Employee misuse of corporate e-mail has been a source of liability for numerous organizations, and many are now moving to develop policies that define appropriate usage. Businesses are also increasingly adopting policies to ensure that government regulations are met, sensitive business data is secure and customer privacy is protected.
Below, in no particular order, are the top 10 things IT policy-makers should consider when developing corporate e-mail policies.
1. Clearly outline all personal use restrictions.
One of a company's paramount concerns when developing a corporate e-mail policy should be to explicitly define what constitutes acceptable use of the organization's e-mail system. The policy should clearly state whether personal use is permitted, and if so, how much (number of e-mail messages, percentage of hours in the office, etc.). If employees are granted personal use, steps should be taken to outline what types of correspondence and content will be considered unacceptable or offensive.
 |  |
| Ken Beer is product line manager of Tumbleweed Communications, a Redwood City, Calif.- based provider of secure messaging applications. He can be reached at ken.beer@tumbleweed.com |
Electronic versions of company business plans, human resource files and product development road maps have rapidly replaced physical materials as an organization's most valuable corporate assets. Leading analyst groups estimate that between 70% and 90% of a company's intellectual capital now exists in digital form, and Gartner Inc. values the loss of business information through e-mail at more than $24 billion per year. It's vital that every employee understand the critical seriousness of transmitting the company's digital assets and know that it isn't permitted without specific consent.
3. Be aware of industry-specific government regulations.
The Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act represent a pair of government-mandated privacy regulations that are dramatically changing the way health care organizations and financial services firms can use e-mail. Both acts detail specific measures that regulated companies must take to adequately protect patient/customer data in transit. The Securities and Exchange Commission also has a set of auditing and privacy requirements that regulated companies must adhere to, including the archiving of particular e-mails based on the sender, recipient or content contained therein.
4. Inform employees that their e-mail activities may be monitored.
In recent years, there have been a handful of cases where employees tried to bring legal proceedings against their employers for monitoring what they thought were private e-mail conversations. However, the company is the one that bears the burden for any employee misuse of corporate e-mail and is therefore entitled to responsibly monitor, review and inspect their employees' communications. This right should be articulated in a company communications policy, and each employee should be required to sign a waiver, acknowledging acceptance of the conditions. This also absolves the company of any legal culpability given the Consent Exemption clause of the Electronic Communications Privacy Act of 1986.
5. Implement tools to enforce the policies you've created.
Policy without enforcement isn't much better than no policy at all, and training alone can't ensure employee compliance. When evaluating compliance solutions, the following attributes help facilitate holistic policy enforcement:
- Policy driven. The policy should be written in such a way that the reader can easily determine if/then rules that apply to all inbound and outbound e-mails.
- Centralized administration. All policies should be accessible and alterable from a dashboard console, with the capability to apply ad hoc changes to any number of distributed mail servers.
- Content specific. The solution should offer, or easily integrate with, applications that can scan messages and attachments, and then block, quarantine, archive or allow messages with designated keywords. Other important features include the ability to secure messages determined to contain privileged information, scan messages and attachments for viruses, and eliminate spam, chain letters or virus hoaxes.
6. Carefully define what content can and cannot leave your organization.
To limit corporate liability, filters should be established to look for potentially profane, sexually explicit, racist or defamatory statements in both internal and external company e-mail. To ensure the safety of digital assets, all outbound mail should be scanned for project names and other keywords that might indicate that confidential content may be about to leave the organization. Messages that are flagged by the content filter should be blocked outright, stripped of their attachments or quarantined for review.
7. Employ "intelligent" policy enforcement.
A comprehensive secure-communications policy should define graduated levels of privilege for users within the organization and assign related sensitivity levels to groups of digital assets. When developing rules for the policy engine, IT administrators should leverage this categorization and apply contextual logic to groups of content. For example, different types of sensitive corporate content should demand different levels of clearance to be approved for e-mail distribution, and apply a greater or lesser degree of security to the message depending on the identity of the recipient.
8. Protect sensitive business data from the vulnerability of plain-text e-mail.
Decentralized organizations often demand that users in remote locations exchange sensitive documents via e-mail with one another or with outside business partners. To preserve the confidentiality of this content, hard and fast rules should be established to secure any digital asset that is cleared for transmission above a certain sensitivity threshold (e.g., HR-related personnel data, M&A materials, business plans, etc.).
9. Establish a secure public network.
Policy can also be used to leverage an existing messaging infrastructure and establish a trusted communications channel between distributed sets of users and eliminate the need for a costly VPN deployment. Based on the identity of the sender and the recipient, policy rules can be created to secure all communications between particular individuals (for example, CEO and chief financial officer) or specified groups of users (remote finance departments, legal division and outside law firm, executive management and R&D, etc.).
10. Ensure the privacy of your customers' data.
The only corporate asset that rivals the worth of an organization's intellectual property is the trust of its customers. Given that, corporate communications policies should dictate that any customer data that employees transmit when messaging with one another, business partners or customers themselves should be protected in transit. Failure to secure this data can result in loss of customer goodwill, government-imposed fines and legal repercussions.