E-mail acceptable use policies are not new. Most enterprises use them to communicate expectations to end users and set service limits (such as storage limits for user mailboxes). Take this opportunity to revisit the policy to be sure it includes retention periods, states possible e-discovery uses, and accurately defines acceptable use.

Policy Building Blocks

An e-mail acceptable use policy must contain the following building blocks fleshed out with detail appropriate for the enterprise’s situation:

• Unacceptable Use. This is the most direct section of the policy. Unacceptable uses are practices which the enterprise bans and is prepared to penalize. While some limited personal use is often allowed for brief non-work-related social communication, the following activities should be marked as expressly forbidden:
  • Sending offensive, threatening, harassing, or discriminatory messages.
  • Sending unsolicited mass e-mailings (a.k.a. spam).
  • Using the system for political or commercial purposes.
  • Knowingly transmitting computer viruses or other malware.
  • Reading, deleting, or modifying someone else’s e-mail without explicit consent.
• Encouraged Use. E-mail messages sent by enterprise employees will reflect on the enterprise’s credibility and professionalism. Encourage basic standards of courtesy. Provide either the text or location of the text for official signatures and message templates.
• Enterprise Use. Explain retention policies, archiving practices, and backup procedures insomuch as these affect the length of time and location of message retention. Also explain enterprise policy with regard to searching, reading, and using e-mail contents. Be sure to inform users that e-mails will be held indefinitely during a litigation hold and that lawyers will read these e-mails during a litigation-required identification, review, and redaction process.
• Policies and Procedures. If the enterprise enforces mailbox storage quotas, this is the place to inform users as to the size of the quota and processes surrounding over-quota mailboxes. Include other procedures, such as those for reporting abuse of the e-mail system or requesting account changes.

Recommendations

1. Download and use the “E-mail Acceptable Use Policy” template. Build on this document to quick-start the policy creation process. Modify the document to fit the enterprise’s specific situations.
2. Complete the policy with inputs from management. Retention periods, for example, are often dictated by the business rather than IT.
3. Obtain employee sign-off. At a minimum the enterprise needs to obtain acknowledgment that each employee received, read, and understood the policy.

Bottom Line

Avoid misunderstandings, lawsuits, and penalties by clearly defining acceptable use of e-mail for both employees and the enterprise. State retention periods, set privacy expectations, and ban unacceptable practices.