2

We have been using e-mail within the organisation for a number of years without an end-user policy (data retention and backup policies are in place for UK FoI and DP requirements). Up until now we have used the "if you wouldn't write it down and put it in the post, it doesn't belong in an e-mail" rule.

A working group has been formed to discuss the use of e-mail within the organisation, and the policies, procedures, rules and best practices surrounding e-mail.

What documents are typically published in relation to use of e-mail? Are they separate documents or part of your AUP, ToU or contracts of employment? What typical rules and policies are contained within these documents?

HopelessN00b
Richard Slater

5 Answers

6

I would keep it as small as possible, but several things do need to be spelled out. I use the phrase communication systems to include all forms of communication: email, IM, telephone, intranet, blog, collaboration spaces, etc.

1- The corporate communication systems are not private. Any communication through a company network or service, whether personal or work-related, is the property of the company. The company can monitor, review, search, and re-publish any communication made using its network or service, at its sole discretion.

2- Disrespect, abuse, or poor treatment of other people, whether they are company associates or outsiders, is unacceptable and not allowed. This includes, but is not limited to, personal insults, abusive language, profanity, explicit or implicit sexual references, and reference to any "protected" class or status. This policy applies whether the target of said treatment is a party to the communication or not.

3- Copyright and authorship are to be respected. Any material written by another that is used in any form of ecomm must be referenced as such. If authorship is not known, that must be indicated.

4- Extreme care must be taken when dealing with confidential or proprietary information.

5- Written communication should follow the company style guide and other published guidelines.

6- All employees are expected to exercise sound judgment when using company communication systems.

tomjedrz
    Thanks for your input, I have accepted this answer as it covers some important points; this shouldn't detract from the other answers as they also have valid and important points. – Richard Slater Jul 03 '09 at 13:42
5

mfx posted a great list, I'd just like to add one thing.

Whatever you do, don't add a disclaimer. Especially if you have a large tech staff it just makes them look like idiots.

http://goldmark.org/jeff/stupid-disclaimers/

LapTop006
3

I am not a big fan of such policies and I would recommend that the above common-sense approach is best. Is there a particular reason why you need to introduce such policy now?

Anyway - in my organisation there is an official "Email Policy and Guidance" - a 7 page long document. I doubt anyone has ever read it, but it states things like:

  • Legal requirements (including liability)
  • Restricting spread of viruses
  • Personal use allowance
  • Confidentiality
  • Monitoring
  • Format, language and style guidelines
  • Rules on attachments
  • Forwarding and CC-ing
  • Managing email tips
  • Use of distribution lists
  • a list of dos and don'ts

I would do a Google search for 'netiquette' or 'email etiquette'. It should give you plenty of ideas.

Peter Mortensen
mfx
    The common sense approach is indeed preferred; however, common sense is not all that common. The powers that be have created a working group to look into this stuff. I shall put the "common sense" approach across but wanted to be armed with some examples of what other organisations do. – Richard Slater Jun 26 '09 at 13:28
2

The basic approach that you've taken makes sense. Here are some considerations on how to move forward:

  • See this Server Fault question for some considerations about archiving.
  • The amount of work that you put into this sort of policy directly correlates with the sensitivity of the data that you handle and the frequency that you get sued and/or audited.
  • If you get sued a lot, you want to de-emphasize Email as a medium for communicating about organization strategy, customer data or sensitive information. Move that communication or information to more manageable systems.
  • If you get sued a lot, your mail retention period will be all about complying to the letter of your governing law, regulation or contractual requirements.
  • If you don't get sued a lot, your mail retention period will be all about storage costs.
  • I believe that incidental personal use is OK. (Others disagree.) But make it clear that everything is archived and discoverable. Personal communication should be more like "let's meet for dinner at 5" and not "let me tell you about my very personal medical condition".
  • Style guides are good if you have employees that are less than professional and you need a tool to help supervisors correct bad email etiquette. Nobody else cares.
  • Train and inform your staff! If your management/attorneys come up with very specific rules that are non-obvious, make sure those rules are expressed clearly and in multiple venues.
  • Silence the stupids on the email working group as soon as possible. The command and control types will want to implement things like email subject line policies, standard fonts, etc.
duffbeer703
2

I had to write a usage policy years ago. At the time I thought they were pretty stupid, but now I am starting to see some of the benefit. It's important to communicate as directly as possible the limits of acceptable use for your users. They will test them, despite all of the "common sense" remarks in this thread. It's also important, in fact even more important to communicate to employees / users that they do not have any implied or explicit right to privacy on the corporate network. You will have to read somebody's email some day, and in all likelihood you'll be asked to provide email and other records to lawyers. In this case you want to make sure that employees know that while things like email are "private" in the general sense, they are absolutely not "private" to the company.

In our policy we make clear the following (these are not quotes from the document, just the general gist of it):

  • Who can read an employee's email, under what circumstances (any!), and who must authorize that sort of thing.
  • That deleted email is not necessarily "deleted".
  • What email can be used for, and what is specifically against the rules. (covering personal email, sending of unsolicited email (CAN-SPAM), etc)
  • How the employee is expected to protect the "privacy" of his email, and how he is to respect shared mailboxes.
  • The role of the system administrator to monitor, set limits, and remove threats. Also the limits of the administrator to do anything else without authorization.
  • The behavior we expect out of an employee when sending a message.
  • That the company is not responsible for any messages a user may receive (porn!), nor is the company responsible for messages a user may send. Yeah...right...well, we gotta say it.

Once you have your policy drafted, you might want to have it reviewed by a lawyer. After all, the policy just sort of sits there twiddling its thumbs until something bad happens, and something bad often means the potential for legal action...so it might be good to have some feedback about your particular verbiage. Being either too vague or too specific can land you in trouble.

My opinion is that you can be a bit more vague on the stuff that's less likely to cost a lot of money, and extremely explicit on the stuff that is. For example, if you try to define a rigid set of rules about when and why and how an employee can send an email message, then there will constantly be exceptions to these rules, thus weakening your entire policy. An employee forwarding a stupid chain letter or using a "non standard" signature or something along those lines is not the end of the world, and is something you can deal with on a case by case basis when necessary. On the other hand, if you have to pull a terminated employee's retained email and hand it over to the lawyers to prove that they were sending out company secrets, you don't want them to be able to say "hey, you can't do that, it's private!" and have a leg to stand on. You want to be able to reply "yes I can, here's where I told you this, and here's your signature".

Boden