Keeping e-mail in check: don't let employee e-mail become a problem for your business

HR Magazine, June, 2007 by Rita Zeidner

Security officials at Atlanta's DeKalb Medical Center, on the lookout for risks that could bring the organization within the scope of government regulators, found them in an unexpected place--e-mail sent by the hospital's own doctors and nurses.

The e-mails didn't contain off-color humor. Nor were they sent by rogue employees trying to bring down the hospital's network with a virus or worm.

The threat, says Sharon Finney, DeKalb's security administrator, stemmed from medical staff who routinely forwarded patients' records to their personal e-mail accounts--not to do mischief, but so they could work from home. So far as Finney knows, no patient data landed in the wrong hands. But the practice, which placed sensitive information outside the hospital's control, was alarming. It may have been only a matter of time before an Internet snoop or mistyped e-mail address breached someone's privacy.

"People are so under-educated about what the risks are of using a publicly accessible e-mail account," says Finney, who has since put in place controls to prevent confidential information from leaking out the back door. "They think that when they send an e-mail from their account that e-mail is perfectly secure, that no one else can look at it. That's just wrong."

Since the early days of the Internet, HR departments--often partnering with IT, risk managers and legal counsel--have tried to limit their company's risk through policies governing employees' e-mail use. Today, some 76 percent of organizations have rules governing e-mail use and content, according to Nancy Flynn, executive director of the ePolicy Institute, a training and consulting firm that studies Internet and e-mail use. More than two-thirds have guidelines aimed at controlling the use of e-mail for non-business purposes.

But corporate e-mail policies, particularly those developed early on, may not address the breadth of potential hazards that HR professionals, security experts, lawyers and others say exist for employers.

A Mounting Threat

A growing number of employers are learning--sometimes the hard way--that e-mail is a mixed blessing. Sure, it is a convenient and quick way to relay a message, but it also carries with it the threat of security breaches and costly litigation. Think the threat is overblown? Consider the following:

* More than one-third of U.S. companies surveyed in 2006 investigated a suspected e-mail leak of confidential or proprietary information, according to Proofpoint Inc., a maker of e-mail security products based in Cupertino, Calif.

* Some 15 percent of employers have battled a workplace lawsuit triggered by employee e-mail, according to a survey by the ePolicy Institute. The stakes for companies where employees exchange racy, racist or otherwise offensive e-mail are high.

* Companies are increasingly being ordered to produce employee e-mail during litigation. "It's no longer a question of whether records will be subpoenaed, it's when," says ePolicy's Flynn. Organizations that don't live up to their legal responsibility to preserve e-mails could face stiff penalties. Last year, investment house Morgan Stanley agreed to pay $15 million to settle a civil lawsuit with the U.S. Securities and Exchange Commission over failure to produce tens of thousands of e-mails.

So how can HR professionals reduce their company's risks? Here are some pointers for identifying and dealing with emerging e-mail challenges.

The Dangers of Personal E-Mail

Using personal e-mail is common in the workplace, but it isn't always wise. If your employees use America Online at work, your business may be exposed to security and legal risks. E-mail account providers such as Gmail, Yahoo!, MSN and other free, web-accessible Internet service providers (ISPs) carry the same exposure.

Employees use these outside service providers for many reasons. Convenience is a major factor, particularly when employees, like those at DeKalb, want to work off-site but cannot easily access company records or an internal e-mail network outside of the office. And sometimes outside ISPs seem faster or more reliable than the company's network, especially when the corporate system has a tendency to reduce employees' productivity by needlessly placing safe e-mails in quarantine.

But there are real risks when workers send and receive data through free service providers, security experts say.

"What employees don't realize is that some e-mail can bounce across hundreds of servers and be copied or manipulated" by Internet snoops, Finney explains. In addition, free ISPs are notoriously lax when it comes to filtering out malicious software, according to John Ewing, a security specialist with CDW, a Chicago high-tech consultancy. Thus, companies lacking strong safeguards are particularly vulnerable to viruses, worms and spyware when their employees use free ISPs on network computers.

Meanwhile, lawyers are grappling with unresolved issues stemming from amendments to the Federal Rules of Civil Procedure that went into effect in December. (For more information on the rules, see "E Is for Evidence" on page 147.) The new rules place additional responsibility on employers involved in litigation to release electronic documents, including e-mails and instant messages (IMs). Employers that fail to produce relevant information on time--or, worse, that destroy electronic files--could face sanctions.