Retention and Deletion
Q
Can you offer any practical suggestions on how to manage e-mails that are delivered and stored locally on laptop computers? Implementing and executing a 30-day deletion policy is fairly straightforward when all e-mails are centrally stored on servers, but this is not always the case.
A
Did you know that 27 percent of Fortune 500 companies have battled sexual harassment lawsuits stemming from employee e-mail and/or Internet use? Employees' sexually oriented e-mail messages are becoming increasingly commonplace in sexual harassment cases. And let's not forget workplace lawsuits triggered by e-mail messages containing discriminatory, menacing, threatening, or otherwise objectionable language and material.
Given the growing role e-mail is playing in workplace lawsuits, employers are becoming increasingly cautious about e-mail retention. All organizations should adopt retention/deletion policies that spell out for employees how to categorize files, where to store files, and when and how to destroy files. Employers should enforce the retention/deletion policy among all employees (full-time, part-time, telecommuters, independent contractors). As for laptops, employers should purchase laptops for employee use at home or on the road. It is easier to enforce a business-use-only policy and a 30-day deletion policy when employees are using company-owned equipment, rather than their own personal laptops.
Q
Although there are risks with e-mail, there must also be benefits to keeping e-mails indefinitely. Surely e-mails must be beneficial in defending an employer in a lawsuit? I wouldn't want to lose the ease and benefits of having information in a digital format.
A
All employers should establish an e-mail retention and deletion policy. If your organization's current retention policy calls for saving everything, do so with the understanding that your critical business documents likely are in bed with much more casual, potentially damaging e-mail messages. Like it or not, your employees are probably using your company e-mail system for decidedly unprofessional purposes: sending jokes, making social plans, gossiping, etc.
If you want to reduce eLiability, but are uncomfortable with the idea of deleting all your organization's e-mail messages, strive for middle ground. Some organizations, for example, opt to destroy e-mail backups routinely after 30 days. A month-long retention period enables the employer to retrieve data in the event of a crash. But because only a small number of stored documents are in the system awaiting review, exposure is limited.
The average cost to restore and review one backup session for one representative day of the month is $30,000 - $50,000. If, in the course of a workplace lawsuit, you were asked to produce a year's worth of representative days in which a particular employee was discussed, your cost would be $30,000 - $50,000 times 12, if you were retaining e-mail yearly. That's $360,000 - $600,000 before you ever step into court. (A standard retention schedule is 1 backup session per month for a year, for a total of 12 monthly backup sessions.) Had you not backed up your e-mail, your cost would have been limited to a review of what was on the system when the request was made.
E-mail retention periods vary (daily, weekly, monthly). To be safe, consider retaining e-mail for as brief a period as possible. While you're at it, don't forget to have employees empty their electronic mailboxes. In case of a lawsuit, a forensic investigator would ask for all the messages in your employees' active mailboxes. An empty mailbox is a safe mailbox.
Q
We are a bit concerned regarding e-mail retention timeframes. What is a standard or normal timeframe for keeping e-mail? What about archived files? Are there any legal precedents we should be aware of in setting timeframes?
A
All employers should establish an e-mail retention and deletion policy. If your organization's current retention policy calls for saving everything, do so with the understanding that your critical business documents likely are in bed with much more casual, potentially damaging e-mail messages.
If you want to reduce eLiability, but are uncomfortable with the idea of deleting all your organization's e-mail messages, strive for middle ground. Some organizations, for example, opt to destroy e-mail backups routinely after 30 days. A month-long retention period enables the employer to retrieve data in the event of a crash. But because only a small number of stored documents are in the system awaiting review, exposure is limited.
E-mail retention periods vary (daily, weekly, monthly). To be safe, consider retaining e-mail for as brief a period as possible. While you're at it, don't forget to have employees empty their electronic mailboxes. In case of a lawsuit, a forensic investigator would ask for all the messages in your employees' active mailboxes. An empty mailbox is a safe mailbox.
Q
We are about to implement an e-mail automated deletion policy. To cut off some (probable) opposition, I have been asked to present a high-level business case justification for the policy. Any rule of thumb estimates for costs of downtime, discovery, storage, staff search time, etc. if there is no automated deletion? (We have around 2,500 users.)
Coupled with the automated deletion, what about incorporating into the policy a recommendation if someone wants to keep some important documentation? I hesitate to encourage them to store it electronically--because that could reopen the electronic discovery issue. Suggest they print it? Remain silent on the issue?
A
Consider: A Fortune 500 company was ordered by a court to turn over any e-mail that mentioned the name of a former employee who was suing the company for improper termination. With no policy in place for purging e-mail, the company faced the prospect of searching more than 20,000 backup tapes containing millions of messages, at a cost of $1,000 per tape. The potential cost for that electronic search: $20 million.
Consider: The average cost to restore and review one backup session for one representative day of the month is $30,000 to $50,000. If, in the course of a workplace lawsuit, you were asked to produce a year's worth of representative days in which a particular employee was discussed, your cost would be $30,000 - $50,000 multiplied by 12, if you were retaining e-mail yearly. That's $360,000 - $600,000 before you ever step in front of a jury.
In addition to establishing an automated deletion policy, educate your employees. Explain the organization's electronic liabilities. Instruct employees not to hold onto old e-mail messages. Discourage employees from storing e-mail on their hard drives as an alternative to their mailboxes.
Be alert to the fact that employees may be storing information on their hard drives to sidestep automatic deletion. Because no software exists to alert employers to the fact that employees are saving messages to the hard drive, education plays a critical role. Make it clear to employees that saving e-mail to the hard drive violates the organization's ePolicy. Stress the fact that, were the organization to be sued, all the material on employees' hard drives would be subject to legal review.
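The answer above says that no software will tell an employer when messages are being saved to a hard drive. The sweep below is an added example (not code from the ePolicy Institute or the Handbook) showing the two checks an administrator can script instead of relying on education alone: an inventory of files under a user profile that look like local mail stores (.pst, .ost, .mbox, .eml, .msg; this suffix list is an assumption, not a standard), and a 30-day retention pass over a Maildir that classifies each message by its Date header. The sample profile it builds is constructed test data, not real mail.

```python
"""Sweep for e-mail kept outside the central store and apply a 30-day
retention window to a local Maildir. Added example; not ePolicy Institute code."""
import os
import email
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Heuristic (assumption): these suffixes usually mean mail was saved to disk
# by hand, which is exactly what a server-side deletion rule never touches.
LOCAL_STORE_SUFFIXES = (".pst", ".ost", ".mbox", ".eml", ".msg")


def find_local_mail_stores(root):
    """Return sorted [(path, size_bytes)] for files under root that look like local mail stores."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(LOCAL_STORE_SUFFIXES):
                path = os.path.join(dirpath, name)
                hits.append((path, os.path.getsize(path)))
    return sorted(hits)


def message_age_days(raw_bytes, now):
    """Age of an RFC 5322 message from its Date header, or None if it is missing or unparseable.
    File mtimes are deliberately not used: copying a message to a new disk resets them."""
    hdr = email.message_from_bytes(raw_bytes).get("Date")
    if not hdr:
        return None
    try:
        sent = parsedate_to_datetime(hdr)
    except (TypeError, ValueError):
        return None
    if sent.tzinfo is None:          # treat a naive timestamp as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return (now - sent).days


def expire_maildir(maildir, now, retention_days=30, dry_run=True):
    """Classify every message in a Maildir (cur/ and new/) against the retention window.
    Returns (expired, kept, unknown) path lists; deletes expired files only when dry_run=False.
    Messages without a usable Date header go to `unknown` for manual review, never to the bin."""
    expired, kept, unknown = [], [], []
    for sub in ("cur", "new"):
        folder = os.path.join(maildir, sub)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                age = message_age_days(fh.read(), now)
            if age is None:
                unknown.append(path)
            elif age > retention_days:
                expired.append(path)
                if not dry_run:
                    os.remove(path)
            else:
                kept.append(path)
    return expired, kept, unknown


def build_sample_profile(root, now):
    """Constructed sample data (not real mail): a Maildir plus two files saved 'to the hard drive'."""
    def write_msg(folder, name, sent):
        date_line = f"Date: {format_datetime(sent)}\r\n" if sent else ""
        body = f"From: a@example.com\r\nTo: b@example.com\r\n{date_line}Subject: test\r\n\r\nhello\r\n"
        with open(os.path.join(folder, name), "w", newline="") as fh:
            fh.write(body)

    for sub in ("cur", "new", "tmp"):
        os.makedirs(os.path.join(root, "Maildir", sub))
    cur = os.path.join(root, "Maildir", "cur")
    write_msg(cur, "991000000.M1.host", now - timedelta(days=45))  # older than the window
    write_msg(cur, "991000001.M2.host", now - timedelta(days=10))  # inside the window
    write_msg(cur, "991000002.M3.host", None)                      # no Date header
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "archive.pst"), "wb") as fh:
        fh.write(b"!BDN" + b"\0" * 60)                             # PST magic bytes, dummy body
    write_msg(docs, "old_thread.eml", now - timedelta(days=400))


if __name__ == "__main__":
    import tempfile
    now = datetime.now(timezone.utc)
    root = tempfile.mkdtemp(prefix="profile_")
    build_sample_profile(root, now)
    for path, size in find_local_mail_stores(root):
        print(f"local mail store: {path} ({size} bytes)")
    expired, kept, unknown = expire_maildir(os.path.join(root, "Maildir"), now)
    print(f"dry run: {len(expired)} expired, {len(kept)} kept, {len(unknown)} need review")
```

Two design choices matter here. Age is taken from the Date header rather than the file's modification time, because copying a message to a laptop or a USB drive resets the mtime and would make an old message look fresh. And the pass defaults to a dry run that reports expired, kept and undated messages separately, so that someone can review the list (and exclude anything that must be preserved) before a single file is removed; an automated deletion rule that silently discards messages it cannot date is worse than no rule.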
Q
Let's face it. E-mail is a communication method that is here to stay. Many a business deal has been solicited, negotiated, consummated and terminated, all via e-mail. If a 30-day retention policy were put in place, what would users do with the information that is valuable to the enterprise and is contained in e-mails? Are you suggesting there be a long-term repository, or electronic vault for information storage?
A
You are right. E-mail is becoming the most common means of business communication. And certainly business deals are being done and documents stored electronically.
Problem is, whether you like it or not, your employees are probably using your organization's e-mail system for decidedly unprofessional purposes. Organizations whose e-mail retention policy calls for saving everything should do so with the understanding that critical business documents are likely in bed with more casual, potentially damaging e-mail messages.
All organizations should adopt retention/deletion policies that spell out for employees how to categorize files, where to store files, and when and how to destroy files.
Given the growing role e-mail is playing in workplace lawsuits, employers are becoming increasingly cautious about e-mail retention. Managers who are uncomfortable about deleting everything should strive for middle ground. A 30-day deletion period, for example, enables the employer to retrieve data in the event of a crash. But because only a small number of stored documents are in the system awaiting review, exposure is limited.
eRisk
Q
How does "e-risk" differ from more traditional information security risks? Similarly, how would an e-risk analysis differ? Are there e-threats and e-vulnerabilities? What about e-controls?
A
"Traditional IS risks" include external risks posed by hackers, crackers, and others intentionally trying to crack an organization's system for some type of gain--financial or otherwise.
eRisks/eLiabilities also include the dangers that exist whenever employees access the organization's e-mail or Internet system. Without an ePolicy in place to control behavior and a continuing education program established to inform employees about personal and organizational risks, employees sometimes abuse or misuse the organization's computer assets. The motive generally is not personal gain. Rather, the problem stems from a lack of training and controls. Whether you employ one part-timer or 10,000 full-time professionals, your employees put you at risk of lawsuit and other eLiabilities every time they turn on the computer--unless you have an ePolicy and eTraining program in place.
eMonitoring
Q
What about monitoring individual e-mail?
A
Employers should monitor employee e-mail and Internet use to help enforce the guidelines set forth in their written ePolicies. ePolicy development and e-mail/Internet monitoring create a one-two punch in the battle to reduce electronic liabilities in the workplace.
Q
We have recently published a security policy that references other policies such as our e-mail policy and our Internet access policy. We tried to purchase some software to monitor Internet usage and block access to non-business sites, but the cost was not approved. To do any level of monitoring is costing us time. Any recommendation on how to get approval or what our next step should be?
A
Often, senior management is unaware of the eRisks the organization faces every time an employee accesses e-mail and the Internet. Scare senior management with a few real-life eDisasters. Emphasize the fact that, without an ePolicy program and monitoring software in place, your organization is at similar risk.
For example, you might let management know that 27 percent of Fortune 500 companies have already battled sexual harassment claims based on employee e-mail and Internet use. Certainly, the cost of monitoring software does not come close to the six- or seven-figure legal bill your organization would face if hit with an e-mail or Internet-related sexual harassment suit and settlement.
For compelling eDisaster stories, check out The ePolicy Handbook. In addition, you may want to subscribe to the ePolicy Institute's free eDisaster of the Week update, a "one-minute" eDisaster delivered every Friday to subscribers' e-mail boxes. To subscribe to the free eDisaster of the Week update, visit www.epolicyinstitute.com (click on eDisaster Stories) or e-mail your request to experts@epolicyinstitute.com.
Global ePolicies
Q
How do you develop and implement meaningful global standards for e-mail, computer system use and security while keeping in line with USA Human Resource concerns and regulations? For instance, we would like to keep employees using company equipment and systems away from pornography sites and on-line gambling (at least during work hours). What's the solution? HR is concerned that being specific creates as many problems as it solves.
A
While there may be different customs, laws, and regulations in the countries in which your organization operates, the fact remains: One of the best--and simplest--ways to reduce electronic liabilities is to develop and implement effective e-mail, Internet, and software policies.
Draft basic e-mail, Internet, and software policies for your organization's employees. Then ask your legal counsel to review the policies to ensure they comply with the laws and regulations in the countries (and states) in which you operate.
Remember, if you operate facilities in multiple states within the United States, you need to ensure your policies comply with the laws and regulations of each respective state. (Some states, for example, have tough anti-spamming laws on the books.)
Even if you operate only one facility in one location, you still want to have your legal counsel review your ePolicies before implementing them.
The time and money you spend creating effective ePolicies is nothing compared to the time and money you would spend defending a workplace lawsuit or other eDisaster stemming from inappropriate e-mail and/or Internet use.
Incidental Violations
Q
How do you address "incidental" exposure to inappropriate materials in such policies? For example, some legitimate business research may require browsing through sites that may inadvertently lead you (via "mouse traps" and pop-up windows) to content that violates a company's policies. Also, you can occasionally mix up a .com with a .net and wind up someplace you never intended. What if another employee happens to witness offensive content as a result and decides to file a complaint?
A
Employees who receive unsolicited and inappropriate e-mail, and/or find themselves inadvertently viewing objectionable sites, would do well to adhere to this advice: (1) Do not forward or reply to an inappropriate e-mail message. Notify your Human Resources manager, Chief Information Officer, department supervisor (or other appropriate manager) that you have received the message. Ask the manager how you should proceed. By forwarding or replying to the message, you put yourself in the loop, and you don't want to do that. (2) If, in the course of legitimate business-related research, you unearth content that violates your organization's ePolicy, notify management. Let the appropriate manager know exactly what happened. Document the event in a written memo. This is the best way to protect yourself from any disciplinary action that could occur should management, in the course of a routine audit, discover that offensive images had been on your screen. (3) Always double-check e-mail and Web addresses. (4) It is not uncommon for a third party to file a lawsuit based on objectionable or offensive e-mail or Internet content. An employee who happens past another employee's screen while that employee is viewing a pornographic site might, for example, file a third-party sexual harassment claim against the organization. For that reason (and so many others, as detailed in The ePolicy Handbook) all employers should develop and implement written e-mail and Internet policies--and back those policies up with monitoring and filtering software.
Software Policies
Q
Do you have a sample policy statement that addresses Freeware/shareware being copied from the Internet? Some policies I have seen are too general to be of any real value. I believe this to be a large exposure that not too many have given serious thought.
A
Freeware and shareware are addressed on pages 118-126 of The ePolicy Handbook.
In two of the sample Software Policies offered in The ePolicy Handbook (p. 244 & 249), the following statements appear:
(p. 244): "Shareware software is copyrighted software that is distributed via the Internet. It is the policy of (organization) to pay shareware authors the fee that they specify for use of their product. Under this policy, acquisition and registration of shareware products will be handled the same as commercial software products."
(p. 248): "No shareware or other 'Public Domain' software may be acquired or used without the advance written approval of the Systems Administrator. Shareware software is copyrighted software that is distributed freely through bulletin boards and online services. It is the policy of ABC Corp to pay shareware authors the fee that they specify for use of their products. Registration of shareware products will be handled the same way as commercial software products."
For more about Freeware and Shareware, visit the Software & Information Industry Association's website (www.siia.net).
Employee Acknowledgment
Q
Four things are excellent about The ePolicy Handbook--the writing style, the size of the book, the procedures recommended, and the price! However, one suggestion got me into a firestorm even after it passed our legal department. Is an "Employee Acknowledgment" (sometimes called a "Personal Responsibility Statement") provision in the Handbook, or an "Employee Sign-off"/"User Agreement" provision in other publications, necessary, or is it optional? Your comments would be appreciated. Thank you.
A
A written ePolicy serves two primary purposes: (1) It gives employees rules to work by, spelling out exactly what is--and is not--allowed to be transmitted via the organization's e-mail and Internet system; and (2) It gives the employer the opportunity to notify employees in writing that they have no reasonable expectation of privacy. In other words, if management will be monitoring everything that's transmitted or stored on the organization's e-mail and Internet systems, say so.
That said, bear in mind that addressing the issue of privacy within your ePolicy is one thing. Securing employees' consent to have their electronic messages read is another.
At The ePolicy Institute, we advise employers to first review written e-mail, Internet, and software policies with employees. Then have every employee sign and date a copy of each policy to demonstrate that each employee accepts personal responsibility for adhering to the respective policies' rules.
Call it an acknowledgment, sign-off, or user agreement--it should be a mandatory part of the ePolicy process.
Policy Implementation
Q
Once we have developed the policies, what are some of the most effective ways to distribute, implement and enforce such policies? E-mail? Staff meetings? Intranet? Internal company classes on the topics? What strategy offers the most likelihood of employee understanding and practice?
A
You are right on target. When it comes to reducing workplace liabilities, designing an ePolicy is step one. Step two is the establishment of an ongoing employee education program, designed to educate employees about eRisks and encourage compliance with the ePolicy program.
Your organization's ePolicy should be a written document. Review the policy with each employee and have each employee sign off on the policy, acknowledging that the employee has read and understands it. Keep a copy of your written ePolicy in your employee handbook, easily accessible to all employees at any time. Walk all new hires, part-timers, full-time employees, freelancers, and subcontractors through your ePolicies.
Use e-mail to remind employees about your ePolicies, but don't rely on e-mail as the sole means of communication. Consider posters, rallies, eConsciousness-raising sessions, etc. as part of your continuing education effort.
Don't forget your managers and supervisors. They, too, should be included in your eRisk/ePolicy education program.
For additional information about ePolicy implementation and employee training, you may want to review The ePolicy Handbook. In addition, The ePolicy Institute works with organizations on the development and implementation of effective ePolicy programs.
Policy
Q
Enterprise Unified Messaging changes the policy paradigm by creating a single message store regardless of data type, blurring the distinction between voice and data. As a result, security, privacy, and acceptable use policies need to be adopted to consistently fit this model as well. No one would think twice about using their business phone for a personal call, but many organizations expressly prohibit the use of e-mail for personal use and monitor accordingly. How are people resolving these kinds of issues?
A
When it comes to the personal use of e-mail, employers typically take one of three paths: (1) Ban all personal e-mail usage. Period; (2) Allow a limited amount of "acceptable" personal e-mail during working hours. Typically, the personal use allowed includes communication with spouse and children and/or emergency use. Banned communication would typically include advertisements, solicitations, or mass e-mailing; or (3) Allow personal e-mail use, but only after regular working hours.
Whichever approach an organization takes, the terms should clearly be spelled out in the organization's eMail Policy.
Some organizations do ban personal telephone calls. And some organizations address telephone monitoring and voice mail usage in their ePolicies. As with any type of ePolicy, it is important to notify employees of the organization's phone/voice mail policy and reinforce the policy with an ongoing training program. For an example of an ePolicy that incorporates voice mail, see The ePolicy Handbook.
Intranet Policies
Q
We have terms of use and disclaimers on our Internet site and similar policies for employees' use of our e-mail system, but what concerns should we have about employee access/use of our corporate Intranet?
A
Employee use of the Intranet can be just as risky and problematic as their use of e-mail and the Internet. An offensive, menacing, harassing, discriminatory, or otherwise objectionable Intranet posting can lead to workplace lawsuits and other eDisasters. You definitely want to incorporate your Intranet system in your organization's ePolicy program. See The ePolicy Handbook for samples and additional information.