


E-mail everywhere

Apr 27, 2007 | 2 mins
Data and Information Security

The Radicati Group recently released a study that found the average business user in the United States sends and receives 171 e-mails each day. Even that significant volume of e-mail is expected to double in just the next few years. Each e-mail, of course, presents risk.

Will the employee say something that creates liability for the company? Will the employee engage in harassment, send sexually explicit jokes, open an attachment with a virus, send confidential information outside the company without authorization, etc.?

The study found nearly a third of companies don't adequately publish their e-mail policies to their employees. More than two thirds of businesses either do not filter outgoing e-mail at all or simply don't know whether they are using filtering or not. Notwithstanding the foregoing, the overwhelming majority of businesses identify their top concerns regarding e-mail as protecting either (i) personally identifiable healthcare and financial information or (ii) the business' own confidential/proprietary information.

Businesses continue to need a wake-up call on these issues. I have always advocated a three-prong approach to mitigate e-mail risks: policies, technology, and policing.

Policies: Policies need to be better written, updated on a periodic basis, and clearly communicated to employees. See my earlier posts on best practices for policies.

Technologies: A number of vendors make available affordable, well-thought-out technological aids to assist businesses in filtering and monitoring e-mail in the workplace. While no technology is perfect, these tools can greatly reduce the risk presented by e-mail use by employees.

Of course, every business should be using appropriate anti-spam/virus/spyware software in connection with its e-mail systems.

Policing: I have touched on this topic in my earlier posts, but the issue remains the same. Businesses must enforce their policies when an infraction occurs. An initial, minor infraction may only warrant remedial education and a warning. Substantial or repeated infractions may mean disciplinary action, up to and including termination. Employees should also understand breaches may subject them to personal civil and criminal liability. The point is not to threaten employees, but to make it clear infractions will result in very real consequences, including the loss of their job.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
