E-Mail Policies: We've Got Mail

Hi, Bob. How are the kids? Guess what? We just signed Keanu Reeves to reprise his role in Speed III. I hope I see him walking around the lot one of these days! Talk to you soon, Janice."

E-mails like these are Jeff Uslan's worst nightmare. Uslan, manager of information protection at Twentieth Century Fox Film Corp., is doing everything he can to prevent e-mails containing sensitive company information from getting into the wrong hands. After all, virtually all of the media company's assets are trade secrets. A simple oversight--one e-mail getting into the wrong hands--can nix a deal three years in the making or give competitors a jump on a great concept.

Uslan is one of a growing number of managers whose companies keep tabs on employee e-mail. For many companies that monitor both incoming and outgoing e-mail messages, the reasons for doing so are compelling: safeguarding intellectual assets, improving productivity, defending against viruses, and preventing sexual and racial harassment are just a few of the benefits cited. Yet the practice is not without a dark side. For employees, the idea that their employer looks at their e-mail carries with it connotations of Big Brother and can crimp morale as a result. Even employers face a downside to the practice. Recent court rulings have found that companies that monitor e-mail and have not curbed offensive or inappropriate material are liable for damages. Yet for those companies that have taken the monitoring route, there are ways to minimize the risks while keeping the benefits intact.

For most companies, the decision to monitor e-mail is defined by a business rationale. "Our business is entirely intellectual property," says Uslan. "If one of our employees leaks information about a new movie we're going to produce or a star we're going to sign up, management is going to be very concerned. And the last thing writers working on a screenplay want is to see their scripts being e-mailed outside of the studio."

To prevent trade secrets from leaving the Los Angeles-based studio, last year Uslan implemented e-mail monitoring software from Elron Software of Burlington, Mass., that tracks messages sent to and received by the lot's 5,200 employees.

By implementing the software, Uslan says he is addressing many of the company's concerns. In addition to helping prevent leaks of intellectual property, the company now has a set of tools to help block spam and damaging viruses.

Increasingly Popular Trend

Monitoring employee e-mail is becoming a widespread practice. In fact, the American Management Association reported earlier this year that nearly 40 percent of major U.S. companies now do so, up from 15 percent in 1997.

Employers are choosing to monitor e-mail for a variety of reasons, ranging from added virus protection, guarding intellectual property, and limiting liability to preventing sexually and racially charged jokes and other inappropriate content from proliferating throughout an organization.

But at the root of most e-mail monitoring efforts is a desire to maintain productivity and limit liability. "Employers are liable and responsible for maintaining positive work environments for their employees," says Ellen Bayer, global practice leader for human resource issues at the American Management Association in New York City. "If a person is downloading offensive jokes, it impacts their productivity. If they are then forwarding them on to other colleagues who feel they have now been subjected to a hostile work environment, the employer is liable. And in many cases, it also affects workplace morale."

Blocking offensive e-mails and nettlesome spam was the primary reason Rick Klotz opted to monitor e-mail. In April, Klotz, manager of IT infrastructure for Warner Electric in South Beloit, Ill., began a phased rollout of Message Control, a monitoring tool from United Messaging of West Chester, Pa. "I've added quite a bit to my joke collection," Klotz says since implementing the tool. Although the system is still fairly new and monitoring is not yet routine, Klotz expects a formal system to be set up soon. Eventually, he says, the system will be expanded outside of Warner Electric into other areas of Colfax Corp., the organization's parent company.

In addition to scanning and screening for content from the division's 1,500 employees, Warner Electric's system also limits entering and exiting message size to no larger than 10MB. Klotz also plans to more aggressively filter outbound e-mails to guard against losing trade secrets and other proprietary information.

Added Security

For many organizations, the primary reason for implementing an e-mail monitoring tool is not to catch employees who send too many e-mails to friends or inadvertently (or intentionally) transmit trade secrets, but to add another layer of virus protection.

Last year's Melissa virus and others that followed it prompted the Department of Energy to move forward on plans to install a full-fledged e-mail monitoring system. After discussions within the Office of the CIO, the DOE contracted with ACS, a Rockville, Md.-based contractor, to install and manage the Messaging Management System (MMS) from Tumbleweed Communications of Redwood City, Calif.

Today the system monitors e-mail activity by all of the 10,000 employees split at the two DOE sites in Washington and nearby Germantown, Md. One feature of the system--the ability to block junk mail--is something employees have grown to appreciate.

Although the intent is to eventually include content monitoring, security has always been the first priority, says Charlie Smith, lead engineer for the DOE's Office of the CIO. Smith, who is on the payroll of ACS but works at the Energy Department, is in charge of using MMS to protect the DOE's e-mail infrastructure by scanning for viruses and other harmful content such as denial of service attacks via unsolicited e-mail.

