The e-Policy Handbook: Rules and Best Practices to Safely Manage Your Company's E-mail, Blogs, Social Networking, and Other Electronic Communication Tools

C H A P T E R 1\ Why Every Organization Needs Electronic Rules and\ Policies Based on Best Practices\ Since the initial publication of The e-Policy Handbook in 2001, electronic\ business communication tools and technologies have taken the workplace\ by storm. Consequently, many employers find themselves drowning\ in risk as they struggle to manage the use—and curtail the abuse\ —of what were originally conceived as time-saving, productivity-enhancing\ technology tools.\ Without question, e-mail has become the business world’s communication\ tool of choice, forever altering the ways in which we exchange\ information and conduct professional and personal relationships.\ Meanwhile, new tools and technologies—instant messenger (IM), blogs,\ social networking and video sites, cell phones and camera phones, text\ messaging, ‘‘confidential’’ electronic messaging, and the BlackBerry\ Smartphone, to name a few—have joined the electronic business communication\ mix at a breakneck pace.\ The good news: The ever-expanding universe of high-tech tools facilitates\ users’ ability to quickly and conveniently transmit business-critical\ data and stay connected with colleagues and customers around the\ globe. The bad news: Emerging technologies dramatically increase employers’\ exposure to potentially costly and protracted risks including\ workplace lawsuits, regulatory fines, security breaches, and productivity\ drains, among others.\ Fortunately, for savvy employers determined to manage technology\ use and minimize risks, there is a solution. Through the strategic\ implementation of a comprehensive e-policy program that combines\ written electronic rules with formal employee training supported by policy-\ based monitoring, management, and archiving tools, organizations\ can effectively minimize (and in some cases prevent) electronic risks\ while maximizing compliance with legal, regulatory, and organizational\ guidelines.\ e-Policy Rule 1: Through the implementation of a comprehensive\ e-policy program that combines written rules with employee\ education supported by discipline and technology tools, organizations\ can effectively minimize electronic risks and maximize\ compliance.\ In the Electronic Office, Risks Abound\ Even if your organization does not currently use IM, operate a business\ blog, or provide executives with BlackBerry Smartphones, you cannot\ afford to ignore new and emerging technology. If you fail to provide\ the hot, must-have technologies of the day, chances are your tech-savvy\ employees (particularly younger employees whose social lives revolve\ around IMing, texting, and social networking) will bring them in\ through the back door and load them onto your system without management\ approval or IT oversight. Left undetected and unmanaged, that’s\ a recipe for disaster!\ Manage Powerful, Popular Electronic Business\ Communication Tools Proactively\ Considering that the average personal computer can hold 1 million\ pages of information, it’s no surprise that 90 percent of the business\ documents we create and acquire are electronic, according to the Association\ of Records Managers and Administrators (ARMA) as reported by\ Baseline Magazine.1\ Employers who are concerned about managing all that electronic\ information—and related risks—should act now to put written policies\ in place governing the use of established tools and new technologies at\ work during business hours and at home on employees’ own time.\ Old and new alike, all electronic business communication tools must\ be addressed by comprehensive, best-practices-based rules and policies\ as detailed in this book. Failure to establish and enforce written rules\ and e-policies puts the organization at risk of electronic disasters including,\ but not limited to: regulatory audits, security breaches, lost productivity,\ shattered stock valuation, negative publicity, lost credibility, and\ workplace lawsuits, which employers and legal professionals alike consistently\ identify as their number-one e-mail and Internet-related concern.\ 2\ e-Policy Rule 2: You cannot afford to ignore new and\ emerging technology. If you fail to provide the hot, must-have\ technologies of the day, chances are your tech-savvy\ employees will bring them in through the back door. Left undetected\ and unmanaged, that’s a recipe for disaster!\ Employers Face Ever-Increasing Legal Liability\ As early as 2001, when the first edition of The e-Policy Handbook was\ published, employers cited legal liability as their primary reason for\ monitoring employee e-mail and Internet use.3 Since then, we have witnessed\ the expanding role of e-mail and other forms of electronically\ stored information (ESI) as evidence in civil lawsuits and criminal trials.\ In 2006, 24 percent of organizations had employee e-mail subpoenaed,\ compared to just 9 percent in 2001. Another 15 percent of companies\ went to court to battle lawsuits specifically triggered by employee\ e-mail in 2006, according to the Workplace E-Mail, Instant Messaging,\ and Blog Survey from American Management Association and ePolicy\ Institute.4\ Electronically Stored Information Plays an\ Ever-Expanding Evidentiary Role\ There is no doubt that the evidentiary role of workplace e-mail and other\ electronically stored information will continue to expand. The United\ States Federal Court made clear this fact in December 2006, when the\ much-anticipated amendments to the Federal Rules of Civil Procedure\ (FRCP) were announced, affirming the fact that all electronically stored\ information is subject to discovery (which means it may be subpoenaed\ and used as evidence) in federal litigation.