It is virtually impossible to avoid the use of email and the Internet in today's cyber climate. Failing to use these technologies in the workplace can result in competitive disadvantage; so many employers have installed email, the Internet, and related technologies into their organizations. While most would agree that the use of these technologies is beneficial, it is important for employers to be aware of, and take steps to minimize, the exposures these innovations create.

Employee misuse of the company email system and/or Internet can create liability exposures for an employer, and the potential for exposure varies widely. For example, the potential for liability exposure may be as straightforward as an employee using the email or instant messaging (IM) system to harass another co-worker or where a confidential email is accidentally (or intentionally) sent to the wrong party, resulting in a breach of confidentiality. Or the liability exposure can be something unexpected by a company, such as a claim for negligent transmission of a virus. According to the 2004 Workplace E-Mail and Instant Messaging Survey, 13% of the employers surveyed have been sued as a result of an email related incident.

Additionally, an employee's improper use of the email system exposes an employer to the risk of receiving viruses, worms or other cyber threats, which can attach themselves to emails and other electronic transmissions. According to the 2004 Workplace survey, approximately 24% of employees download free instant messaging software from the Internet, subjecting companies without computer security systems not only to security, legal, compliance, and productivity risks, but to downtime associated with a corrupted system caused by a downloaded threat.

Loss of Productivity. The improper use of these technologies can result in financial losses such as loss of employee productivity or congestion of the company network from personal use. In the Clearswift Limited survey, published in February 2005, it was reported that almost 40% of employees spend one hour or more, each day, using company email for personal business. The 2004 Workplace survey revealed that employees surveyed spent up to 90 minutes each day between email and instant messaging. In terms of company productivity, Clearswift established that approximately 1,700 working days are lost every year as a result of employees using company email systems for personal business.

Retrieving Emails During Litigation. There is also the very real risk that an opposing party, in the course of litigation, will seek documents saved on the company's computer system. According to the 2004 Workplace survey, over 21% of employers surveyed had an employee email subpoenaed during a lawsuit or during a regulatory investigation. Locating and producing retained email, or the reconstruction of such email, is extremely expensive and time-consuming.

Whatever the potential risk, employers must take company-wide action to ensure employees operate within Internet and email usage guidelines. When an employer is sued for the actions of its employees, courts will look at whether the employer acted in accordance with the law, company policy, industry standards, and may even look to whether the employer acted in accordance with what they told their customers they would be doing.

Taking Action: The first step in minimizing a company's liability exposure is to create and implement an email and Internet usage policy. Simply having a policy is not enough. Employees must be trained on the policy and the company must enforce it, otherwise, the policy is near useless. Adopting, implementing and enforcing an effective email policy can minimize misconduct, and, in the event of a lawsuit, can go a long way in helping a company assert the defense that it has taken reasonable steps to prevent inappropriate use of its emails, the Internet, and related technologies such as IM systems.

In creating the policy, the following steps are suggested:

• Notify employees of the company policy that the company email and Internet systems are not to be used for personal use and that they should not tie up the company's network with non-business usage;
• Advise employees of the potential threats the company faces due to employee misuse of the technologies, which violates the policy;
• Notify employees their emails may be monitored although the company is not obligated to monitor all emails, and that they should have no expectation of privacy in anything that is created, stored, sent or received on the company computer. This policy should be detailed;
• Prohibit use of any messages that could be viewed as discriminatory, harassing, obscene, offensive, or otherwise unlawful;
• Set up an etiquette policy and a uniform method of writing and signing emails in order to maintain quality control and uphold the company's reputation;
• Certain businesses are required to maintain email messages as a matter of law (such as government, health care and financial institutions). However, all businesses should establish an email retention policy that details what types of emails should be retained and what type may be deleted. Set up folders for retaining emails to make sure they are not deleted in error;
• Set up a policy and advise employees on how to protect confidential information;
• Adopt and implement procedures for the reporting of offenses, investigating misconduct, and advise employees that violation of the company's email, IM and Internet usage policies can be the basis for disciplinary action, up to and including termination;
• Consider the use of filtering systems to limit what web sites employees may access; and
• Have employees sign a document acknowledging they are aware of the email and Internet policy and that they understand they are obligated to adhere to it, and that violation may result in disciplinary action, up to and including termination.

Make sure training is provided periodically to employees on sending effective and compliant emails and take timely, corrective action when the company's policy is violated.

Insurance Coverage for the Wary Employer. Many losses resulting from Internet use are not covered under traditional insurance policies. Businesses, large and small, are just now coming to realize that network security coverage is necessary to protect against network liability, hackers and cyber-risk. Coverage can be purchased for losses caused by a third party, or first-party coverage can be purchased to protect a company against internal loss and business interruption, to recover profits lost during downtime.

All of the recommendations made in this article are based on the real risks employers face in today's cyber climate. With ever-increasing litigation and regulatory oversight, the best way to minimize the potential for loss associated with your company's computer network and electronic data transmissions is to apply solid risk management principles: put in place a policy to prevent the potential for loss, train employees on that policy, and enforce the policy each time it is violated.