When the Law Moves More Slowly than the Problem

Emails are causing problems. Based on a survey of 220 large US companies in 2008, 43% reported that they had investigated an email-based leak of confidential information, and nearly a third had terminated the employment of an employee for violating company email policies. Over a third of the companies were so concerned about the loss of sensitive or embarrassing information that they had employed staff specifically to monitor the content of outbound emails.

Although email continues to present the most serious threat to the security of company data, more companies are now aware of the dangers of internet-based data-sharing systems. In the past year, nearly a fifth of all US companies have investigated violations arising from the use of blogs, media-sharing sites such as YouTube, and social networking sites such as Twitter (Proofpoint/Osterman).

This isn’t just paranoia. In many cases, a company has a statutory obligation to monitor outgoing emails for compliance reasons. For example, HIPAA dictates strict rules for the security of emails containing personal data such as medical records. More generally, an employer also has an obligation to prevent employees from being exposed to ‘inappropriate’ emails at work, which has to be done by enforcing ‘Acceptable Use Policies’.

In each case, it’s hard to see how these rules could be enforced without monitoring or filtering emails, but at the same time the right to privacy of the patient, or employee, must be protected. This makes the monitoring process a legal minefield. In the UK, for example, monitoring of workers has to be consistent with the Data Protection Act, the Human Rights Act 1998, and Article 8 of the European Convention on Human Rights, which creates a right to respect for private and family life and for correspondence. There is even a published government code for employers who need to monitor their employees.

This represents a dilemma for any employer, and explains why so many companies are relying on staff, rather than clever software, to monitor emails. A one-size-fits-all software solution is unlikely to be legal. It is hard to devise a monitoring process that does not intrude into the private lives of employees, or interfere with the relationship of mutual trust and confidence that should exist between them and their employer.

How can one draw a distinction between workplace and private information? One cannot reasonably enforce a policy that bans any personal use of email in the workplace, when an employee can legitimately expect to be able to correspond, at work and in privacy, with an occupational health advisor, medical advisor or trade union representative. All email monitoring runs the risk of handling information that is confidential to the employee.

The problem develops faster than the law, in which there are wide international variations. To play safe, it seems best to make sure that there is a clearly defined internet policy (or AUP) in place for emails, or any other electronic medium, that is agreed, read and understood by staff. It needs to spell out the disciplinary consequences of a breach of the policy.

All this is easier said than done, and represents yet another source of stress for the beleaguered corporate IT departments around the world.

Do you have a solution? It would be great to hear what you think.

Cheers,

Michael Francis