Monitoring Employee E-mail

A recent survey finds that some U.S. companies employ workers to personally monitor employee e-mail and that more than one-quarter of surveyed companies have terminated employees for e-mail policy violations.

By Barbara Worthington
Outbound e-mail and other electronic communication protocols continue to pose significant risks for U.S. companies, according to a recent survey by Cupertino, Calif.-based Proofpoint. The survey of 308 e-mail decision-makers at large companies showed increasing concern regarding leaks of sensitive information via outbound e-mail and other electronic communications devices.
Among companies with 1,000 or more employees, more than three in 10 (32 percent) indicated they hire staff to read or analyze contents of outbound e-mail. Of companies with more than 20,000 employees, almost four in 10 (39 percent) employ staff for the same purpose.
The average among all companies surveyed was 17 percent.
The impact of e-mail misuse on companies is significant, according to the survey. More than one-quarter (26 percent) reported that business was affected by the exposure of sensitive or embarrassing information in the last year. More than one-third (34 percent) investigated a suspected e-mail leak of confidential or proprietary information.
Among the largest organizations, with 20,000 or more employees, nearly three in 10 (29 percent) reported that employee e-mail was subpoenaed in the last 12 months.
"Generally, companies should have a good reason to monitor broadly in that fashion, such as a serious internal or client confidentiality risk," says labor and employment attorney Gregg Lemley, a partner at Bryan Cave LLP in St. Louis.
Lemley says the need to monitor employees' e-mails "depends upon the type of company. If you are housing protected health information, consumer-credit information or the formula of the next big inventions, then 'yes' [companies should consider such a process]."
It's essential, however, he says, for companies to "communicate clearly with employees what kind of monitoring you will or may be doing and make absolutely clear that they have no right of privacy in their e-mail systems, or anything else you intend to monitor."
Employees should also be warned of potential consequences related to policy infractions, he says.
Modern technologies, such as instant messaging and camera phones, make it even more difficult for companies to track data leaks and purloined information. "Extensive background checks for security-sensitive positions can help," Lemley says.
However, e-mail remains a primary source of information leakage, according to the survey. Respondents estimated that nearly 20 percent of all outbound e-mail poses a legal, regulatory or financial risk. More than one-third of companies surveyed admitted to having investigated a suspected e-mail leak of confidential or proprietary information in the past 12 months.
Nearly half (46 percent) of companies surveyed have disciplined an employee for violating e-mail policies in the past year. And more than one-quarter (27 percent) have terminated an employee for a violation in the past 12 months.
Companies need to protect against lawsuits brought by employees when termination follows monitoring of employee e-mails, according to Lemley. "Privacy invasion torts are the most likely vehicle" for employee recourse against a company, he says, adding that's the reason "it's so important to have a good policy."
Newer communications vehicles, such as YouTube, MySpace and FaceBook, pose problems to companies as well. Such Web sites provide increased opportunities for information dispersal.
Among those surveyed, 14 percent of companies have disciplined an employee for violating social-networking policies during the past year and nearly 5 percent terminated an employee for such a violation. About one in 10 (11 percent) companies have disciplined an employee for violating media-sharing policies, with 7 percent terminating an employee for such a violation.
Other communications channels of growing concern among respondents include blogs and peer-to-peer networks, which Wikipedia describes as a network between participants instead of a conventional centralized server resource. One of the earliest peer-to-peer networks was the Usenet news-server system. Survey respondents said peer-to-peer networks were their No. 1 source of concern for information leakage via non-e-mail channels.
In the past 12 months, 21 percent of respondents said they had investigated the exposure of sensitive information via blog or message-board postings. Such infractions resulted in termination at 9 percent of companies surveyed.
Lemley emphasizes the importance of incorporating policies designed to address each aspect of employee communications use and activity.
"If you haven't made clear your propensity to monitor, or the consequences, or if you single people out without legitimate reason, you open yourself up to discrimination or retaliation claims," he says.