Hard email lessons from 2003

16 Dec 2003

Employees’ personal email was collected as evidence during the Federal Energy Regulatory Commission (FERC) investigation of Enron’s alleged energy-market manipulation. Staff had been regularly using the company’s email system for personal communication and private messages were retained alongside Enron’s electronic business records.

When earlier this year FERC posted 1.6 million Enron emails online, employees’ private correspondence went on public display. Employee romances, affairs, and marriages were discussed – with senders’ and receivers’ names attached. Executive salary packages and employee performance reviews were transmitted – with senders’ and receivers’ names attached. Employees’ bank records and Social Security numbers were displayed – with senders’ and receivers’ names attached.

FERC eventually removed emails containing Social Security numbers and employee performance evaluations. But not before the Enron email disaster was covered by the national business media and millions of curious readers (including identity thieves and other malicious outsiders) jumped online to sort through the goldmine of Social Security numbers, personal dirt, and other “goodies.”

For employers, the Enron email disaster clearly illustrates why it is so important to distinguish business record email from inconsequential messages and to purge all email that need not be retained for business, legal, or regulatory purposes.

Much closer to home only last week three HP employees in Scotland, fired after sending or receiving emails of a sexual nature, won a claim of unfair dismissal.

The tribunal found that HP had not been consistent in its response to abuse of the company’s email system, according to the Metro, Daily Record and Evening Times coverage.

The employees were three of 100 people who had been caught under a company investigation into email misuse. They were dismissed, but colleagues who had sent emails with a similar or more explicit content, were not.

The employment tribunal ruled that HP’s inconsistent approach to enforcing its email abuse policy meant that the employees had been unfairly dismissed.

According to Irish HR consultant Fredericka Sheppard these cases illustrate that: “Having a policy in place is not enough on its own; it needs to be communicated and constantly re-enforced to all employees at all levels in the organisation. While many companies communicate the company policy on email and internet usage at induction stage, employees may already have access to their email or the internet before they are scheduled to attend their induction training. It is certainly good practice for email and internet access to be given to employees only when they have accepted the terms of the company’s policy on its usage.

“Other companies use a splash screen that pops up before the employee is prompted for their password to log onto the email and internet, and only by accepting the terms of usage outlined in that screen will access be given. Having a policy in place, communicating it to all employees and having a supporting procedure in place to deal with breach of policy, is the first step all employers should take in dealing constructively with this revolutionary communication tool called the world wide web.”

Information supplied by Clearswift & The ePolicy Institute

Please visit our sponsors: CheckPoint : Entropy