According to Joseph Johnson with Statista, more than 310 billion emails were sent and received each day in 2021. Email is the fastest and least expensive means of communication, and it is often used to market goods and services. A recent Hubspot blog reports email marketing generates $42 for every $1 spent (a 4,200% return on investment). But haphazard email practices can present a broad range of legal liabilities that can cost your business dearly. From legal fees to regulatory fines to damaged reputations, the risks are real; the smart move is an effective Email Policy that incorporates best practices as well as encryption and archiving.
Email policy best practices
Experts agree the first step of best practices in managing a company email system is to create a strong, effective email policy. Such policies differ for each corporate entity, but effective policies include a few critical components:
- The email policy is in written form and clearly explained to employees, and employees sign a document acknowledging it.
- Policy states the email system is the property of the employer and is to be used for the purpose of furthering the employer’s business. A company may determine whether personal emails are allowed (either through company email or personal email address) but should state limitations on personal use of the system.
- Email policy states the rules governing the email system. For example, employees should be informed that email use should comply with all applicable laws and regulations and that the system should not be used to:
  - Transmit or receive confidential or sensitive information in unencrypted form;
  - Transmit or receive discriminatory, harassing, sexually oriented, offensive or other illegal or improper messages;
  - Download unauthorized software onto the employer system.
- Employers have the right to examine what employees are doing on company time and with company equipment and to ensure that employees are most productive. An effective email policy should state whether or not its email system is monitored, the business reasons for doing so (i.e., protection of company’s confidential or proprietary information and customer privacy), and the circumstances under which it would take place.
- Establish that employees should have no expectation of privacy when using the company email system.
- Policy should incorporate consequences for violating the policy ranging from reprimand in an employee’s personnel file to termination, commensurate with the infraction.
Another component of an effective email policy is prohibiting employees from signing up for illegal, unreliable, disreputable or suspect websites and services while using the company’s email system. Such practices expose the entire network to ever-increasing cyberattacks like phishing, malware and ransomware.
A Usecure blog recommends that your company email policy suggest using strong passwords that are never written down or shared, prohibit opening attachments or links in unsolicited mail or mail from unknown senders, and require employees to report suspicious-looking email to the appropriate staff (i.e., the IT department or other responsible party).
Email misuse is usually not intentional. Employees often do not understand that email transmissions are not private documents and inappropriate use of the system opens both the company and the individual to legal exposure.
Some scenarios in which email messages were used in legal proceedings relate to sexual discrimination and racism in the workplace. Frequently, the court has ruled that certain email messages are admissible as evidence. Even though the email messages in question were not business related, they were transmitted using a company email system or computer. Hence, the need for limitations on personal use of email systems and clear prohibitions against transmitting confidential or sensitive information or discriminatory, harassing, offensive or sexually oriented messages.
Effective Email Systems Incorporate Encryption and Archiving Solutions
As the global workplace undergoes a massive transformation toward telecommuting, remote, co-workspace, and hybrid arrangements, more and more commerce is conducted digitally, especially via email. Remember the Statista report of more than 310 BILLION emails sent and received each day? Your company needs to protect its valuable assets – data. It is crucial for companies to secure data transmitted electronically with email encryption capability.
Loss of confidential information can lead to heavy fines, loss of trust, and negative publicity for businesses. Email encryption protects email content by encoding it such that it is only readable by the intended recipient. When this solution identifies sensitive information within the contents of an email, it automatically encrypts before sending. Additionally, your users can conveniently trigger encryption by including a pre-defined tag in the subject line. Encrypted emails are removed from the system after 15 days to ensure that sensitive data is not retained any longer than necessary.
Archiving data, particularly transmitted via email systems, is a key component of your cyber security. Your company’s electronic communication data, including email, can be used as evidence in workplace disputes as well as regulatory investigations, open data, FOIA requests and more. Retaining this data in a central and manageable storage has become the standard for business operations and a legal hold feature is one of the most important functionalities in archiving solutions.
Some industries, due to state or federal regulations, require the retention of records for a specified number of years. If a company fails to secure and preserve such business records, including emails, a regulatory or investigatory body could make claims of spoliation of evidence. A legal hold ignores the existing retention rules and keeps messages and other data in the archive indefinitely, ensuring that no data is lost.
Archiving solutions can also reduce storage costs and system requirements. Some users will keep email in their mailboxes forever, never deleting a single message. Over time, the space required to keep those messages grows, and when the mailbox becomes completely full, the user cannot send or receive emails until they delete some messages.
With an archiving solution in place, you can set rules for your email server to clean up messages after a specified period (e.g., anything in the deleted items older than 10 days, in the Inbox older than 90 days, and anything in any folder over 18 months). This solution strikes a balance between having relevant emails on hand and keeping mailbox sizes reasonable. And, as with a legal hold, since users can search the archive for any message they have ever sent or received, the archiving solution retains everything.
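The mailbox cleanup rules and the legal-hold override described above can be expressed as two separate decisions, one for the mailbox copy and one for the archive copy. The sketch below is an added example, not code from any archiving product or from the author; the `Message` fields, the function names, the seven-year archive retention value and the check that a message is archived before cleanup are assumptions, while the 10-day, 90-day and 18-month thresholds come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Mailbox cleanup ages from the text; 18 months approximated as 548 days.
FOLDER_MAX_AGE = {"Deleted Items": timedelta(days=10), "Inbox": timedelta(days=90)}
ANY_FOLDER_MAX_AGE = timedelta(days=548)
ARCHIVE_RETENTION = timedelta(days=7 * 365)  # assumed value; set per regulation

@dataclass
class Message:
    msg_id: str
    owner: str
    folder: str
    received: datetime
    archived: bool  # True once the archive holds a verified copy

def mailbox_action(msg, now):
    """Decide what the mail server does with the mailbox copy."""
    age = now - msg.received
    limit = min(FOLDER_MAX_AGE.get(msg.folder, ANY_FOLDER_MAX_AGE), ANY_FOLDER_MAX_AGE)
    if age <= limit:
        return "keep"
    # Never clean up a message the archive has not captured yet.
    return "remove" if msg.archived else "keep-unarchived"

def archive_action(msg, now, held_owners):
    """Decide what the archive does with its copy; a legal hold overrides retention."""
    if msg.owner in held_owners:
        return "retain-legal-hold"
    return "expire" if now - msg.received > ARCHIVE_RETENTION else "retain"

def plan(messages, now, held_owners):
    return {m.msg_id: (mailbox_action(m, now), archive_action(m, now, held_owners))
            for m in messages}

# Constructed sample data.
NOW = datetime(2024, 6, 1)
SAMPLE = [
    Message("m1", "alice", "Deleted Items", NOW - timedelta(days=11), True),
    Message("m2", "alice", "Inbox", NOW - timedelta(days=30), True),
    Message("m3", "bob", "Projects", NOW - timedelta(days=600), False),
    Message("m4", "bob", "Inbox", NOW - timedelta(days=8 * 365), True),
    Message("m5", "carol", "Inbox", NOW - timedelta(days=8 * 365), True),
]

if __name__ == "__main__":
    for msg_id, actions in plan(SAMPLE, NOW, held_owners={"bob"}).items():
        print(msg_id, *actions)
```

Messages m4 and m5 are the same age and folder; only the hold on bob keeps m4 in the archive past the assumed retention period.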
Ramsey Consulting Services recognizes the challenges of conducting business in this increasingly global economy and wants to partner with you to ensure a high level of security and success for your business. Contact us today to learn more about securing your data and positioning your organization for success.