Email is an integral tool for business communication. As such, it’s imperative that you have a solid email policy to govern how email is used in your organization and to detail the consequences of violation. Implementing an email use policy helps protect your business’ electronic assets, shield you from legal liability, and create usage expectations for employees.
With millions of business email addresses and other personal data recently stolen from large retailers and financial institutions, and with phishing and spam attacks expected to result from the breach, now is a great opportunity to educate employees on email safety and to reinforce or establish an email policy.
Begin your email policy by reviewing the legal and compliance requirements of your specific industry. An email policy for a bank may look a lot different from an ad agency’s policy. Most policies will cover at least these basic topics:
All email is considered company property. The Appropriate Use section should specify how the company expects employees to use the email system. Give user-specific style guidelines, required disclaimers, and email signature templates. Include a firm statement prohibiting distribution of offensive or disruptive messages (racist or sexist content, jokes, chain letters, pornography, and spam). Use this area to detail restrictions on certain file types or file sizes and clarify that users are not to engage in non-business activities that inappropriately consume network resources.
Retained emails are routinely requested by regulatory bodies and in legal disputes. Your industry may dictate certain email retention regulations. Use this section to let users know how long emails are saved and to support compliance activities. If only certain employees can access the email archive, include the process and turnaround time for retrieving archived messages.
An employer has the right to monitor any messages sent over the company’s email system. While it’s not necessary in most states to inform employees of monitoring, a formal email policy should explain that their messages, even if personal in nature, can be monitored without notice. Having this policy in place also reminds users to consider carefully what they send over the business email system because there is no expectation of privacy.
Legal and appropriate internal stakeholders should review the email policy before implementation. A review process should be defined to revisit and update the policy at scheduled intervals. All email users should sign or otherwise acknowledge receipt and understanding of the policy. Employee training sessions can help users better understand and adhere to the guidelines. Going forward, the policy should be included in employee handbooks and new hire paperwork and published in an easily accessible place, like the company intranet or public folders.