Few mortals can resist the urge to pass on juicy gossip or a good dirty joke. But mortals with corporate e-mail accounts should think twice before hitting send.
Most employees who use e-mail at work have sent or received messages that could put their companies at risk. But the vast majority doesn't believe they've ever sent risky e-mails.
That's the key finding of a recent survey commissioned by Fortiva, a Norwalk, Conn.-based provider of managed e-mail archiving products.
Conducted by Harris Interactive, a market research firm based in Rochester, N.Y., the survey examined the e-mail habits of 1,000 individuals, comparing their actual behaviours to their perceptions.
Almost half -- 48 per cent -- of respondents admitted they had sent or received jokes, images and stories containing sexual or "politically incorrect" content. While a majority -- 73 per cent -- says they're aware of corporate e-mail policies, only 46 per cent say they "always" comply.
"It is surprising to us how much people use corporate e-mail systems for stuff they know is probably inappropriate -- but don't perceive it as exposing the company to risk," says Rick Dales, vice-president of product management at Fortiva.
People are aware a joke might be offensive to some -- but not to the friends they sent it to, he says. They fail to consider it may well be circulated beyond the original trusted audience, complete with the original message header identifying the sender's name and company.
Could a company be sued for offensive e-mails forwarded beyond by an employee's recipients? "Anytime you send an e-mail, if the company e-mail address is used and automatic signatures are added, that may be interpreted as official correspondence and you are a [company] spokesperson," says Dennis Kennedy, an IT lawyer and legal technology consultant based in St. Louis, Mo. "[But] this is more of a public relations than a legal issue."
The survey also found that one out of five employees have sent or received a password or log-in information via e-mail. While this may appear to be primarily a security violation rather than an e-mail usage issue, these areas bleed into one another in the context of e-mail communication, says Dales.
"Having separate policies all over the place is an invitation to problems," agrees Kennedy. "If you have an employee manual, e-mail policy, Internet usage policy, computer security policy and so on, odds are they're not going to be consistent and there will be different rules people don't know about. It's better to have one policy that covers all issues."
Although most businesses place limits on the amount of e-mail that can be stored, 41 per cent of respondents say they'd prefer to keep important e-mails indefinitely.
Document retention is not as simple as everyone hoped it would be, says Kennedy. There is nothing inherently good or bad about keeping e-mails for short or long periods of time. "You have to give what a judge decides is relevant," he says. "If you just delete everything, then you're potentially deleting e-mails that are exculpatory or 'good' e-mails. The point is not to delete 'bad' e-mails, but to retain information in accordance with the time period specified in the policy."
However, the more information you retain, the more important it becomes to structure it in a way that you can access, says Dales. "There are pros and cons to storing larger volumes. You need an organized, systematic way not only to manage how long you retain e-mails, but how you get at them."
Wading through large volumes of redundant information is becoming less of a headache for legal teams as e-mail archiving tools grow more sophisticated, says Kennedy. "In electronic discovery, one of the biggest things is "de-duping", which means de-duplicating."
These tools can get rid of the thousands of copies of the same joke or message that have been sent or forwarded in a corporate network. This helps legal teams hone down to the set of documents they really need to review.
With the right tools, says Dales, companies can be more specific about which types of messages should be retained for what periods of time, instead of having a blanket e-mail policy that stores everything for three years, and then deletes everything.
The survey found that the way employees store their e-mail is another area of growing concern that is as important as the content of their messages. About half of the survey respondents who use e-mail at work have saved e-mail outside of the corporate network. E-mail storage limitations may be leading to practices that raise security issues.
People with laptops often save e-mails there instead of at work, or forward messages to their Hotmail or Yahoo accounts, says Dales. "The danger is that if you're asked to produce information, you must gather it wherever it is. Having everyone keep their own blocks of information makes it expensive and risky."
Corporate information that slips out of a company's control in this way can cause problems. "Even if you have a great retention policy, things that escape outside it are still potentially discoverable," says Kennedy. "And people with laptops at home just don't pay enough attention to security, so you open that information to hackers."