E-Policies Can Minimize Your E-Risks
Your firm has probably written and implemented HR policies governing sexual harassment, employee violence, theft and other unprofessional or illegal conduct. But have you also written policies outlining authorized and unauthorized use of software, computers, e-mail and the Internet? A growing number of lawsuits resulting from employee abuse of corporate e-mail and Internet systems are making the development and enforcement of e-policies a necessity.
Developing a corporate e-policy is a process that will identify your firm’s electronic risks, establish security procedures, and address employee Internet, systems and software usage. It is also one of the best ways to minimize your e-risks and prevent cyber-crises before they happen.
Getting Started
It takes a motivated team to develop a comprehensive e-policy. Management and employee involvement are essential in gaining insight into your firm’s e-risks and e-policy needs. E-policies created with employee input and job security in mind are also more likely to gain greater support and compliance. A confidential questionnaire or internal e-audit can reveal how computer resources are currently being used—or abused—helping you to identify your firm’s e-risks. The results will enable you to develop customized e-policies, security procedures and insurance coverages to specifically address these risks.
Content
Security: Address password protection. Restrict remote access to computers and physical access to your computer room. Clearly state what is and is not allowed to be communicated via your organization’s e-mail messages and computer systems.
Software: Define software piracy and adopt a strict policy against it.
E-Writing: Incorporate comprehensive writing, language and netiquette guidelines for employees and managers. Back up your policy with monitoring and filtering software. According to Nancy Flynn, executive director of the ePolicy Institute, the easiest way to control your e-risk is to control content written and sent from your office. She says, “Employers should absolutely take advantage of monitoring and filtering software so that they can keep track of what their employees are up to online.”
Documents: Establish a formal electronic document retention policy that addresses creation, content, retention and deletion of electronic files. Spell out how to categorize files, where to store them and when to delete them.
Privacy: Address employee privacy and the circumstances under which their e-mail and Internet usage will be monitored. Utilize your written e-policies to educate employees about their electronic rights and responsibilities.
Penalties: Make it clear that policy violations will result in disciplinary actions or termination.
E-Crises: Incorporate an e-crisis communication plan into your overall e-policy. Be prepared with a plan to respond to media questions that may result from a hacker attack, an offensive employee e-mail, or a visit by the software police.
Keep your policies simple and accessible. Once you have written them, conduct a formal legal review and obtain management approval of the document. All finalized e-policies should be incorporated into your firm’s printed employee handbook.
Training
E-policies cannot succeed without complete management education and support, so you should begin with a briefing session for partners and managers before training employees. Start by reviewing the e-risks faced by your firm and your reasons for implementing the new e-policies. Thoroughly explain what is and what is not allowed, what you expect from everyone, and the penalties for violations. If your policies cover e-messaging and Internet monitoring, say so. Include time for questions, and conclude by having your employees sign and date a statement indicating they have read and agree to abide by all e-policies. Finally, make sure your e-policies become part of your firm’s employee orientation for all new hires.
Enforcement
Penalties for e-policy violation must be defined, explained and consistently enforced. Your training and orientation sessions are critical, as employees who understand your firm’s e-risks, e-policy content and penalties for violation are more likely to comply.
Emphasis
A successful e-policy requires an ongoing commitment to employee education. Emphasize the importance of e-policy compliance by updating employees about e-risk issues and proper netiquette at staff meetings and in employee newsletters. Insert e-policy reminders or FAQs about writing effective e-mail messages in employee paycheck envelopes. Circulate a weekly Do and Don’t e-tip to employees.
Updates
Give one individual the responsibility of staying current with the ever-changing worlds of technology and Internet communication. Conduct periodic security audits. Once purchased, cyber-insurance, virus/intrusion detection, monitoring and security products must be updated regularly to be effective. Even your newly developed e-policies must be reviewed annually and revised as necessary, with changes documented and communicated to all employees.
Timing
How long will it take to develop an e-policy? If your firm has a clear understanding of all electronic liabilities and in-house technical expertise, and if your management team is focused on reducing e-risks, you should be able to develop and implement an e-policy in four to six months. However, if you must rely on outside consultants to guide you through the process, the process may take somewhat longer.
Begin now. No firm, large or small, can afford the potential risks and costs of a cyber-crisis or an e-disaster. While no business can ever be 100 percent protected from electronic risks, a well-written and enforced e-policy is one of the best ways to protect your firm.
About our author...
Patrick Rohde is President of Dataliant Inc., an Atlanta-based IT consulting firm. Dataliant connects systems, offices and people using innovative services such as e-mail message filtering and network monitoring. For a list of resources for netiquette and policy development, send a message with the subject line: “e-Policy Resources” to prohde@dataliant.com or call him at (888) 292-7490.