Every company needs to establish a policy regarding use of and access to company email systems -- and then tell all employees what it's policy is.

This set of materials is designed to help in the formulation of such policies.

Background

Various laws may limit your options in establishing a company email policy. And you need to consider the implications of any policy for other types of activities and for employee morale.

Your policies regarding email should be consistent with company policy regarding other issues relating to privacy, use of company property, and access to employee workspaces. But there are some special features of electronic communications that you might want to take into account in formulating your policies on this new medium.

Dip into the materials below, as you feel necessary, to review the factors that bear generally on your selection of a combination of policy options.

Electronic Communications Privacy Act

In the United States, the Electronic Communications Privacy Act governs unauthorized access to and disclosure of electronic mail messages. See 18 U.S.Code Sections 2501 et. seq. and 2701 et. seq.

While it is important to be familiar with ECPA, this law does not generally apply to limit the policies that an employer may adopt with regard to use of company email systems by employees and access to or disclosure of employee email, for several reasons.

• The wiretap statute allows the real time interception of messages by a company using equipment and procedures used in the ordinary course of its business. (This provision doesn't apply to access to stored email. And it may be qualified by other laws applicable to workplace monitoring.)
• Access to private email is permitted with the consent of the sender or recipient, and employers can often require that consent as a condition of employment.
• Access to private email is also permitted under specified circumstances that include protection of the security of the system and the rights of the system provider (which would often be the employer).
• The statute prohibits "unauthorized" access, but the employer is often in a position to grant authority to access, by defining the terms under which email and other electronic services are provided.
• Insofar as the employee sends messages as an agent of the employer, the employer, as the principal on whose behalf the message was sent, would have the authority to consent to access or disclosure.
• The special limitations on disclosure of private email, in ECPA, expressly apply only to those who provide electronic communications services to the public -- and an internal system provided by an employer to employees would not be so characterized.

Collective Bargaining

If an employer requires employee consent to access to electronic messages, this could be a term and condition of employment that is subject to mandatory collective bargaining.

Duties to Third Parties

Companies may be required by contracts, or by discovery demands in litigation, or by lawful demands from law enforcement authorities, to search and turn over company records, including email sent or received by company employees.

Companies need to be careful not to make promises to their employees that are inconsistent with the company's obligations to other parties. And employees should be warned that the electronic messages they send and store may one day be required to be disclosed to other parties.

Special Features of Electronic Messaging

Consider the following aspects of electronic messages when you are formulating your policies:

• Email and files may be protected by passwords, encryption and similar means.
• Electronic messages and files tend to be more persistent than oral communications. Copies Proliferate.
• It may or may not be easy to tell who sent a particular message. Alteration of particular messages is feasible. But use of a company email system may also create detailed electronic records that disclose more information than was previously available concerning an employee's activities.
• An email address may belong to a group.
• Email is cheap and easy -- use of it for incidental personal purposes isn't likely to strain company resources.
• Because of the absence of the restraint provided by face to face confrontations, electronic messages can convey intense emotions. On the other hand, asynchronous messaging allows reflection and research before a message is sent.
• It may be easy or hard to give an employee an ability to "retract" an email message once it is sent.
• Use of company email systems from remote locations may create records of company activities that are not stored on equipment owned by the company.
• Computer viruses can spread through electronic messaging systems.
• The use of IDs and passwords creates an expectation of privacy.
• System administration personnel with high security clearances generally need, and generally have, access to private electronic communications. This may not be true if encryption is in use -- but non-escrowed encryption can pose issues concerning the ability of the company to get access to a company record in the absense of the employee who knows the key.
• Most email and other electronic communications systems now link to other systems outside the company. Some companies provide access to and use of their email systems to customers and suppliers who are not employees of the company. This may pose special security risks or trigger special duties under laws governing those who provide electronic communications services to the public.
• Email systems may be used to infringe copyright, perpetrate fraud, distribute defamatory statements, and otherwise inflict harm on third parties. Because of the scope of this new medium, the harm caused by a wrongful message may occur more rapidly, or be greater in scope, than that caused by paper documents.
• It is generally easy to search large sets of electronic messages with automated search engines.

Blurring Boundaries

Some companies instinctively conclude that they can and should reserve the right to access employee email whenever they want, because they provide the hardware and software used by company employees. But the boundaries between company property and the property of others, between employees and independent contractors, and even between the company's computer systems and those of others, are blurring.

Before adopting too simplistic a company policy, consider the following:

• Many of those who use the company systems may be independent contractors, rather than employees. They may even be entirely independent suppliers or customers.
• Your company may or may not own the system used to provide email for employees. Many companies now contract with third party networks for this service.
• Email originating on your company's system may be sent over private links, or the public internet, to third parties. Some messages in employee mailboxes may have come in through such routes -- and the senders of such messages may have no notice of, and may not have consented to, any company policies regarding access or disclosure.
• Your company also owns and provides to employees many other types of property -- such as pencils and telephones-- that are regularly used by employees to send personal and private messages.
• Your company probably considers some of the spaces inside its buildings, such as desk drawers in an employee's desk, to be entitled to special privacy protections.
• Employees work at home and use equipment not owned by the company.
• Company owned databases, bulletin boards and web pages may contain links to materials at remote location that are not owned or authored by the company.

