Keeping E-mail in Check

June 1, 2007 | Rita Zeidner

Don't let employee e-mail become a problem for your business.

Security officials at Atlanta’s DeKalb Medical Center, on the lookout for risks that could bring the organization within the scope of government regulators, found them in an unexpected place—e-mail sent by the hospital’s own doctors and nurses.

The e-mails didn’t contain off-color humor. Nor were they sent by rogue employees trying to bring down the hospital’s network with a virus or worm.

The threat, says Sharon Finney, DeKalb’s security administrator, stemmed from medical staff who routinely forwarded patients’ records to their personal e-mail accounts—not to do mischief, but so they could work from home. So far as Finney knows, no patient data landed in the wrong hands. But the practice, which placed sensitive information outside the hospital’s control, was alarming. It may have been only a matter of time before an Internet snoop or mistyped e-mail address breached someone’s privacy.

“People are so under-educated about what the risks are of using a publicly accessible e-mail account,” says Finney, who has since put in place controls to prevent confidential information from leaking out the back door. “They think that when they send an e-mail from their account that e-mail is perfectly secure, that no one else can look at it. That’s just wrong.”

Since the early days of the Internet, HR departments—often partnering with IT, risk managers and legal counsel—have tried to limit their company’s risk through policies governing employees’ e-mail use. Today, some 76 percent of organizations have rules governing e-mail use and content, according to Nancy Flynn, executive director of the ePolicy Institute, a training and consulting firm that studies Internet and e-mail use. More than two-thirds have guidelines aimed at controlling the use of e-mail for non-business purposes.

But corporate e-mail policies, particularly those developed early on, may not address the breadth of potential hazards that HR professionals, security experts, lawyers and others say exist for employers.

A Mounting Threat

A growing number of employers are learning—sometimes the hard way—that e-mail is a mixed blessing. Sure, it is a convenient and quick way to relay a message, but it also carries with it the threat of security breaches and costly litigation. Think the threat is overblown? Consider the following:

More than one-third of U.S. companies surveyed in 2006 investigated a suspected e-mail leak of confidential or proprietary information, according to Proofpoint Inc., a maker of e-mail security products based in Cupertino, Calif.
Some 15 percent of employers have battled a workplace lawsuit triggered by employee e-mail, according to a survey by the ePolicy Institute. The stakes for companies where employees exchange racy, racist or otherwise offensive e-mail are high.
Companies are increasingly being ordered to produce employee e-mail during litigation. “It’s no longer a question of whether records will be subpoenaed, it’s when,” says ePolicy’s Flynn. Organizations that don’t live up to their legal responsibility to preserve e-mails could face stiff penalties. Last year, investment house Morgan Stanley agreed to pay $15 million to settle a civil lawsuit with the U.S. Securities and Exchange Commission over failure to produce tens of thousands of e-mails.

So how can HR professionals reduce their company’s risks? Here are some pointers for identifying and dealing with emerging e-mail challenges.

The Dangers of Personal E-Mail

Using personal e-mail is common in the workplace, but it isn’t always wise. If your employees use America Online at work, your business may be exposed to security and legal risks. E-mail account providers such as Gmail, Yahoo!, MSN and other free, web-accessible Internet service providers (ISPs) carry the same exposure.

Employees use these outside service providers for many reasons. Convenience is a major factor, particularly when employees, like those at DeKalb, want to work off-site but cannot easily access company records or an internal e-mail network outside of the office. And sometimes outside ISPs seem faster or more reliable than the company’s network, especially when the corporate system has a tendency to reduce employees’ productivity by needlessly placing safe e-mails in quarantine.

But there are real risks when workers send and receive data through free service providers, security experts say. “What employees don’t realize is that some e-mail can bounce across hundreds of servers and be copied or manipulated” by Internet snoops, Finney explains. In addition, free ISPs are notoriously lax when it comes to filtering out malicious software, according to John Ewing, a security specialist with CDW, a Chicago high-tech consultancy. Thus, companies lacking strong safeguards are particularly vulnerable to viruses, worms and spyware when their employees use free ISPs on network computers.

Meanwhile, lawyers are grappling with unresolved issues stemming from amendments to the Federal Rules of Civil Procedure that went into effect in December. (For more information on the rules, see "E Is for Evidence.") The new rules place additional responsibility on employers involved in litigation to release electronic documents, including e-mails and instant messages (IMs). Employers that fail to produce relevant information on time—or, worse, that destroy electronic files—could face sanctions.

The law is still unclear as to whether the rules apply to all e-mails accessed through an employer’s network computer, including those sent or received via an outside ISP, or only to e-mails exchanged on the corporate system. “It’s something that’s going to have to be hashed out in litigation,” says Dallas-based employment attorney Audrey Mross of Munck Butrus.

What seems clear now is that employers who are ordered to provide evidence that resides on an employee’s personal ISP will have the daunting task of ensuring that those documents are properly handled and not destroyed by the account holder, Mross says.

It is technically possible for companies to electronically monitor employee correspondence sent from a network computer, regardless of whether it was sent or received via an outside service or corporate e-mail system, according to Carl Bennett, director of information security for Application Outfitters, a high-tech consultancy in Marriottsville, Md. But putting tools in place for handling outside e-mails adds another layer of complexity for an employer.

