The Security and Privacy Risks of Blogs, IMs, and Email

I’m reading the "2006 Workplace E-Mail, Instant Messaging & Blog Survey" performed and issued July 11 jointly by the American Management Association (AMA) and The ePolicy Institute.  It is an interesting read and has some good, and sometimes surprising, statistics and findings. 

Here are a few of the tidbits for you:

  • "Last year, the inability to produce subpoenaed e-mail resulted in million dollar—even billion dollar—lawsuits against U.S. companies. In fact, 24% of organizations have had employee e-mail subpoenaed, and 15% of companies have gone to court to battle lawsuits triggered by employee e-mail."

What are your records retention policies and practices for not only email, but also instant messaging, voice mail, and other types of files?  Be sure you clearly address the issues of email content (typically what is focused upon within policies) and also email retention.  This is a very important issue that is often not covered.

  • "Fully 26% of employers have terminated employees for e-mail misuse. Another 2% have dismissed workers for inappropriate instant messenger (IM) chat. And nearly 2% have fired workers for offensive blog content—including posts on employees’ personal home-based blogs."

I know there are some really amazing stories about the types of email, IM and blog content personnel write and post while at work and/or using their employers’ systems…what are these people thinking?  Probably not thinking…

Again, having a good, clearly written policy will help to support your organization’s decision if you need to make a termination or a disciplinary action that is subsequently challenged in court.  I know of many instances where the cases were thrown out before going to trial because the organizations had policies explicitly stating personnel could not use electronic communications in certain ways, and also had documented and visible proof and procedures verifying communications of the policies, when personnel brought suit, particularly for claiming ignorance about a policy.

  • "With the blogosphere growing at the rate of one new blog per second, industry experts expect the ranks of dooced [fired] employee bloggers to swell."

Wow…a new blog every *SECOND*?  That amazed me.  Can that be true?  I wonder how quickly blogs disappear?  One every hour?  Every 30 minutes?  What is the ratio of blogs to websites?  How many blogs are being set up by personnel under their employers’ domains without the knowledge of the employers?

I also learned a new word…or at least a new meaning for a word…"dooced." 

  • "4% of companies have written e-mail retention/deletion policies in place, in spite of the fact that 34% of employees don’t know the difference between business-critical e-mail that must be saved and insignificant messages that may be purged."

No surprises here…it is a scary fact that a huge amount of confidential and mission critical data is contained within or attached to email messages, and that no one really has responsibility for these email security and privacy issues, and most users have no idea of the risks involved.

Organizations need to implement classification policies and procedures to support the save and purge activities.

  • "While 35% of employees use IM at work, only 31% of organizations have IM policy in place, and 13% retain IM business records."

I know a large majority of the organizations I speak with indicate they use IM internally.  IM communications, even at work, are typically much less restrained…in content, opinions, accusations, gossip…than email.  All of which could get not only the employee but also the employer in hot water legally.

  • "Among the blog risks…are copyright infringement, invasion of privacy, defamation, sexual harassment and other legal claims; trade secret theft, financial disclosures, and other security breaches; blog mob attacks and other PR nightmares; productivity drains; and mismanagement of electronic business records."

Since a growing segment of business professionals relies so heavily upon these communication methods, it is important to have policies governing the appropriate and reasonable use of email, IMs, and blogs.

How many of you have such policies and supporting procedures?  I have seen many organizations with email policies and procedures, but very few companies, almost nil, with instant messaging or blog policies.