Scanning incoming e-mails for viruses and controlling the type of attachments entering and leaving the organization were both factors in Saga International Holidays' decision to implement an e-mail monitoring system. But the most important reason the Boston-based travel agency went with monitoring technology was to protect against the transmission of some or all of its greatest asset--its database of 5 million customers. Last year, Saga implemented MIMEsweeper from Content Technologies of Bellevue, Wash.

The package allows for file blocking, so Saga's IT department can prevent executable files from being sent or received. An employee "would have to get a portion of our entire database out the door to hurt us, and they can't do that because we prevent those types of files from being sent out," says Ron Valcourt, manager of network operations for the 200-employee company that specializes in travelers over age 50. It's not as if Valcourt doesn't trust his employees. On the contrary, he says that monitoring e-mail is simply taken as a matter of course in the day-to-day running of the business.

To provide a secure place for its corporate customers to conduct business, Bank of America's Global Corporate Investment Bank (GCIB) division chose to implement an e-mail monitoring package. The organization of 12,000 employees in 130 domestic locations, which handles trading, equities, loan syndications, foreign exchange and other functions for commercial clients, uses two tools to provide the highest level of service to its customers.

The company installed Veranda from Tally Systems of Lebanon, N.H., to ensure that e-mails are transmitted quickly and efficiently, and to determine the flow of e-mails within GCIB's individual business units. For content monitoring, the company uses Assentor from SRA International of Fairfax, Va., which screens and archives messages in a manner that is compliant with Securities and Exchange Commission monitoring guidelines--something that is essential in the financial industry, notes David Hendricks, a senior vice president who manages messaging services for Dallas-based GCIB.

Different Tools for Different Needs

Although all e-mail monitoring packages possess similar content filtering capabilities and reporting mechanisms, each targets a niche in the marketplace. Some, like Tumbleweed's MMS, aim to provide unified management of e-mail and Web policies, while others, like Binary Research International's MailMarshal, seek to block specific messages by intercepting e-mail and searching for keywords. Still others, like Tally Systems' Veranda, can identify threats by decomposing e-mail objects such as attachments, zipped files and files embedded in attachments.

In addition to choosing the right tool for the job, companies often choose to use some of a package's capabilities and not others. While Cleveland-Cliffs, a supplier of iron ore products, uses Binary Research's MailMarshal to scan for viruses and weed out e-mails with inappropriate business content, it does not intend to use the system to scan for leaks of trade secrets. "It's such an established industry and sales are still done face-to-face in a traditional manner, so we don't have as much need for that as other companies might have," says John Bauer, lead network engineer at the Cleveland-based company.

And 20th Century Fox, which so zealously guards any type of trade secret, chooses not to monitor for sexually or racially explicit content because of its unique industry.

"Say two writers are cowriting a script. They send e-mails back and forth to each other discussing nudity, so the e-mails contain many of the things that could be considered explicit or harassing. So we don't even try to monitor for that type of content," Uslan explains.

Employees' Concerns

While it's clear that more and more employers are seeing the benefit of implementing full-fledged e-mail monitoring systems, it's less clear how well employees are accepting the situation.

Perhaps that's because more employees than you might think are actually abusing their e-mail privileges. According to a recent study of 1,000 employees done by Vault.com, an Internet-based career and human resources website, 14 percent admitted to forwarding sexually explicit or otherwise improper e-mails to friends or coworkers, and 83 percent said they send personal e-mails during the workday. (The study did not discuss the number of personal e-mails sent during a typical workday, so the overall impact on productivity was not determined.) Compounding the problem, 51 percent said the tone of their e-mails is sometimes misconstrued as angry, abrupt or overly casual.

When the DOE first implemented its system, some employees did indeed complain. But Smith--and his superiors at the Department--weren't concerned about the "Big Brother" types of complaints. "How can you legitimately complain about not receiving something that has no business in the workplace anyway?" Smith asks.

But once the shock wore off, many employees even began to like the system. Once they realized they didn't have to be inundated with junk mail, Smith says, "they actually started asking us to do the blocking."

At Warner Electric, employees are taking their time testing the system's boundaries. "They want to know how hard we're going to come down on them, and if we plan to turn them in to human resources," says Klotz. The first real case of e-mail abuse will help the company decide how to handle these issues, he adds.

To avoid employee complaints and misunderstandings about the intentions of such systems, companies should have a clearly communicated policy on what type of monitoring is routinely performed on e-mails, including a statement that e-mail transmissions are the property of the employer. Employers should also make employees aware that e-mails are automatically saved on a back-up computer system even though they have been deleted by the author.

By informing employees of e-mail policies, "you give them a chance to self-regulate," says Rita Risser, an attorney with Fair Measures Corp., a Santa Cruz, Calif.-based company that trains executives and managers in management practices.

Although there is no law that says employers legally must inform employees of e-mail monitoring policies, doing so can help protect the company against liability claims made at a later time, says Ginny Bain, an attorney in the labor and employment section of Smith Helms Mulliss & Moore of Greensboro, N.C. "We are beginning to see privacy suits and wrongful termination and discharge suits with regard to e-mail monitoring, but the employee has yet to prevail," she says. The reason: Privacy law is based on the reasonable expectation of privacy. Therefore, employees must prove that they had a reasonable expectation of privacy, and courts have held that employees don't have that with regard to e-mail on an employer's property during work hours.

