, "My guys are those kind of guys" -- meaning young people who grew up on IM. "They want it locked down. Their primary goal is the availability and security of our environment. They view it as a security risk."


With some 33 million blogs online and 70,000 new blogs launched every day (according to Technorati, a search engine that tracks blogs), even companies that don't encourage their employees to blog should pay attention: Any one of their employees could be blogging about the company. They could be publishing confidential information, embarrassing observations about the CEO, or something that's libelous or plagiarized. Companies that fail to establish blogging policies are risking public embarrassment or fines and convictions for breaking the law. If a company has a policy and an employee breaks it, courts are more likely to see the wrongdoing as the fault of the employee, not the company.

Most of the CIOs we interviewed say their companies hadn't yet turned their attention to blogging policies because they were still working out policies involving email and Internet use.

Charlene Li, a Forrester Research Inc. analyst who studies blogging policies, is a major advocate of blogging as a marketing tool; after all, it can put a personal face on an otherwise anonymous corporate entity. Li believes that most companies can proceed with simple rules that cover all forms of communication. For instance, bloggers are covered by their companies' general policies, which usually include provisions against breaking the law, creating a hostile work environment and spilling company secrets.

"The key thing is to not overthink it. This is really simple stuff," Li says. Even so, "you're not going to get it right the first time. ... If you try to make it perfect, you'll be doomed and you'll never get it started." Li advocates learning about policies "on the job, on the blog."

At least one midsized company agrees with her: Thomas Nelson Publishers, a Nashville, Tenn., company that publishes religious and inspirational books. An equity firm took the $247-million publisher private in February.

Thomas Nelson CEO and President Michael Hyatt got into blogging two years ago after he broke his leg. While he was recuperating, he began reading blogs and decided to launch his own. Soon after, he decided to encourage his employees to blog too.

In hopes of creating an open dialogue, Hyatt instituted an unusual blogging guideline for employees who want the publisher to link to their blog. Among other things, the policy allows bloggers to disagree with the company. "You are welcome to disagree with the Company's leaders, provided your tone is respectful," the policy reads. "If in doubt, we suggest that you 'sleep on it' and then submit your entry to the [oversight committee] before posting it on your blog."

Hyatt says the point of this guideline is to encourage healthy debate. "Often when debate happens, it gets ugly. People's feelings get hurt. So you drive it underground and create bigger problems," he says. At Thomas Nelson, "we can have vigorous internal debate. Anyone can disagree with anybody on anything."

Case in point: In response to Hurricane Katrina, Thomas Nelson donated 100,000 Bibles as well as food and money because, as Nelson wrote in his blog, an "official" in Baton Rouge had specifically requested Bibles. Hyatt says the donation also made sense because Thomas Nelson publishes Bibles and has them to give.

Although it's not clear what Thomas Nelson's employees thought about this, several readers of the blog were astounded. The first visible comment, which remains online, calls Hyatt "asinine" and a "fool of the first order." Hyatt says he can take the heat. He stands by his decision but says, "The debate is good and helpful."

Thomas Nelson's other blogging guidelines, which run just over 1,100 words, are disarmingly simple. They include instructions like "Be Nice" (as in, "Avoid attacking other individuals or companies"), "Keep Secrets," "Respect Copyrights," "Obey the Law" and, finally, an admonition to remember the employee handbook.

Hyatt likes the idea of blogging first and finessing policies later. "It's much easier to steer a moving object than to try to steer something standing still," he says. For others who are grappling with blogging policies, he has this advice: "Don't listen to the lawyers." When Thomas Nelson was publicly held, "The lawyers were wringing their hands, saying, 'Oh my God, what could happen?' It was way overrated. If you exercise common sense," it should be enough, Hyatt says.

The lawyers feared that bloggers would publish market-moving information to selective audiences, thus running afoul of Securities and Exchange Commission laws. "But the truth is, it's a public forum. Whatever you say is available to anyone who wants it," Hyatt says. Then he rethinks his advice about attorneys. "I would listen to my attorneys," he says. "But then I would realize that you have to ascertain whether the risks outweigh the benefits of making a culture that's safe for dissent."

Joan Indiana Rigdon was a contributing writer for CIO Decisions.
