Posted by: David Scott
It was revealed that the Health and Human Services Secretary Kathleen Sebelius has several e-mail addresses besides her official one, at least one of which has been characterized as “secret.” There are at present several other political appointees using secret e-mail accounts in their conduct of official business. This is a practice that complicates any agency’s responsibilities and fulfillment of legal obligations upon public records requests and congressional inquiries.
I don’t know if Ms. Sebelius has a nefarious reason for multiple accounts, outside of her official government one, but I do harbor some sympathy: she said she receives 27-28,000 e-mails to a public account, and 400 to the private account. It seems reasonable to have a discretionary address for Government business and another for Public communication.
However, in another case, the EPA Administrator, Lisa Jackson, had an undisclosed account for official communications under an alias – “Richard Windsor” – thus shielding that account from Freedom of Information (FOI) review. That’s a problem.
It also raises the question for organizations: What are your employees potentially doing outside the official sanction and channel of your organization’s e-mail system (with org data and org-specific communications)?
When speaking about a weave of business and technology, the weave doesn’t get much tighter than the conduct of daily business communications and e-mail. There are other things that are just as tight, and even more timely (Tweets, chat windows, etc.), but given e-mail’s capacity for both communication and transfer of large attachments (whether docs, presentations, videos, etc.), e-mail and business conduct go hand-in-hand.
Large enterprises are wise in having very lucid policies concerning use of e-mail. First and foremost (if you have a fairly conventional and comprehensive policy) is the understanding that anything created, residing, and transported into and by your e-mail system is owned by the organization. Thus, policy is that the organization can look at anything within the system at any time. Human Resources can utilize, and disciplinary activity can be based upon, e-mails in the disposition of cases involving inappropriate behavior and communications, for example.
It is very important to make this part of your e-mail policy (which is part of your overall content and acceptable use policies) known to the organization: new hires should be apprised during New Employee Orientation, and regular staff should be reminded/updated during periodic refreshers, which can be annual, semi-annual, ad hoc, or on any schedule the organization deems necessary. A very important feature of comprehensive Content Management/Acceptable Use policies is that the organization’s information, data, and business intelligence are truly contained by the organization (hence “content”). Now, this doesn’t mean it has to reside inside the four walls of a building, or various collateral buildings at whatever locations the organization inhabits; rather, this means the organization has some kind of system of management and reporting for electronic data, wherever it resides (same for hardcopy).
Increasingly, however, employees are creating Gmail, Facebook, and other accounts at work, on work time, and with work resources (devices, systems, bandwidth, time). These accounts are not only being used for personal “business”; there are cases where work-related correspondence and content are being shared through, and residing on, these personal means.
I’m aware of a very large, sophisticated organization that discovered a romantic relationship between one of their employees and an employee at a client. The relationship blended romance, official company-client communications, sharing of content, and quite a bit of inappropriate gossip about colleagues. This org is now conducting meetings and surveys to discover just how widespread a problem it may be, and is re-working all of their HR, business, and IT policies.
Beyond specific “secret” accounts for conducting business communications, there is of course the inappropriate exposure of all kinds of things to inappropriate forums, such as disclosure of corporate secrets to Facebook accounts and audiences, for example. Once anything is put in any forum, it is harbored and dispersed as content – and is outside the control of the organization for dissemination, disposition and destruction.
Be absolutely certain you prohibit the concept of secret e-mail addresses, or if you prefer, “outside” or “alternate” e-mail addresses and the loosening of content to various forums – unless your organization sanctions it for some reason. I can think of orgs that may want various personnel to have addresses that are specific to various outside domains for marketing purposes – but tightly control that, and document that use in policies.
But put everything into policy.