Topics and Alternative Clauses

You may assemble a company policy -- or a list of proposed policies for further analysis and discussion -- by selecting from among the following alternatives. But you should first browse through the alternatives and evaluate them in light of the background considerations and your specific circumstances.

Purposes for which Company Email May be Used

• Email may be used only for Company Business
  It is a violation of company policy to use the company email system for any personal purposes.
• Email may be used for incidental personal purposes
  It is permissible to use the company email system for incidental personal purposes. This does not include uses requiring substantial expenditures of time, uses for profit or uses that would otherwise violate company policy with regard to employee time commitments or company equipment.
• Email may be used for personal purposes without restriction
  It is permissible to use the company email system for personal purposes.

Encryption and Labeling

• Encryption of any kind is permitted
  Employees may encrypt their email and files with the use of any software they may choose.
• Only specified forms of encryption are permitted
  Employees may encrypt their email and files only with the use of software approved by the company. This software may provide for retention by the company of any key necessary to access encrypted messages, or may otherwise limit the degree of protection provided by such encryption.
• Personal Email must be labeled as such
  Employees must specially label any personal email as such, or must send personal messages only by means that clearly identify the messages as personal in nature. Any messages sent without such labeling or identification may be assumed by the company to have been sent on behalf of the company.
• Signature files or message text must disclose limitations of employee's authority
  Employees must use signature files, in messages sent to third parties, that make clear any limitations on the extent to which the messages from the employee may be understood to have been sent on behalf of the company.

Systematic Monitoring

• No Systematic Monitoring
  The company will not engage in the systematic monitoring of electronic mail messages, the electronic records created by use of email systems, or other electronic files created by employees.
• Monitoring Allowed for any business purpose
  The company may engage in monitoring of electronic mail messages or other electronic files created by employees for valid business purposes, including employee supervision. All employees will be informed of such monitoring and will be required to consent to such monitoring as a condition of employment.
• Monitoring only with good cause or legal obligation
  The company may engage in monitoring of electronic mail messages or other electronic files created by employees only in specific instances in which there is good cause for such monitoring or some legal obligation to do so. In such cases, the company shall follow procedures reasonably designed to establish the existence of such cause or obligation and to assure that any monitoring is limited to actions reasonably required under the circumstances.

Access and Disclosure without Consent in Specific Cases

• No Access without consent unless required by law or other duty
  The company will not access or disclose private electronic messages or files of an employee without the consent of that employee, unless required to do so by law or a duty to a third party.
• Access or disclosure with good cause and appropriate procedures
  The company may access or disclose private electronic messages or files of an employee with good cause, provided that it follows appropriate procedures designed to assure compliance with company policies. Good cause shall include the need to protect system security, fulfill company obligations, detect employee wrongdoing, comply with legal process, or protect the rights or property of the company. Applicable procedures shall include reviews by senior company managers to assure that employee privacy is not infringed without good cause.
• Access or disclosure for any business purpose by those with authority
  Authorized managers and supervisors may access or disclose private electronic messages or files of an employee for any valid business purpose. Employees will be so informed and required to consent to such access as a condition of employment.
• Notification after the fact of any access or disclosure without consent
  In the event that company personnel access or disclose private electronic messages or files of an employee without the consent of such employee, the company will give notice of such access to the employee, provided that such notice may be delayed in order to protect the interests for which the access was undertaking.

Substantive Rules

• Company Email may not be used for illegal or wrongful purposes
  Employees may not use company email or electronic messaging systems to infringe the copyright or other intellectual property rights of third parties, to distribute defamatory, fraudulent or harassing messages, or otherwise to engage in any illegal or wrongful conduct.
• Company Email may not be used to download software without checking for viruses
  Employees may not use company email or electronic messaging systems to download software unless they comply with established policies to check all such software for computer viruses.
• Electronic Snooping prohibited
  The unauthorized use of electronic messaging systems for purposes of "snooping" is a violation of company policy and will be grounds for dismissal.

Procedural Considerations

Your company should have a policy regarding access to and use of company email and it should tell all employees what that policy is.

The most sustainable and productive policies are those that give appropriate respect to employees' desire for and expectations of privacy, and that also provide for responsible and thoughtful procedures when legal obligations or business needs suggest that some invasion of those privacy interests is warranted. Indeed, the very existence of a policy and of an appropriate procedure for balancing the interests of the many parties involved in this issue may itself be the most valuable tool to defend against after the fact attacks on any particular company practices.

You should include employees (as well as technical experts, lawyers, and management) in the process of formatting your company policies on these issues. Employee users of the system will help spot issues and their involvement will help you develop sound policies that achieve widespread acceptance and respect. Don't adopt policies or procedures that you would be embarrassed to describe fully to your employees -- or to see described in the morning newspaper.

While you are formulating your company policy, you should gather some key information regarding the nature and extent of your company's electronic messaging systems, who has access to what types of data, what provisions have been made for backups and security, who is charged with responding to requests for access by third parties, and who has done what to assess and minimize foreseeable risks.

Make sure your policy is consistent with and incorporated into whatever process you use to establish and disseminate other company policies.

Related Articles

• More firms monitor outbound email
• Global trends will drive employee email monitoring to Middle East
• Is email monitoring legal?
• Company Email Policy.