Slide 2: E-Mail Rules
Slide 3: Other Books by Nancy Flynn
The ePolicy Handbook: Designing and Implementing Effective E-Mail, Internet, and Software Policies (AMACOM)
Writing Effective E-Mail: Improving Your Electronic Communication
Slide 4: E-Mail Rules
A Business Guide to Managing Policies, Security, and Legal Issues, for E-Mail and Digital Communications
Nancy Flynn and Randolph Kahn, Esq.
American Management Association
New York • Atlanta • Brussels • Buenos Aires • Chicago • London • Mexico City • San Francisco • Shanghai • Tokyo • Toronto • Washington, D.C.
Slide 5: Special discounts on bulk quantities of AMACOM books are available to corporations, professional associations, and other organizations. For details, contact Special Sales Department, AMACOM, a division of American Management Association, 1601 Broadway, New York, NY 10019. Tel.: 212-903-8316. Fax: 212-903-8083. Web site: www.amacombooks.org
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that neither the publisher nor the authors are engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.
Library of Congress Cataloging-in-Publication Data
Flynn, Nancy, 1956–
E-mail rules : a business guide to managing policies, security, and legal issues for e-mail and digital communication / Nancy Flynn and Randolph Kahn.
p. cm.
Includes bibliographical references and index.
ISBN 0-8144-7188-9
1. Electronic mail system—Management. 2. Electronic mail system—Security measures. 3. Electronic records—Management. I. Title: Email rules. II. Kahn, Randolph. III. Title.
HE7551 .F578 2003
384.3 4 068—dc21 2002152888
© 2003 Nancy Flynn and Randolph Kahn, Esq. All rights reserved. Printed in the United States of America.
This publication may not be reproduced, stored in a retrieval system, or transmitted in whole or in part, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of AMACOM, a division of American Management Association, 1601 Broadway, New York, NY 10019.
Printing number 10 9 8 7 6 5 4 3 2 1
Slide 6: Nancy Flynn: To my husband, Paul Schodorf, and our children, Bridget and Tim. Special thanks also to the clients, partners, and friends of The ePolicy Institute for their ongoing interest in reducing e-risks and enhancing e-communications. Randolph Kahn: To my wife, Melissa, and our children, Dylan, Lily, and Teddy, who motivate me to keep exploring and make life such fun to live.
Slide 8: Contents
Preface
Acknowledgments
PART ONE The Case for E-Mail Management
Chapter 1: Introduction
E-Mail Rule 1: Strategic E-Mail Management Reduces Liabilities
Chapter 2: Real-World Legal Issues
E-Mail Rule 2: Manage Employees’ E-Mail Use
Chapter 3: E-Mail Ownership and Cybertheft
E-Mail Rule 3: E-Mail Belongs to the Employer, Not the Employee
PART TWO Designing and Implementing Effective E-Mail Policies
Chapter 4: Why Implement E-Mail Policies?
E-Mail Rule 4: E-Mail Can Come Back to Haunt You
Chapter 5: E-Mail Privacy
E-Mail Rule 5: There Is No One-Size-Fits-All E-Mail Policy
Chapter 6: E-Mail Content
E-Mail Rule 6: Control Risk by Controlling Content
Chapter 7: Netiquette
E-Mail Rule 7: Establish and Enforce Rules of Online Etiquette
Chapter 8: Special Netiquette Considerations for Managers
E-Mail Rule 8: Apply E-Mail Rules Consistently—from Summer Interns to the CEO
Chapter 9: LISTSERV Policy
E-Mail Rule 9: Impose Policies and Procedures to Control LISTSERV Participation and Content
Chapter 10: Corporate Road Warriors
E-Mail Rule 10: Don’t Leave Home Without E-Mail Policies and Procedures
Chapter 11: Failure to Establish or Enforce Policy
E-Mail Rule 11: Rules Exist for Businesses That Want to Remain in Business
PART THREE Retaining E-Mail Business Records
Chapter 12: Retaining Business Records: The Legal Foundation for E-Mail Management
E-Mail Rule 12: Treat E-Mail as a Business Record
Chapter 13: E-Mail Business Record Retention
E-Mail Rule 13: Retain Business Record E-Mail According to Written and Enforced Retention Rules
Chapter 14: Developing Retention Rules
E-Mail Rule 14: Apply Retention Principles to E-Mail Records
Chapter 15: SEC and NASD Regulations
E-Mail Rule 15: E-Mail Retention Periods May Be Determined by Regulatory Bodies
Chapter 16: Record Retention Versus Backup Tapes or Stored E-Mail
E-Mail Rule 16: Don’t Be Set Up by Backup
Chapter 17: Software Solutions
E-Mail Rule 17: E-Mail Rules Apply to Automation, Too
Chapter 18: Outsourcing E-Mail Storage and Retention
E-Mail Rule 18: Assess the Legal and Business Ramifications Before Moving E-Mail Off Site
Chapter 19: Educating Employees About E-Mail Retention
E-Mail Rule 19: Make E-Mail Retention Simple for Employees
PART FOUR E-Mail Business Records as Legal Evidence
Chapter 20: E-Mail Business Records as Legal Evidence
E-Mail Rule 20: Prepare to Produce E-Mail for Audits, Investigations, or Lawsuits
Chapter 21: Records Management
E-Mail Rule 21: Manage E-Mail Business Records to Ensure Accuracy and Trustworthiness
Chapter 22: E-Mail Discovery
E-Mail Rule 22: Manage E-Mail in Anticipation of Litigation, Audits, and Investigations
Chapter 23: Destruction of Evidence
E-Mail Rule 23: It’s Illegal to Destroy E-Mail Evidence After You Have Received Notice of a Lawsuit or During a Trial
Chapter 24: Discovery Rules for Employees
E-Mail Rule 24: E-Discovery Is Inevitable—Be Prepared
Chapter 25: Creating an E-Discovery Response Strategy
E-Mail Rule 25: Plan Today to Meet the Challenges of Litigation, Audits, and Investigations Tomorrow
PART FIVE E-Mail Security
Chapter 26: E-Mail Security
E-Mail Rule 26: Develop Policies and Procedures to Secure E-Mail
Chapter 27: Physical and Network Security
E-Mail Rule 27: Strategic E-Mail Security Involves Physical and Network Security
Chapter 28: Content Security—Inbound
E-Mail Rule 28: Inbound Message and Attachment Content Is Critical to E-Mail Security
Chapter 29: Content Security—Outbound
E-Mail Rule 29: Outbound E-Mail Is Critical to E-Mail Security
Chapter 30: E-Mail System Security
E-Mail Rule 30: Develop Policies and Procedures to Ensure That Your E-Mail System Is Secure
Chapter 31: Spam
E-Mail Rule 31: Address the Sending, Forwarding, and Receiving of Spam in Your E-Mail Policy
PART SIX Mixed Messages: Managing Alternative Communications Technologies
Chapter 32: Instant Messaging
E-Mail Rule 32: Retain and Manage Business Records Created by Alternative Communications Technologies
Chapter 33: Other Communications Technologies
E-Mail Rule 33: Establish E-Rules and Training for Alternative Technologies
Chapter 34: Peer-to-Peer File Networking Technology
E-Mail Rule 34: Combine Employee Rules with Network Administration Techniques to Limit Risks
Chapter 35: E-Mail Variations
E-Mail Rule 35: Apply E-Mail Rules to Nontraditional Use and Technologies
PART SEVEN Employee Education
Chapter 36: Training Is Key to E-Risk Management Success
E-Mail Rule 36: Train, Train, Train . . . Then Train Some More
Chapter 37: Instilling a Sense of Ownership in Employees
E-Mail Rule 37: Employee Compliance Is Key to E-Risk Management Success
Notes
Appendixes
Index
About the Authors
Slide 14: Preface
This book is designed to provide guidelines for reducing workplace liabilities and managing e-mail and other data communications. E-Mail Rules is sold as a general overview and guide and does not provide legal advice or a legal opinion on any topic contained within. The authors of E-Mail Rules did not and could not contemplate every situation, problem, or issue that may arise when using e-mail or other communications technology. This book does not purport to be exhaustive of all situations that may arise when using, implementing, or relying on such technologies. Before taking any action on any matter addressed in E-Mail Rules, readers should consult with and be guided by professionals competent to address legal, regulatory, human resources, technology, compliance, policy, and other issues. Specific institutions or industries may be required to follow different or additional rules from those described in E-Mail Rules. Before taking any action, consult a professional for advice regarding the specific laws, regulations, and rules governing your industry.
The policies, rules, directives, and sample language contained in E-Mail Rules are provided as examples and are for illustrative purposes only. They are not exhaustive, complete, or appropriate for all institutions or situations. Such policies, rules, directives, or sample language should be followed only after receiving competent legal or other professional advice. Depending on the industry, circumstance, or regulatory or legal realities, the policies, rules, directives, and sample language contained in E-Mail Rules may not be adequate, sufficient, or appropriate.
Slide 16: Acknowledgments
The authors extend sincere thanks to those who generously contributed encouragement and support, expertise and information to help make this book possible. Most notably, we are grateful to our corporate sponsors, partners, and friends: Chris Witeck and the marketing team at Clearswift; Peter Delle Donne and Margaret Rimmler of Iron Mountain and the Digital Archives of Iron Mountain; and Amena Ali, Jocelyn Johnson, and Chris Gray of Legato Systems, Inc. Nancy Flynn thanks her research assistant, Diana Cely, for her on-target and on-time efforts. She also thanks Paul Schodorf for his unwavering support and clear-headed advice. Randy Kahn is particularly grateful for the substantial contribution and input of Barclay Blair of Kahn Consulting, Inc. Without Barclay’s assistance this book would not be as insightful or technically in-depth. Sincere thanks to Diane Silverberg of Kovitz Shifrin Nesbit for her input. He also gives special thanks to his wife, Melissa, and his children, Dylan, Lily, and Teddy. Without their love, understanding, and encouragement, this book would not have been possible. Randy would also like to thank his father, Ted Kahn, for his support and inspiration. Finally, a special thank-you to literary agent Sheree Bykofsky and AMACOM acquisitions editor Jacqueline Flynn for their belief in this book and help in making it happen.
Slide 18: PART ONE
The Case for E-Mail Management
Slide 20: CHAPTER 1
Introduction
E-Mail Rule 1: Strategic E-Mail Management Reduces Liabilities
Whether you employ one part-time worker or 100,000 full-time professionals, any time you allow employees access to your e-mail system, you put your organization’s assets, future, and reputation at risk. Regardless of industry type, company size, or status as a for-profit or not-for-profit entity, the accidental misuse and intentional abuse of e-mail by employees can (and all too often does) create million-dollar (and occasionally billion-dollar) headaches for employers. From lawsuits to laptop theft to lost productivity, workplace e-risks abound. Fully 78 percent of employers report employees abusing e-mail and the Internet.[1] In recent years, highly publicized cases of e-mail abuse and misuse have involved household names including Arthur Andersen,[2] the New York Times,[3] Xerox,[4] and numerous U.S. state and federal government agencies.
It’s not just inexperienced staff and vengeful employees who are creating electronic liabilities. Hardly a week goes by without at least one CEO, CFO, stockbroker, or lawyer (experienced managers and skilled professionals who should know better) making newsworthy e-mail gaffes that trigger everything from tumbling stock prices to congressional investigations to media feeding frenzies.
Cautionary tales for employers, these high-profile e-disaster stories barely scratch the surface of the potential legal and business liabilities related to e-mail misuse and abuse. Whether sent by the chairman of the board or a summer intern, an ill-conceived or inappropriate e-mail message can savage your organization’s financial resources, talent pool, investment rating, and public profile.
Fortunately for savvy employers committed to ending e-mail abuse and reducing electronic risk, there is a solution. By developing and implementing the type of comprehensive, strategic e-mail management program detailed in E-Mail Rules, employers can anticipate e-mail disasters, address employee misuse, derail intentional abuse, curtail e-mail blunders, and limit costly electronic liabilities.
Take a Holistic Approach to E-Mail Management
Despite the broad scope of electronic business risks and legal liability, most organizations to date have focused solely on the most obvious forms of e-mail abuse—with sexual content, pornographic images, and offensive jokes topping the list. Management angst over adults-only e-mail is reflected in the fact that more than 46 percent of U.S. employers have disciplined or terminated employees for sending sexually suggestive or explicit material via the office e-mail system.[5] While employers are to be commended for their efforts to keep e-mail content clean, the current level of e-risk management falls far short of the goal of maximizing the business and legal value and overall effectiveness of workplace e-mail.
Organizations operating in the age of e-mail and the Internet need to adopt a more holistic approach to e-mail management. Focusing on the rules of e-mail management, rather than on liability concerns alone, E-Mail Rules was written to help employers harness the power of e-mail and other digital communication tools. By adhering to the rules of e-mail, organizations work faster, more efficiently, and in a legally sound manner. To that end, employers are advised to anticipate and address the challenges stemming from four primary types of e-mail abuse:
1. Intentional misconduct explicitly designed to harm employers and devastate e-mail systems. Topping this list is the theft of proprietary information. A popular form of intentional misconduct among cyberthieves and e-saboteurs, confidential data theft is big business, accounting for more than $170 million in financial losses in 2002.[6] Other examples of devastating e-mail misconduct include attacking e-mail systems, flooding e-mail systems with large attachments packed with restricted content, and sharing passwords with competitors, hackers, and other unauthorized persons.
2. Intentional misconduct that causes peripheral harm. Employees who send harassing e-mail messages to coworkers fall into this camp. While the sender may not intend to trigger a workplace lawsuit that costs the organization time, money, and credibility, employers nonetheless are put at risk. Yet, in spite of the potential cost, only 28 percent of employers have disciplined or terminated employees for sending menacing, harassing, discriminatory, or otherwise objectionable e-mail.[7] Another example of intentional, but by no means devastating, conduct involves wasting company resources by making excessive personal use of the organization’s e-mail system. While the user’s motive may be nothing more than a love of shopping or a love affair (rather than revenge, fraud, or theft), the organization nonetheless faces potential damages in the form of lost productivity, legal fees, and settlement costs. In fact, financial losses related to this type of abuse soared from $35 million in 2001 to more than $50 million 12 months later, according to the 2002 CSI/FBI Computer Crime and Security Survey.[8]
3. Inadvertent acts, foolish accidents, and miscues. When it comes to e-mail, accidents and miscues can cause just as much damage as intentional abuse. Should an employee accidentally hit “reply all” instead of “reply,” for example, sensitive company information may be lost, right along with employee productivity and bandwidth. If an employee walks away from a live e-mail account for ten minutes, that may be all the time a rogue employee needs to do serious damage to, or from, your e-mail system. If you think you’re immune to security breaches, accidental or intentional, think again. Ninety percent of large corporations and government agencies suffered computer security breaches in 2002, with 80 percent reporting financial losses as a result.[9]
4. Oversight. Occurring primarily at the system level and often stemming from ignorance of potential risks, oversight occurs when an e-mail system has been incorrectly configured or poorly maintained. Failure to install the most current security patches or to protect the e-mail server from outsiders, for example, is a common form of oversight.
E-Mail Management Is the Application of Fundamental E-Mail Rules
E-Mail Rules is intended as a best practices tool kit for business people confused by and concerned about how to manage their e-mail, what electronic records to retain or delete, how to maximize the effectiveness of their organizations’ e-mail systems, and other workplace e-mail and legal liability issues. Among the E-Mail Rules detailed in these pages are:
Retention: You Can’t Just Throw It Away. Organizations rely on e-mail as a critical business tool. With this reliance comes the obligation to treat information contained in e-mail systems as assets to be managed and protected. The first step: creating retention rules based on current law and sound business judgment. E-Mail Rules provides effective retention rules to protect organizations’ assets and futures by ensuring e-mail needed for legal and business purposes is retained, while nonrecord and administrative e-mail is properly disposed of when no longer needed.
Disposition: You Can’t Keep Everything Forever. What to retain? Some organizations mistakenly believe e-mail management simply means disposing of everything after 30, 60, or 90 days, regardless of content. Other companies retain all e-mail forever. Neither approach is ideal. While retention of some e-mail is required for legal and business purposes, retaining all e-mail is neither cost effective nor efficient. E-Mail Rules offers guidelines for disposing of records in accordance with written retention policy. E-mail efficiency is promoted, while the organization is shielded from allegations that records were destroyed following the initiation of a lawsuit, audit, or investigation.
Classification: E-Mail Is Intended for Business Purposes. E-mail often contains confidential documents, trade secrets, transaction details, and other critical information that must be managed as business assets. However, e-mail also is used by many to book lunch appointments and conduct other personal and quasi-business activities. Organizations need to develop and implement classification rules to evaluate and address messages based on content.
Transmission: E-Mail Interception Is a Risk. Where an e-mail is sent may be just as important as what it contains. E-Mail Rules addresses the establishment of transmission rules that consider the vulnerability of the environment through which messages are sent. For example, transmission rules might allow the use of a secure Intranet system to send confidential documents but ban transmission outside a corporate firewall via the unprotected Internet.
Data Protection: Failure to Control Business-Critical Data Is Not an Option. Unless organizations establish enterprisewide rules for e-mail management, they are at risk of exposing and losing business-critical data. E-Mail Rules shows employers how technology, policy, and employee training can work together to dramatically minimize the exposure of their business-critical data.
Central Management: Necessary in the Age of E-Mail. Although economic forces, corporate culture, and technological architectures have promoted the development of distributed organizations, corporate information and records must still be managed centrally. E-Mail Rules offers guidelines for central management, adding evidentiary value to records, increasing access, and decreasing the expense of record retrieval and reproduction. Employers learn how to manage critical information by corralling messaging records no matter where they are created and stored.
Metadata: Information About E-Mail Is Critical. An e-mail message without metadata (the data that manages the data) has limited evidentiary value. Consequently, organizations must develop rules to capture the who, what, when, and where of e-mail if messages are to have legal or business value as records.
Technological Solutions: Is the Answer Only a Purchase Order Away? Software manufacturers, having identified the management conundrum created by e-mail, offer technological solutions to e-mail challenges. Effective e-mail management calls for the development of management policies first, followed by the installation of technology to help implement policies. Approaching the problem in reverse order, as many organizations do, results in management policies that don’t truly reflect or address the organization’s needs.
User Management: Take Control of the Desktop. E-mail systems are increasingly feature rich, providing users with an ever-expanding range of options for the creation, transmission, and management of e-mail from their desktops. However, many of these features conspire to limit organizational management of e-mail. E-Mail Rules helps readers sort through the options and make informed decisions.
Electronic Time Management: Sending, Receiving, Replying, and Deleting—While Still Putting in a Productive Day. The average U.S. worker spends up to four hours a day sending and receiving e-mail,[10] creating a time management nightmare for executives and employees. E-Mail Rules offers tips and techniques, from the development and implementation of e-mail policy to the establishment of netiquette rules, to the creation of corporate content guidelines, designed to streamline the creation, forwarding, reading, and replying process.
Mixed Messages: It’s Not Just E-Mail Anymore. Instant Messaging and other technologies combining text, voice, and video are entering the corporate mainstream. Messages are sent and received on a dizzying array of portable devices that seem to evade traditional approaches to methodical records retention and management. E-Mail Rules helps organizations implement these new technologies while balancing user efficiency with e-mail records management.
Self-Assessment: Understanding Your Organization’s Risks and E-Mail Management Needs
Where do you stand when it comes to e-risk and e-mail management? Does your organization’s incoming and outgoing e-mail constitute a business record? Do you even know the difference between a valuable business record and insignificant data? Complete the following self-assessment to determine your awareness of organizational liabilities and the E-Mail Rules that can help reduce your risks, enhance employee productivity, and protect your organization’s future.
1. Do your employees use e-mail to negotiate, enter into, or maintain business relationships with clients, customers, vendors, or service providers? Yes / No
2. Is e-mail used regularly by your staff to communicate with customers or clients? Yes / No
3. Are spreadsheets, word processing documents, and other business-related content routinely incorporated into or attached to e-mail by employees? Yes / No
4. Do employees communicate with executives, supervisors, or the human resources department via e-mail? Yes / No
5. Do employees purchase services or products on behalf of the organization via e-mail? Yes / No
6. Does the organization communicate with lawyers or accountants via e-mail? Yes / No
7. Does the organization use e-mail to receive or transmit business-related complaints, recommendations, problems, questions, or inquiries? Yes / No
8. Is internal e-mail used to communicate information about product development, sales, service offerings, customer service, marketing, or advertising? Yes / No
9. Does your organization have a written e-mail policy governing employees’ e-mail usage? Yes / No
10. Does your organization conduct ongoing employee education related to e-mail policy and procedures, business record retention, and security? Yes / No
What Your Responses Mean
If you answered yes to the first eight questions, many of your organization’s incoming and outgoing e-mails likely constitute business records. From a legal perspective, the process of formally defining, properly identifying, and effectively retaining business records is the single most important e-mail challenge facing business today.
A yes response to question nine places you in the majority. More than 81 percent of large employers have written policies governing employee e-mail use. The problem is that fewer than 24 percent of organizations support e-mail policy with employee training.[11] Don’t leave employee compliance to chance. See Parts 2 and 7, respectively, for guidelines on the development of effective e-mail policy and the establishment of continuing education in support of your organization’s strategic e-mail management program.
E-Mail Rules Is the Ultimate Reference Guide for Managing E-Mail
Whether your concern is e-mail business record retention and deletion, e-mail policy and procedures, legal liability and document discovery, technological tools or security snafus, E-Mail Rules has you covered. By applying the tips, techniques, and tools found in E-Mail Rules, employers can develop and maintain customized, strategic e-mail management programs designed to successfully reduce electronic liabilities, increase employee productivity, and protect corporate assets.
Recap and E-Action Plan
E-Mail Rule 1: Strategic E-Mail Management Reduces Liabilities
1. Any time you allow employees access to your e-mail system, you potentially put your organization at risk.
2. Implement a strategic e-risk management program to help control liabilities.
3. Adopt a holistic approach to e-mail management.
4. Apply e-mail rules that address intentional misconduct, accidents, and oversight.
5. Retention rules are critical—the greatest legal and business challenge facing employers today.
Slide 29: CHAPTER 2
Real-World Legal Issues
E-Mail Rule 2: Manage Employees’ E-Mail Use
You’ve seen the headlines. Whether “Fifty Employees Fired for E-Mail Abuse” or “Pornographic Images Found in State Agency’s E-Mail System,” the story is the same. Employees’ accidental misuse or intentional abuse of e-mail systems has led to e-disaster, costing employers time, money, and credibility as the news media rush to cover salacious stories on otherwise dry news days.
How pervasive is e-mail abuse in the workplace? Common enough that nearly 47 percent of large U.S. employers review e-mail messages, with 63 percent monitoring Internet connections. Fear of lawsuits is the number-one reason for employers’ concern, with 68 percent of organizations citing legal liability as the primary reason to monitor employees’ electronic communications. Not surprising, given that nearly 10 percent of employers have received subpoenas for employee e-mail and another 10 percent have defended sexual/racial harassment/discrimination claims based on employee e-mail and Internet use.[1]
Mindful of legal, productivity, security, and other electronic risks, more than 81 percent of employers have established written e-mail policies designed to guide employees’ online activity and control content.[2] Unfortunately, while written e-mail policy forms the foundation of an effective e-mail program, it cannot stand alone in the battle against workplace e-risks. On the contrary, it takes a comprehensive understanding of technological and legal issues, combined with written policy and formal training, to successfully battle intentional and inadvertent e-mail system abuse.
Self-Assessment: Is E-Mail a Source of Unmanaged Liability in Your Organization?
1. Are employees allowed remote access to the organization’s e-mail system? Yes / No
2. Do employees use e-mail to document business events, activities, or transactions? Yes / No
3. Do employees use laptops or handheld computers to transmit e-mail? Yes / No
4. Is confidential data secured when road warriors travel with laptops or PDAs? Yes / No
5. Are employees permitted to shop or trade stocks online during the lunch hour and other breaks? Yes / No
6. Has an employee ever reported a lost, misplaced, or stolen laptop computer? Yes / No
7. Does the organization retain copies of all business e-mail? Yes / No
8. Does the organization restrict employees’ personal use of company-owned laptops? Yes / No
9. Does the organization have a policy governing online group discussions? Yes / No
10. Are you aware of employees violating company e-mail policy? Yes / No
11. Can you locate and access old e-mail whenever you need it? Yes / No
12. Do the organization’s in-house lawyers communicate with employees via e-mail? Yes / No
What Your Responses Mean
If employees are using e-mail to conduct business, communicate with friends, and engage in other personal business (on site or away from the office), the mix of professional and personal messages creates potential risks. If your company lawyer sends privileged e-mail messages, or executives leave the office with laptop and handheld computers laden with confidential information, a whole new set of potentially costly risks arises. Finally, if you are conducting business via e-mail, and you can’t locate messages documenting transactions and events, you have a problem. Manage your electronic liabilities today or risk e-disaster tomorrow.
Beyond Naked Pictures: A Methodology for E-Risk Management
While the improper use of your organization’s information system may waste valuable financial and human resources, it is the misuse of e-mail in particular that creates liability. Whether triggered by offensive messages, lost productivity, or security breaches, inappropriate online behavior is bad for business and has an enormous potential legal impact on your organization.
Take a Strategic Approach to Electronic Risk Management
Before drafting e-mail policy and implementing risk management procedures, be sure you have a clear and accurate picture of your organization’s e-mail and legal risks. Your strategic planning efforts should include: (1) determining and focusing on the specific legal and risk issues that are likely to impact your organization; and (2) categorizing potentially problematic conduct. As detailed in the Introduction, those categories include intentional misconduct explicitly designed to harm the organization and its e-mail system; intentional misconduct that causes only peripheral harm; inadvertent acts, foolish accidents, and miscues; and oversight.
Forming Your E-Risk Management Team [3]
Regardless of whether you operate a large organization with a full-time staff of in-house experts, or a small business that relies on part-time help and the advice of paid consultants, you will want to form a working team to oversee the development and implementation of your strategic e-risk management plan and the e-mail policies and procedures that grow out of your research. The size of your team will depend on the size of your organization, the scope of your electronic exposure, and your willingness to commit financial and human resources to e-risk management. For most organizations, the team will be made up of some or all of the following professionals:
1. Senior company official. Increase the likelihood of success by appointing a senior executive to oversee your e-risk management team. The involvement of a top executive will signal to the staff that your organization is fully committed to e-risk management. With the right champion leading the charge, your e-risk management team should have no trouble receiving necessary funding and support.
2. Legal counsel. Legal and regulatory compliance is key to successful e-risk management. Have your legal counsel review organizational risks, employee rights, and employer responsibilities. Involve your lawyer in policy development to ensure that all applicable federal and state laws and regulations are addressed. If you operate facilities overseas, be sure the e-mail-related laws and regulations of each country are reflected in written policies.
3. Human resources manager. Involve your HR manager in all aspects of e-risk management, from research and planning, through policy writing, to employee education and enforcement.
4. Chief information officer. Your chief information officer (CIO) can help bridge the gap between people problems and technical solutions. Information management professionals can play an important role in identifying electronic risks and recommending the most effective technologies to help manage those risks.
5. Computer security expert. While developing your e-risk management and e-mail policy program, take time to assess and address your organization’s computer security capabilities and challenges. If you don’t employ an in-house computer security professional, hire an outside consultant to assess and address your security risks.
6. Training specialist. E-mail rules, policies, and procedures are only as good as your employees’ willingness to adhere to them. Spend at least as much time communicating your e-mail policies as you do developing them. Don’t rely on employees to train themselves. Support initial policy training with continuing education tools and programs designed to keep employees’ electronic communications clean, clear, and compliant.
Focusing Your E-Risk Management Team
You must gain a comprehensive understanding of employees’ e-mail activity and associated risks before making determinations about conduct and policy guidelines. The types of activity your e-risk management team will want to assess and address include:
Intentional Conduct: Shopping for a Bundle of Risks Online
Online shopping during the lunch hour is an intentional act that may impact the shopper’s productivity, overwhelm the mail room as packages arrive (a widely reported business concern), or drag the organization into a dispute if the shopper fails to pay for merchandise purchased via the organization’s e-mail system. Without thoroughly evaluating the act and potential harm, management cannot be certain whether online shopping should be permitted or outlawed. By carefully evaluating conduct and risks, the organization may be able to arrive at a solution that allows online shopping while mitigating risks.
Intentional Conduct: Customer Service May Equal Organizational Disservice
Let’s say a pharmaceutical manufacturer is considering allowing customers to submit complaints via e-mail or Instant Messaging. Ease and speed are touted as benefits. But what happens if, thanks to poor record keeping, the manufacturer cannot turn over customer complaints to the Food and Drug Administration if requested to do so? An intentional act that initially seemed harmless, the process of submitting complaints via e-mail, may need to be disallowed because of potential regulatory problems. Had the organization not taken time to evaluate e-mail policies and procedures from a legal and compliance standpoint, the process may have been allowed, and the company would have been at risk.
Inadvertent Acts: Faster Is Not Always Better
To speed processing, the claims department is eager to transmit medical claims for processing via e-mail. But what happens if confidential medical records are accidentally addressed and sent to unauthorized persons? The solution may involve hands-on management, encryption, or requiring employees to send a confirming e-mail test message, followed by the sensitive information.
Oversight: Who’s Really Reading and Writing the Bosses’ E-Mail?
According to an online poll conducted by the International Association of Administrative Professionals (IAAP) and The ePolicy Institute, 43 percent of administrative assistants ghostwrite e-mail responses under their bosses’ names. Another 26 percent screen executives’ incoming e-mail, and 29 percent are authorized to delete e-mail addressed to the executive.4 Problems may loom for organizations whose e-mail accounts are equipped with digitized signing capabilities. The same password that opens executives’ e-mail accounts also accesses their digitized signatures. Without an understanding of the technology, misuse of executives’ signatures is a real risk.
Employers Can Be Responsible for Employees’ Wrongs
Fair or not, an organization may be held responsible for the misconduct of its employees. Known as vicarious liability (and the related legal concept of respondeat superior), this legal principle would come into play if an employee filed a discrimination claim based on an offensive e-mail message sent by another employee. Organizations are at greatest risk when they fail to protect employees from offensive conduct. Fortunately, if an employer makes reasonable efforts—through e-mail policy development and employee training—to prevent a hostile work environment, the bad acts of individual employees may not be attributable to the employer. In fact, the U.S. Supreme Court has made it clear that, through the development and enforcement of comprehensive policies, an organization can create a defense against sexual harassment or hostile work environment liabilities.5 Bottom line: Organizations that take time to develop strategic risk management programs, complete with written policy, employee training, and consistent enforcement, may have a viable defense against vicarious liability claims.
Self-Assessment: Anticipating and Addressing Intentional Misconduct, Inadvertent Acts, and Oversight
Scenario: You are a member of an e-risk management team that’s developing e-mail rules to limit liability. Should you implement rules governing the following?
1. Forwarding e-mail to an external e-mail account. Yes / No
2. Sending birthday cards to family members via office e-mail. Yes / No
3. Designating all business e-mail as privileged and confidential. Yes / No
4. Limiting online purchases to the lunch hour. Yes / No
5. Using personal handheld computers to communicate with customers while employees are vacationing. Yes / No
6. Participating in a recreational LISTSERV via the organization’s e-mail system. Yes / No
7. Sending free electronic greeting cards to coworkers via the organization’s e-mail system. Yes / No
8. Sending coworkers e-calendars featuring female and male swimsuit models. Yes / No
9. Giving administrative assistants access to all employees’ e-mail accounts, so messages may be checked during vacations and absences. Yes / No
10. Allowing employees to e-mail nonreligious inspirational messages to colleagues. Yes / No
What Your Responses Mean
Because employee e-mail conduct should be regulated, your organization may need to enact rules addressing many (or all) of these situations. Remember, seemingly tame or harmless behavior may trigger liability. So craft your rules carefully.
Recap and E-Action Plan
E-Mail Rule 2: Manage Employees’ E-Mail Use
1. Improper e-mail use creates liabilities.
2. Assign a team to oversee development of your strategic e-risk management program.
3. Understand employees’ e-mail activity and related risks before forming conduct rules and policy guidelines.
4. Employers may be held responsible for employees’ wrongs.
5. Policy and training create a defense against vicarious liability.
CHAPTER 3
E-Mail Ownership and Cybertheft
E-Mail Rule 3: E-Mail Belongs to the Employer, Not the Employee
As detailed in Part 2, employers should use written e-mail policy to notify employees that e-mail messages, electronic documents, and computer passwords belong to the organization, not the individual. Stress the fact that theft of company records is a serious offense carrying possible civil or criminal penalties. If you are among the 47 percent of employers who monitor e-mail to thwart theft and other disasters,1 take this opportunity to let your staff know.
Theft of Proprietary Information
In the paper world, employers rarely had to worry about disgruntled or vengeful employees driving to off-site record storage facilities and loading confidential information into their cars. It was just too risky and difficult to warrant an attempt. In the age of e-mail, however, just about any document can be attached to e-mail and sent outside the organization. The problem is so pervasive that 20 percent of employers reported the theft of proprietary information in 2002, with losses totaling $171 million.2 Easy and largely undetected access makes data theft a growing concern for business. The transmission is completed instantly, and data remains intact inside the company. A recent survey finds one in ten employees has received confidential information via e-mail. A whopping 79 percent of employees admit to using e-mail to share confidential information with others—innocently or otherwise.3
No Organization Is Immune from Data Theft
Imagine that an unhappy employee is planning to leave your organization. In anticipation, the employee has been busy e-mailing work-related files to a home computer. The stolen files include a few embarrassing e-mails written by the boss, along with a confidential client list. The employee plans to use the material as leverage in case management fails to offer severance or opts to enforce its restrictive employment contract.
Corporate Espionage on the Rise
To help counter corporate espionage and theft of trade secrets, the government of the United States in 1996 enacted the Economic Espionage Act (EEA). The U.S. Department of Justice (DOJ) even maintains a Web site (www.cybercrime.gov/eeapub.htm) on which it posts cases involving trade secret theft by U.S. citizens and corporations, as well as unauthorized use of computer systems. While it’s true that economic espionage and cybercrime cases often involve competitors or spies operating on behalf of domestic and foreign corporations or governments, the DOJ’s site clearly illustrates the fact that insiders, greedy or disgruntled employees and ex-employees, are actively involved in data theft. For example, take the case of Jeffrey W. Dorn, who used information from the employee placement firm he worked for to place a candidate on his own, for which he was paid directly. Dorn pled guilty to “one count of theft of a trade secret” and was ordered to pay restitution of $15,920 to his former employer. Dorn faces a maximum sentence of ten years in prison without parole.4 On a larger scale, in December 2001, Mikahel K. Chang was sentenced to one year and a day in prison, plus three years of supervised release, for theft of trade secrets from his former California-based employer. Chang admitted that he used customer and order databases stolen from his former employer to make sales on his own—selling $300,000 worth of goods and pocketing $60,000 in profits in the process. To put his theft in context, his former employer stated that “his company would have been put out of business” if the databases had not been recovered by law enforcement.5
Authorization and Authenticity
New technologies always bring new opportunities for employee misuse and abuse. Strive to anticipate and address challenges by developing and instituting rules before new technology is deployed. Scenario: A CEO who was tired of affixing handwritten signatures to business-related documents empowered an administrative assistant to add his digitized signature to official e-mail. All went well until another employee abruptly quit, and security determined that the ex-employee had used the organization’s e-mail system to purchase luxury items under the CEO’s electronic signature. Both the company and the CEO were impacted by the former employee’s illegal acts.
Ban Unauthorized Transactions
Put controls in place to block unauthorized e-mail transactions. In this case, had the CEO’s e-mail account not been left active, the thief would have had to download the CEO’s signature to another e-mail account. That might have caused the recipient to doubt the authenticity of the communication, in spite of the presence of the CEO’s signature. Instruct employees and executives to exit e-mail accounts if they plan to be absent for more than a few minutes. Or have the IT department install software to automatically “time out” e-mail accounts after a short period of time. With better controls on the use of the CEO’s e-signature, which was unprotected on the computer workstations of both the CEO and the administrative assistant, perhaps the unauthorized transaction could have been avoided.
Sample Record Ownership Statement
Any record including e-mail messages you create, receive, and/or use in the course of business is company property, which does not belong to you, other employees, or any third parties. At management’s request, employees must make available any and all company records at any time, for any reason. When terminated voluntarily or involuntarily, employees must turn over originals (if available) and all copies (paper or electronic) of company records and e-mail messages to management. Any third parties working on behalf of the company must return the original and all copies of company records on request or at the termination of their contract with the company. All records located in a company facility or facilities managed by outside entities on behalf of the company are presumed to be company property. All records created or stored on the company computer, e-mail servers, imaging system, communications system, telecommunication system, storage device, storage medium, or any other company system, medium, or device are presumed to be company property. All records that in any way pertain to the company or our business, no matter where they are located, are presumed to be company property, even if in the possession of a nonemployee or an entity other than the company.
Recap and E-Action Plan
E-Mail Rule 3: E-Mail Belongs to the Employer, Not the Employee
E-mail provides a multitude of unique opportunities for intentional and inadvertent misuse and abuse. While there is no completely foolproof way to prevent employee data theft, management can take steps to reduce its likelihood:
1. Monitor and review large e-mail attachments.
2. Advise employees that e-mail and other paper and electronic business records are the property of the organization.
3. Address e-mail ownership and confidentiality in your written e-mail policy.
4. Require employees to sign and date a written policy, acknowledging that e-mail and other paper and electronic business records belong to the organization.
5. Explain that theft of proprietary information may result in an employee’s termination and may be punishable by civil or criminal penalties.
PART TWO
Designing and Implementing Effective E-Mail Policies
CHAPTER 4
Why Implement E-Mail Policies?
E-Mail Rule 4: E-Mail Can Come Back to Haunt You
Although most U.S.-based organizations rely on e-mail to run their businesses, not all have established policies, procedures, and rules similar to those applied to paper-based processes and other information systems. Large institutions, for instance, typically have policies and rules regarding workplace conduct but fail to extend these rules to the creation and transmission of e-mail. Behind that oversight lurks potential long-term damage. Content rules help keep e-mail free of personal opinions, off-color jokes, and inappropriate commentary, which can haunt organizations during litigation, audits, or other formal proceedings. Take the case of the large consulting firm sued by a client for inadequate performance. During the trial, damaging internal e-mail messages undercut the firm’s defense. In one message, a consulting firm employee expressed the opinion that one of the consultants in question “should be taking community college courses, not billing for this.”1 Had management established and enforced policy banning personal opinions or commentary critical of the firm and its employees, it is unlikely that damning messages like this ever would have been written.
E-Mail as Legal Evidence
One of the ways in which e-mail is entered into evidence in court is to have it classified as a business record that satisfies the “Business Records Exception to the Hearsay Rule” (see below). Normally, when hearing evidence in a case, the courts require direct testimony from individuals who witnessed or had firsthand knowledge of events. Their testimony is considered more accurate and trustworthy than hearsay evidence from those who simply recount what others said. On their own, business records can be considered a form of hearsay and be excluded. Mindful that business records are an important source of evidence, however, the law long ago created an exception to the hearsay prohibition, the “Business Records Exception to the Hearsay Rule,” which allows the admission of business records that are created and maintained in the ordinary course of business. This rule recognizes the fact that corporations and government agencies typically continue to operate long after the creator of a given record is available to testify. It also acknowledges the financial and logistical nightmares litigants would face if forced to provide firsthand testimony for every document used in trial, especially when thousands of pages of evidence may be involved. Courts have admitted e-mail into evidence, but have excluded it as well.2 E-mail may be admitted into evidence for other reasons, too. E-mail that is considered a “Statement Against Interest” may be admitted, even if it fails to rise to the level of a business record. The courts’ reasoning: If e-mail in your system contains a statement detrimental to your organization, it probably is true. After all, few of us are prone to documenting our self-criticism. The bottom line: Fail to legitimize your e-mail system by applying business rules and establishing policy governing creation and content, and the courts may not consider your e-mail trustworthy and your messages as business records.
You may not be able to use e-mail that is not a business record as evidence to support your case. But your opponent may be able to use your own e-mail against you as a “Statement Against Interest,” if incriminating evidence is uncovered in your system.
Recap and E-Action Plan
E-Mail Rule 4: E-Mail Can Come Back to Haunt You
1. Content rules help keep e-mail clean of inappropriate and potentially damaging material.
2. Even though e-mail may be hearsay, it could still be used as evidence in court, if it were considered a business record.
3. Incriminating e-mail messages found in your system may be used against you during litigation.
CHAPTER 5
E-Mail Privacy
E-Mail Rule 5: There Is No One-Size-Fits-All E-Mail Policy
Not all e-mail policies are alike. This is especially true of employee privacy policies. Privacy laws vary by jurisdiction and must be researched and monitored in conjunction with policy development. Under U.S. federal law, management can use the organization’s written e-mail policy to inform employees that their e-mail may be monitored, and they have no reasonable expectation of privacy when it comes to sending and receiving e-mail. However, a multinational corporation based in the United States might not be able to apply this policy to European, Asian, or Middle Eastern employees. The Supreme Court of France, for example, has ruled that monitoring employee e-mail is improper, even with a written policy giving employees notice that management may be reading electronically over their shoulders. Before implementing domestic privacy policies abroad, have the lawyer(s) responsible for your international facilities review and, as necessary, adjust them to meet the regulatory, legal, and cultural needs of each country in which the organization operates.
Federal Law Protects Employers
When it comes to e-mail policy, employers are doing a good job with the basics. Fully 81 percent of large U.S. employers have established written e-mail policies. And eighty-four percent not only notify employees of the organization’s legal right to monitor e-mail and Internet activity, they also stress that employees should not expect privacy when using the e-mail system.1 The premise is that if employees know employers can and do review e-mail, then employees will be disinclined to misuse and abuse the system. U.S. courts in general accept the fact that informed employees neither would nor should consider e-mail their own. In fact, even in situations in which employers have assured employees that their incoming and outgoing e-mail would not be monitored, the courts have ruled that employees nonetheless should not expect privacy when using a company-owned system.2
What the Future Holds
While courts interpreting the federal Electronic Communications Privacy Act (ECPA) have made it clear that a company accessing its own e-mail is acting within the terms of the law, bills are advanced regularly (most notably in California), seeking to clarify the fact that employee e-mail may not be accessed unless employees receive prior written notice in the form of an e-mail policy. Those bills have routinely been defeated, but that situation could change. To be safe, employers should assign their e-risk management team or legal counsel the task of monitoring legislation related to e-mail privacy on the state, federal, and, if appropriate, international levels.
Sample Privacy Statement
All records and e-mail that are created, stored, transmitted, or received using company resources (including but not limited to computers, telecommunications systems, e-mail servers, and fax machines) should be for business purposes only. The company reserves the right to access and review the content of any record, nonrecord, document, or e-mail message created, stored, transmitted, or received using company computers and/or other company-provided resources located in company facilities or on company property. Employees are not granted and should not expect any right to privacy with respect to such records, nonrecords, documents, or e-mail messages.
Recap and E-Action Plan
E-Mail Rule 5: There Is No One-Size-Fits-All E-Mail Policy
1. Make sure your e-mail policy establishes no expectations of privacy.
2. Review HR and other policies to ensure that your e-mail privacy statement conforms to the privacy statement that appears in other company policies.
3. Use your policy to inform employees that they should not expect privacy with regard to the organization’s e-mail, computer, or telecommunications systems.
4. Research and conform policies to the relevant regulations and laws of the states and countries in which employees and offices are located.
5. Develop and maintain a list of excluded employees who are covered by laws in jurisdictions that prohibit review or monitoring of e-mail transmissions and on-line activities.
CHAPTER 6
E-Mail Content
E-Mail Rule 6: Control Risk by Controlling Content
Controlling Content to Control Risks1
One of the most effective ways for employers to reduce electronic risks is also one of the simplest. By requiring employees to use appropriate, businesslike language in e-mail and other electronic documents, employers can limit their liability risks and improve the overall effectiveness of the organization’s e-communications in the process. Language that is obscene, racist, discriminatory, menacing, harassing, or in any way offensive has no place in the workplace. Use written e-mail policy to ban language that could negatively affect your organization’s business relationships, damage your corporate reputation, or trigger a lawsuit.
Real-Life E-Disaster Story: Turning Off Customers Via E-Mail
After ordering a baby crib from an online furniture retailer, a new mother e-mailed the company’s customer service department to express displeasure over slow delivery. Needless to say, the customer service department’s reply was not the answer the buyer was hoping for.
Dear Customer:
We got your feedback on doing business with our company. Obviously you never read the attached note we sent you the day after we received your order!!!! Also, our site says we will process your order within 2–3 days of receiving it, not drop it at your door. Further, our order process confirmation says allow up to 5 business days in transit while in the hands of the ground transportation service. We did everything we said we would do for you. Problem is you do not read. Please do not return to us as a customer, since you are exactly the type we do not want. Our rating of you as a customer is: Ignorant and enjoys it.
Sincerely,
Customer Service
Imagine the impact this type of “customer service” would have on your organization’s reputation and bottom line. Is it possible your employees are insulting, defaming, harassing, or otherwise offending customers and vendors via e-mail? Couple content rules with employee education to ensure that electronic communications (external and internal) are as clean and clear as they are safe and secure.
What Constitutes Appropriate Online Content?
Instruct employees to compose businesslike messages that are free of:
Jokes (many jokes are told at the expense of an individual or group of people and may be perceived as harassing, menacing, or defamatory)
Obscene language and sexual content
Racial comments
Harassing or menacing comments
Negative or defamatory remarks
Ethnic slurs
Unsubstantiated opinions, rumors, and innuendoes
Sample Content Statement
Employees may not use the Company’s e-mail system, network, or Internet/Intranet access for offensive or harassing statements or language, including disparagement of others based on their race, color, religion, national origin, veteran status, ancestry, disability, age, sex, or sexual orientation.
How to Handle Unsolicited Messages That Violate Policy
Use your written e-mail policy to instruct employees how to handle offensive messages that land in their e-mail inboxes unsolicited. Protect employees by instructing them to report unsolicited and offensive e-mail to the appropriate supervisor. Explain that deleting, replying to, or forwarding banned messages may put the employee in the loop—making an innocent recipient party to the violation.
Don’t Take Chances with Content
If you have any doubt about your employees’ willingness to adhere to the organization’s e-mail policy and ban on inappropriate language, consider applying a technological solution to your people problem. By installing content filtering software that works in concert with your e-mail policy and is programmed to detect and report employee use of banned language, you can stay on top of policy violations. As an added bonus, programming your monitoring software to track competitors’ names along with inappropriate language may alert you to any electronic communication that is taking place between your employees and competitors, for example. What you don’t know could hurt you. For instance, an employee could be planning to open a business or make a career move, courtesy of your customer lists, formulas, or other trade secrets. Just be sure to put your policy into place before installing monitoring software. Remember: When you learn of employee misdeeds, you may have no choice but to take action. Failing to discipline employees for their misconduct may create liability as well. Your rules and policy should guide the technology, not the other way around.
Using Conversational Language
The most effective tone for electronic business correspondence is professional, yet conversational. How do you achieve that tone? Take the colleague, customer, and competitor test. Imagine you are in an elevator crowded with colleagues, customers, and competitors. What tone would you use? What would you say? What information would you reveal, and what would you keep under wraps? If you wouldn’t say it aloud while sharing close quarters with the people you work for, with, and against, don’t write it in an e-mail message. For additional guidelines and information about cyberlanguage, see Nancy Flynn’s book The ePolicy Handbook: Designing and Implementing Effective E-Mail, Internet, and Software Policies.2
Maintaining E-Mail’s Contextual String
E-mail is a contextual medium. As such, the meaning of any given message is typically linked to one or more related messages. This characteristic makes e-mail a fast way to communicate, as a message often collects valuable information as it moves from one reader to the next. Unfortunately, speedy communication is not always safe and complete communication. When an e-mail message is taken out of context and viewed in isolation, the sender’s meaning may be misconstrued or misinterpreted. An e-mail reply, when read in isolation from the message that triggered the response, also may be misunderstood. Litigators regularly take advantage of e-mail’s contextual challenges.
Imagine a manager sending an e-mail that reads, “Steve’s team needs to have its draft to the committee by close of business today.” Steve in turn shoots off this speedy reply: “I am all over Sue and Mary. Trust me; they will do what I say.” Taken out of context, Steve’s reply could be used to demonstrate he is at best heavy handed and domineering. In the worst-case scenario, Steve might be perceived as unprofessional, with a discriminatory, hostile, or dismissive attitude toward female employees. Be sure to address context in your e-mail policy. If there is any chance the meaning of a message will change materially if read in isolation from the message(s) that preceded it, instruct employees to attach all previous e-mail(s) to clear up any potential confusion.
Recap and E-Action Plan
E-Mail Rule 6: Control Risk by Controlling Content
1. One of the simplest, most effective ways to control risk is to control content.
2. Use your e-mail policy to ban language that is racist, sexist, obscene, menacing, harassing, discriminatory, or in any way objectionable or inappropriate.
3. Support your written e-mail policy with content filtering software.
4. Establish rules to ensure that the contextual string of e-mail is retained.
CHAPTER 7
Netiquette
E-Mail Rule 7: Establish and Enforce Rules of Online Etiquette
A Netiquette Primer for Employees1
The power of e-mail is considerable. With e-mail, you can send a message around the globe as quickly and conveniently as you can communicate with an office mate. You can distribute lengthy documents across time zones and continents with just a click of your mouse. And you can respond to a client’s inquiry or a supervisor’s request in a matter of seconds. With all that power, however, comes responsibility. Every e-mail message sent by an employee reflects on the organization’s credibility and the writer’s professionalism. Electronic documents that are poorly constructed and riddled with mechanical errors can sink careers and turn off customers. E-mail messages inadvertently sent to the wrong recipient can compromise confidences, create hard feelings, and cause embarrassment. Electronic correspondence that is menacing, harassing, pornographic, or otherwise inappropriate can trigger litigation. An effective e-mail policy should incorporate the rules of “netiquette,” or e-mail etiquette. By addressing and enforcing netiquette rules, employers can help reduce the likelihood of employees writing and sending inappropriate messages that can trigger lawsuits and other risks.
Mind Your Electronic Manners
Use your e-mail policy to provide employees with basic guidelines for acceptable and effective electronic correspondence. By its nature, e-mail is a “cold” medium. Messages written and conversations held on screen lack the warmth of face-to-face discussions and telephone calls, which benefit, respectively, from body language and intonation. Couple its coldness with the tendency of many writers to type messages quickly and in some cases thoughtlessly, and it is easy to see how e-mail can result in hurt feelings, misunderstandings, and liabilities. Adherence to the basic rules of netiquette can alleviate problems and help cast your employees and your organization in a favorable light.
Netiquette Guidelines for Employees
1. Beware of hidden readers. If confidentiality is an issue, don’t use unsecured e-mail. You may intend to send an e-mail to one person. But an inaccurate keystroke or the recipient’s decision to forward your message could land your e-mail on dozens, hundreds, or thousands of unintended readers’ screens. Never use e-mail, without adequate precautions, to communicate trade secrets, proprietary information, or any news that could damage the organization or its employees were the message to be read by an unintended reader.
2. Write as though Mom were reading. Regardless of the intended reader, write your message as though your boss, the media, or Mom were reading. People treat e-mail too casually, sending electronic messages they would never say aloud or record on paper.
3. Remain gender neutral. You never know where your e-mail will land, so avoid sexist language that could offend or irritate others. Your intended reader may be a male, but the ultimate decision-maker could be the female executive (the hidden reader) who receives a forwarded copy of your original message. Send a message full of masculine pronouns (he, his, him, etc.), and you may turn someone off and lose this business relationship for good.
4. Keep the organization’s harassment and discrimination policies in mind. Eleven percent of U.S. employers with written policies in place have defended sexual/racial harassment/discrimination claims based on employee use of e-mail and the Internet.2 All electronic communication should adhere to the rules set forth in the organization’s harassment, discrimination, and information management policies.
5. Don’t use e-mail to let off steam. Upset or angry? Compose yourself before typing your message. Once you hit “send,” your e-mail is on its way through cyberspace and probably can’t be retrieved. Don’t take the chance of sending a poorly worded or inflammatory message that could worsen an already difficult situation or trigger litigation. Even if communication is urgently needed, ask a trusted colleague to read your document before you send it. If you have the luxury of time, give yourself up to forty-eight hours to calm down before sending a potentially damaging message.
6. Control the urge to “flame.” More biting than a thoughtlessly worded message, an e-mail flame is a document that is hostile, blunt, rude, insensitive, or obscene. Flames are unique to e-mail, as the slow pace of snail mail does not accommodate immediate, heated reactions. Flames, and the obscene and abusive language that feeds them, have no place in a business environment.
7. Respect others’ time. E-mailboxes stuffed with recipes, jokes, advertisements, and requests for charitable donations can drain productivity and waste bandwidth. Do not use the company computer system to send, forward, or reply to spam (electronic junk mail).
8. Never reply to spam. If you are on the receiving end of a spam mailing, do not reply to the “unsubscribe” option. Often, your reply accomplishes just the opposite, confirming your e-mail address and encouraging the sender to forward or sell it to other spammers. Replying to spam also can be a waste of time, as senders sometimes use one-time-only addresses to blast the spam into cyberspace. Your irate reply could land in a black hole. So why bother? For more on spam, see Part 5.
9. Do not mail to the world. Send e-mail messages only to readers with a legitimate need for your information. Mail to your group list only when it is appropriate for everyone on the list to receive the message. Do not reply to a message unless you have something to contribute.
10. Copy with care. Sending a carbon copy (Cc) or blind carbon copy (Bcc) to a recipient who doesn’t need to read your message wastes everyone’s time. As a rule, address your message to the person you want to motivate to act and send carbon copies strictly as a courtesy. Carbon copy recipients are not required to reply to messages. So don’t get upset when a response is not forthcoming.
11. Don’t oversell your message. Just because you have the ability to mark messages “urgent” doesn’t mean you should. Reserve the “urgent” classification for messages that demand immediate action.
12. Ask permission to forward material. Do you subscribe to an e-zine or electronic newsletter that might be of interest to an associate or customer? Don’t hit “forward” without asking permission of the individual who originally sent the material as well as your intended recipient. Forwarding copyright-protected material without permission could land you and your employer in hot water.
13. Inquire about attachments. All employers should address attachments in their written e-mail policies. Some organizations go so far as to prohibit the opening of e-mail attachments altogether. Before sending an attachment, ask if the reader would prefer to receive the information as an attachment, in the field as part of the message itself, or via fax, snail mail, or messenger service.
14. Incorporate a salutation and signature. As mentioned above, e-mail is a contextual medium. Your salutation and signature establish your role in the document’s history, no matter how often it’s forwarded. As an added benefit, your signature signals the end, sparing your reader the aggravation of scrolling the screen for more copy.
15. Beware the exclamation point!!! Some writers try to enliven their e-mail and generate reader interest by slapping an exclamation point onto the end of nearly every sentence. Don’t fall into this trap!!! Pump up your writing with descriptive factual language and well-crafted sentences, instead.
16. Resist the urge to capitalize. Eager for reader attention, many e-mail writers use all capital letters. Bad idea on two counts. For one thing, the eye is accustomed to reading a mix of capital and lowercase letters. Writing uppercase-only messages will slow the reader down and may impede understanding and acceptance of your message. Another concern is that readers sometimes interpret messages written in capital letters as the electronic equivalent of shouting. Write entirely in uppercase, and you run the risk of offending and losing recipients before they ever start reading. Another concern: Were your message to be entered into evidence during litigation, your opponent or the jury might draw conclusions about your attitude or state of mind based on your “shouting.” Do yourself and your readers a favor. Stick with standard sentence style.
17. Apply the same rule to lowercase letters. Think an e-mail message that’s written entirely in lowercase letters conveys a breezy, informal tone? Think again. Business correspondence that is written entirely in lowercase is likely to paint a picture of you as a lazy, unprofessional writer.
18. Keep an eye on spelling, grammar, and punctuation. Your readers will. You wouldn’t walk into the president’s office or a customer’s showroom and start speaking gibberish. Why would you send an e-mail message that is a written form of gibberish? Professionalism extends to all forms of communication: written, verbal, and electronic.
19. Think before requesting a receipt. Imagine writing a crucial e-mail message that must be read and acted on. Short of receiving an electronic response, how can you be certain your message has been received and read? The quickest, easiest route to peace of mind is to select the “receipt notification” option on your screen. When the reader opens your message, you will be notified automatically. It is, however, a good idea to exercise caution with this option. Some readers may resent the implication that you do not trust them to open and read their e-mail. A bigger problem: If you send a message—complete with a request for an electronic receipt—to thousands (or tens of thousands) of coworkers, the resulting traffic might cause the e-mail system to shut down and business to be interrupted. To prevent this type of disaster, employers should outlaw the unauthorized distribution of e-mail messages to the entire workforce. In a pressing situation, the better option might be to phone your recipient with a quick heads up that the message is on its way, and that you would appreciate a timely response.
20. Keep your editorial comments to yourself. What to do if you receive an e-mail message that is short on style but long on mechanical and grammatical errors? Keep your editorial comments to yourself. Just as few speakers appreciate having their grammar corrected publicly by coworkers, there are not many e-mail writers who would enjoy receiving an unsolicited critique of their electronic writing. Leave that job to management or the professional writing coach your employer brings on board to help employees polish their electronic writing skills.
21. Treat others as you would have them treat you. If you receive someone else’s e-mail by mistake, don’t trash it. Hit “reply” to redirect it to the sender, along with a brief note about the mix-up.
Many companies automatically affix a warning to e-mail messages, advising errant recipients how to handle e-mail they mistakenly receive. When transmitting e-mail subject to the attorney-client privilege, lawyers typically affix a privilege legend to minimize the likelihood that the attorney-client privilege will be violated if a third party gets a misdirected e-mail. Avoid undermining the privilege legend’s utility; do this by addressing it within your written e-mail policy and netiquette guidelines and instructing employees on its proper use. Employees need to use the privilege legend only when appropriate; overuse can undermine its effectiveness.
22. Consider e-mail’s limitations. E-mail may be the best way to deliver news fast, but it’s not necessarily the best route to a quick reply. Your reader is under no obligation to check incoming messages regularly, if at all. It may be inappropriate to send a follow-up message demanding to know why a recipient has not responded to your message. For an immediate response to a pressing issue, don’t rely on e-mail. Instead, pick up the phone or schedule a face-to-face meeting.
23. Write a descriptive subject line that tells readers what your e-mail is about. Don’t let a vague, misleading, or nondescript subject line stop recipients from opening, reading, and acting upon your message.
Recap and E-Action Plan
E-Mail Rule 7: Establish and Enforce Rules of Online Etiquette
1. Use your e-mail policy to enforce online etiquette, or netiquette, rules.
2. Adherence to netiquette guidelines keeps employees’ content clean and employers’ liabilities in check.
Slide 62: CHAPTER 8
Special Netiquette Considerations for Managers
E-Mail Rule 8: Apply E-Mail Rules Consistently—from Summer Interns to the CEO
Executives and managers should, of course, adhere to the basic rules of netiquette as outlined in the previous chapter. In addition, there are a handful of special netiquette considerations that apply solely to those who supervise employees. Consider the following guidelines when developing your netiquette policy for managers.1
1. U.S.-based managers should regularly remind employees that the organization has the right to monitor employee e-mail. Don’t allow employees to assume they have an expectation of privacy when it comes to the organization’s computer assets.
2. Enforce the organization’s e-mail policy consistently. More than 50 percent of employers report terminating or otherwise disciplining employees for violating company e-mail policy.2 Spell out rules, violations, and penalties clearly in your written e-mail policy. Be fair and consistent with enforcement. Do not allow one employee or group of employees any special consideration or second chances other employees do not enjoy equally.
3. Be realistic about the organization’s personal-use policy. Thirty-nine percent of employers allow employees free and unrestricted personal use of office e-mail, while 24 percent ban all personal use.3 While workplace e-mail is intended primarily as a business tool, e-mail may be the only way for some employees to keep in touch with family and domestic partners during working hours. On the other hand, total prohibitions on nonbusiness use may be easier for employees to “interpret.” Determine your approach and spell it out clearly, along with penalties for violations, in your written e-mail policy.
4. Never use e-mail to fire employees or deliver bad news. Lacking the benefit of body language, facial expression, and intonation, e-mail is the worst way to deliver bad news to employees. Whether your objective is to terminate an employee or notify a department head of budgetary cutbacks, demonstrate respect for your employees by delivering bad news in person. A one-on-one meeting will give the employee the opportunity to ask questions and absorb the shock of bad news. And, should a wrongful termination lawsuit follow, personal notification may cast management in a better light than electronic notification would.
Real-Life E-Disaster Story: The CEO’s Devastating E-Mail
When the CEO of Cerner Corporation opted to use e-mail to express his displeasure over employee performance, he hoped to motivate his 400 managers to act. They acted all right, posting the CEO’s angry message on Yahoo!, where it was read by a hidden audience of 3,100 Cerner employees, as well as financial analysts, investors, and Yahoo! subscribers. The result: Cerner’s stock valuation, which was $1.5 billion the day the CEO’s e-mail was sent, plummeted 22 percent, from $44 to $34 per share, in just three days. An excerpt from the CEO’s devastating e-mail follows:
“We are getting less than 40 hours of work from a large number of our K.C.-based EMPLOYEES. The parking lot is sparsely used at 8 a.m.; likewise at 5 p.m. As managers—you either do not know what your EMPLOYEES are doing; or you do not CARE. You have created expectations on the work effort which allowed this to happen inside Cerner, creating a very unhealthy environment. In either case, you have a problem and you will fix it or I will replace you. NEVER in my career have I allowed a team which worked for me to think they had a 40-hour job. I have allowed YOU to create a culture which is permitting this. NO LONGER . . . You have two weeks. Tick, tock.”4
5. Do not use e-mail to discuss an employee’s performance with other managers. You are not required to like every employee personally, but you are obligated to treat each worker with professional courtesy. If you need to discuss an employee’s professional shortcomings with the human resources director or instruct a department head to terminate an employee who just isn’t working out, do so in person and behind closed doors. E-mail is fraught with too many dangers for sensitive or confidential communication. You could strike your group list key accidentally, sending negative comments about an employee’s work to everyone in the organization. You could type in the address of the employee in question, rather than that of the human resources director, and alert the employee (and the employee’s lawyer) to your feelings and comments. Worst-case scenario: If the employee in question were to file a workplace lawsuit, alleging a hostile work environment or wrongful termination, your electronic discussion with the human resources director could come back to haunt the organization. Remember, e-mail messages, like written performance reviews and other documents, may be subject to discovery and subpoena in litigation. In the event of trial, your e-mail messages concerning this employee could be used as evidence against the organization. Unless you are willing to risk a breach of security and have your words read by an unintended reader, do not use e-mail. It simply is not secure enough.
6. Do not rely on e-mail to the exclusion of personal contact. To varying degrees, your employees, customers, and suppliers all crave human interaction. While some people may be content to communicate electronically nearly 100 percent of the time, others may feel slighted or unappreciated unless you maintain ongoing personal contact. Even in the age of e-mail, relationship skills remain at the heart of long-term business success. Supplement your e-mail communication by holding regular meetings with your staff, customers, and important suppliers.
7. E-mail is a contextual medium. Do not use e-mail if there is any chance your message will be taken out of context or misunderstood. If your message is complex, technical, or otherwise in any danger of being misinterpreted, opt for a telephone call or a personal meeting instead of e-mail. If your message is a reply, be sure to include the original message with your response to keep the contextual string intact.
8. Do not rely solely on e-mail to communicate e-mail policies to employees. Create a sense of policy ownership among employees by holding e-mail policy training sessions. Outline e-risks and explain why the organization has established rules and policies. See Part 7 for comprehensive training tips.
Recap and E-Action Plan
E-Mail Rule 8: Apply E-Mail Rules Consistently—from Summer Interns to the CEO
1. Executives and managers can, and routinely do, write e-mail messages that result in electronic disaster. Don’t assume the people who sit in corner offices know what constitutes appropriate online content and conduct. Establish and enforce netiquette guidelines with executives, officers, managers, and supervisors in mind.
Slide 66: CHAPTER 9
LISTSERV Policy
E-Mail Rule 9: Impose Policies and Procedures to Control LISTSERV Participation and Content
LISTSERV is software that allows users to employ e-mail for online discussion. LISTSERVs typically are open to members who subscribe via e-mail. Once they have subscribed, users receive all e-mail that’s sent to the LISTSERV address. LISTSERVs are commonly used for group communication among remote parties with similar business or personal interests. When used properly, LISTSERVs can be a great source of industry information and interaction. But as any subscriber knows, when used improperly, they also can waste time, cause embarrassment, and trigger the occasional disaster.
LISTSERV Dangers
Using a LISTSERV is as easy as sending or receiving any e-mail message. The system’s ease, however, can be its greatest challenge. If you take advantage of your system’s “autocomplete” feature or accidentally click “reply all,” private messages may inadvertently land on the screens of thousands of industry colleagues. Another problem: Messages sent to LISTSERVs typically are archived for future reference. LISTSERV archives often are published on the Web and referenced by a search engine. Therefore, it is almost impossible to stop readers from finding and reading online LISTSERV postings and “admissions.” Subscribers’ embarrassing, angry, or otherwise inappropriate comments live forever.
Take Stock of Employees’ Online Group Discussion Subscriptions
Scenario: During lunch breaks, Gina routinely used the office computer system to check her stock portfolio and make trades. One day, Gina decided to throw caution to the winds and short sell a medical device manufacturer’s stock, hoping the stock price would drop quickly, boosting Gina’s bottom line. Unfortunately, shortly after Gina’s transaction, rumors of pending Food and Drug Administration (FDA) approval of the manufacturer’s newest product hit the market. In two short hours, the stock price rose $6 per share, dashing Gina’s hopes for her portfolio.
Desperate, Gina took the market into her own hands. Using her employer’s e-mail system, she sent an “anonymous” (and as it turned out devastating) posting to a stock bulletin board. Posing as a company insider, Gina claimed the FDA’s pending announcement would be nothing more than a “no action” letter requesting further information from the manufacturer. As Gina’s rumor took hold, nervous investors started unloading the stock. By the end of the most hectic trading day in the company’s history, the stock was down $12 a share, reducing the company’s market capitalization by nearly $100 million.
Determined to unearth the rumor’s source, the manufacturer tracked Gina’s “anonymous” e-mail message not only to her employer, but to the computer workstation on her desk. The manufacturer vowed to pursue Gina for triggering a devastating decline in the company’s stock price. In addition, the manufacturer announced plans to pursue Gina’s employer for failing to manage her online activity. Because employers can be held responsible for employees’ wrongs, Gina’s employer found itself defending both its actions and its corporate pocketbook.
Implement Policy to Control LISTSERV Participation and Content
Just how popular is LISTSERV for business and personal e-communications? Extremely.1
Number of public lists: 72,830
Number of local lists: 189,340
Total number of lists: 262,170
Total membership (public and local): 155,205,556
Total messages delivered on one representative day: 32,963,938
If organizations allow employees to participate in LISTSERVs or similar online discussion groups, rules should be established and enforced. This includes the implementation of policy that clearly spells out what type of LISTSERVs employees may subscribe to, whose authorization is needed to participate, and what employee-subscribers may, and may not, say. Employees who are authorized to participate in work-related LISTSERVs should be required to affix a content statement to all correspondence. Drafted by the organization’s lawyer with input from the e-risk management team, the organization’s LISTSERV content statement should inform outside LISTSERV participants that the subscriber’s comments are personal views, not those of the organization.
Recap and E-Action Plan
E-Mail Rule 9: Impose Policies and Procedures to Control LISTSERV Participation and Content
1. A tremendous source of industry information when properly used, LISTSERVs can pose dangers to employers when used improperly by employees.
2. Use written rules, e-mail policy, and procedures to control employees’ LISTSERV participation and content.
Slide 69: CHAPTER 10
Corporate Road Warriors
E-Mail Rule 10: Don’t Leave Home Without E-Mail Policies and Procedures
When employees treat laptop and handheld computers carelessly, leaving them in hotel rooms, rental cars, and airports, the organization’s computer assets and confidential information are up for grabs. A growing problem, laptop theft in the United States accounted for as much as $5 million in losses in 2002, a five-fold increase over the highest losses reported in 1997.1
Institute E-Rules for Remote Workers
If your organization employs sales professionals, you’re accustomed to their being out in the field with customers. Perhaps you have equipped your outside sales force with handheld computers, so they can write and e-mail orders back to the office at the close of business each day. It’s a fast and efficient system that works great, until a handheld is lost or stolen. Suddenly, you find yourself with no proof or evidence of orders—a big problem if your salespeople have been hoarding orders rather than transmitting them to the office at the end of each working day.2 It’s an even bigger problem if a handheld containing proprietary information has landed in the hands of a competitor with no qualms about data theft.
According to a survey by the International Association of Administrative Professionals (IAAP) and The ePolicy Institute, 66 percent of executives carry wireless handheld devices. Fully 83 percent take their laptops or handhelds on the road when they travel. Another 24 percent report lost or stolen devices.3
Real-Life E-Disaster Story: Road Warrior Woes
During the Persian Gulf War, a British military officer left a laptop computer unattended in a locked car. When the car and its contents were stolen, military command assumed the laptop had been hacked and security breached. The officer, whom some would say was guilty of nothing more serious than treating a laptop too casually, was court-martialed as a result.
Marry Policy to Technology
Any organization that uses e-mail for customer transactions must develop rules to ensure that electronic records are properly maintained and readily available to fill orders, address customer questions, or defend legal claims. Why invest in technology to improve your business without investing in policies and practices that maximize effectiveness and minimize risk?
Recap and E-Action Plan
E-Mail Rule 10: Don’t Leave Home Without E-Mail Policies and Procedures
1. Develop and implement rules for road warriors before new systems go live and high-tech gadgets leave the building.
2. Establish e-mail rules to ensure that the organization can always locate and access important e-mail.
3. Institute policies requiring salespeople to transmit orders to the organization on a daily basis or other appropriate interval.
4. Educate road warriors about the costs and liabilities of lost and stolen hardware and data. Reinforce the need for employees to keep a sharp eye and firm grip on laptops and handhelds.
5. Consider establishing backup procedures to protect data in the event that transportable computers are lost or stolen.
6. Limit the amount of confidential or proprietary data stored on laptops and handhelds.
7. Take advantage of technological tools, including antitheft software, encryption, and cables/locks that secure laptops to hotel room furniture.
Slide 72: CHAPTER 11
Failure to Establish or Enforce Policy
E-Mail Rule 11: Rules Exist for Businesses That Want to Remain in Business
In the eyes of the law, it’s unclear which is worse: having a policy you don’t follow, or having no policy at all. Regardless, in the current business environment, neither approach is acceptable. Organizations must not only have e-mail rules; they also must ensure that employees are aware of, understand, and adhere to them. Vicarious liability (and the related legal concept of respondeat superior) is the legal term used when an organization is held responsible for the bad actions of its employees. From a legal perspective, a written policy is one of the most effective tools an organization has to protect itself from vicarious liability claims.
Should the Employer Be Held Responsible? You Be the Judge
Let’s say a female employee sues her employer for sexual harassment or related claims. To prove her claim, she offers inappropriate jokes and obscene photos e-mailed to her by a male supervisor. If the organization has an e-mail policy prohibiting sexual content, naked images, harassing conduct, or offensive content, and if the organization conducts mandatory e-mail policy training, should the employer suffer? If the organization is conscientious enough to have an e-mail policy and train its employees, then perhaps the employer should not be penalized for bad acts that fall outside the offender’s job description.
In certain circumstances, the law recognizes that an employer who makes reasonable efforts through policy and training to prevent employees from creating a hostile work environment should not necessarily be liable for the bad acts of an individual. This was confirmed by the Supreme Court of the United States in the seminal cases Faragher v. City of Boca Raton and Burlington Industries, Inc. v. Ellerth. In both cases, the court made clear that the reasonableness of the employers’ conduct—including the establishment of good policies, supported by employee training—may form a defense from liability for sexual harassment or creation of a hostile work environment, triggered by an employee’s bad acts.1
Establish Rules, Enforce Policy, Avoid Disasters
Scenario: A female employee of a publicly traded company complained to management that her coworkers were violating e-mail policy by accessing and transmitting naked images and engaging in other prohibited conduct. Following the offended employee’s complaint that the firm was not enforcing its own policy, management investigated. The investigation revealed that numerous employees were violating the organization’s e-mail policy; those violations carried penalties up to and including termination. Confronted by the reality of a sexual harassment and hostile work environment claim, and its own failure to follow e-mail policy, the firm summarily terminated 50 employee-violators. A tremendous blow to the workforce, the mass firings could have been avoided had the firm adhered to its own policy from the beginning, making an example out of one violator before other employees followed suit.
The Law Appreciates Consistency
Not surprisingly, the inconsistent enforcement of e-mail rules creates headaches for employers. Take the case of the employer whose e-mail policy prohibits sending any message that could be considered “offensive or discriminatory to persons or groups based on nationality, gender, race, sexual orientation, age, etc.” As a direct result of that policy, employees have been disciplined on three separate occasions for transmitting inappropriate jokes about Asians, African Americans, and women.
In this case, an in-house accountant has e-mailed the entire accounting department a joke that begins, “Why do so many old people work at the supermarket?” Offended by the joke, a 60-year-old female employee meets with her supervisor to register a complaint and asks that appropriate action be taken. The supervisor’s response: “Everybody gets old. That’s life.” After six years without advancement, the female employee concludes (based largely on this conversation with her supervisor) that her boss discriminates against seniors.
Even without any real evidence of underlying age discrimination, she might be able to successfully advance the argument that the supervisor’s failure to punish the offending e-mail user for policy violation is tantamount to age discrimination. Her proof: (1) three offensive e-mail messages that were previously sent; (2) the discipline related to each previous policy violation; (3) the most recent e-mail; and (4) the fact that the supervisor refused to take action and enforce the e-mail policy. While the supervisor arguably displayed no overt discriminatory behavior, his failure to follow the organization’s e-mail policy and punish violators may be sufficient for an age-based class-action lawsuit to take root.
The same principle applies when e-mail rules are enforced among lower-level employees but not among senior management. Many organizations have policies that require all employees to retain and manage e-mail messages but install software that allows the automatic destruction of executive e-mail. Apparently, these organizations fear that executive e-mail could be subpoenaed in the course of lawsuits. What they should fear, instead, is the possibility that a judge will sanction the organization for engaging in a practice that suggests that the executive team has something to hide.
Leave No Room for Interpretation
E-mail policies, like all company guidelines, should be clearly written, easily understood, free of legalese, easily complied with, and consistently interpreted. Not wanting to appear harsh, organizations often are eager to give employees some e-mail latitude, as long as the law is not violated. Instead of clearly stating that company e-mail exists solely for business purposes, these employers use language that is open to individual interpretation. For example, “Personal use of the e-mail system is allowed only to the extent that it does not waste company resources or interfere with the performance of employees’ jobs.” Seems like a reasonable approach—until you consider the legal implications. The average employee’s interpretation of “waste company resources” probably differs from the interpretation applied by the legal department or the CIO.
The significance of interpretation is illustrated by this true story: A few days before Christmas, a collegial employee sent 90,000 coworkers a dancing holiday card, causing several e-mail servers to fail. Faced with a downed e-mail system and unexpected business interruption, management suddenly and clearly recognized why it is risky to allow employees to determine what constitutes system overuse.
Management Loses on Interpretation
Is an employee who wastes hours engaging in personal e-mail each day really in any position to determine if the behavior is ‘‘excessive’’? Take the case of the employee who regularly devotes two hours a day (a quarter of the work day) to personal e-mail. Fed up, management fires the employee on the grounds that excessive personal use of the system violates e-mail policy. Filing suit, the terminated employee admits using the e-mail system for nonbusiness purposes, but argues that he was in compliance with the organization’s policy and was getting his work done. One legal principle likely to be addressed in this dispute is the fact that ambiguity in language is interpreted against the policy’s drafter (the organization). In this case, the organization may lose the argument, all because management wanted employees to relax and have a little fun at work.
Write in Plain English to Limit Risks
When drafting an e-mail policy, instruct your e-risk management team and legal counsel to eliminate any arcane language or legal gobbledygook. The goal is to produce a well-written, clear, and readable e-mail policy. Leave no room for interpretation. Limit questions. Ensure that employees understand what to do—and not to do—via the organization’s e-mail system. Consider, for example, a policy that states, ‘‘Employees shall refrain from using or accessing the e-mail system to advance the interests of, or otherwise support, any noncompany-sanctioned philanthropic or charitable activity.’’ In spite of the policy, an employee uses the e-mail system to sell candy to raise money for his daughter’s volleyball team. Terminated for violating e-mail policy, the employee claims he read the policy but really had no idea what it meant. Would twelve reasonable jurors consider the policy ‘‘clear on its face,’’ as the organization’s lawyer would argue? Doubtful. Thanks to poor writing, the employer could lose this case.
Recap and E-Action Plan
E-Mail Rule 11: Rules Exist for Businesses That Want to Remain in Business
1. Written e-mail policy helps protect employers from vicarious liability claims.
2. The law appreciates consistent enforcement of policy.
3. Draft clear policies. Leave no room for employee misunderstanding or misinterpretation.
Slide 78: PART THREE
Retaining E-Mail Business Records
Slide 80: CHAPTER 12
Retaining Business Records: The Legal Foundation for E-Mail Management
E-Mail Rule 12: Treat E-Mail as a Business Record
From a legal perspective, the process of formally defining, properly identifying, and effectively retaining business records is one of the most important e-mail management activities you can undertake. Your ability to separate business records, both electronic and paper, from nonessential and useless information can have an enormous impact on your organization’s business, assets, reputation, and future, should you one day find yourself battling a workplace lawsuit or simply responding to an inquiry from a customer.
What Is a Business Record?
A business record provides evidence for the company of its business-related activities, events, and transactions. Business records are retained according to their ongoing business, legal, compliance, operational, and historical value to the company. A business record focuses on content—the value and future use of information—not format or storage mechanism. Business records can include:
Traditional documents: paper forms, letters, memos, proposals, and other information we typically think of as records
Electronic business content: e-mail messages, Instant Messages, and server log files
Photographs, recordings, and videos
Whether your organization is public or private, for-profit or not-for-profit, business records are critical to day-to-day activities, including:
Decision making
Financial and business analysis, forecasting, and reporting
Customer service
Human resources management
Compliance with state and federal laws and regulations
Protection of the organization’s legal interests
Why Manage E-Mail as a Business Record?
Regardless of how they originate or are stored, business records must be identified clearly and managed properly. E-mail is no exception. In 2001, an estimated 1.4 trillion e-mail messages were sent from North American businesses, up from 40 billion in 1995, according to research firm International Data Corp.1 Given the business community’s growing dependence on e-mail, your organization’s legal interests increasingly rest on your ability to define, manage, and access e-mail business records.
What Constitutes an E-Mail Business Record?
Not every message that enters or leaves your organization’s e-mail system is a business record. E-mail containing information about lunch appointments, work group discussions, and administrative notices are examples of messages that probably do not have to be managed as ‘‘official’’ business records and may be discarded when no longer needed. Your organization’s welfare depends on your ability to distinguish business records from nonessential information. For example, an internal e-mail inviting employees to the annual company picnic has considerably less value than an external e-mail in which a contractor agrees to complete a specific project for an agreed-on fee. While the picnic announcement has little significance after the event, the contractor’s message may be needed in the future to hold the contractor to the price quoted or settle disputes over the quality or scope of work performed. Consequently, the contractor’s message is a business record and should be treated as such. When it comes to business records, management faces a twofold challenge: (1) You must establish a clear definition of a business record to protect the business and legal interests of your organization; and (2) you must communicate that definition clearly and consistently to all employees to ensure that the definition is applied properly, e-mail is managed effectively, and your organization’s legal interests are served. The result: Valuable information is retained, and useless information that would otherwise overburden your system is purged.
Business Record or Not? You Be the Judge
Scenario: You are the customer service manager for a large automobile manufacturer. One day, your team receives the following e-mail message:
To: customerservice@companyx.com
From: frank@brick.space
Subject: Airbag problem?

hi, this is frank smith here, and i just bought one of your big SUVs off my neighbor . . . got a great price too! I’ve always wanted one. anyhoo, the other day i noticed that the airbag warning light started flicking on and off, then there was a hissing noise from the passenger dashboard and it smelled pretty bad. any idea what the problem is? should i take it in or anything? thanks! frank@brick.space
You know Frank’s vehicle is currently under a recall program, and you have heard rumors of impending class-action litigation related to deaths allegedly caused by faulty airbags. Should you manage this e-mail message as a business record? Apply the principle that records are managed based on content, and the definition of a business record as evidence of business-related activities, events, and transactions with ongoing business, legal, compliance, operational, or historical value. Then answer these questions:
1. Would you manage this document as a business record if it were in a format other than e-mail? Yes / No
2. Would you place this message in a folder and hand it over to the records management department had it arrived in letter form via snail mail? Yes / No
3. If you answered yes to question 2, is there any reason why the e-mail format should change the need to manage the message in a formal way? Yes / No
4. If you answered yes to question 3, please explain your reasoning.
5. Does the message provide evidence of business activities, events, or transactions, or does it have ongoing business, legal, or operational value? Yes / No
What Your Answers Mean
If you answered yes to questions 1, 2, and 5, congratulations. This e-mail clearly is a business record. It is a written communication from someone who owns and is experiencing problems with your product, and it must be managed with appropriate care. The operational value of the e-mail could come from a number of sources, including warranty service, customer satisfaction, compliance value, or legal value, as detailed below.
Warranty Service Value
Although Frank is not the original owner, the vehicle may still be under a transferable warranty. If so, the new owner needs to know how to receive warranty service or transfer the warranty. The e-mail may be used to track warranty claims, as it provides valuable anecdotal evidence of the problem.
Customer Satisfaction Value
As an admirer of your product, Frank is likely to return as a customer tomorrow if he is treated well today. Perhaps Frank’s e-mail could even be incorporated into a Customer Relationship Management (CRM) or knowledge-base system designed to help other customers with a similar problem.
Compliance Value
The vehicle is under a recall program related to the problem Frank has described. While your company may have an obligation to inform all vehicle owners about the recall, Frank is not the original owner. However, since his e-mail has put the company on notice that he owns a vehicle under recall, you may have an obligation to inform him of the recall. This e-mail should be managed as a business record on its compliance value alone. In addition, the company should classify any electronic replies to Frank as business records.
Legal Value
You have heard rumors of litigation related to the airbags in Frank’s vehicle, and Frank has described what could be a chemical leaking into the vehicle’s cabin. This e-mail, therefore, could play a role in potential litigation. Retaining the e-mail along with any records proving you informed the customer of the recall, instructed him to stop driving the vehicle until serviced, and towed his SUV to a garage could help protect you from a future claim filed by Frank. This is a clear case of one little e-mail packing a potentially powerful punch. The content justifies retaining and managing it as a business record.
How to Determine if E-Mail Is a Business Record
1. You need the e-mail to prove a business-related event or activity did or did not occur.
2. You need the e-mail to demonstrate a transaction: what was purchased or sold, for how much, in what quantity, when it was delivered, or where it went. Even if only some of this information may be gleaned, the e-mail may still be a business record.
3. You need the e-mail to identify who participated in a business activity or had knowledge of an event. All address lines (To, From, Cc, and Bcc) may be equally important.
4. The e-mail has legal or compliance value.
5. You need the e-mail to support facts you claim to be true, since the person with direct knowledge of the facts is not available to testify.
6. The e-mail addresses a public official’s activities, an investment broker’s client communications, or another topic specifically covered by law or regulation.
Legal Reasons to Manage E-Mail Records
E-mail business records help protect and promote your organization’s legal interests when evidence of business activities is needed. E-mail would be an important part of the evidence pool, perhaps the only source of evidence, if your organization were:
1. Battling lawsuits filed by shareholders, customers, competitors, or others.
2. Assisting authorities in the investigation and prosecution of criminal acts committed by employees, customers, partners, etc.
3. Complying with laws governing what your business must do (pay taxes) and must not do (pollute the environment), how it must treat customers, and so on.
4. Adhering to governmental (SEC), self-regulatory (NASD), and industry standard (ISO) regulations and policies.
5. Establishing contractual and other forms of business relationships with suppliers, partners, and customers engaged in buying and selling goods and services.
Recap and E-Action Plan
E-Mail Rule 12: Treat E-Mail as a Business Record
1. Consider how your organization defines business records. If appropriate, develop a new definition and make it part of your policy regime.
2. Update records, policies, and definitions to include e-mail and other electronic formats.
3. Manage information based on its business, legal, compliance, operational, or historical value, rather than the casualness of its creation or its storage medium.
4. Capture and retain complete e-mail records—message content and metadata (data that manages or describes the data).
5. Ensure authenticity by reproducing e-mail messages exactly as they were created.
6. Have ready access to e-mail as needed. Be able to locate it by content.
Slide 87: CHAPTER 13
E-Mail Business Record Retention
E-Mail Rule 13: Retain Business Record E-Mail According to Written and Enforced Retention Rules
A survey by the American Management Association, US News & World Report, and The ePolicy Institute reveals that 50 percent of the nation’s largest employers have no e-mail retention and deletion policy in place.1 This is an oversight with profound implications. Because most organizations now rely on e-mail for critical business communication and activities, it stands to reason that at least some e-mail should be classified as a business record and retained and managed according to written rules and policies. It is, of course, difficult to manage e-mail business records long term without a method for consistently and reliably identifying which messages are business records. Employee training is essential. If employees don’t understand which e-mail messages (created and received) should be retained, it’s likely important e-mails will be mismanaged, lost, or purged.
What Is Records Retention and Why Apply It to E-Mail?
Records retention is a systematic way of identifying, retaining, managing, and disposing of business records, along with documents and other materials that don’t rise to the level of a record. Business records are retained based on their value, rather than their creation, transmission, or storage format. Records retention rules should apply equally to paper and electronic information, as courts, regulators, investigators, and auditors generally don’t view electronic information any differently from paper for purposes of retention. E-mail or paper, business records are expected to be managed properly. While electronic and paper records both require management, the reality and process of retaining e-mail business records differs from paper record retention. E-mail retention poses three main challenges: (1) overwhelming volume; (2) costs related to capturing, indexing, and migrating messaging to fresh storage media, as well as weeding through e-mail to locate specific messages; and (3) unique digital characteristics that impact retention and long-term management.
Records Have a Lifespan
Fundamental to records retention is the fact that records have a lifecycle, complete with a beginning, middle, end, and all the messy in-between stages. Records must be managed according to their value to the organization and for the length of their lifespan, from creation to disposition. Scenario: Your CEO issues an internal e-mail memo, announcing an upcoming and historic merger. What is the lifespan of that e-mail? Should you identify and retain it as a business record because it contains information necessary to let your business group know of the merger and its impact? In this case, the answer is probably no. The message’s initial value was to provide administrative notice to employees. Thus, once you’ve notified the troops and the merger has occurred, the instructions and the e-mail have negligible ongoing operational value. On the other hand, were the merger subject to regulator scrutiny, then all merger-related communications probably should be retained for a time specified by regulation. In this case, the e-mail’s lifespan would be longer than required by its administrative value. To ensure proper retention, always incorporate legal and compliance requirements into the retention period. There’s a third way to value this e-mail: The merger may continue to have historical value if it transforms the corporation into a leading multinational public entity, and the CEO is recognized as a revolutionary business leader. Given that scenario, the company archivist could determine that all the CEO’s merger-related communications have historical significance and must be retained permanently.
Other Factors Affecting Record Lifespan
If and when a court seeks to determine if the retention period for a given record is reasonable, it will review legal requirements, industry standards, and other practices in which the organization engages. Consistency in developing and implementing retention periods for both paper and electronic records may be viewed as inherently more reasonable than destroying all e-mail after a short period without regard to its value (a potentially risky approach employed by many organizations).
Don’t Be Afraid to Put Records to Bed
While it is critical to retain important e-mail messages and other business records, it’s equally important to establish procedures for the disposal of records once they reach the end of their lifespan. Eliminating ‘‘dead’’ records in accordance with written policy unburdens the organization’s resources and ensures that old information cannot return to harm the organization. Your risk-management job is not complete until dead records are gone.
Strive for Complete, Trustworthy, Accurate Records
Because incomplete or altered records have diminished legal and business value, the goal of any effective e-mail retention program is to maintain complete, trustworthy, and accurate records. In the traditional records management world, this is where the concepts of originals and copies came into play. The goal traditionally was to retain original copies, which were most likely complete and accurate. In the electronic world, where exact copies are effortlessly produced, there generally is no legal difference between an electronic original and its perfect copy. Regardless, the focus of retention should be ensuring that e-mail records are authentic, trustworthy, and complete, and have integrity. That means retaining as much information as possible from that original e-mail record. An e-mail printed to paper without its routing information and metadata is simply a piece of paper with words on it.
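The point about routing information and metadata, shown as an added Python example that is not from the book: it keeps a message byte for byte, indexes its header fields, takes a SHA-256 digest at capture to detect later alteration, and lists what a body-only printout loses. The sample message is constructed (its Received line, Message-ID, dates, and hosts are invented), and all function names are assumptions.

```python
import hashlib
import hmac
from email import message_from_bytes, policy

# Constructed sample message: the addresses and subject echo the scenario in
# Chapter 12; the Received line, Message-ID, dates, and hosts are invented.
RAW_MESSAGE = (
    b"Received: from mail.sender.example (mail.sender.example [192.0.2.10])\r\n"
    b"\tby mx.recipient.example with ESMTP id CONSTRUCTED01;\r\n"
    b"\tMon, 06 Jan 2003 09:15:02 -0500\r\n"
    b"Message-ID: <constructed-0001@sender.example>\r\n"
    b"Date: Mon, 06 Jan 2003 09:14:58 -0500\r\n"
    b"From: frank@brick.space\r\n"
    b"To: customerservice@companyx.com\r\n"
    b"Subject: Airbag problem?\r\n"
    b"\r\n"
    b"the airbag warning light started flicking on and off\r\n"
)

METADATA_FIELDS = ("Message-ID", "Date", "From", "To", "Cc", "Bcc", "Subject")


def capture_record(raw: bytes) -> dict:
    """Keep the message byte for byte, plus a metadata index and a digest."""
    msg = message_from_bytes(raw, policy=policy.default)
    metadata = {
        name: str(msg[name]) for name in METADATA_FIELDS if msg[name] is not None
    }
    # Routing information: one Received header per server that handled the message.
    metadata["Received"] = [str(h) for h in msg.get_all("Received", [])]
    return {
        "raw": raw,                                  # the record itself, unaltered
        "sha256": hashlib.sha256(raw).hexdigest(),   # fixed at capture time
        "metadata": metadata,                        # searchable index derived from raw
    }


def is_unaltered(raw: bytes, digest_at_capture: str) -> bool:
    """True only if the stored bytes still match the digest taken at capture."""
    current = hashlib.sha256(raw).hexdigest()
    return hmac.compare_digest(current, digest_at_capture)


def printed_copy(raw: bytes) -> str:
    """What survives when only the words of the message are printed to paper."""
    msg = message_from_bytes(raw, policy=policy.default)
    return msg.get_content().strip()


def missing_from_printout(record: dict) -> list:
    """Metadata fields whose values appear nowhere in the body-only copy."""
    page = printed_copy(record["raw"])
    missing = []
    for name, value in record["metadata"].items():
        values = value if isinstance(value, list) else [value]
        if any(v not in page for v in values):
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    record = capture_record(RAW_MESSAGE)
    print("digest at capture:", record["sha256"])
    print("lost in a printout:", missing_from_printout(record))
```

The digest only proves anything if it is stored where the person holding the message cannot rewrite it, which is the same reason the book later recommends moving records out of their creator's control.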
Trustworthy Records Come from Trustworthy Systems
The system used to manage business records includes people, processes, rules, and technologies, all of which must be managed and controlled to create trustworthiness. That trustworthy records generally do not come from untrustworthy systems is a reality recognized by laws and regulations. Keys to trustworthiness: (1) written rules and policies that dictate every step of the retention and management process; and (2) evidence that employees are trained and follow the rules. This is why e-mail rules are so important to business. They minimize the likelihood that a court, regulator, or other party will doubt the reliability of your e-mail business records.
Are You Ready to Manage E-Mail Business Records?
1. Does ‘‘storage’’ mean the same thing as ‘‘retention’’ to you? Yes / No
2. Does your organization have a records management program? Yes / No
3. Does your organization manage electronic records according to its records management rules? Yes / No
4. Does your organization apply retention periods to e-mail records? Yes / No
5. Has your organization provided employees with training on e-mail retention? Yes / No
6. Does the technology (IT) department dispose of the contents of the e-mail system every 30, 60, or 90 days? Yes / No
7. Have you ever needed an e-mail but were not able to retrieve it as quickly as you would have liked? Yes / No
8. Have you ever needed an e-mail but were unable to retrieve it at all? Yes / No
9. If your organization manages e-mail according to retention rules, is e-mail retention based on the date the message was created? Yes / No
10. Do you ever do any business-related work using e-mail? Yes / No
11. Has your organization ever needed e-mail to deal with a lawsuit or audit? Yes / No
12. Will you be able to access any business-related e-mail for as long as you need to? Yes / No
13. Does your organization rely on disaster recovery backup tapes for long-term e-mail retention or storage? Yes / No
What Your Responses Mean
To get records retention right, you need to rid yourself of the notion that storage is the same as retention. E-mail records should be managed according to their value. If you still think it is okay to get rid of everything in the e-mail system after a short period of time, think again. Your e-mail records may one day be needed to respond to a customer or defend the organization’s interest in a lawsuit. You must take e-mail records management seriously if your organization is to survive and thrive.
Recap and E-Action Plan
E-Mail Rule 13: Retain Business Record E-Mail According to Written and Enforced Retention Rules
1. A business record provides evidence of business-related activities, events, and transactions.
2. You must develop a means of consistently and reliably identifying business records.
3. Employees require training to distinguish business records from nonessential e-mail.
4. Disposal or purging is as important as retention. Remember that deletion may not mean it is truly gone.
5. E-mail records (like all records) must be complete, authentic, and trustworthy.
Slide 93: CHAPTER 14
Developing Retention Rules
E-Mail Rule 14: Apply Retention Principles to E-Mail Records
The foundation of a sound records management program, a retention schedule is a detailed document that identifies the different types of information that must be retained and managed as business records. It also stipulates how long a record must be kept and may offer a legal justification for a record’s retention. A typical retention schedule might contain the following:
1. Business function code and name for groups of records (records series). For example, a business function code could be ‘‘accounting and finance,’’ or ‘‘tax.’’
2. Records series codes and names combine records related to the same topic or having the same function, so they can be managed as a group. ‘‘Accounts Payable and Accounts Receivable’’ is an example of a records series that could be grouped and managed with ‘‘Accounting and Finance’’ records. (Specific business records that make up a records series would, for example, be ‘‘ABC Plumbing Co. Invoice.’’)
3. The type of media on which an identified records series will be retained.
4. The length of time the official copy of a record will be retained.
5. An indication of whether or not a records series contains vital, historical, or permanent records.
6. The law, regulation, or policy that justifies retaining the record.
7. Additional notes and information to help readers understand the classification categories and records series.
Records Series Lifespan
The lifespan of a records series is determined by business and legal considerations. On the business side, it may be important that your salespeople have the ability to call up an original purchase order three years after a purchase. On the legal side, federal, state, and local laws and regulations often mandate specific retention periods. Other legal considerations, such as the Statutes of Limitations, can help you determine proper retention periods, too. While laws and regulations may not specifically address e-mail (although they increasingly do), it is in your organization’s best interests to ensure that e-mail records are retained for the same length of time as paper records relating to the same topic. For example, if you retain paper purchase orders for three years, then retain e-mail purchase orders for 36 months as well. Consistency is key.
Beware Catch-All Retention Periods
For ease of management, some organizations employ a catch-all strategy that treats e-mail messages as a group and retains the entire group for the same amount of time. A typical policy might read: ‘‘All e-mail on the server will be erased after 60 days.’’ While the desire to streamline e-mail management and eliminate excess messages in a timely fashion is commendable, the catch-all approach ignores individual e-mail content and context, undercutting the recommended value-based approach to records management.
Each E-Mail Message May Be Unique
E-mail is a fairly unstructured form of communication. It’s possible for people to write whatever they like, regardless of message type (response to a customer’s inquiry, memo to staff, etc.). Furthermore, the ability to forward and attach information to messages enables e-mail to gather information over time. Consequently, every message contains unique information that may be available nowhere else. Organizations that assume every entry in a database can be discarded after a year, for example, may encounter trouble with e-mail. Content and messages containing unique business information can be lost easily. On the other hand, there are certain types of e-mail, such as automatically generated responses that go out when visitors complete Web site forms, that can more easily be managed this way, as the content is fixed and changes only periodically. Remember, retention is driven by content, not medium.
Recap and E-Action Plan
E-Mail Rule 14: Apply Retention Principles to E-Mail Records
1. Your organization has a need to retain e-mail, just like other business records.
2. Catch-all deletion may have made sense before e-mail was a critical business tool used to execute contracts, hire employees, and interact with customers, partners, and regulators. But it certainly makes less sense today.
3. Treating all e-mail messages as a single group with a single retention period, while applying different retention periods to paper records based on their content, is a fundamentally inconsistent approach that could cause problems if a judge questioned why your organization took time to manage paper records based on content but destroyed e-mail messages with no regard to content.
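The contrast this chapter draws between a retention schedule and a 60-day catch-all purge, worked through as an added Python example that is not from the book. The schedule uses the fields the chapter lists; the 36-month purchase-order period is the book's own figure, while the series codes, the other periods, the messages, the review date, and the choice to start the retention clock at the creation date are constructed assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SeriesRule:
    """One line of a retention schedule, using the fields the chapter lists."""
    function: str        # business function the series belongs to
    series: str          # records series name
    media: str           # medium on which the series is retained
    retain_months: int   # how long the official copy is kept
    vital: bool          # vital, historical, or permanent records?
    justification: str   # law, regulation, or policy behind the period


@dataclass(frozen=True)
class Message:
    msg_id: str
    series_code: str     # assigned when the message was classified; "" if never
    created: date


CITE = "PLACEHOLDER: cite the governing law, regulation, or policy"

# Constructed schedule: only the 36-month period comes from the book.
SCHEDULE = {
    "ACC-AP": SeriesRule("Accounting and Finance",
                         "Accounts Payable and Accounts Receivable",
                         "electronic", 36, False, CITE),
    "CON-AGR": SeriesRule("Contracts", "Contractor Agreements",
                          "electronic", 72, True, CITE),
    "ADM-NOT": SeriesRule("Administration", "Administrative Notices",
                          "electronic", 1, False, CITE),
}

# Constructed mailbox contents and review date.
MESSAGES = [
    Message("po-1001", "ACC-AP", date(2002, 1, 15)),
    Message("contractor-fee", "CON-AGR", date(2002, 3, 10)),
    Message("picnic-invite", "ADM-NOT", date(2002, 6, 1)),
    Message("staff-notice", "ADM-NOT", date(2002, 7, 20)),
    Message("unfiled-reply", "", date(2002, 2, 1)),
]
TODAY = date(2002, 9, 1)


def add_months(start: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of short months."""
    years, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + years, month_index + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def dispose_on(msg, schedule=SCHEDULE):
    """Date the schedule allows disposal, or None if the message is unclassified."""
    rule = schedule.get(msg.series_code)
    return add_months(msg.created, rule.retain_months) if rule else None


def due_by_schedule(messages, today, schedule=SCHEDULE):
    """Messages whose series lifespan has ended; unclassified mail is never due."""
    due = []
    for msg in messages:
        when = dispose_on(msg, schedule)
        if when is not None and when <= today:
            due.append(msg.msg_id)
    return due


def purged_by_catch_all(messages, today, days=60):
    """What 'all e-mail will be erased after 60 days' removes, whatever the content."""
    cutoff = today - timedelta(days=days)
    return [msg.msg_id for msg in messages if msg.created < cutoff]


def compare(messages, today, schedule=SCHEDULE, days=60):
    """Where the catch-all rule and the schedule disagree, in both directions."""
    due = set(due_by_schedule(messages, today, schedule))
    purged = set(purged_by_catch_all(messages, today, days))
    ids = [msg.msg_id for msg in messages]
    return {
        "lost_records": [i for i in ids if i in purged and i not in due],
        "dead_but_kept": [i for i in ids if i in due and i not in purged],
    }


if __name__ == "__main__":
    print(compare(MESSAGES, TODAY))
```

On this data the catch-all purge destroys the purchase order, the contractor agreement, and a message nobody classified, while a notice past its one-month lifespan is still sitting on the server.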
Slide 96: CHAPTER 15
SEC and NASD Regulations
E-Mail Rule 15: E-Mail Retention Periods May Be Determined by Regulatory Bodies
Within the securities industry, the Securities and Exchange Commission (SEC) and National Association of Securities Dealers (NASD) regulate the retention of business-related e-mail. For example, NASD Conduct Rule 3110, ‘‘Books and Records,’’ requires brokerage firms, among others, to retain ‘‘books, accounts, records, memoranda, and correspondence in conformity with all applicable laws, rules, regulations, and statements of policy.’’ Some brokerage firms interpret the SEC language to apply to e-mail and Instant Messages: ‘‘originals of all communications received and copies of all communications sent . . . (including interoffice memoranda and communications)’’ are retained ‘‘for a period of not less than three years, the first two years in an accessible place.’’1 Other firms adopt different retention periods, based on their interpretation of the regulatory directives and requirements. Among other requirements designed to promote accuracy, longevity, and easy access to trustworthy electronic records, the SEC provides specific requirements for the media and process used for archiving electronic records generally:
1. Electronic records must be stored on nonrewritable and nonerasable media.
2. The system must ‘‘verify automatically the quality and accuracy of the storage media recording process.’’
3. The organization using electronic records must provide regulators with ‘‘facilities for immediate, easy readable projection or production of . . . electronic storage media images and for producing easily readable images.’’
4. The system must ‘‘store separately from the original, a duplicate copy of the record.’’2
Recap and E-Action Plan
E-Mail Rule 15: E-Mail Retention Periods May Be Determined by Regulatory Bodies
1. The SEC takes e-mail retention seriously. Need proof? The commission recently fined several brokerage firms millions of dollars for allegedly failing to retain and/or produce e-mail according to SEC 17a-4.
2. Don’t wait for e-disaster to strike. Draft your e-mail rules and policies to adhere to applicable laws and regulations. And educate employees to comply with organizational and regulatory guidelines.
Slide 98: CHAPTER 16
Record Retention Versus Backup Tapes or Stored E-Mail
E-Mail Rule 16: Don’t Be Set Up by Backup
Is your organization really retaining e-mail and other electronic records, or are you merely relying on backup systems for retention? If you’re simply relying on backup, you’re asking for trouble. Backup systems are not designed for record retention. They exist solely for the mass recovery of critical data in the event of a natural or man-made disaster. Information is stored en masse in a format designed to reduce storage volumes and speed wholesale recovery. Records management, on the other hand, involves more than storing critical information in a known location. Unlike backup systems, which make no provision for the review of individual e-mail records, records management ensures that you have ready access to any given record, whenever you need it.
The Difference Between Retained Records and Retained Backup Tapes
Organizations commonly and mistakenly assume they are engaged in records management when in fact they simply are determining retention periods for backup tapes. Based on the assumption that original data exists, backup retention is neither a legal nor a records management issue. It is nothing more than a business and technological concern. Backup tapes should be kept only as long as they are needed to ensure that operations can be restored in a timely fashion following a disastrous data loss. IT departments usually adhere to a schedule that creates a backup tape on a daily, weekly, monthly, or quarterly basis. Because there is no reason to keep backup longer, tapes are rotated and recycled routinely. Good idea. Holding on to backups would expose your organization to potentially costly unmanaged risk if a court forced you to search, reformat, and hand over this potential goldmine of information in the course of litigation.
Real-Life E-Disaster Story: Backup Can Be Costly
When a pharmaceutical company was sued, the company provided multiple backup tapes containing electronic records. Later, the company found itself fighting another legal claim. While litigation was in process, the company, as part of the normal course of business, disposed of the backup tapes from the first case, which concluded shortly after the second lawsuit commenced. Opposing counsel argued the company was wrong to dispose of the tapes without first examining them to ensure that they did not contain information relevant to the current litigation. The court agreed and severely penalized the pharmaceutical company.1
Retention Location
E-mail messages identified and retained as business records should be periodically moved from live or active systems into a designated records management application, server, or network location. The benefits of transferring records include:
1. Giving authorized persons access to records required for operational and legal purposes. This could be as simple as one e-mail needed to help build a customer service database or as complex as a series of messages and attachments required for a lawsuit.
2. Ensuring that the organization’s retention and management policies are uniformly applied.
3. Bolstering the trustworthiness of e-mail records by taking them out of the control of the individual most likely to alter or destroy them—their creator.
4. Easing e-mail record searches for business or legal (discovery) purposes via centralized storage and management.
5. Enabling administrators to focus on one system from a management and maintenance perspective.
6. Helping to ensure that e-mail records are disposed of in a uniform manner consistent with organizational policies.
Paper or Plastic: Two Approaches to E-Mail Retention
Proper e-mail retention is no easy task, a fact illustrated by the many strategies and software applications available today. At the most basic level, however, all organizations must answer the same question: Are we going to keep e-mail in its original digital form or print messages to paper and delete electronic versions? Before deciding on paper or e-mail, weigh the features and benefits, pros and cons of each approach.
E-Mail Pros
E-mail messages contain a wealth of information you may want or need to retain for business and legal purposes:
1. Header information: e-mail addresses, e-mail server names and routing information, dates, and sender and recipient names
2. Body content: text, graphics, sound, hypertext, links, markup, and other types of code that depend on related e-mail messages, software, and Web sites for their meaning and function to be clear
3. Attachments: any type of digital information imaginable, including documents, video files, music, images, executable code, software applications, driver files, and, of course, viruses and Trojan horses
4. Signatures: found in the text or, in the case of a cryptographic digital signature, embedded in or wrapped around the e-mail message
Digital Details
If you opt to manage e-mail digitally in a central location, instruct system administrators and architects to ensure that the following information is retained and available for searching and retrieval:
Creator identification
Creation or transmission date and time
Receipt date and time
Recipient identification
Routing information
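As an added illustration (not code from the book), the sketch below builds one index record holding the five items listed above from a raw message, using Python's standard `email` package. The sample message, the `index_record` name, the `missing` list and the SHA-256 digest of the stored bytes are assumptions of this example.

```python
import hashlib
from email import message_from_bytes
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample message (reserved .example domains, documentation IPs).
RAW = b"""\
Received: from mx.fictitiouscompany.example (mx.fictitiouscompany.example [192.0.2.10])
\tby mail.fictitiouscompany.example with ESMTP id CONSTRUCTED2;
\tMon, 03 Mar 2003 09:15:42 -0500
Received: from out.fictitiouscustomer.example (out.fictitiouscustomer.example [198.51.100.7])
\tby mx.fictitiouscompany.example with ESMTP id CONSTRUCTED1;
\tMon, 03 Mar 2003 09:15:40 -0500
From: Katie <katie@fictitiouscustomer.example>
To: Peter <peter@fictitiouscompany.example>, benny@fictitiouscompany.example
Cc: sales@fictitiouscompany.example
Date: Mon, 03 Mar 2003 09:15:31 -0500
Message-ID: <constructed-0001@fictitiouscustomer.example>
Subject: Information on New Widget?

Please send more information.
"""


def parse_date(value):
    """Return an ISO 8601 timestamp, or None if the value is absent or unparseable."""
    try:
        return parsedate_to_datetime(value.strip()).isoformat()
    except (AttributeError, TypeError, ValueError):
        return None


def received_timestamp(header_value):
    """The timestamp of a Received header is the text after its last ';'."""
    _, sep, stamp = header_value.rpartition(";")
    return parse_date(stamp) if sep else None


def index_record(raw_bytes):
    """Extract the retention metadata for one message into a searchable record."""
    msg = message_from_bytes(raw_bytes)
    # Each relay prepends its own Received header, so the first one in the
    # message was written by the final receiving server.
    hops = [str(h) for h in msg.get_all("Received", [])]
    hop_times = [received_timestamp(h) for h in hops]
    addressed = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    record = {
        "creator": parseaddr(str(msg.get("From", "")))[1] or None,
        "sent": parse_date(msg.get("Date")),
        "received": hop_times[0] if hop_times else None,
        "recipients": [addr for _, addr in getaddresses(addressed) if addr],
        # Routing in travel order: oldest hop first, folded lines unfolded.
        "routing": [" ".join(h.split()) for h in reversed(hops)],
    }
    # Flag gaps so the archive can report records with incomplete metadata
    # (for example, a message re-keyed from a printout).
    record["missing"] = sorted(k for k, v in record.items() if not v)
    # Assumption of this example: a digest of the exact stored bytes lets a
    # later audit show that the retained copy has not changed.
    record["sha256"] = hashlib.sha256(raw_bytes).hexdigest()
    return record


if __name__ == "__main__":
    for key, value in index_record(RAW).items():
        print(f"{key}: {value}")
```

A message that arrives with only a From line and a body produces a record whose `missing` list names the sent date, receipt date, recipients and routing.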
Benefits of the Digital Approach
Easy search and retrieval
Searchable in multiple ways depending upon structure
Ability to access metadata and audit trails to show the integrity of the record
Can be structured to capture one of each message, making employees responsible for determining what to retain
Allows for compliance with record production in litigation
May be the only retention approach to satisfy certain regulators
Downsides of the Digital Approach
Per-seat cost may be high
May need to build or buy technology to manage content (E-mail management software is currently available. E-mail Xtender from Legato Systems, Inc., provides good records management functionality.)
Requires technology management resources at the outset and throughout its use
Enhanced searchability for discovery may produce e-mail that creates liability or embarrassment
Requires training for technology staff and other employees
Real-Life E-Disaster Story: Paper Versus E-Mail
In a 2002 case, the court was asked to compel the production of e-mail messages from backup tapes, at an estimated cost of $395,944 for eight storage tapes and $9.75 million for all the backup tapes. Confronted with the possibility and enormous cost of searching huge volumes of e-mail messages, the defendant argued that the company printed out the important e-mail communications, eliminating the need to produce e-mail backup tapes. In rejecting that contention, the court noted, “The defendants did not show any policy that defined what e-mail should be reduced to hard copy because of its importance.”2
We’re left to wonder: Would the court have rejected the opposition’s request for e-mail if the defendant had produced a policy instructing employees how, when, where, and why to retain e-mail in paper form?
The Paper Approach
If your organization decides that printing e-mail on paper is the only feasible way to properly retain it, then develop rules that clearly state when e-mail is to be printed, what should be printed, and where and how printed files should be stored. Consider instructing employees to:
1. Print messages with transmission data and routing information. E-mail without this type of metadata has questionable evidentiary value.
2. Store messages with similar records.
3. Properly organize, label, and store e-mail records in a universal file plan or indexing regime.
4. Secure confidential and privileged material.
Benefits of the Paper Approach
Easy to implement the program and train employees
Eliminates masses of electronically stored e-mail
Limited storage costs
Taps few human or technology resources
Reduces the need to migrate or refresh data
Limits stored e-mail’s discovery exposure
Reduces the need to apply retention to electronic media and e-records
Inexpensive to implement
Retention rules easily implemented
Downside of the Paper Approach
Evidentiary value of e-mail may be limited in paper form
Evidentiary value of e-mail printed on paper is marginalized without printed metadata for each e-mail record
No electronic searching
Requires compliance and involvement from all employees
May not be acceptable to regulators or courts
Potential for losing embedded information within messages
What’s Lost When Originals Are Deleted?
When e-mail is printed to paper with the original deleted, important information can be lost, including:
1. Embedded information and linked documents. Their loss changes the content, context, and overall meaning of the message.
2. Transmission information and other metadata that could be used to audit the course and chain of custody of the e-mail message.
3. Signatures and other information used to demonstrate the message’s integrity, particularly digital signatures, which cannot be reduced to paper in any meaningful way.
Legal Considerations
“The Law is clear that data in computerized form is discoverable even if paper ‘hard copies’ of the information [have] been produced.”3 Clearly, while retaining e-mail in paper form may be an attractive means of retention, there are legal considerations worth noting:
1. E-mail without metadata is weak evidence. After all, anyone can type a message on a piece of paper.
2. E-mail in electronic form may be easier to search in response to discovery or regulators’ requests.
3. Courts can compel access to electronic versions of printed e-records, and you may face consequences if the electronic version is not available.
4. Much can be learned from seeing an electronic record in electronic form, without which the evidentiary value may be diminished.
To date, only one case has addressed the acceptability of the print to paper approach to e-mail retention. That case, Public Citizen v. John Carlin, in his Official Capacity as the Archivist of the United States of America, involved a federal agency. While the case was overturned on appeal for other reasons, the lower court made clear that it considered e-mail printed to paper an unacceptable method of retention. The case itself may have no legal bearing on your company, but it is worth considering the court’s position as you develop policy.4
Note also that regulators may take issue with electronic records retained in paper form. For example, in IRS Revenue Procedure 98-25, which deals with automated data processing systems (not e-mail systems), the Internal Revenue Service specifies that certain e-records may be audited in electronic form. Therefore, it is at least worth considering the ramifications, if any, of failing to retain e-mail messages in electronic form.
European Retention Law
In an apparent response to increased terrorism and the use of e-mail communications among terrorists, the European nations are considering a law to require providers of communications services like e-mail, phone, and fax to retain records for one year. What impact that ruling will have on U.S. businesses is unclear, but ISPs conducting business in Europe may be faced with major new storage headaches.
Recap and E-Action Plan
E-Mail Rule 16: Don’t Be Set Up by Backup
1. Don’t confuse backup system retention with business record retention.
2. Holding on to backups longer than necessary potentially creates liability concerns.
3. E-mail business records should periodically be moved from live systems to a records management application.
4. Carefully weigh the pros and cons, business and legal, of digital retention versus paper retention.
Slide 106: CHAPTER 17
Software Solutions
E-Mail Rule 17: E-Mail Rules Apply to Automation, Too
Many employers opt for an e-mail records retention program requiring employee involvement. Other organizations, however, rely on software to read e-mail messages and automatically assign them to an existing category or records series in the retention schedule, or to develop self-defined categories based on content. This process is generally referred to as automatic classification, categorization, or filtering.
Autoclassification
The last few years have seen an explosion of software tools and applications aimed at helping organizations manage and classify the deluge of e-mail. Some of these tools automatically classify, route, delete, or otherwise act based on e-mail content. Products range from simple (scanning e-mail subject lines for target words) to complex (employing a form of artificial intelligence to determine the meaning of an e-mail’s text). Less complex tools are useful for filtering inappropriate content, reducing spam, and preventing the spread of viruses, etc. Tools at the higher end of the scale can automatically apply retention rules at the central e-mail server, with little or no reliance on employees at the desktop level.
Here’s how autoclassification of text works: E-mail text is processed into a series of words or phrases. Extraneous filler or stop words such as “a” and “the” are eliminated to speed the process. The words and phrases that remain are compared against known words or phrases, and the e-mail message is categorized based on predetermined rules. Consider this e-mail, for example:
To: PeterandBenny@FictitiousCompany.com
From: Katie@FictitiousCustomer.com
Subject: Information on New Widget?

Hi, I saw an advertisement for your latest Widget on television, and was wondering if you could e-mail me more information, as I really like the looks of it.
Thanks
Katie
Both the sender and recipient could form the basis of classification, as the e-mail sender’s address is external, which could indicate a customer or potential customer. The phrases “latest Widget” and “television” could be used to indicate a response to the company’s current advertising campaign. A combination of factors could be used to classify this e-mail as a “customer request” record, kicking off a series of sales responses.
The value of autoclassification stems not only from the ability to categorize and manage e-mail according to a retention schedule or other rules, but also from the fact that management occurs centrally, and e-mail records are automatically captured and moved to a designated records management system. Autoclassification systems often are configured to work hand-in-hand with records management or document management applications. This can help resolve the problem of employees failing to categorize and move e-mail records off their active systems, and it can add to the overall perceived trustworthiness of record e-mail.
Is Autoclassification Right for You?
Autoclassification is not a panacea. It is only as good as the rules and policies that have been developed to control it. There is still work to accomplish, in terms of building a classification system to reflect your business and legal interests. Ensuring that the software is doing a satisfactory and consistent job often requires constant administration and maintenance.
You should also consider what to retain via autoclassification. The system could be used to capture one copy of every e-mail, even if the captured messages do not meet the definition of a business record, or it could capture any other identifiable category you wish to retain. Some software develops self-defining categories based on the content of messages that are not easily classifiable. This, however, can result in a pile of messages that ultimately needs to be reviewed by a human being.
If you opt not to retain one of everything, you empower the software to dispose of e-mail that (in the software’s opinion) meets your description of disposable e-mail. Given the business and legal issues that can arise from inadvertently or purposefully destroying necessary e-mail, this approach would require confidence in the system. It’s important to note that autoclassification will likely make mistakes, regardless of configuration.
These systems also can be configured to use a hybrid of automatic and human classification. The system makes preliminary classification decisions, which are confirmed or changed by a member of the staff. This approach can result in a high degree of accuracy. Some systems can even learn this way, being taught where they are making classification mistakes.
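The rule-based process described in this chapter (split the text into words, drop stop words, match known phrases, apply predetermined rules) and the hybrid mode in which staff confirm uncertain decisions can be sketched as follows. This is an added example, not code from the book or from any product; the rule set, the stop-word list, the internal domain and the function names are assumptions, and the sample is the Widget e-mail from the text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The customer e-mail quoted in the chapter, laid out as a raw message.
SAMPLE = """\
To: PeterandBenny@FictitiousCompany.com
From: Katie@FictitiousCustomer.com
Subject: Information on New Widget?

Hi, I saw an advertisement for your latest Widget on television, and was
wondering if you could e-mail me more information, as I really like the
looks of it. Thanks Katie
"""

INTERNAL_DOMAIN = "fictitiouscompany.com"  # assumption: the organization's own domain
STOP_WORDS = {"a", "an", "the", "i", "for", "your", "on", "and", "was", "if",
              "you", "could", "me", "as", "of", "it", "more", "really"}

# Hypothetical rules: phrases are token tuples compared after stop-word removal;
# external_sender is True, False, or None (sender does not matter).
RULES = [
    {"category": "customer request", "external_sender": True, "min_hits": 2,
     "phrases": [("latest", "widget"), ("television",), ("advertisement",)]},
    {"category": "invoice", "external_sender": None, "min_hits": 1,
     "phrases": [("invoice",), ("purchase", "order")]},
]


def tokenize(text):
    """Lower-case the text, split it into words, and drop stop words."""
    words = re.findall(r"[a-z0-9]+(?:-[a-z0-9]+)*", text.lower())
    return [w for w in words if w not in STOP_WORDS]


def contains_phrase(tokens, phrase):
    """True if the phrase occurs as consecutive tokens."""
    n = len(phrase)
    return any(tuple(tokens[i:i + n]) == phrase for i in range(len(tokens) - n + 1))


def body_text(msg):
    """Join the plain-text parts (transfer-encoded parts are not decoded here)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return " ".join(p.get_payload() for p in parts
                    if p.get_content_type() == "text/plain"
                    and isinstance(p.get_payload(), str))


def classify(raw_message):
    """Return the category, the evidence for it, and whether staff must confirm."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    external = not sender.endswith("@" + INTERNAL_DOMAIN)
    tokens = tokenize(msg.get("Subject", "") + " " + body_text(msg))

    candidates = []
    for rule in RULES:
        if rule["external_sender"] is not None and rule["external_sender"] != external:
            continue
        hits = [" ".join(p) for p in rule["phrases"] if contains_phrase(tokens, p)]
        if len(hits) >= rule["min_hits"]:
            candidates.append((rule["category"], hits))

    if len(candidates) == 1:
        category, hits = candidates[0]
        return {"category": category, "matched": hits,
                "sender_external": external, "needs_review": False}
    # No rule or several rules matched: keep the message and queue it for a
    # person instead of letting the software decide (or dispose of it) alone.
    return {"category": "unclassified",
            "matched": [h for _, hits in candidates for h in hits],
            "sender_external": external, "needs_review": True}


if __name__ == "__main__":
    print(classify(SAMPLE))
```

The same text sent from an internal address no longer satisfies the "customer request" rule and lands in the review queue, which shows how much the outcome depends on the rules rather than on the software.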
Other Software Functions
There are many other software applications available to assist your organization in managing e-mail. Some of the functionality available with software includes:
Develop and enforce e-mail policies
Archive e-mail messages
Retain messages according to defined retention rules
Develop and apply retention periods, and enable easy disposition
Allow for easy search and retrieval, through full text searching and other techniques
Provide auditing mechanisms to track access and changes to stored messages
Conduct monitoring and reporting
Access controls for providing authorized parties access to the whole or parts of the system for administration, searching, and conducting of discovery and audits
Benefits of E-Mail Management Software
Moves messages off servers and active e-mail systems to increase functionality and speed
Allows users ready access to needed messages
Allows users to make record-keeping decisions based on content
Facilitates records policies and retention rules
Protects company business and legal interests by retaining only what is needed
Allows users to classify and code individual messages
Allows messages to be retained for a requisite period of time
Protects confidential and privileged information
Recap and E-Action Plan
E-Mail Rule 17: E-Mail Rules Apply to Automation, Too
1. Software exists to automatically classify, route, delete, or otherwise act on e-mail content.
2. High-end software will automatically apply your retention schedule at the central server, with little (or no) employee involvement.
3. Autoclassification is only as good as the rules and policies that tell it what to do, and it will likely never be 100 percent.
Slide 110: CHAPTER 18
Outsourcing E-Mail Storage and Retention
E-Mail Rule 18: Assess the Legal and Business Ramifications Before Moving E-Mail Off Site
In addition to enterprise-focused tools for managing e-mail, recent years have brought about third-party, or outsourced, e-mail management and storage services. These popular Application Service Providers (ASPs) and Storage Service Providers (SSPs) deliver storage and management services minus the large outlay of capital required to buy or build similar solutions in-house.
What Is an ASP?
Application Service Provider is a new name for an old concept: outsourcing. The contemporary twist: The speed and availability of global network connectivity via the Internet enables sophisticated applications and features to reside in one central location (the ASP) and be delivered to your company over the Internet and accessed through a Web browser. Storage Service Providers (SSPs) are ASPs that offer remote storage and data management. Quickly becoming the biggest expense in large employers’ IT budgets, data storage gobbles up as much as 30 percent of capital expenditures. Outsourcing data storage may cut 10 to 30 percent of your IT budget.1
ASP Advantages and Disadvantages
Cost makes the ASP model appealing. Using an ASP is like leasing office equipment rather than buying it outright. You pay a monthly ASP fee, freeing capital that otherwise would be tied up in licensed software. Service is another ASP advantage. The ASP provides up-to-date software, technical support, maintenance, and other administrative tasks that can be the most expensive part of owning and operating licensed software. The downside to ASPs also revolves around cost and service. Over the long term, your subscription fee could dwarf a one-time software purchase. Network interruptions, security breaches, and administrative errors result in downtime, which you would not experience (in the same way) were software kept in-house.
Legal Concerns
There is cause for concern when applications or information residing at the ASP data center have business and legal significance, particularly in relation to e-mail context. With data stored off-site, issues of record control may be a problem, particularly for regulators. Regulators and the courts expect the timely delivery of e-mail records. Response time could be hampered by poor service or system outages on the ASP’s end. In that regard, care should be taken when selecting an ASP. Select a provider that’s likely to be in business over the long haul. Given the stringent e-mail retention requirements imposed by the SEC, brokerage firms and others are increasingly utilizing the services of e-mail outsourcers like Iron Mountain Digital Archives and others for e-mail retention and management.
Outsourcing Rules
One of the keys to a successful relationship with a third-party e-mail management and storage provider is a Service Level Agreement (SLA) that protects your organization’s interests. An effective SLA should address these issues:
1. System uptime. For critical systems such as e-mail, expect minimal unscheduled downtime. Be sure your SLA guarantees system uptime and provides fee reimbursements and other remedies when downtime occurs.
2. Security. You want a complete list of software, hardware, and practices used to ensure physical, network, and content security. The level of security offered needs to be at least as good as the security you could cost-effectively implement on your own. Security is particularly important when valuable information is moving around the country or the globe. Look for encryption, Virtual Private Networks, and private leased lines, among other features.
3. Redundancy. Look for a provider who can quickly respond to a data center disaster with a duplicate set of hardware, software, and Internet access points. If you are using a provider to store critical data, be sure precautions are taken to prevent data from being lost or damaged. Critical data should be backed up and moved off site to another secure facility.
4. Throughput/capacity. Because e-mail storage volumes can be large and unpredictable, it’s in your best interests to negotiate guarantees regarding the amount of network bandwidth required to store and retrieve data and the costs associated with your storage volume requirements.
5. Access. Business, compliance, and legal needs often mandate fast access to stored data. Ensure that data is easily and quickly accessible from your ASP or SSP. To increase the efficiency of their operations, ASPs often will move full storage devices offline as soon as possible—a strategy that may not serve your interests if an offline tape or optical disk needs to be located in a warehouse across the country and loaded into an active device to be searched.
6. Business continuance. Avoid ASPs/SSPs that don’t have a written plan to transfer data assets to you or a related service in the event the ASP/SSP goes out of business or is purchased. Also make sure the ASP will be able to assist you if you need to produce e-mail for litigation. Agree on the fees associated with “litigation support” services before signing the contract. Ensure that technical specifications for hardware and software are available and agreed on. Your organization must be able to access and read data returned by the ASP.
Outsourced Services Available
Internet access and e-mail. Just as home users pay monthly fees to Internet Service Providers (ISPs), many small and midsize companies outsource Internet access and e-mail functions.
Server space. Small and mid-size organizations often rent servers or space on servers from third-party data centers, which offer fast Internet connections and management services that could not be provided in-house for the same cost.
Complete e-mail system. Billing on a per-user or per-mailbox basis, the ASP operates required e-mail server hardware and software, security systems, and other features configured to the client’s needs. The client’s own IT administrators access administrative controls over the Internet, allowing them to add and remove users and perform other tasks.
Archiving. E-mail messages the client company wants to retain are sent over a network to the service provider, which receives and files e-mail according to the client’s criteria. Using a Web browser, the client can access, search, and dispose of the retained e-mail over the network.
Physical storage. Storage drives, tapes, and other devices are moved off site to a storage provider that offers an environmentally controlled and secure facility designed to promote media longevity.
Employee Storage Volumes Create a Slippery Slope
Scenario: Wishing to reduce the overall volume of stored e-mail, an organization enacts a policy that limits the amount of server storage space granted each employee for e-mail. In spite of the written policy, however, management allows certain employees extra storage space. Management also knows some employees are sidestepping policy by moving e-mail to their desktop hard drives and other storage locations.
The problem: Policy is effective only when it is consistently enforced. Allowing employees to maintain personal e-mail treasure troves can lead to big problems should a lawsuit be filed and e-mail required.
The solution: Management sees its biggest problem as employee mailbox size, but it is being short-sighted. The organization should consider a broad range of e-mail management goals:
Maximizing system performance
Enabling employees to perform their jobs
Ensuring ready access to needed messages for as long as required
Eliminating junk e-mail and nonrecords
Recap and E-Action Plan
E-Mail Rule 18: Assess the Legal and Business Ramifications Before Moving E-Mail Off Site
1. Third-party ASPs and SSPs provide outsourced e-mail storage and management services at a fraction of the initial cost of in-house solutions.
2. Cost and service are ASP advantages—and disadvantages.
3. If third-party services are used, be sure you have access to e-mail records when you need them.
4. Protect your organization’s interests with a comprehensive Service Level Agreement.
Slide 115: CHAPTER 19
Educating Employees About E-Mail Retention
E-Mail Rule 19: Make E-Mail Retention Simple for Employees
Obviously, it’s difficult to manage e-mail business records long term without a method for consistently and reliably identifying electronic business records. Employee training is key. Unless employees clearly understand which e-mail messages (created and received) should be retained, important e-mails are likely to be inaccessible or disappear. Because retention schedules generally are large and cumbersome, with up to hundreds of different categories, employees find marking or coding e-mail for retention purposes challenging.
The solution: Seek input from the in-house legal team, records management, IT, HR, and other members of your e-risk management team. Ask how retention and retention coding decisions could be simplified to ensure employee understanding and compliance. A few tips:
1. Assign your team the responsibility of developing a workable process.
2. Get employees involved in the process, as employees are best situated to determine if a particular e-mail is a record.
3. Develop simple coding lists for employees. Coding may be different for different business units. It’s unlikely, for example, that the sales and marketing team would have any IRS filing records. Coding e-mail messages according to a classification scheme not only is useful for ensuring that e-mail records are retained for a correct period of time, but also can help protect confidential or privileged information.
4. Make sure proper coding will take employees only a few seconds to make the right selection. Using more time to search for the right code will frustrate employees and may decrease coding accuracy.
5. If employees have difficulty finding the right code, it’s likely that e-mail will be put in a catch-all bucket, which defeats coding.
Must We Keep Every E-Mail Forever?
No. Use carefully drafted retention rules to separate the wheat from the chaff. Getting rid of all unnecessary messages, nonrecords, and other business content will greatly reduce the amount of e-mail you are managing over the long haul. Doing so frees hardware, network, and human resources, while reducing the risk of inappropriate or irrelevant e-mail messages returning to hurt or embarrass your organization. Formal retention rules also can help protect you against legal claims stemming from the indiscriminate destruction of e-mail business records, specifically, those you suspect could be requested in the context of future litigation.
The courts agree that not everything a company generates needs to be retained. As one court noted, “We see no evidence of fraud or bad faith in a corporation destroying records it is no longer required by law to keep and which are destroyed in accord with its regular practices. As we have previously observed, storage of records for big or small businesses is a costly item and destruction of records no longer required is not in and of itself evidence of spoliation.”1
But We Want to Keep Everything Forever
Does your organization retain all your e-mail forever? Congratulations. You’re a disaster waiting to happen.
You may not want to focus on classification, copies, drafts, and other retention schedule details. But the fact is that you must. Don’t be misled into believing that the relatively low cost of storage devices and media warrants saving all e-mail forever. It is, in fact, easy to underestimate the amount of “free” disk space required to store the huge volume of e-mail that a 10,000-person organization, for example, would generate over time. In reality, by saving all e-mail forever, you incur numerous costs, including:
Media
Hardware
Software
Increased time to access
Migration
IT time spent managing additional e-mail
Employee time spent finding needed e-mail
IT costs related to refreshing or migrating data to new media
New media costs incurred at the end of the current media’s useful life
Cost of producing e-mail in litigation
Costs triggered by e-mail’s negative impact on litigation
Costs associated with dormant e-mail risks
As with any business record, your organization needs rules that direct employees on their approach to retaining e-mail. E-mail retention rules at a minimum should include directives to clearly limit retention to what you define as a business record. This is somewhat challenging in the e-mail world, as it means you need to address a variety of issues, such as retention of “nonrecords,” drafts, attachments, and duplicates.
Rules for Disposing of E-Mail
Just as you must provide employees with e-mail retention rules, so too must you instruct employees how to effectively and appropriately dispose of e-mail.
1. Instruct employees to dispose of nonrecord e-mail messages immediately after they are no longer needed.
2. Be sure employees consider the organization’s retention rules before determining if a message can be disposed of.
3. Never dispose of, alter, or make unavailable any message (including drafts, duplicates, transitory messages, etc.) relevant to an imminent, threatened, or pending lawsuit, investigation, or audit.
4. If you think your organization is about to be sued, do not rush to destroy any related e-mail, including nonrecords and drafts.
5. Protect your employees and organization by insisting that e-mail records disposition adhere to a written policy or retention schedule.
6. If e-mail content is confidential, privileged, or otherwise needs to be kept from others, make sure it is permanently and securely purged from all the media on which it is stored.
7. Eliminate all paper and electronic copies when the retention period is complete.
Training Employees to Spot Nonrecords
It is essential that your employees clearly understand your definition of a business record. Without that awareness, you cannot ensure that the organization’s valuable e-mail is being retained and nonrecords are being discarded properly. To that end, implement an education program that combines written e-mail rules with periodic reminders and training seminars.
An employee, if asked, should be able to determine whether to retain an e-mail message from a client thanking the employee for an invitation to the organization’s annual party. Is this e-mail a record or a nonrecord? Can it be disposed of? A well-trained employee would know this e-mail has little ongoing business value and need not be retained, unless there was a compelling reason to do so. Without training, employees cannot be expected to know how to assess the value of e-mail. You, the employer, are obligated to teach employees that an e-mail’s value is based on content and context—what it says and why it exists.
Rules for Drafts
Unless there are compelling legal or business reasons, there generally is no reason to hold onto the preliminary draft of an e-mail message, provided the final version is properly retained and may be relied on as the official record. The same holds true for e-mail that contains successive drafts of documents. Retaining multiple drafts and attachments is likely to confuse and complicate matters when you need to find and produce a record. One organization recently learned that lesson the hard way when, in the course of federal litigation, it entered into a battle to determine which version of a contract was the final one. After two weeks of wrangling, the company conceded it was wrong. The court made known its displeasure with the organization for wasting valuable court time attempting to distinguish a draft from the final version of a contract, a dispute that wasn’t even germane to the real issues in the case. Avoid similar disasters by establishing e-mail rules that clearly define final versions versus drafts. Be sure employees know that drafts can be discarded under normal circumstances.
Rules for Duplicates
Duplicates are an unfortunate byproduct of e-mail technology. Every time an e-mail lands on a server or a computer, it makes a copy, propagating the same message multiple times. Unlike the original, these copies deliver little real benefit. Scenario: An employee drafts an e-mail, complete with attachment, and copies it to all fifty members of a business unit. What should the fifty employees do with their copies?
If you had comprehensive written rules in place, your employees would not have to waste productive time deciding whether to retain or delete electronic copies. Well-trained employees would know that only the “official” copy of the e-mail record, retained by another employee in another location, is needed. Another way to control the flow of duplicates is to inform employees that only the sender need retain internal e-mail sent to colleagues. If someone other than the sender must take action pursuant to the message, that person also should retain a copy. All other e-mail messages and attachments should be purged from the system when no longer needed. Instructing employees that recipients are required to dispose of unnecessary duplicates will enhance their comfort level. They will know they are neither violating company policy nor breaking the law when deleting duplicate e-mail.
Don’t Leave Employee Compliance to Chance
Teach employees how to deal with unnecessary duplicates from a retention perspective. Instruct the IT staff to configure the system to limit the number of duplicate e-mail messages that are automatically parked on computers. Train employees to send e-mail messages only to those with a need to know. Set rules regarding who is responsible for retention of official e-mail. Explain that printing unnecessary e-mail copies wastes paper and creates one more item that must be searched when the organization is trying to locate needed information. You may never achieve 100 percent compliance. But you certainly can reduce the number and cost of unnecessary duplicates retained and help your organization get a grip on e-mail overload. All it takes are a few e-mail rules and a comprehensive employee training program.
Manage Multiple Attachment Copies with an Attachment Warehouse
To manage multiple copies of the same attachment, some organizations use an “attachment warehouse,” in which only one copy of the attachment is retained. Intended recipients visit the organization’s Intranet or other designated location to access and download the attachment.
Recap and E-Action Plan
E-Mail Rule 19: Make E-Mail Retention Simple for Employees
1. Employees determine if an e-mail is a record or nonrecord.
2. Nonrecords stay in their current storage locations.
3. Records are moved to a different physical location for retention.
4. Retention should take place off the active e-mail environment in a place that promotes access, retrieval, and system functionality.
5. Employees code e-mail for retention according to a simplified records retention template.
6. The law department, IT, and records management should work together to make the template user friendly and consistent with current records policies.
7. What remains on the active e-mail system would be transitory or convenience copies of e-mail and nonrecords that the company should not retain, and that could be purged every 30, 60, or 90 days. Remember, your organization does not have to keep everything. First, retain e-mail records that are needed, then purge the system of what remains.
8. Technology department issues are addressed by reducing the quantity of stored e-mail. Maximize system performance by removing retained e-mail from the system.
PART FOUR
E-Mail Business Records as Legal Evidence
CHAPTER 20
E-Mail Business Records as Legal Evidence
E-Mail Rule 20: Prepare to Produce E-Mail for Audits, Investigations, or Lawsuits
Our ever-increasing reliance on e-mail for business activities makes it likely your organization will one day need to access and deliver e-mail messages in the course of an audit, investigation, litigation, or other formal proceeding. In fact, computers have become so commonplace that most court battles now involve discovery of computer-stored information.1
Business Records Exception to the Hearsay Rule
When hearing evidence in a case, the court normally requires direct testimony from an individual who witnessed, or has firsthand knowledge of, an event. The court normally will not admit hearsay evidence, such as testimony that simply recounts what another person said. On their own, business records are a form of hearsay. Unless those who created or otherwise knew about a business record during its lifecycle are called to testify, no first-hand testimony about the record would be offered, and it might be excluded as hearsay. However, recognizing that business records are an important source of evidence, the courts have created an exception to the hearsay prohibition. The Business Records Exception to the Hearsay Rule allows e-mail messages and other business records created and kept in the ordinary course of business to be admitted into court. This exception addresses the reality that corporations and government agencies typically exist for generations, long past the time the creator of a specific record would be available to testify and be cross-examined about its origins. It also acknowledges that it would be both expensive and difficult for litigants to provide firsthand testimony for every document used in a trial, especially when trials can involve thousands of pages of evidence.
Broad Scope
The courts have required employers to search through and produce huge volumes of e-mail messages in the course of litigation. In one case, an organization was ordered to search 30 million pages of e-mail. Nearly any e-mail could be required as evidence in court, even those that do not meet the definition of a business record. Seemingly innocuous administrative e-mail notices about a company softball game could be used as evidence if, for example, an employee injured during the game attempted to make a workers’ compensation claim.
Laws and Regulations
The legal system today is working to apply existing legal principles and develop new laws to address the business community’s widespread reliance on e-mail. That’s appropriate, given how prevalent e-mail is within the legal and regulatory worlds themselves. Some jurisdictions allow parties to file court documents via e-mail, while others allow attorneys to communicate with and advise clients via e-mail. Some government agencies allow the submission of official filings via e-mail. They also rely on e-mail to notify the public of government activities.
E-SIGN and UETA
Two of the most important legal e-developments in recent years involve the passage in 2000 of the federal Electronic Signatures in Global and National Commerce Act (E-SIGN),2 and the 1999 Uniform Electronic Commerce Act (UETA), which most states have now adopted. E-SIGN and UETA, which ensure that e-records, including e-mail records, have the same legal effect as paper records for most purposes in most jurisdictions, remove much of the uncertainty surrounding the use of e-mail for business purposes. They also have spurred regulators and policy makers to draft other laws and regulations establishing requirements and standards for electronic records. Together, E-SIGN and UETA establish the equivalence between digital and paper-based evidence and signatures on the federal and state levels. Thanks to these two laws, documents and records cannot be discriminated against in legal proceedings merely because they are created in digital form. However, as will be explained in the coming sections, just because e-records are legally acceptable generally does not mean they are sufficient in a particular case.
E-SIGN on Retention of Contracts and Records
If a statute, regulation, or other rule of law requires that a contract or other record relating to a transaction in or affecting interstate or foreign commerce be retained, that requirement is met by retaining an electronic record of the information in the contract or other record that: (A) accurately reflects the information set forth in the contract or other record; and (B) remains accessible to all persons who are entitled to access by statute, regulation, or rule of law, for the period required by such statute, regulation, or rule of law, in a form that is capable of being accurately reproduced for later reference, whether by transmission, printing, or otherwise.3
UETA on Retention of Electronic Records
(a) If a law requires that a record be retained, the requirement is satisfied by retaining an electronic record of the information in the record which: (1) accurately reflects the information set forth in the record after it was first generated in its final form as an electronic record or otherwise; and (2) remains accessible for later reference.4
Laws addressing e-mail as a business record come from a variety of other sources, including federal, state, and local statutes and regulations. The policies and practices mandated by industry associations, boards, and standards groups (such as ISO) are another source of regulation that must be considered.
What Makes Good Evidence and Business Records?
Whether business records take paper, electronic, or other tangible form, there are qualities that separate good records—those that can be relied on for business and legal purposes—from bad. The qualities of good business evidence are:
1. Authenticity. It is important to be able to demonstrate the origin of a business record, including the identity of the drafter and those who added to or altered it. It also is important to know whether or not an e-mail message is the original or a copy that was altered and forwarded by someone other than the drafter. As detailed in Part 5, security and access controls are valuable for demonstrating the authenticity of an e-mail business record.
2. Integrity. A good business record has integrity. Its material content and meaning have not changed since it was originally created. Put controls in place to ensure that business records cannot be altered once they are identified as records.
3. Accuracy. While e-mail business records represent facts about business events and transactions, in order to be legally acceptable, an e-mail must be accurate about the facts documented originally, and it must maintain accuracy throughout its life. Failure to show that an e-mail is accurate may limit or prohibit its use for legal purposes.
4. Completeness. Unlike paper and other fixed records, there is no inherent quality to ensure that an e-mail record is self-contained and immutable. In fact, e-mail messages are composed of multiple parts—the body, header, attachments, and log files relating to its transmission and receipt—that are all part of a complete record. To make it even more challenging, e-mail records often contain links to related documents that are integral to the meaning of the message. For example, a purchase made via e-mail with a link to product specifications that are subject to change without notice can dramatically change the meaning of the e-mail contract or original deal down the road.
5. Repudiation. When e-mail is used in the context of business transactions that have contractual significance, there is a risk of repudiation. In other words, a party may refuse to act as promised via e-mail, claiming a different agreement was struck, or, even worse, claiming not to be the individual who entered into the agreement. The greater the value or risk of the transactions, the more significant the consequences of repudiation. Protecting against repudiation is a function of good records or evidence. For example, holding someone to a promise or statement depends on your ability to prove that the promise actually was made. That’s largely a function of the record’s authenticity. Protection against repudiation depends on the trustworthiness of the overall process used to ensure the authenticity, integrity, accuracy, and completeness of e-mail.
Build Evidence Based on Need
In a perfect world, all of your organization’s e-mail transmissions would be authentic, accurate, and complete. You could sleep soundly, knowing you were protected against repudiation.
In reality, however, ensuring these qualities requires time, talent, and technology. That investment should be commensurate with the value and potential risk of the transaction.
What Kind of Records Satisfy Regulators?
Generally, regulators are looking for e-records that embody the qualities of good evidence. Some regulators provide guidance to help you architect your e-mail system properly.
Four Steps to Getting E-Mail Records Evidence Right
1. Be sure to involve your lawyers and your tax, audit, and IT staff in the process of walking through the language of relevant rules.
2. Translate legal language into the business and technological reality that reflects your business.
3. Determine how you can build reasonable controls to ensure integrity, accuracy, and completeness for the application.
4. In addition to building a sound system and good evidence, the collaborative process demonstrates the company’s eagerness to get it right, a fact that won’t be lost on the regulator.
Sample: The Internal Revenue Service
IRS Procedure 97-22 provides guidance to taxpayers who maintain books and records via electronic storage. It offers useful insights into what may be required by regulators.
SECTION 4. ELECTRONIC STORAGE SYSTEM REQUIREMENTS
.01 General Requirements.
(1) An electronic storage system must ensure an accurate and complete transfer of the hard copy or computerized books and records to an electronic storage media. The electronic storage system must also index, store, preserve, retrieve, and reproduce the electronically stored books and records.
(2) An electronic storage system must include:
(a) reasonable controls to ensure the integrity, accuracy, and reliability of the electronic storage system;
(b) reasonable controls to prevent and detect the unauthorized creation of, addition to, alteration of, deletion of, or deterioration of electronically stored books and records;
(c) an inspection and quality assurance program evidenced by regular evaluations of the electronic storage system including periodic checks of electronically stored books and records;
(d) a retrieval system that includes an indexing system (within the meaning of section 4.02 of this revenue procedure); and
(e) the ability to reproduce legible and readable hardcopies (within the meaning of section 4.01(3) of this revenue procedure) of electronically stored books and records.
(3) All books and records reproduced by the electronic storage system must exhibit a high degree of legibility and readability when displayed on a video display terminal and when reproduced in hardcopy. The term “legibility” means the observer must be able to identify all letters and numerals positively and quickly to the exclusion of all other letters or numerals. The term “readability” means that the observer must be able to recognize a group of letters or numerals as words or complete numbers. The taxpayer must ensure that the reproduction process maintains the legibility and readability of the electronically stored document.
(4) The information maintained in an electronic storage system must provide support for the taxpayer’s books and records (including books and records in an automated data processing system). For example, the information maintained in an electronic storage system and the taxpayer’s books and records must be cross-referenced in a manner that provides an audit trail between the general ledger and the source document(s).
(5) For each electronic storage system, the taxpayer must maintain, and make available to the Service upon request, complete description of: (a) the electronic storage system, including all procedures related to its use; and (b) the indexing system (see section 4.02 of this revenue procedure).
(6) At the time of an examination, or for the tests described in section 5 of this revenue procedure, the taxpayer must: (a) retrieve and reproduce (including hardcopies if requested) electronically stored books and records; and (b) provide the Service with the resources (e.g., appropriate hardware and software, personnel, documentation, etc.) necessary to locate, retrieve, read, and reproduce (including hardcopies) any electronically stored books and records.
(7) An electronic storage system must not be subject, in whole or in part, to any agreement (such as a contract or license) that would limit or restrict the Service’s access to and use of the electronic storage system on the taxpayer’s premises (or any other place where the electronic storage system is maintained), including personnel, hardware, software, files, indexes, and software documentation.
(8) The taxpayer must retain electronically stored books and records so long as their contents may become material in the administration of the Internal Revenue laws under § 1.6001-1(e).
(9) The taxpayer may use more than one electronic storage system. In that event, each electronic storage system must meet the requirements of this revenue procedure. Electronically stored books and records that are contained in an electronic storage system with respect to which the taxpayer ceases to maintain the hardware and the software necessary to satisfy the conditions of this revenue procedure will be deemed destroyed by the taxpayer, unless the electronically stored books and records remain available to the Service in conformity with this revenue procedure.
(10) Taxpayers may use reasonable data compression or formatting technologies as part of their electronic storage system so long as the requirements of this revenue procedure are satisfied.
.02 Requirements of an Indexing System.
(1) For purposes of this revenue procedure, an “indexing system” is a system that permits the identification and retrieval for viewing or reproducing of relevant books and records maintained in an electronic storage system. For example, an indexing system might consist of assigning each electronically stored document a unique identification number and maintaining a separate database that contains descriptions of all electronically stored books and records along with their identification numbers. In addition, any system used to maintain, organize, or coordinate multiple electronic storage systems is treated as an indexing system under this revenue procedure. The requirement to maintain an indexing system will be satisfied if the indexing system is functionally comparable to a reasonable hardcopy filing system. The requirement to maintain an indexing system does not require that a separate electronically stored books and records description database be maintained if comparable results can be achieved without a separate description database.
(2) Reasonable controls must be undertaken to protect the indexing system against the unauthorized creation of, addition to, alteration of, deletion of, or deterioration of any entries.5
Recap and E-Action Plan
E-Mail Rule 20: Prepare to Produce E-Mail for Audits, Investigations, or Lawsuits
1. Many court battles today involve discovery of e-mail and other electronic evidence.
2. Nearly any e-mail could be required as evidence in court, even those that fail to meet the definition of a business record.
3. E-SIGN and UETA ensure that e-mail records generally have the same legal effect as paper records.
4. Good business evidence shares the qualities of authenticity, integrity, accuracy, and completeness.
5. Regulators and courts look for e-records that embody the qualities of good evidence.
CHAPTER 21
Records Management
E-Mail Rule 21: Manage E-Mail Business Records to Ensure Accuracy and Trustworthiness
Not all business records are created equal.1 Courts, regulators, customers, partners, and employees expect records to be complete, accurate, and trustworthy. Ensuring that your e-mail business records serve your business and legal needs requires good management controls and policies.
Legal Versus Reliable
Just because e-mail is generally legal does not necessarily make it trustworthy, complete, and admissible as evidence for litigation. Nor is it necessarily compliant with regulatory requirements. An e-mail business record’s admissibility and ability to influence the outcome of a case depend on several factors, with overall integrity topping the list. While the law is clear on the general acceptability of e-mail business records, it is not specific about how authenticity and trustworthiness should be delivered and demonstrated consistently. Yet to use e-mail as evidence in a dispute, you may need to demonstrate the reliability of your e-mail system and messages. The way in which an e-mail message is managed, from its creation to the moment it is offered as evidence, is open to attack. Failure to control access to a stored e-mail message may allow someone to suggest that the content was or could have been altered. Failure to retain and provide all e-mail header information may bring a message’s authenticity into question. Every decision related to the implementation and control of the e-mail system, its configuration and storage procedures, can impact e-mail’s role as a convincing business record. Following a successful attack, e-mail may be excluded from evidence. A message’s impact on proceedings may be severely diminished. Or the authenticity of every e-mail stored within an organization’s system may be cast into doubt.
Real-Life E-Disaster Story: Poor Records Set Criminal Free
In overturning a criminal conviction, a court excluded computer evidence (though not e-mail) because it did not believe there was an adequate foundation for allowing bank e-records into evidence. The court was not convinced the records were made in the ordinary course of business, at or near the time the event was recorded, or that the information, method, and time of preparation were trustworthy.2
The Ordinary Course of Business
Thanks to an exception to the hearsay rule, business records normally may be used as evidence in court, provided that the records were created in the ordinary course of business. The courts’ rationale: A record that is routinely and consistently created as the byproduct of a business activity is more likely to be trustworthy than a one-time record created for a specific purpose (in anticipation of litigation, for example). Scenario: Imagine that your manufacturing company is sued by a customer claiming a shipment of parts was eight weeks late. The lawsuit alleges that the parts arrived at the customer’s door twelve weeks after purchase, not four weeks as promised. Litigation unearths an e-mail to the customer from one of your salespeople, promising delivery in twelve weeks. If you can demonstrate that your sales team always e-mails order confirmations, as was done in this case, the court is more likely to view this e-mail as trustworthy. On the other hand, if your salespeople have never before sent e-mails confirming purchases and delivery dates, this e-mail may be viewed as suspicious. Perhaps a company employee created the e-mail after the fact to fraudulently influence the case. Avoid similar scenarios by creating written policies, practices, and evidence of employee compliance related to e-mail use as a real business tool.
What Makes Good E-Mail Business Records?
While e-mail often is admitted into evidence, there have been numerous court cases in which e-mail has been attacked for not satisfying the business records definition. In one case, the court excluded an e-mail central to one party’s legal position. The court noted, “E-mail is far less of a systematic business activity than a monthly inventory printout or other computer-generated printout . . . e-mail is an on-going electronic message and retrieval system, whereas an electronic inventory recording system is a regular, systematic function of a bookkeeper prepared in the course of business.”3 Exclusion of the e-mail greatly diminished the party’s chances of prevailing. In another case, however, e-mail messages in which a supervisor made sexual advances were allowed into evidence to prove a sexual harassment claim.4 In the context of a lawsuit, an e-mail that is offered as evidence can be attacked for any number of reasons, including failure to satisfy the definition of a business record. If it lacks the trust inherent in a standard business record, it won’t be considered worthy of court acceptance without additional proof that it’s trustworthy.
Defense of Business Records Is a Time-Consuming Task
Ideally, all significant business content, regardless of form, should be available and usable for litigation or other reasons. A record with all the trappings of a business record may avoid attack and enjoy business record status. Once a record is challenged, however, its legitimacy needs to be defended. Defending the use of company records is a time-consuming exercise. Productivity is wasted, money is spent, and frustration is likely, as the original drafter may no longer be available to testify.
Seven Ways to Bolster the Evidentiary Value of E-Mail Records
1. Develop rules for e-mail use. Let employees know what they may and may not say and do when it comes to business e-mail.
2. Advise employees that the organization’s e-mail system exists exclusively for conducting and memorializing company business.
3. Establish guidelines for the proper e-mail documentation of business activities.
4. Create consistent patterns. If you send an e-mail to confirm every order placed and each delivery date promised, your e-mail making such delivery promises may be deemed trustworthy by the courts. You have demonstrated the use of confirming e-mail in the ordinary course of business.
5. Provide a list of “must have” content regarding the who, what, where, why, and when of e-mail. For example, if you always use your mail code in the signature block, its absence may suggest someone else sent an e-mail from your desk.
6. Develop security rules for system administrators.
7. Configure technology to maximize e-mail integrity and authenticity.
Self-Assessment: Business Evidence Risk Management
Using a scale of 1 to 5 (1 being the lowest, 5 the highest), answer each of the following questions about your organization’s use of e-mail.
1. On average how would you rank the importance of transactions completed via e-mail? 1 2 3 4 5
2. How likely is it that an e-mail will be needed in the future for any business purpose? 1 2 3 4 5
3. What’s the likelihood that you will need to use e-mail in a formal court proceeding? 1 2 3 4 5
4. What’s the likelihood that required e-mail will not be readily available when needed? 1 2 3 4 5
5. Does your company fail to take e-mail management seriously? 1 2 3 4 5
What Your Responses Mean
If your responses total 15 or more, your organization needs to take e-mail management more seriously, and your e-risk management program may need work. Protect your legal interests by putting into place a strategic e-risk management program, complete with rules, policies, and procedures.
Recap and E-Action Plan:
E-Mail Rule 21: Manage E-Mail Business Records to Ensure Accuracy and Trustworthiness
1. Courts and regulators expect e-mail records to be complete, accurate, and trustworthy.
2. To use e-mail as evidence in a dispute, you may need to demonstrate the reliability of your e-mail system and messages.
3. Take the steps to bolster the evidentiary value of e-mail records.
CHAPTER 22
E-Mail Discovery
E-Mail Rule 22: Manage E-Mail in Anticipation of Litigation, Audits, and Investigations
As part of your organization’s overall e-risk management strategy, it’s essential to prepare for the day when your e-mail is requested in connection with an audit, investigation, arbitration, litigation, or other formal proceeding. E-mail and other forms of electronic communications are regularly targeted by litigators and investigators. Your system may be a treasure trove of information, which your opponent can use to bolster a case, embarrass your organization, or damage your reputation. Conversely, the e-mail in your system may protect your organization by advancing your legal position. Why is e-mail so often used as a primary source of evidence in high-profile discrimination, sexual harassment, and antitrust litigation and claims? The casual nature of e-mail lulls even savvy users into a false sense of security. They mistakenly believe that they can use e-mail to say anything, without regard to context or reader interpretation. In addition, many users view e-mail as a private communication tool, regardless of written policy that clearly states that employees should not expect any privacy when using the organization’s e-mail system. Another problem stems from the fact that e-mail is so quick and easy to use. In seconds, messages can be written, transmitted, copied, printed, forwarded, pasted to other media, and circulated inside and outside your organization. This makes it next to impossible to control all potential sources of damaging or embarrassing content, not to mention tracking down all copies.
Assess Your Exposure to Litigation, Audits, and Investigations
1. Do employees retain e-mail on laptops, personal digital assistants, or desktop computers? (If yes, be aware that all these devices are potential discovery sources.)
2. Does e-mail exist on old backup tapes? (If yes, you may be required to duplicate and search through old backup tapes, even if you no longer own the software or hardware necessary to access the tapes.)
3. Do you allow employees to use alternative communication technology, such as voice mail, Instant Messaging, or discussion databases? (If yes, your electronic discovery challenge may not end with e-mail. Every form of electronic communication creates evidence that may be discoverable.)
4. Is the organization regularly involved in lawsuits or audits? (If yes, count on e-mail being used as evidence. Prepare today.)
5. Has your organization ever been party to a class-action lawsuit? (If yes, your e-mail system may be a primary target for litigators. You could be required to search thousands, even millions of potentially relevant e-mail messages.)
Yes
No
Yes
No
Yes
No
Yes
No
Yes
No
Slide 141: 124
6. In the past decade, has your organization faced a governmental audit or investigation? (If yes, expect future audits or investigations to call for the production of e-mail and other electronic records.)
7. Does the organization apply retention rules to e-mail? (If yes, your retention rules may come under scrutiny during a trial or audit. The court and auditors may inquire if e-mail records were kept for the right period of time, and they may question your decision to dispose of any e-mail records.)
8. Does the technology department determine how long e-mail is stored on the organization’s e-mail system? (If yes, you are exposing yourself to e-disaster. Litigators could attack this practice, claiming decisions are driven by technology, not the law. The assumption: Your organization does not care sufficiently about its obligation to retain records and evidence.)
9. Have employees been deposed during company-related litigation related to records, record keeping, company information management policy, or procedures? (If yes, expect your e-mail management practices to be questioned or attacked. Litigators and investigators will search for flaws and weaknesses in your approach.)
10. Does management control employees’ e-mail content through policies, auditing, and monitoring? (If no, could an opposing party use your e-mail against you? Could your adversary locate messages in which employees discuss the organization’s faulty products, incompetent employees, or inappropriate executive behavior?)
11. Have employees ever been disciplined or fired for improper e-mail use? (If yes, do you maintain complete and trustworthy records that reasonably prove that the dismissed employee was the perpetrator? Could someone else have sent the e-mail while the terminated employee’s computer was unattended? You may need these records to defend your position.)
What Is Discovery?
Discovery is the part of the litigation process in which opposing parties exchange relevant documents, testimony, and other information. Litigants generally request and receive information necessary to build a case in preparation for the trial. Discovery helps each side understand the material facts and evidence in advance of the trial. It also prevents anyone from being ambushed at the trial.
E-Mail’s Role in Discovery
Increasingly, discovery is a battle itself, as litigants apply various discovery strategies to advance their cases. A belief among some litigators is that smoking gun e-mail should be pursued aggressively, as it likely will tip the legal scales in the discovering party’s favor. In fact, e-mail has “become so commonplace that most court battles now involve discovery of some type of computer-stored information.”1
According to the federal and state rules of evidence and civil procedure, discovery includes the production of electronic information. If you are involved in litigation, audits, investigations, and other formal proceedings, you must turn over all relevant information—e-mail and other forms—even if it hurts your legal position, embarrasses your organization, or devastates your case. Unfortunately, the business community often is poorly prepared and ill equipped to deal with electronic discovery. Adversaries gladly take advantage of the situation by targeting e-mail and other digital information for discovery.
E-Mail Discovery Challenges
1. Finding the storage media on which relevant messages may be located
2. Having the ability to search message content as well as the routing information
3. Reviewing all locations where e-mail may be located
4. Searching for responsive messages among the huge volume of messages
5. Needing special software or hardware to access a required message
6. Accessing other messages to create a contextual string
7. Accessing metadata and audit information related to a particular message
8. Accessing imbedded or linked information in the e-mail
What Organizations Are Required to Produce
Just about any tangible evidence or information in your possession or in the possession of your ASPs, records vendors, or other contracted service providers is potentially discoverable. Company e-mail or records at the ISP that provides you with Internet access and e-mail services may be fair game. E-material at the off-site storage facility provided by your records management vendor may be discoverable as well. E-mail located in enterprise servers across the country is discoverable. Old backup tapes, laptops, and handheld devices are all subject to discovery.
Rules of evidence and civil procedure have supported the discovery of electronic information for years. For example, in 1970 the Federal Rules of Civil Procedure (F.R.Civ.P.) were changed to account for electronic records. The rules define a discoverable document as including “writings, drawings, graphs, charts, photographs, phonorecords, and other data compilations from which information can be obtained, translated, if necessary, by the respondent through detection devices into reasonably usable form.”2 State rules relating to discovery contain similar language. Clearly, the broad definition of discoverable information applies not only to e-mail, but also to a wide range of electronic information.
Yet it may not be enough to produce e-mail evidence alone. According to the Federal Rules of Civil Procedure, litigants may be required to provide “a copy of, or a description by category and location of, all documents, data compilations, and tangible things that are in the possession, custody, or control of the party and that the disclosing party may use to support its claims or defenses.”3
Failure to Produce Information
The courts have little patience with employers who claim they are unable to comply with broad e-mail discovery orders because of information system design flaws. After all, if a system is good enough to operate your business, it should be able to comply with the law. While courts consider time and cost when issuing discovery requests, genuine hardship can be difficult to prove. As one court put it, “If a party chooses to store information in a manner that tends to conceal rather than reveal, that party bears the burden of putting the information in a format useable by others.”4
Because the courts have not taken a consistent approach in determining what is “unduly burdensome” or what efforts must be undertaken, predicting the outcome of a particular case is difficult. The bottom line is that e-mail discovery can burden organizations that have not implemented rules and invested in technology to retain and access required e-mail. It is in your organization’s interests to develop and enforce e-mail rules that support your business, legal, and discovery needs.
Paper and Electronic Documents Must Be Produced
Certain types of data contain hidden information visible only in electronic form. For example, some word processing documents contain metadata (data about data) that provides information about authorship, editing, and document versioning. Courts may not be willing to accept hard copy if they suspect more or different information is available in the native digital format. As one court put it, “the law is clear that data in computerized form is discoverable even if paper ‘hard copies’ of the information have been produced. . . .”5
Spreadsheets include coded formulas that are intrinsic to the meaning of the data. E-mail is no different, in that the headers hold hidden information about authorship, origin, and routing, which may be integral to determining authenticity. Thus, courts in the past have required electronic versions of evidence be provided, even when printed copies were made available.6 If you are retaining e-mail by printing it to paper and then deleting the electronic version, it is in your best interests to ensure that comprehensive information about the e-mail and its attachments is printed, too.
E-Discovery Is Not Just About Litigation
The need to produce e-mail evidence is not limited to litigation. Increasingly organizations will be required to produce e-mail evidence for governmental investigations, compliance, and audits. In the regulatory world, executives have been penalized for their failure or lack of responsiveness, and companies have fallen for failing to protect important records. In 2002, we witnessed unprecedented investigations of senior executives for violating company record-keeping requirements, failing to apply and enforce policies, and destroying records and other information.
One prominent executive was publicly arrested and indicted for obstruction of justice because he allegedly “directed another individual to . . . delete certain computer files . . . containing phone messages he received,” even though he “well knew that at the time that he directed the destruction of documents . . . such documents were material to the SEC’s investigation” regarding insider trading.7
The Food and Drug Administration (FDA) and other regulators expect information systems to be developed with ready access to electronic records and evidence in mind. FDA regulation 21 CFR Part 11 not only makes clear that records can be audited by the agency, but Section 11.10 (e) of the regulation also states that even the audit records for computer systems “shall be available for agency review and copying.” Similarly, the Securities and Exchange Commission (SEC) and National Association of Securities Dealers (NASD) regulations require brokerage companies to review and retain e-mail and make it available for regulatory review on relatively short notice. Recently, the SEC has been investigating several alleged violations at brokerage firms related to e-mail retention. Seven-figure fines potentially await the perpetrators.
Discovery of e-mail is not just about litigation. The FDA, the SEC, state insurance regulators, the IRS, and other regulators regularly request copies of, and in-house access to, e-mail and other e-records for audit or review. In light of the renewed vigor of audit and investigatory activities triggered by the financial scandals and executive misdeeds of 2002, an ounce of information management planning is worth its weight in gold.
Why Is E-Mail Such a Discovery Target?
Savvy litigators seek smoking gun e-mail for a number of reasons, including:
1. Most organizations lack e-mail management. Organizations rarely manage e-mail as they do other information. Mismanagement in the creation, transmission, storage, retention, and disposition process creates opportunities that litigators and investigators exploit. This increases the chance that there is a damaging message somewhere in e-mail systems, servers, networks, laptops, desktops, message pagers, PDAs, or backup tapes. Even if e-mail could or should have been disposed of long ago, there’s still a chance one copy exists somewhere.
2. This court said it best in reference to a case where e-discovery turned into a battleground: “Neither the plaintiffs nor defendants have full command over what documents they possessed,” even though the parties spent in excess of $1.5 million on discovery, an amount the court concluded was “nothing short of shocking” and “wholly disproportionate to what the evidence has disclosed.”8
3. Producing unmanaged e-mail can be costly and inconvenient. E-discovery is used not only to gather information, but also to inconvenience opponents by making the process as time consuming and expensive as possible. Not that it takes much to inflict pain on organizations that fail to structure e-mail systems and develop policies to promote easy compliance with discovery orders.
4. Litigants have wasted millions of dollars and hundreds of hours searching for e-mail and other e-records, only to come up empty handed in some cases. Courts have held that searching e-mail messages is not “unduly burdensome” and sorting through employees’ e-mail is necessary.
Sources of Discovery Cost
1. Finding the right e-mail evidence. Courts can and will burden organizations to search through vast amounts of e-mail for messages relevant to a case. One organization was required to search through 30 million pages of e-mail, at the company’s own expense, for the names of particular individuals. The court found the costs for searching, compiling, formatting, and eliminating duplicates was not “unduly burdensome” because the difficulty and cost stemmed from the organization’s own mismanagement and inadequate software.9
2. Software development and purchase. If your organization manages your e-mail in a proprietary, complex, or disorganized format that would make it difficult to find and extract messages relevant to a case, you might be “required to design a computer program to extract the data from its computerized business records, subject to the Court’s discretion as to the allocation of the costs of designing such a computer program.”10 In other words, you may need to develop or purchase software to enable your adversary to more easily access and read your e-mail. In one case, an organization was required to copy 210,000 pages of e-mail onto a hard drive in a format the adversary could read. The organization previously had provided the e-mail on four-inch backup tapes, which the adversary’s hardware and software could not access.11
3. Soft and hard costs. Even simple operations like searching through backup e-mail tapes can waste time and money. Litigants routinely spend tens of thousands of dollars complying with e-discovery requests.
4. Experts. Forensic computer experts may be called in to find and recover data from legacy systems and backup tapes or to provide expert testimony. Technology experts may be required to break codes and access proprietary systems or to provide custom applications to opposing parties for access and retrieval. Experts also may be hired to develop specialized programs for searching e-mail and other electronic information.
5. Computing resources. Your servers, desktop computers, networks, and other devices may be taken offline or made unavailable during e-discovery, requiring the purchase or rental of additional systems. If electronic evidence is found on media types your organization is no longer able to access, you could be required to purchase or rent legacy or specialized equipment and software. You may even need to employ technology experts if they are no longer employed in-house.
6. Lost productivity. E-discovery typically eats into employees’ productive time. This soft cost may be your greatest source of expense, as IT professionals and other staff are required to conduct searches and track down needed e-records in the context of discovery. Productivity is lost as:
Technology employees track down the locations of systems on which responsive e-mail may be located. And computer systems, including mainframes, networks, backup, and legacy systems are searched.
Employees search the computers in their individual workspaces, including desktops, laptops, and PDAs.
Unmanaged E-Mail Is a Treasure Trove
Often the content found in unmanaged e-mail systems is damaging or embarrassing enough to compel a litigant to settle or withdraw a case. Because casual conversations are commonly memorialized through e-mail, Instant Messaging, and other communication technologies, a funny or flippant comment can, and all too often does, become Exhibit A in a lawsuit. Smoking gun e-mail can be used to build a case, or it may simply be found in your system in the course of discovery. If you think you can protect yourself by selectively printing out and handing over e-mail messages in response to a discovery request, think again. The courts have required companies that try this tactic to allow adversaries to search e-mail in its native electronic format and on backup tapes to the extent that it exists. Rather than trying to dodge a bullet, the best defense is to apply the rules, policies, and practices discussed throughout this book to ensure that damaging messages aren’t written in the first place, and nonrecord e-mail is regularly disposed of in the ordinary course of business. The effect of following the rules is that needed business e-mail is readily available and easier to find because nonrecord e-mail has been deleted and is no longer cluttering the storage device.
Contextual Concerns
E-mail and Instant Messages provide a special management challenge because their contents are often contextual. Their meaning may be linked to related messages in the chain of conversation, the reasoning behind the conversation, or the relationships that exist among the parties. Regardless, litigators may succeed in bolstering their cases by isolating individual messages. Your organization’s inability to separate e-mail and produce only relevant messages during discovery may cause so much embarrassment that management would opt to forgo litigation rather than face public ridicule. Failure to filter discoverable e-mail may result in evidence of sexual affairs, internal squabbling, and other embarrassing behavior being entered into the public record.
“The real flaw is that the computer lies: It lies when it says delete.”12 Without special software and processes, a “deleted” e-mail or Instant Message often is not really deleted. The file can remain accessible until the hard drive is overwritten with new data, which may never happen. Savvy litigants use this fact to their advantage at trials, retaining consultants who specialize in recovering “deleted” information for use in trial. Compounding the deletion problem is the fact that it is extremely difficult to identify and manage all existing copies of messages and attachments. A single e-mail and its attachments may sit on the creator’s computer, multiple e-mail servers, and the desktop, laptop, and handhelds of all recipients and elsewhere.
The best advice: Keep your content clean, your employees informed, and your rules up to date. Prevention, after all, is considerably less expensive than litigation.
Recap and E-Action Plan
E-Mail Rule 22: Manage E-Mail in Anticipation of Litigation, Audits, and Investigations
1. Locate and preserve all relevant e-mail and e-records as soon as you know they may be needed for litigation, audit, or investigation.