Employees at Bank of America's GCIB are told up front that e-mail is company property and should be used to conduct company business. According to Hendricks, they are also clearly told that not adhering to the policy can result in disciplinary actions, up to and including termination. While Hendricks' staff does not police the e-mail system for abuse, cases that are uncovered in the normal course of maintenance or investigated as a result of complaints brought forward by others are handled accordingly, he says.

But others take a more congenial approach. These employers stress that all measures are taken to ensure a respectful workplace for all employees. In this case, employers might tell employees that e-mail monitoring is simply a way to remind them what is appropriate and reassure them that if they follow company policy, they have nothing to worry about. "It's important to stress that no one is interested in eavesdropping on private e-mail conversations," the DOE's Smith says.

To make sure all employees have bought into the policy and truly understand it, 20th Century Fox now asks new and long-term employees during their annual review to sign an electronic usage agreement explaining the e-mail monitoring policy. "We let them know that intellectual property is our bread and butter and that their job is to support that intellectual property," Uslan notes. In essence, the agreement draws the line at what the company considers inappropriate usage of all electronic media including e-mail, fax, Internet and telephone.

To give employees an additional measure of comfort, Uslan tries to make sure that the tools are used in a regulated fashion.

"Instead of using it as a sword that is wielded and swung around wildly, we have rules in place. In order for the policy to be invoked and for us to start scanning a specific e-mail account, the request has to first go through human resources, be approved by legal and only then is given to my group," he says. "We explain to everyone that we are the only ones who have control of this software--HR doesn't have physical access to it, and neither does legal."

Powerful Tools

The current crop of e-mail monitoring tools on the market enable a company to track all sorts of things including viruses, content and security breaches. Yet just because tools allow monitoring on a wide scale doesn't mean that a company should use them to their full capabilities.

The key, says Fair Measures' Risser, is to use these tools judiciously and in appropriate ways. "I sometimes feel that bad managers will use e-mail monitoring as a way to catch bad employees, because it's easier than being a good manager," she says. Risser recommends monitoring only when a manager suspects the employee of unacceptable behavior.

It also pays to remember that no monitoring package is foolproof. There are times when employees might use code words referring to specific projects, for example. In that case, there is virtually no way to catch the thief. In other cases, although the e-mail monitoring package might prevent large executable files from being sent, there is nothing preventing determined employees from downloading the same information onto a diskette and walking out the door with it.

Because of these loopholes, it's important to remember that e-mail monitoring is just one part of a more global concept of data security. "It's like locking your front door and leaving your windows open," says Saga's Valcourt. "It's a matter of making things difficult for employees and putting enough questions in employees' minds."

Karen D. Schwartz is a freelance writer based in the Washington, D.C., area. She can be reached at karen.schwartz@bigfoot.com.

While it's clear that employers are seeing the benefit of e-mail monitoring, it's less clear how well employees are accepting the situation.

Informing employees of e-mail monitoring policies can help protect against liability.

Too Much Monitoring

Although more and more companies are implementing comprehensive e-mail monitoring policies, there can be such a thing as too much. A policy that puts too many restrictions on e-mail content can actually cause difficulties in the work environment.

"If you attempt to monitor everything, it creates a higher standard for the employer," says Ginny Bain, an attorney in the labor and employment section of Smith Helms Mulliss & Moore in Greensboro, N.C. "There was a case against Prodigy a few years ago where they had a moderated chat room, and because it was moderated the company was held liable for slanderous statements that were allowed to be placed in the chat room. So if an employer monitors everything and [offensive material] is still getting by, you as the employer might be held liable for it."

In addition to potential lawsuits and employee morale issues, there are other challenges to implementing and managing a full-fledged e-mail monitoring system. As Jeff Uslan, manager of information protection at 20th Century Fox has found, committing to an e-mail monitoring system requires ongoing company resources including assigning one or more staff members to consistently maintain and monitor the system. "And there can be a lot of paperwork," he adds.

Of course, there may be times when it is inappropriate to use e-mail monitoring technology at all. In cases where companies haven't done everything they can to implement and enforce good management policies, for example, simply turning to one of these tools could mask larger problems in the management arena, according to Rita Risser, an attorney with Fair Measures Corp., a Santa Cruz, Calif.-based executive and manager training company.

"These tools are a bad substitute for good management," she says. "If you treat employees like adults, generally they act like adults. If, on the other hand, you have an out-of-control workforce, inept managers, top-down control and an atmosphere of distrust, these tools will really help."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Australian Computer SocietyBayer AustraliaContent TechnologiesCrimp AustraliaElron SoftwareSecurities and Exchange CommissionSRA InternationalTally SystemsTumbleweed CommunicationsTwentieth Century FoxUnited MessagingVault.com

Show Comments