Click here to skip to main content.
scenic picture from Washington state
SUBJECTSIS › Elements of a Successful E-Mail Policy, Part III by Gerard Panaro
Elements of a Successful E-Mail Policy, Part III

Elements of a Successful E-Mail Policy, Part III

by Gerard Panaro

This is the third in a three-part series on implementing an e-mail policy. The first installment took a look at the basic legal standards, the second examined applicable laws, and this one will offer the components of a legally sufficient, defensible workplace policy on e-mail.

Components of a legally sufficient, defensible workplace policy on e-mail.

  1. Written policy. First, of course, any policy should be in writing. It should make clear to employees that the security of their e-mail is not guaranteed and that e-mail may not be protected by privacy law. The policy should state that employees should have no expectation of privacy in the workplace. Office equipment is the property of the company and for office use; employees' use of equipment is subject to monitoring, may be accessed with or without notice, disclosed to others, and used to evaluate, reward and/or discipline employees. The policy should state that messages on the system are considered to be company records.

    It may be a good idea to explain to employees how e-mail works, so they understand better why it may not be as private or confidential as they assume. Any explanations should be accurate, however. Suppose, for example, that the IT department tells employees if they delete a message on the same day it is sent or received, before it is backed up overnight, it is gone forever and irretrievable; or suppose, in response to an employee's query, who wants to recover a message s/he has inadvertently deleted, IT says it cannot be recovered. Such statements could be evidence of an expectation of privacy: an employee says s/he thought it was OK to send and receive pornographic, racial or sexual jokes so long as they were immediately deleted.

    It is also recommended that if the employer uses software that enables managers to know which employees may be using the internet, and which sites they may be visiting, that this information be disclosed up front to affected employees, and they be warned to make sure their internet use is for legitimate business only.
  2. Passwords don't guarantee privacy. Second, a written e-mail policy will also warn that giving employees passwords, varying levels of message protection and other security measures does not necessarily create any right to privacy or guarantee no access. Make sure employees aren't misled. In fact, consideration should be given to insisting that employees give all codes, passwords and other security information to someone in the company, in case of emergency.
  3. Reasons justifying access. Third, it is important that the policy set forth the legitimate business reasons why e-mail may be monitored and accessed. Every possible justification listed below may not apply to every employer, but legitimate business reasons typically include the following:
    • Assess performance
    • Reduce personal communications
    • Improve the work product
    • Protect against theft, fraud, computer crime
    • Remain competitive
    • Search for violations in disclosing trade secrets
    • Obtain information in a business emergency or the absence of the employee
    • Retrieve lost messages
    • Help employees effectively use the e-mail system
    • Determine whether employee gossip hurts workplace morale
    • Promote efficiency
    • Provide a workplace that is free of unlawful discrimination (e.g., sexual, racial, other forms of illegal harassment)
    • Insure that system is being used properly (e.g., no illegal gambling, no receipt, transmission or trafficking in obscenity, pornography, pedophilia)
    • Investigate complaints of improper use (customers, other employees)
  4. Employee usage guidelines. Fourth, the policy should establish employee usage guidelines, such as whether or not the system may be used for nonbusiness (personal) exchanges, and if so, when and to what extent. For example, the company may be willing to allow its employees to use e-mail for personal reasons outside of normal working hours; or if the employee is willing to pay for his or her usage. It is recommended that at least some personal use of e-mail almost has to be allowed, for at least three very practical reasons: employees can't completely control e-mail sent to them from other sources; employees are going to make personal use of the system anyway; policing and disciplining employees for personal use will be almost impossible, will divert the company from its primary business, and could backfire in the sense that it becomes so intrusive it triggers legal challenge.
  5. Violators subject to discipline. Fifth, state in the policy that employees who violate it will be subject to discipline. There are a couple of guidelines to keep in mind here: if the company has an employment at will policy, then make sure this component of the e-mail policy is consistent with that policy; if the company follows a progressive discipline policy or dismisses only for cause, then the e-mail discipline policy should likewise be consistent. The level of discipline will obviously be proportionate to the circumstances, such as nature of the violation, frequency, prior violations, etc.
  6. Dispute resolution procedure. Sixth, consider providing in the policy a mechanism for addressing complaints. The company has be careful here, however, to strike the right balance: on the one hand, it will want to afford employees "basic due process"; but on the other, it does not want such an elaborate system of complaints, hearings, appeals, reviews, etc. as to make the process interminable.
  7. Managerial discretion. Seventh, spell out when managers can search for or interfere with e-mail. This will be a crucial element of the policy, because if the company limits the circumstances under which it can access employees' e-mail, then it risks liability if it should ever exceed its own self-imposed limits. A long list of such occasions has already been given. Certainly, the company will want to reserve the right to go into e-mail in case of emergency, and emergency does not only refer to physical threats, such as fire or bomb scares. An emergency can be a customer or client screaming for something right away, and the person who would normally deal with the situation is out.

