Read an Excerpt
C H A P T E R 1
Why Every Organization Needs Electronic Rules and
Policies Based on Best Practices
Since the initial publication of The e-Policy Handbook in 2001, electronic business communication tools and technologies have taken the workplace by storm. Consequently, many employers find themselves drowning in risk as they struggle to manage the use—and curtail the abuse
—of what were originally conceived as time-saving, productivity-enhancing technology tools.
Without question, e-mail has become the business world’s communication tool of choice, forever altering the ways in which we exchange information and conduct professional and personal relationships.
Meanwhile, new tools and technologies—instant messenger (IM), blogs a social networking and video sites, cell phones and camera phones, text messaging, ‘‘confidential’’ electronic messaging, and the BlackBerry
Smartphone, to name a few—have joined the electronic business communication mix at a breakneck pace.
The good news: The ever-expanding universe of high-tech tools facilitates users’ ability to quickly and conveniently transmit business-critical data and stay connected with colleagues and customers around the globe. The bad news: Emerging technologies dramatically increase employers’
exposure to potentially costly and protracted risks including workplace lawsuits, regulatory fines, security breaches, and productivity drains, among others.
Fortunately, for savvy employers determined to manage technology use and minimize risks, there is a solution. Through the strategic implementation of a comprehensive e-policy program that combines written electronic rules with formal employee training supported by policy-based monitoring, management, and archiving tools, organizations can effectively minimize (and in some cases prevent) electronic risks while maximizing compliance with legal, regulatory, and organizational guidelines.
e-Policy Rule 1: Through the implementation of a comprehensive
e-policy program that combines written rules with employee
education supported by discipline and technology tools, organizations
can effectively minimize electronic risks and maximize
compliance.
In the Electronic Office, Risks Abound
Even if your organization does not currently use IM, operate a business blog, or provide executives with BlackBerry Smartphones, you cannot afford to ignore new and emerging technology. If you fail to provide the hot, must-have technologies of the day, chances are your tech-savvy employees (particularly younger employees whose social lives revolve around IMing, texting, and social networking) will bring them in through the back door and load them onto your system without management approval or IT oversight. Left undetected and unmanaged, that’s a recipe for disaster!
Manage Powerful, Popular Electronic Business
Communication Tools Proactively
Considering that the average personal computer can hold 1 million pages of information, it’s no surprise that 90 percent of the business documents we create and acquire are electronic, according to the Association of Records Managers and Administrators (ARMA) as reported by
Baseline Magazine.1
Employers who are concerned about managing all that electronic information—and related risks—should act now to put written policies in place governing the use of established tools and new technologies at work during business hours and at home on employees’ own time.
Old and new alike, all electronic business communication tools must be addressed by comprehensive, best-practices-based rules and policies as detailed in this book. Failure to establish and enforce written rules and e-policies puts the organization at risk of electronic disasters including a but not limited to: regulatory audits, security breaches, lost productivity a shattered stock valuation, negative publicity, lost credibility, and workplace lawsuits, which employers and legal professionals alike consistently identify as their number-one e-mail and Internet-related concern.
2
e-Policy Rule 2: You cannot afford to ignore new and
emerging technology. If you fail to provide the hot, must-have
technologies of the day, chances are your tech-savvy
employees will bring them in through the back door. Left undetected
and unmanaged, that’s a recipe for disaster!
Employers Face Ever-Increasing Legal Liability
As early as 2001, when the first edition of The e-Policy Handbook was published, employers cited legal liability as their primary reason for monitoring employee e-mail and Internet use.3 Since then, we have witnessed the expanding role of e-mail and other forms of electronically stored information (ESI) as evidence in civil lawsuits and criminal trials.
In 2006, 24 percent of organizations had employee e-mail subpoenaed a compared to just 9 percent in 2001. Another 15 percent of companies went to court to battle lawsuits specifically triggered by employee
e-mail in 2006, according to the Workplace E-Mail, Instant Messaging a and Blog Survey from American Management Association and ePolicy
Institute.4
Electronically Stored Information Plays an
Ever-Expanding Evidentiary Role
There is no doubt that the evidentiary role of workplace e-mail and other electronically stored information will continue to expand. The United
States Federal Court made clear this fact in December 2006, when the much-anticipated amendments to the Federal Rules of Civil Procedure (FRCP) were announced, affirming the fact that all electronically stored information is subject to discovery (which means it may be subpoenaed and used as evidence) in federal litigation.
When it comes to electronic evidence, it is the content that counts a not the tool or technology used. Whether created, transmitted, acquired a posted, downloaded, or uploaded via e-mail, IM, the Internet, a cell phone, or any other tool, ESI creates the electronic equivalent of DNA
evidence. ESI can—and will—be subpoenaed and used as evidence for or against your company should it one day become embroiled in a workplace lawsuit. Will you be prepared?
e-Policy Rule 3: Electronically stored information (ESI) creates
the electronic equivalent of DNA evidence. ESI can—and will—be
subpoenaed and used as evidence for or against your organization
should it one day become embroiled in a workplace lawsuit.
Regulators Grow Increasingly Watchful
Over the years, government and industry regulators have turned an increasingly watchful eye to the content created and the business records generated by e-mail and other electronic business communication tools.
For example, failure to comply with Security and Exchange Commission (SEC) rules governing written e-mail and IM content and record retention policies has cost brokerage firms hundreds of millions of dollars in fines.
The Health Insurance Portability and Accountability Act (HIPAA),
Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act (SOX) are just three of the tens of thousands of regulatory rules with which workplace computer users must comply—or face consequences including monetary fines and possible jail time.
In spite of potentially costly penalties, regulated firms have been slow to adopt the type of business record–related rules and policies detailed in Chapter 3. Only 34 percent of organizations have e-mail record retention policies and schedules in place, and merely 13 percent of companies retain and archive business record IM, according to American
Management Association/ePolicy Institute research.5
Among regulated employees, 43 percent either don’t adhere to regulatory rules governing e-mail retention or they simply do not know if they are in compliance.6 Overall, 43 percent of workers can’t distinguish business-critical e-mail and IM that must be retained from insignificant messages that may be purged.7
It’s no surprise that employees are confused and employers ill-prepared when it comes to the management of all-important ESI. Only 21
percent of companies provide employees with a formal definition of ‘‘electronic business record.’’8
This book is designed to educate employers and users about the importance of establishing and complying with rules and policies governing electronic business record retention, deletion, and archiving, as well as overall electronic risk management. Strategic business record retention and deletion rules and policies are essential for all employers, regardless of industry, size, or status as public or private entities.
Employ Tougher Rules to Combat Growing Risks
Along with increased risk, there has been growing awareness among employers of the devastating impact that inappropriate electronic content and unprofessional behavior—accidental or intentional—can have on users’ careers and the corporate bottom line. Consequently, employers are increasingly putting teeth in their electronic policies.
In 2007, more than a quarter of employers (28 percent) fired employees for e-mail misuse. That’s double the 14 percent reported just six years earlier in 2001. An additional 30 percent of bosses terminated workers for Internet violations in 2007, according to the 2007 Electronic
Monitoring and Surveillance Survey from American Management Association and ePolicy Institute.9