Research: Battling Risk with Policies for Blogging, Email and IM

July 14, 2006
New survey from American Management Association and ePolicy Institute illustrates how communications risks are handled today

NEW YORK - E-mail mismanagement continues to take a hefty toll on U.S. employers, with costly lawsuits--and employee terminations--topping the list of electronic risks. As recent court cases demonstrate, e-mail can sink businesses--legally and financially. Last year, the inability to produce subpoenaed e-mail resulted in million dollar--even billion dollar--lawsuits against U.S. companies. In fact, 24% of organizations have had employee e-mail subpoenaed, and 15% of companies have gone to court to battle lawsuits triggered by employee e-mail. That's according to the 2006 Workplace E-Mail, Instant Messaging & Blog Survey from American Management Association (AMA) and The ePolicy Institute.

Increasingly, employers are fighting back by firing workers who violate computer privileges. Fully 26% of employers have terminated employees for e-mail misuse. Another 2% have dismissed workers for inappropriate instant messenger (IM) chat. And nearly 2% have fired workers for offensive blog content--including posts on employees' personal home-based blogs.

Employee bloggers, who can be fired, or "dooced" in blog parlance, for blogging at work (and at home on their own computers) face increasing risk of termination by employers struggling to keep a lid on legal claims, regulatory fines, and security breaches. With the blogosphere growing at the rate of one new blog per second, industry experts expect the ranks of dooced employee bloggers to swell.

"Employee bloggers mistakenly believe the First Amendment gives them the right to say whatever they want on their personal blogs. Wrong! The First Amendment only restricts government control of speech; it does not protect jobs. Bloggers who work for private employers in employment-at-will states can be fired for just about any reason--including blogging at home on their own time or at the office during work hours," said Nancy Flynn, author of the newly released book Blog Rules (AMACOM, July 2006) and executive director of The ePolicy Institute. In spite of the confusion, fewer than 2% of organizations have educated employee bloggers about the First Amendment and privacy rights.

Employers eager to minimize electronic risks and maximize employee compliance should start with written rules and policies, said Flynn. Fully 76% of organizations have e-mail usage and content policies, with another 68% using policy to control personal e-mail. Unfortunately, employers do a less effective job of managing electronic business records, the evidence that can make (or break) a company's legal position. According to the survey, 34% of companies have written e-mail retention/deletion policies in place, in spite of the fact that 34% of employees don't know the difference between business-critical e-mail that must be saved and insignificant messages that may be purged.

While 35% of employees use IM at work, only 31% of organizations have IM policy in place, and 13% retain IM business records. With 50% of workplace users downloading free IM tools from the Internet--a dangerous practice that 26% of employers aren't even aware of--the lack of written IM rules opens organizations to tremendous risk. Employees' use of public IM tools coupled with ill-advised content including attachments (26%); jokes, gossip, rumors, and disparaging remarks (24%); confidential company, employee, and client information (12%); and sexual, romantic, and pornographic chat (10%)--make workplace IM a recipe for legal, regulatory and security disaster.

When it comes to potential risks, unmanaged blogging dwarfs e-mail and IM. Among the blog risks detailed in Flynn's new book Blog Rules are copyright infringement, invasion of privacy, defamation, sexual harassment and other legal claims; trade secret theft, financial disclosures, and other security breaches; blog mob attacks and other PR nightmares; productivity drains; and mismanagement of electronic business records.

According to the AMA/ePolicy Institute Survey, 8% of organizations operate business blogs. In spite of the risks, only 9% have policy governing the operation of personal blogs on company time; 7% have policy governing employees' business blog use and content; 7% have rules governing the content employees may post on their personal home-based blogs; 6% use policy to control personal postings on corporate blogs; 5% have strict anti-blog policies banning blog use on company time; and merely 3% have blog record retention policies in place.

"With 55% of business blogs 'facing out' for customers and other third parties to read, the lack of written blog rules is a potentially costly oversight," said Flynn. "Considering that less than 2% of organizations assign a lawyer or other responsible party to review employees' entries and third parties' comments prior to posting, the enforcement of written usage and content rules is a business-critical best practice for any organization engaged in blogging."

In addition to policy, employers are advised to take advantage of technology tools to help manage employees' blog use (and misuse). Seventeen percent of companies use technology to block employee access to external blog URLs, and another 12% regularly monitor the blogosphere to see what is being written about them. As revealed by the 2005 Electronic Monitoring & Surveillance Survey from American Management Association and The ePolicy Institute, blog monitoring and blocking lag behind Internet and e-mail surveillance. Fully 76% of employers monitor employees' Website connections; 65% use technology to block connections to banned Websites; and 55% monitor e-mail.

The 2006 Workplace E-Mail, Instant Messaging & Blog Survey is co-sponsored by American Management Association (www.amanet.org) and The ePolicy Institute (www.epolicyinstitute.com). A total of 416 companies participated: 35% represent companies employing 100 or fewer workers, 101-500 employees (19%), 501-1,000 (7%), 1,001-2,500 (11%), 2,501-5,000 (8%) and 5,001 or more (20%). In 2005, 526 U.S. businesses participated in the Electronic Monitoring & Surveillance Survey from American Management Association and The ePolicy Institute. In 2004, 840 U.S. businesses participated in the 2004 Workplace E-Mail and IM Survey from American Management Association and The ePolicy Institute. In 2001, 435 organizations participated in the 2001 Electronic Policies and Procedures Survey from American Management Association and The ePolicy Institute.