PEBBLE BEACH, CALIF. -- E-mail and instant messaging could be the sharpest double-edged swords in the enterprise. They may be great tools for communication, but manage them improperly -- or not at all -- and they can cause mailbags of pain.
That was the message Scott Nathan hammered home to CIOs at TechTarget's recent CIO Conference. Nathan, an attorney who specializes in cyber law and online privacy, said that a strategic plan to managing e-mail and its IM cousin is a must if firms want to avoid embarrassment at best; the wrath of the law at worst.
Nathan said that CIOs are in a unique position when it comes to governing e-mail use.
"CIOs not only have enterprise-wide responsibility for everything electronic, they also have supervisory responsibility for [IT] employees, who make as much if not more use of electronic facilities as anyone in the organization.
"They're really wearing two hats," he said.
Policy is the best policy
Few firms are making e-mail and IM governance a priority.
According to the Columbus, Ohio-based ePolicy Institute, two-thirds of companies in the U.S. do not have e-mail deletion or retention policies. "I don't see how most organizations get away with it," Nathan said.
With about 60% of employees sending adult e-mail from work and half receiving racist, sexist or pornographic missives in their inboxes, companies are left holding the liability bag should any of those e-mails result in a lawsuit. One out of 20 companies has found itself in that very situation.
But a combination of policy and training could shield a firm from e-legal liability, Nathan said.
"All devices, including telephones, ought to have stated policies [about appropriate use] brought directly to the attention of all employees and with their acknowledgment that they've seen it and understand it."
The Texas Transportation Institute in College Station, Texas, has an e-mail policy in place, according to CIO Kassandra Agee-Letton. "New users sign off on it when they become new employees," she said.
There's also little doubt of what's expected of employees at the University of California at Berkeley. "We have formal policies and have used them to deal with employees' actions, but there's never been anything civil or criminal," said Shelton Waggener, director of central computing services at the school.
Carefree, careless correspondence
E-mail is almost too fast and convenient for its own good. People's fingers tend to click faster than their minds, and that can cause problems.
"When you send an e-mail, you don't review it as thoroughly as if you'd written it on paper, put it in an envelope and put a stamp on it," Nathan said.
"People believe e-mail and IM require less care," he added.
Combine this thoughtlessness with a lack of policy, and the result can be lawsuits, embarrassment and even damage to a company's value.
In the Enron case, for example, the federal government posted 1.6 million e-mails from the unplugged energy firm's executives and employees. Many of those e-mails contained personal information that left both senders and recipients blushing. Evidentiary e-mails in other cases have made Social Security numbers, salaries, performance reviews, plus juicy details of affairs and divorces available for all to see.
"People think somehow that because you don't have a direct voice connection or face-to-face contact, that there's some level of disconnect," Nathan said. "The fact is, all of these communications are recorded for some period of time and can end up causing more damage."
Nathan used one CEO in the Midwest as another example of what not to do. The executive fired off a fired-up e-mail to his managers that accused them of letting employees slack off:
"NEVER in my career have I allowed a team to think they had a 40-hour job. I have allowed YOU to create a culture which is permitting this. NO LONGER. You have two weeks… Tick. Tock."
Three days later, the company's stock value had dropped 22%.
"If you work in a publicly traded company, you should assume that someone will be reading your e-mail, and it may not be confined to people you intended," Nathan said.
Whose e-mail is it anyway?
The boomerang nature of the Internet and e-mail has underscored the extent to which employees use company devices for noncompany purposes, Nathan said. It's that kind of unpredictable e-mail use that concerns David Corbly, director of library systems at the University of Oklahoma. He finds e-mail policy a challenge to nail down because of the gamut of users involved.
"The laws about e-mail are always confusing, especially in an academic environment. The faculty is endowed with a good bit of academic freedom, and what we do for the faculty we have to do for the staff and the students," he said. That kind of freedom means Corbly has to be aware of -- among other things -- potential copyright infringements.
Of course, once a lawsuit and investigation start, it is illegal to delete any potential e-mail evidence. Those who do could end up like Frank Quattrone, the former investment banker whose infamous e-mail order to destroy documents during a federal investigation won him a possible trip to prison.
Agee-Letton doesn't worry about that. She feels that the e-mail retention policy protects her department.
But she wonders where the role of CIO ends, and the role of cybersnoop begins.
CIO or e-mail cop?
Agee-Letton told of an employee who supposedly sent an e-mail to a vendor before a deadline. The vendor said they didn't get the e-mail or attachment. The employee then forwarded the time-stamped e-mail in question to her boss to prove it was sent on time.
"HR got involved and asked me to go into her e-mail box and trace that e-mail to make sure she didn't just create a new one and forward it to her boss," Agee-Letton said. She and her IT group pulled up the records of all mail sent on that particular day and wanted to end their association after that.
"I was concerned with the ethical issues of playing detective," she said. "The burden should be on Human Resources. We should offer the technology as the method to retrieve information, and it [our involvement] should stop there."
Nathan said that e-mail recovery is more of an IT awareness issue.
"At the CIO level, there should be awareness of the issues so that they don't feel like fish out of water when they have to work with HR to prevent problems and draft and implement policies," he said.
SearchCIO.com site editor Karen Guglielmo contributed to this report.
FOR MORE INFORMATION:
Click here for a handy list of dos and don'ts for e-mail and IM policy review.