\ When it comes to electronic evidence, it is the content that counts,\ not the tool or technology used. Whether created, transmitted, acquired,\ posted, downloaded, or uploaded via e-mail, IM, the Internet, a cell\ phone, or any other tool, ESI creates the electronic equivalent of DNA\ evidence. ESI can—and will—be subpoenaed and used as evidence for\ or against your company should it one day become embroiled in a workplace\ lawsuit. Will you be prepared?\ e-Policy Rule 3: Electronically stored information (ESI) creates\ the electronic equivalent of DNA evidence. ESI can—and will—be\ subpoenaed and used as evidence for or against your organization\ should it one day become embroiled in a workplace lawsuit.\ Regulators Grow Increasingly Watchful\ Over the years, government and industry regulators have turned an increasingly\ watchful eye to the content created and the business records\ generated by e-mail and other electronic business communication tools.\ For example, failure to comply with Security and Exchange Commission\ (SEC) rules governing written e-mail and IM content and record retention\ policies has cost brokerage firms hundreds of millions of dollars in\ fines.\ The Health Insurance Portability and Accountability Act (HIPAA),\ Gramm-Leach-Bliley Act (GLBA), and Sarbanes-Oxley Act (SOX) are\ just three of the tens of thousands of regulatory rules with which workplace\ computer users must comply—or face consequences including\ monetary fines and possible jail time.\ In spite of potentially costly penalties, regulated firms have been\ slow to adopt the type of business record–related rules and policies detailed\ in Chapter 3. Only 34 percent of organizations have e-mail record\ retention policies and schedules in place, and merely 13 percent of companies\ retain and archive business record IM, according to American\ Management Association/ePolicy Institute research.5\ Among regulated employees, 43 percent either don’t adhere to regulatory\ rules governing e-mail retention or they simply do not know if\ they are in compliance.6 Overall, 43 percent of workers can’t distinguish\ business-critical e-mail and IM that must be retained from insignificant\ messages that may be purged.7\ It’s no surprise that employees are confused and employers ill-prepared\ when it comes to the management of all-important ESI. Only 21\ percent of companies provide employees with a formal definition of\ ‘‘electronic business record.’’8\ This book is designed to educate employers and users about the\ importance of establishing and complying with rules and policies governing\ electronic business record retention, deletion, and archiving, as well\ as overall electronic risk management. Strategic business record retention\ and deletion rules and policies are essential for all employers, regardless\ of industry, size, or status as public or private entities.\ Employ Tougher Rules to Combat Growing Risks\ Along with increased risk, there has been growing awareness among\ employers of the devastating impact that inappropriate electronic content\ and unprofessional behavior—accidental or intentional—can have\ on users’ careers and the corporate bottom line. Consequently, employers\ are increasingly putting teeth in their electronic policies.\ In 2007, more than a quarter of employers (28 percent) fired employees\ for e-mail misuse. That’s double the 14 percent reported just\ six years earlier in 2001. An additional 30 percent of bosses terminated\ workers for Internet violations in 2007, according to the 2007 Electronic\ Monitoring and Surveillance Survey from American Management Association\ and ePolicy Institute.9

Part 1 Electronic Business Communication Rules1 Why Every Organization Needs Electronic Rules and Policies Based on Best Practices 3Part 2 E-Mail Rules2 Legal Risks and Rules: E-Mail Creates Discoverable Evidence 133 Record Retention Risks and Rules: Courts and Regulators Take Seriously the Production-and Destruction-of Electronic Evidence 204 Regulatory Risks and Rules: Government and Industry Watchdogs Guard Content and Records 285 Archiving Rules, Tools, and Best Practices 34Part 3 Privacy, Confidentiality, and Data Security Rules6 Online Privacy Risks, Rights, and Rules 497 Confidential Messaging Rules and Tools 568 Data Security Risks and Rules 71Part 4 Content, Personal Use, and Netiquette Rules9 Content and Personal Use Risks and Rules 7910 Netiquette Rules 85Part 5 Instant Messaging Rules11 IM Is Turbocharged E-Mail: All the Risks, Rules, and Regulations Apply 9312 IM Management Rules and Tools 100Part 6 Internet Rules: Web, Blog, Social Networking, and Video Site Risks, Rules, Policies, and Best Practices13 Internet Risks and Rules 10914 Blog Rules 11415 Blog Risks 11816 Blog Policies and Best Practices 12417 Social Networking and Video Site Risks and Rules 133Part 7 Software Rules18 Software Risks, Rules, Policies, and Best Practices 143Part 8 Cell Phone and Texting Rules19 Cell Phone and Text Messaging Risks, Rules, Policies, and Best Practices 155Part 9 Monitoring and Compliance Rules: Minimize Risks-and Maximize Compliance-with Training, Discipline, and Monitoring20 Employee Education Policies and Best Practices 17321 Disciplinary Rules, Policies, and Best Practices18122 Monitoring Rules and Tools 184Part 10 User Rules23 How to Communicate Online Without Getting Fired: Ten Tips for Employees Who Want to Protect Their Privacy-and Keep Their Jobs 19524 Q&A: Answers to Employees' Most Commonly Asked e-Policy and Privacy Questions 205Part 11 Electronic Writing Rules25 e-Policy 101: How to Draft Effective e-Policies for Your Organization 21726 Establishing Electronic Writing Style Policies for Employees 222AppendicesA Fifty-Seven e-Policy Rules to Help Keep Your Organization in Business ... and Out of Court 233B e-Policy Dos and Don'ts: Best Practices to Help Minimize Risks and Maximize Compliance 240C Sample Electronic Business Communication Policies 247D Glossary of Electronic Business Communication, Legal, and Technology Terms 273E Resources and Expert Sources 284Notes 287Index 311About the Author 323