Why do you need an e-mail policy?

Opinion
Oct 6, 20053 mins

* E-mail policies are crucial

In a study that we conducted in June, we asked organizations about the existence of various types of policies in their organizations. We found, for example, that only about one-half of organizations have policies that specify how long to keep e-mail and only about one-third have policies on when to delete e-mail. Only one-third of organizations have put in place policies that are dictated by government regulations, although most organizations have limits on the amount of e-mail storage per user. Also, although we did not ask specifically in this survey, most organizations have acceptable e-mail-use policies in place.

So just how important are policies in managing e-mail and other messaging systems? I believe that they’re critical – they’re clearly a best practice and they’re a missing first step toward proper e-mail management in many organizations. 

For example, it’s a given that most organizations of any size will be involved in litigation at some point, whether it’s a wrongful termination case, product liability litigation or some other legal action. Because courts are increasingly including e-mail as part of the legal discovery process, it’s critical that organizations retain the e-mails that they will need for this process. Even if your company’s policy is to destroy all e-mail after 30 or 60 or 90 days, there are two things to consider: 1) someone, somewhere will have a copy of the e-mail you destroyed, either on a USB keychain, on a laptop, in the message stores of the e-mail recipients, or on an employee’s home PC; and 2) even if you destroy all e-mail regularly, once a court issues a discovery order, you must begin keeping all relevant e-mail immediately – therefore you need to have a system in place that will allow you to do this at a moment’s notice.

More generally, e-mail policies need to cover a wide variety of areas, including personal use of corporate e-mail, use of personal Webmail accounts using corporate resources, use of consumer instant messaging services, who has access to which features of IM if its use is controlled, and what types of e-mail must be retained and which should be discarded regularly. The policies should also cover what types of information can be sent internally and what types can be sent externally, plus a variety of other issues.

Organizations that don’t cover all the bases in their e-mail policies, or that don’t require employees to understand and agree with these policies, or don’t have a mechanism in place to ensure compliance will likely pay dearly at some point.

I’d like to hear about the issues you face in designing and enforcing policies – please drop me a line.