|
What Is in a Policy? Tips for Creating One |
Email, instant messaging and blogs are like pens or telephones; employees can use them to say or do just about anything, from the heroic to the criminal. How can a company possibly write a policy to protect itself from misuse of these tools?
Remember that an e-communications policy isn't a general code of conduct. Your company should already have policies against sexual harassment, discrimination, leaking corporate secrets, insider trading, and other illegal or unethical behavior. You don't need to rewrite them; just refer to them.
So first, build a team. Besides the top IT executive, include the CEO, human resources and lawyers. Plan to develop the policy in consultation with an outside expert in electronic communications, recommends Nancy Flynn, executive director of the ePolicy Institute.
To get started, consider using a template from a research firm, or study other companies' policies online. And if you do decide to start from scratch, don't go it alone. Get your lawyer to explain your industry's laws and regulations. Solicit input from the troops. When IBM developed its blogging policy, it posted an internal wiki so everyone could contribute ideas before a draft was finalized.
Issues to cover include the following:
- Productivity. Can employees use corporate tools like email for personal use, and if so, when, where and how often? What about network-hogging activities like forwarding videos?
- Appropriate use on the job. Is there anything you don't want employees to say on corporate email, IM or blogs? Do they know they shouldn't plagiarize, libel or download pirated music or software? Is porn banned, and what constitutes porn, exactly? Is it OK to swear in interoffice email? Here's your chance to refer to your company's code of conduct.
- Appropriate use off the job. Employees are individuals with free-speech rights. But you may not want your customers to know that your head of marketing publishes a popular blog on her sexual escapades with all your top clients. (It's been done: Think about former Capitol Hill staffer Jessica Cutler.) So you're better off listing the behavior you don't want associated with your corporate name so your company can defend itself if a fired blogger claims discrimination. This is a legal minefield, so don't proceed without a lawyer.
- Document retention. If you can't quickly hand over email correspondence that gets subpoenaed during litigation, you could be slapped with a massive judgment, like the $1.45 billion that Morgan Stanley & Co. was ordered to pay to investor Ronald Perelman last year. Which emails do you want employees to keep, and for how long? How often should they purge?
- Privacy and security. Given the laws and regulations that govern your industry, what types of communications should be made with what types of tools? Are your brokers allowed to transmit client account numbers over email? What should be encrypted? Is it OK to copy corporate data onto disks and take them home? Should you have allowed your head of HR to store every employee's Social Security number and salary on her laptop, which got stolen last week?
- Enforcement. How will you enforce the policy? Courts have found that employees have almost no privacy at work. Will it be someone's job to monitor employees' email and voicemail? Secretly videotape? Read employees' personal blogs? If so, will you warn employees in advance? Courts have been more willing to accept such monitoring when employees are forewarned.
Finally, if they don't know about it, they can't follow it. Companies can make employees aware of the policy by making it a condition of employment or having them sign it once a year.
--J.I.R.
|
Email and Surfing
To prevent time wasting or risky use of corporate email and Web connections, many companies warn employees that they reserve the right to snoop on their online activities. And in more regulated industries like banking, firms really do. (Many others don't have time and instead wait for a manager to report suspicious activity; then they audit the worker's online activities.)
GMP Securities, for one, analyzes email messages after they are sent. The idea is to make sure that employees of the Toronto-based investment bank haven't broken laws by disclosing confidential client information or guaranteeing certain returns on investments, for example.
GMP doesn't monitor email messages before they are sent because that would require a continuous stream of alerts that would make it difficult for employees to do their jobs. "We felt that was going to be far, far too intrusive," says Steve Kruspe, senior vice president and CIO of the $223-million company.
GMP's email profiling software, made by Fortiva Inc. (a privately owned vendor based in Toronto), places copies of questionable emails in a queue for review by the company's compliance department. The department contacts anyone who appears to have broken a law or company policy. Kruspe says this after-the-fact analysis is an effective deterrent. "For most people, if they know we're going to be made aware of communications they shouldn't be sending and they know we're going to find [out] about it and they know we're going to come and see them about it, [that's] typically enough to cause them to think twice" about the information they send out, he says.
GMP isn't alone. According to the ePolicy Institute survey, 55% of employers store and review employee email.
At the other end of the spectrum is a division of commercial real estate brokerage Colliers International. Compared with banking, the real estate industry is not heavily regulated; and at many firms, including Colliers, brokers are independent contractors. So Colliers is more like a federation of independent businesses than an employer with a traditional hierarchy.
|
 |
|
|
