Employees Must Think before Clicking the Send Button: Is There an Undelete Button?

Just because e-mail is one of the quickest ways to communicate with others does not necessarily mean it is the most appropriate way to do business at all times. When you are training employees in the use of e-mail, there are some other important factors to consider.

Confidentiality
E-mail is not private. Messages that are sensitive or private must never be sent through e-mail. Employees should understand there are many persons who have legitimate access to their e-mail, not the least of which are senior managers, systems administrators, auditors, and sometimes investigators. Additionally, there are attackers who are illegitimately engaged in accessing e-mail accounts.

Negotiations
These exchanges are best conducted either face-to-face or through telephone conversations. Regardless of whether they are related to an employee's salary, contract negotiations, or the price of cabbage, dialogues of this nature are best held until the parties can discuss them verbally.

Bad News
Train all employees never to use e-mail to deliver bad news or to discuss performance-related or emotionally charged issues. Senior managers must thoroughly understand this principle. Without the benefit of facial expressions, vocal intonations, and body language, hurt feelings can result.


Plain, Professional Language
Obscenity, vulgarity, profanity, defamation, off-color remarks, and just plain nasty talk have no place at work or in e-mail. Electronic communications are not private and can be read by a variety of persons today and in the future. Plain, courteous, professional language is the language of business. Risks associated with this type of activity are extremely damaging to the organization and to the individual employee.


Attachments
Organizations must be cautious about sending and receiving e-mail attachments. Instruct employees to copy and paste items into the body of the e-mail. If it is not possible, the sender should ask the recipient if the item can be sent as an attachment. Employees should be cautious about opening attachments and they should be mindful that this is primary way that viruses are distributed. If the e-mail users are technically minded, train them so they recognize that attachments with extensions of .exe, .vbs, and .src should never be opened. Systems administrators should consider using software that denies executable attachments from being delivered to the organization's interior networks.

Spam
Instruct employees never to reply to unsolicited or unwanted e-mail, affectionately known as spam. Replies usually have the effect of confirming active e-mail accounts for spammers who may sell or trade viable e-mail accounts to other spammers, thereby compounding the problem. Irate replies usually go to empty e-mail accounts as spammers often use one-time e-mail addresses.

Message Priority
Do not indicate that your e-mail is urgent if it is not. Do not oversell e-mail messages. Reserve urgent notifications for those e-mails that are truly important.

Forwarded E-Mail
Instruct employees they must not forward e-mail, attachments, and the latest newsletters willy-nilly. They may find them interesting, but most recipients will not. Be respectful of your intended e-mail recipient's time. They may not be very excited about receiving the latest and greatest magazine articles about salad dressing.


Salutations and Signatures
Incorporating salutations and signatures into the text of an e-mail threat will establish the employee's role and position. An additional benefit is derived from using salutations and signatures: they provide beginnings and endings to messages attributable to specific individuals.

Spelling and Grammar
Instruct employees to use proper language construction, spelling, and grammar that distinguish professional conduct. Use spell-checking and grammar-checking software before sending e-mail. Avoid word and sentence constructions that have double meanings. Do not editorialize or rant in e-mail messages. Red herrings cost time and money. Employees should be frequently reminded that it is possible their messages will be introduced in a court of law.

Encrypted Communications
There are many ramifications of encrypted e-mail communications. Employees can exchange e-mail, assured of its integrity and confidentially. While this is certainly an advantage, it is easy to e-mail proprietary information to outside parties, using crypto-technology. E-mail encryption programs can be easily purchased and in some cases are free. If organizations are going to monitor e-mail communications, they are not going to be able to read encrypted messages. More than one employee has used the company's encrypted e-mail to send sensitive information to waiting competitors without fear of being caught.

E-Mail for Managers
Managers should remind employees that e-mail and the attendant systems are the property of the organization and are being monitored. Each time a manager reminds employees of this fact, it should be documented so it can be retrieved and formally acknowledged by employees. Human Resources units should have signed acknowledgments from all employees.

All employees are subject to the organization's policies. No one is outside this policy unless specifically and formally exempted. Exemptions must be justified and individually approved. Being a senior manager is not sufficient justification for an exemption. Managers and auditors must enforce the organization's e-mail policy consistently and equitably. Do not allow special rights to some employees that are not enjoyed by all employees.

Out-of-Band Communications
If communications are very sensitive, employees and managers particularly must know about out-of-band (OOB) communications. OOB communications are outside the regular communications channels. They may include conversations through cellular telephone calls outside the workplace, e-mail communications between computers outside the workplace, encrypted communications, etc. OOB communications alternatives should be available to employees with a reason to use them.

What's in that Cute Little E-Mail Mailbox?

The problem with e-mail storage and retention is basically this: you do not know what your employees are keeping in their e-mail mailboxes. If you are auditing workstations and you review the results, you may be shocked or amazed at what is found. Talk to your employees, explaining the risks surrounding the retention of e-mail and the reason for the destruction policy. Policies should direct employees not to retain old e-mail messages. Policies should consider that some employees may want to store e-mail on their workstation hard drives or on floppy disks, and this practice should be discouraged. Make it very clear that saving messages to hard drives and floppies violates retention policies. If e-mail is going to be saved, it must be saved in project folders or other pertinent files. In this way, e-mail is accessible and retrievable. Emphasize the risks associated with the retention of e-mail outside of policy mandates. Employees should understand that workstations are audited and one of the areas of compliance is the storage of e-mail on hard drives and other media. Through training, employees should be instructed how to delete e-mail, and should receive an explanation of how the delete folder works. Many employees will not understand that e-mail messages may sit in the delete folder unless the user manually takes steps to empty it.

Consider installing and configuring software that automatically empties employees' e-mail folders at designated intervals. Assign limited e-mail space on your mail server for individual accounts. Reducing the size of e-mail accounts will encourage employees who retain e-mail to delete it, as they will simply run out of room. Exhibit 3 is a sample policy for e-mail retention.

E-Mail Policy: Avoiding Hidden Risks

In today's business environment, organizations must be aware of potential liabilities by developing and implementing comprehensive management programs that address e-mail creation, content, retention, privacy, and deletion. E-mail has replaced the telephone call as the preferred means of business communication. Through e-mail threads, employees record their thoughts and read the thoughts of others. Wrongful statements, disparaging remarks, and off-color jokes can be read at future dates. The result is written ammunition that can make or break organizations should a lawsuit or criminal action follow.

In recent litigation about diet pills, some of the most embarrassing evidence against the manufacturer came from internal e-mail exchanges among its own employees. One insensitive message reported an employee expressing her dismay at the thought of spending the balance of her career paying "fat people who are a little afraid of some silly lung problem." The remark was a reflection of the employee's attitude to a rare but fatal condition some diet-pill users developed. Of course, the judge and jury in awarding damages carefully considered these e-mail messages.

In the past, if an investigator was trying to discover what employees were saying or thinking at a given time, the best evidence would generally come from notepads, calendars, diaries, desk pad scrawl, and other informal documents. However, with the use of the computer workstation and the prevalence of e-mail in the workplace, experts can have access to a virtual library of written documents located on hard drives, file servers, and backup media. E-mail records provide important insight about how decisions were made and the timeframe in which they were made. The fact that organizations lack viable e-mail policies means that senior managers do not give it the priority it deserves. It is a mission-critical tool present in daily business and personal life. If not managed properly, e-mail can pose serious risks.