Making a Policy, or Not

It’s not uncommon for organizations to post electronic notices telling workers that its e-mail system is for business use only or that e-mails are company property. But companies’ approaches to dealing with personal ISP accounts vary.

After assessing the risks of outside ISPs, some companies forbid employees from using them at work. Of nearly 4,300 respondents to an informal survey conducted by the Society for Human Resource Management (SHRM) earlier this year, 37 percent of HR professionals surveyed said their company has a policy prohibiting employees from using personal e-mail accounts from their office computer. Another 7 percent said their organization plans to develop a policy in the next year.

Experts say anti-ISP policies that place a premium on network security at the cost of employee convenience could end up frustrating employees and crushing morale.

“There is a valid argument for banning the use of personal e-mail services,” says Bennett. On the other hand, he says, employees often need them to get work done.

From an HR standpoint, a policy banning access to outside e-mail services may be difficult to enforce, especially given the increasingly blurry boundaries between personal and business use of web-enabled mobile technology like laptops and personal digital assistants.

Costs are another factor to consider, since employers that allow employees to use outside ISPs can incur huge expenses associated with scouring a network in search of age-old e-mails.

Still, some HR professionals say such bans are a no-brainer.

“There’s just too much risk that business-related records are going to be transferred inappropriately,” says Flynn. “Besides, if your employees are using those public tools, it’s an easy way for malicious intruders to get in.”

To enforce a no-access policy, some companies are using the same software they rely on to keep workers off gambling and pornographic sites.

Keeping Tabs

Many employees, and some HR professionals, view e-mail monitoring as intrusive. But companies increasingly are keeping an eye on employee e-mail use. More than half of the companies surveyed by the American Management Association and ePolicy Institute last year said they monitor their workers’ incoming and outgoing e-mail, up from 47 percent in 2001. And employers are not just concerned about external communications. Twenty-seven percent of employers monitor internal e-mail conversations between employees, up from 19 percent in 2003.

More than two-thirds of respondents to a SHRM survey of HR professionals last fall said HR at their company has a role in deciding the extent to which employees are monitored. Others indicated that they expected to become involved over the next year.

When it comes to e-mail monitoring, technology can do most of the heavy lifting. Software vendors offer a number of minimally invasive tools that automatically filter objectionable content before it comes in or goes out.

The tools are becoming more and more sophisticated and no longer merely match e-mail against a universal set of keywords, such as obscenities. Some products can be customized to flag specific terms such as the names of top company officials, competitors and product codes. A regulated industry like health care can use a filtering tool to scan for protected information like patient or drug names. It was one such tool, designed by Proofpoint, that identified the homebound records sent by DeKalb’s medical staff.

Filters programmed to recognize salary information, Social Security numbers or messages that link employee names to dollar amounts can help HR professionals prevent their own gaffes.

And while earlier monitoring programs frustrated workers by placing questionable outgoing messages in quarantine without notifying the sender, newer tools can be set up to immediately notify the originator that an e-mail may have risky content. Depending on how the tool is programmed, the sender may be allowed to override the warning or be forced to clean up the message before the system will release it.

In addition, some software can automatically encrypt messages that appear to have protected information. The information then can only be decoded and read by the intended recipient.

Highlighting Best Practices

In the end, policies and tech tools can only go so far to prevent risky e-mail practices. Employers still must take steps to ensure that workers understand how their use of e-mail could put their employer and their job in jeopardy.

“This is not a case where you can release a proclamation and let it rest,” says Declan Leonard, a partner with the Northern Virginia law firm of Albo & Oblon.

He and others recommend employers provide ongoing training that alerts all workers to unsafe e-mail practices.

Flynn suggests that employers coach workers in the finer points of e-mail etiquette and explain the consequences of violating the policy. Companies should also notify employees that they might be monitored, she says. That alone might be enough to keep them from taking unnecessary chances.

Employers should give workers a hard copy of the company’s e-mail policies and require workers to sign off that they’ve read the document. Such an attestation supports the case of an employer who disciplines a worker for violating its e-mail policy. And hard copies still are taken more seriously than electronic ones, lawyers say.

Training for HR professionals should focus on preventing leaks of confidential employee or applicant information, such as salary data or Social Security numbers, and ensuring that e-mail policies do not violate employment and labor relations laws.

For example, companies that bar a union access to its e-mail system may find themselves battling an unfair labor practice charge. (In a case many employers and business groups are watching closely, the National Labor Relations Board is considering an employer’s appeal of a ruling that upheld a union employee’s right to use the corporate e-mail system for union business during non-work hours. A decision is pending.)

And, as with any disciplinary policy, HR should be on the lookout for managers who selectively enforce e-mail policies.

Employee education can go a long way in emphasizing what’s at risk for the business and the worker, says Mross. Ongoing litigation at Wal-Mart provides a case in point. To bolster its decision to fire high-ranking marketing executive Julie Ann Roehm late last year, the retailer dredged up old e-mails Roehm sent to her alleged paramour—another Wal-Mart employee she supervised. Wal-Mart claims the e-mails, some peppered with sweet nothings, demonstrate that the couple engaged in improper conduct along with dubious business dealings.

Just knowing that e-mails may be brought to light in a lawsuit may be enough to get employees to think twice before casually shooting off an electronic message. After all, cautions Mross, “Who wants their personal correspondence becoming some lawyer’s Exhibit A?”

Rita Zeidner is manager of the SHRM Online HR Technology Focus Area.