    The company will also want the right to access employees' e-mail when it is investigating unlawful discrimination or harassment, based on sex, race, disability or any other protected category. In fact, in view of the recent Supreme Court decisions heightening employers' liability for harassment in the workplace, and cases that have been decided in light of the Court's opinions, this business justification becomes all the more compelling.1

    A third obvious time when the employer may want the right to monitor is when the employee's performance, evaluation and/or appraisal are in issue. Whatever the criteria decided upon, the important point is to spell them out and be sure the company adheres to them.
  8. Access by third parties. Eighth, the policy should address the issue of third-party access. For example, a company may want to have a policy of being able to regulate the sources of e-mail and to delete or block transmissions to employees from sources not approved. It may also wish to forbid employees from accessing or subscribing to certain sites, even if the employee is willing to pay the cost.
  9. Signed acknowledgement of having received policy. Ninth, it is probably a good idea to have employees sign an acknowledgement or receipt form for the e-mail policy. If the policy is incorporated in an employee handbook, a receipt for the handbook is enough; if the policy is free-standing, it may have its own receipt form.

    Practical advice for implementing the policy. Writing a policy on e-mail in the workplace is only the beginning. An indispensable element to its success will be how the policy is implemented. In this respect, the following steps are recommended.

    Perhaps the single most practical advice to give on implementing an e-mail policy is this: when monitoring does become necessary, use the least intrusive means possible. The simplest rule to follow may be that ordinarily, the company will not monitor employees' e-mail traffic unless and until a complaint is received or there is a rational basis or articulable suspicion that the system is being misused. An employee, for example, may complain that s/he is receiving annoying or harassing e-mail from another; an employee may complain that s/he is receiving objectionable e-mail from an anonymous source; an enforcement agency (whether the EEOC investigating a charge, a litigant or law enforcement) may request the company's cooperation in accessing employees' e-mail. A manager may notice that one of his or her subordinates seems to be spending an inordinate amount of time on e-mail, a customer may call to complain that its e-mails have not been answered, or a manager may notice a fall-off in productivity. But whatever the source or reason, the basic rule will be: We will not monitor any employee's e-mail unless a complaint has arisen or we have a reasonable suspicion that something is amiss.

    A second way to make monitoring as unintrusive as possible, of course, is to limit those who have authority to monitor (or order monitoring), those to whom information is disseminated, and/or the nature, quantity and detail of information that is monitored or disclosed. For example, the company may give the right to monitor only to the IT department, only to HR, to security or to corporate counsel. The company might even contract out the job to an independent security or investigative firm.

    A third technique is to avoid any intrusion into, or dissemination of, the actual contents of e-mail, but to monitor simply "transactional" or frequency information. To determine that an employee is abusing e-mail, as an illustration, it may only be necessary to document that whereas the average employee sends or receives only a dozen e-mails a day, this employee is sending or receiving more than a hundred. It would not even be necessary to go into contents; the numbers alone would raise suspicions or prove the point.

    In implementing a policy on e-mail, especially if the policy is new, take multiple steps to make sure employees are aware of the policy and have received a copy. Some suggestions are to make the policy a part of the application process, include it with a letter offering a job, print free-standing copies of the policy and hand these out separately, even if the policy is already contained in the employee handbook; make employees sign a paper acknowledging receipt. Periodically review the policy, in light of experience, new developments, new cases, changes in technology or the business.

    Summary and conclusion. The law clearly recognizes and protects an employer's right to monitor employees' e-mail (and other office communications). Indeed, the authors of law review articles and op-ed pieces in newspapers and magazines decry the lack of protection for employees' privacy interests in the workplace. Employees have no automatic privacy rights in the workplace. The key to protecting itself is for the company to have a written policy on electronic communications in the workplace, make sure employees are aware of it, and to be judicious in its implementation of the policy in terms of making monitoring as little intrusive as possible.

1In 1998, the U.S. Supreme Court decided two cases that significantly raised the stakes for employers in sexual harassment suits (and, indeed, for claims of harassment under any other protected category, such as race, age, disability, religion, etc.), Burlington Industries, Inc. v. Ellerth, 118 S.Ct. 2257, and Faragher v. City of Boca Raton, 118 S.Ct. 2275. These are the major holdings of the two decisions on when an employer is liable for sexual harassment:

  • As a threshold matter, to state a claim for unlawful sexual harassment under Title VII, the federal anti-discrimination statute, a victim must be able to show that the conduct complained of was sufficiently severe and pervasive (this will be discussed further below).
  • Title VII is not a "general civility code." Discourtesy, rudeness, insensitivity, simple teasing, offhand comments, isolated incidents (unless extremely serious) will not amount to unlawful sexual harassment.
  • In the case of sexual harassment by a co-employee, the employer is going to be liable only if it was negligent: that is, it knew or should have known the sexual harassment was going on, and did nothing to stop it.
  • In the case of sexual harassment by a supervisor that results in an actual adverse job action against the victim, the employer will always be liable, regardless of how careful it was. An employer has no defense to such "quid pro quo" harassment by a supervisor.
  • In the case of sexual harassment by a supervisor that does not result in an adverse job action against the victim ("hostile environment" sexual harassment), the employer will still be subject to suit. However, it may have a defense to the claim.
  • The defense consists of two elements:
    • The employer acted promptly to prevent and correct sexual harassment and
    • The employee failed to take advantage of any preventive or corrective opportunities provided by the employer (e.g., failed to complain or use the sexual harassment policy)

Gerard P. Panaro, Artabane & Belden, P.C., 2021 L Street, NW, Washington, DC 20036. Tele (main): 202-861-0070; tele (direct; voice mail): 202-861-1314; fax: 202-861-2939; e-mail (firm (preferred:)) gpanaro@artabane-belden.com; (personal:) gpanaro@mindspring.com

First published on bankinfo.com on 5/19/99