Managing Internal E-mail and Chat Capabilities a Growing IT Concern

Enterprise Networks & Servers, Mar 2004 by Shacklett, Mary

With the daily onslaught of computer viruses and intrusions that filter through e-mail, information security and the protection of IT assets are important enterprise concerns that are assigned to IT.

However, above and beyond break-ins and the destruction of data is a growing body of legal and interpersonal issues that require policies and enforcement that IT cannot accomplish alone. Because many organizations are only in the process of defining policies for these areas, there is a tendency to look to IT for resolutions. Unfortunately, in many cases, IT best serves the organization by declaring which issues it has the expertise to address, and which issues are better tackled by other corporate departments such as Human Resources.

This article reviews present e-mail and chat exposures to companies, and includes tips for IT on how to address these internal e-mail threats.

E-mail Can Get You in Trouble

Workplace lawsuits and sexual harassment are among the most common risks that employers are facing today. In a 2003 example, an employee of company ABC emailed an employee of XYZ with an invitation for a date. The trouble was, the employee being e-mailed already was married, and was upset to receive an open e-mail solicitation from another company's employee who happened to know both her and her husband. When company XYZ's employee complained to her Human Resource Department, her HR director contacted the HR manager of company ABC, where the offending employee worked. The original e-mailer was fired by company ABC for breach of company e-mail policies, which were clearly stated in the company's employee handbook. The firing action averted a potential legal liability for company ABC.

Could IT have done anything to prevent or to address this situation? The answer is no, although IT performed to the maximum of its capabilities which was to produce the e-mail records that documented the incident. The IT departments of companies ABC and XYZ worked together by gathering the appropriate e-mail documentation behind the incident, and by routing the facts to appropriate management and HR decisionmakers. IT's charter in this situation was to provide supporting e-mail evidence, and to follow the directives of HR and others who were in charge of investigating and confirming the policy breach.

How Much Should IT Monitor Corporate E-mail?

Commercial software is available to monitor the e-mail and Internet usage habits of company employees, and according to the ePolicy Institute, approximately 62 percent of all employers monitor employee e-mail and Internet use. The question is, how far should IT go in this process? And who should take action against e-mail policy violators?

One rule of thumb is: If the e-mail violation pertains to the confidentiality of customer or other stored information, or to illicit use of software from home or other sources, or to imported viruses or attempted intrusions, policy development and execution are typically an IT function. However, when the e-mail violation is of an interpersonal nature that pertains to appropriate employee conduct, the responsibility typically falls to a Human Resources department.

When there are interpersonal e-mail violations, HR often issues a warning to an employee for the first infraction, and then resorts to penalties as severe as termination upon subsequent violations. Violations, of course, must be monitored and verified. That's where Human Resources relies on IT for e-mail records and e-mail activity audit logs.

Administering E-mail Policies

IT managers and network administrators can save time and confusion by proactively recommending a line of demarcation between IT and HR when it comes to monitoring and addressing e-mail issues. With a general guideline in place that assigns IT the responsibility for corporate information guardianship issues, and HR the responsibility for the definition and enforcement of policies that address the personal use of e-mail, these policy responsibilities (and who is in charge of them) can be clarified up front.

A similar approach applies to e-mail training. IT can show employees how to use the corporate e-mail system and its capabilities, but HR should educate employees on what the corporate e-mail usage policy is.

What IT Should Know

Even when the lines of e-mail responsibility are firmly established between IT and HR, it is still important for IT to have a working understanding of the HR side of e-mail policy if for no other reason than it is still IT that must provide logs and evidence for e-mail abuse when HR requests it.

The improper use of e-mail is a significant HR issue because e-mail can be recovered and used against a company in a court of law. The ePolicy Institute states that 10 percent of companies have been ordered by courts to turn over employee e-mail related to workplace lawsuits, 8.3 percent of organizations have battled sexual discrimination or sexual harassment stemming from employee e-mail or Internet use, and 51 percent of companies have disciplined or terminated employees for violating corporate e-mail policies.