ePolicy Institute

2004 Survey on Workplace E-Mail and IM Reveals Unmanaged Risks

55% of Companies Lack E-mail Retention Policies, 20% Have Had E-Mail Subpoenaed

NEW YORK, July 12, 2004-One in five U.S. companies (20%) has had employee e-mail subpoenaed in the course of a lawsuit or regulatory investigation, up from 14% in 2003. Another 13% have battled workplace lawsuits triggered by employee e-mail. Yet, in spite of the fact that e-mail and instant messages are a primary source of evidence-the electronic equivalent of DNA evidence-many employers remain largely unprepared to manage e-mail and instant messaging (IM) risks. That's according to the 2004 Workplace E-Mail and Instant Messaging Survey of 840 companies conducted by American Management Association (AMA) and The ePolicy Institute.

"Most alarming is the business community's failure to retain e-mail and instant messages according to written retention and deletion policies," said Nancy Flynn, author of the best-practices guidebooks Instant Messaging Rules (AMACOM 2004) and E-Mail Rules (AMACOM 2003) and executive director of The ePolicy Institute. Only 6% of organizations retain and archive IM business records, and only 35% have an e-mail retention policy in place-just 1% more than in 2003.

According to Flynn, the failure to properly retain e-mail and IM reflects employers' failure to educate employees about e-mail and IM risks, rules and policies. "The fact that 37% of respondents do not know or are unsure about the difference between an electronic business record that must be retained versus an insignificant message that may be deleted, suggests that employers are dropping the ball when it comes to effectively managing e-mail and IM use," said Flynn. This year, 54% of respondents say their organizations conduct e-mail policy training, a 6% increase over the 48% reported in 2003.

According to the survey, 42% of respondents perform a job function that is governed by government or industry regulations. Fully 43% of those regulated employees either do not adhere to regulatory requirements governing e-mail retention, or are unsure if they are in compliance. "For financial services firms and others in regulated industries, the failure to properly retain e-mail and IM can-and regularly does-lead to six-figure fines, criminal charges, civil lawsuits and damaging publicity," said Flynn. "Employers simply cannot afford to approach e-mail and IM retention as a hit-or-miss proposition."

While employers have been slow to put e-mail and IM retention and deletion policies into place, fully 79% of employers have implemented a written e-mail policy. On the other hand, only 20% have adopted a policy governing IM use and content.

More employers monitor employee e-mail than IM. Fully 60% use software to monitor external (incoming and outgoing) e-mail, but only 27% monitor internal e-mail conversations that take place among employees. "Management's failure to check internal e-mail is a potentially costly oversight. Off-the-cuff, casual e-mail conversations among employees are exactly the type of messages that tend to trigger lawsuits and arm litigators with damaging evidence," Flynn said.

Only 11% of organizations surveyed use IM gateway/management software to monitor, purge, retain and otherwise control IM risks and use. With 31% of employees using IM at the office, and 78% of those users downloading free IM software from the Internet, organizations are vulnerable to a growing array of IM-related legal, compliance, productivity and security threats, Flynn said.

Of those who use IM in the workplace, the majority (58%) engage in personal IM chats. Survey respondents report sending and receiving the following types of potentially damaging IM content: attachments (19%); jokes, gossip, rumors, or disparaging remarks (16%); confidential information about the company, a co-worker, or client (9%); sexual, romantic, or pornographic content (6%). From the standpoint of content and retention, employers should view IM as a form of turbocharged e-mail, creating a written business record that should be monitored and managed.

The 2004 Workplace E-Mail and Instant Messaging Survey also reveals that 86% of respondents engaged in some personal correspondence while at work. And Spam continues to plague organizations, with 12% reporting that more than half the e-mail they receive at work is unsolicited electronic junk mail.

Employers are getting tougher about e-mail policy compliance, with 25% of 2004 respondents having terminated an employee for violating e-mail policy versus 22% in 2003 and 17% in 2001.

As detailed in Flynn's new book Instant Messaging Rules, there is no such thing as a risk-free e-mail and IM environment. Fortunately, by developing and implementing a strategic e-mail and IM management program that combines written policy with education and enforcement, employers can head off e-mail and IM disasters, address employee misuse, derail intentional abuse, and limit costly liabilities.

The 2004 Workplace E-Mail and Instant Messaging Survey is co-sponsored by American Management Association (www.amanet.org) and The ePolicy Institute (epolicyinstitute.com). Survey summary, interviews, photos, and e-mail and IM disaster stories available upon request. Media wishing to receive a review copy of Instant Messaging Rules: A Business Guide to Managing Policies, Security, and Legal Issues for Safe IM Communication (Nancy Flynn, AMACOM Books, 2004), should contact AMACOM's Irene Majuk (212/903-8087 or imajuk@amanet.org). Contact AMA's Roger Kelleher (212/903-7976 or rkelleher@amanet.org) for survey summary. The ePolicy Institute's Nancy Flynn (614/451-3200 or nancy@epolicyinstitute.com) for e-mail and IM policy and workplace best practices.