Imagine that your business has
a make-or-break presentation scheduled today with a prospective
client. But after arriving at work this morning, you discovered
that key files needed for the meeting are corrupt. The culprit:
a virus-infected email message that one of your employees forwarded
from the Web last night to everyone in the company.
It may sound like every business' worst nightmare. But as the use
of communications tools such as email and instant messaging (IM)
proliferates, it's a scenario that all businesses must wake up to
sooner rather than later. If you're serious about protecting your
business' intellectual property and other sensitive information,
then you need a comprehensive privacy policy that addresses employee
use of email and IM. This article will acquaint you with some privacy
policy "best practices."
Assess your risks
Few people would doubt that email has revolutionized communications
in today's business world. According to the American Management
Association's 2003 "Email Rules, Policies and Practices"
survey, 86 percent of respondents said that email has made them
more efficient, while 51 percent said they are much more efficient.
Gartner Group, meanwhile, forecasts that 70 percent of all corporations
will use IM this year, and that by 2005 IM will represent 50 percent
of all business-to-client communications.
But employee use of such tools can open businesses to some costly
liabilities, including workplace lawsuits, sexual harassment claims,
trademark and patent infringement suits, internal security breaches,
hacker attacks, and lost productivity. As a result, companies are
increasingly adopting strict privacy policies -- often including
monitoring -- to govern their employees' email and IM activity.
Consider these additional findings from the American Management
Association's survey:
- Three-fourths of all organizations have written policies concerning
email, but fewer than half train their employees on them.
- More than half of U.S. companies engage in some form of email
monitoring of employees and enforce email policies with discipline
or other methods.
- 22 percent of companies have terminated an employee for email
infractions.
- The average survey respondent spends a quarter of the workday
on email.
Be explicit
So how do you balance an employee's privacy and the need to maintain
security? With lots of care, experts agree. After all, no company
wants to find itself in the position of playing "Big Brother."
And not all businesses will deem it necessary to monitor their employees'
email and IM use. But if sensitive business information regularly
passes through your mail systems, it's imperative that you have
a clear, unambiguous privacy policy in place and the means to back
it up.
What to include
The following steps are essential if you are to have an effective
privacy policy:
1. Let all employees know in writing that email
and IM are to be used strictly as business communications tools.
Provide clear guidance about what is and isn't appropriate business
communication.
2. If you monitor and read employee email, say
so right up front. Let employees know that the contents of the email
system belong to the company, and that their email may be read occasionally
without notice.
3. Stress that downloading software or opening
executable files from an outside source without permission is unacceptable.
4. You may want to allow some personal use of
your company's email system for the purpose of maintaining good
employee morale. Let employees know where you stand on this issue,
and how much personal use is acceptable.
5. Make sure that the policy applies equally to
everyone in the company -- supervisors as well as staff.
6. Include a risk-management plan that outlines
policies on email retention and deletion, passwords, and (if applicable)
monitoring.
7. Provide an overview of your company's discrimination
and sexual harassment policies in your privacy policy.
8. Review the written policy with all employees,
and have them sign and date a copy of the policy. Include the policy
in any employee handbook and new-hire orientation materials.
Enforce it
The American Management Association survey found that nearly half
of all organizations use education and training to back up their
privacy policies. Slightly more than 50 percent of organizations
employ software to control email content, while 23 percent use a
combination of education and software. How you back up your privacy
policy is up to you; matters to consider include company size, culture,
and the amount of email and IM traffic generated. Experts agree,
however, that hands-on training is the most effective means of enforcing
any policy.
Be forthright
Finally, while putting a privacy policy in writing and following
up with training are essential, being forthright with your employees
is just as important. An employee who understands that a privacy
policy is tied directly to critical business issues, such as protecting
intellectual property or confidential materials, is more likely
to abide by it. Being forthright is one of the best ways to promote
employee "buy-in." The same goes for any changes you might
make to the policy down the road: communicate them to all employees
as quickly as possible.
Creating an effective privacy policy is no small undertaking. It
takes time, patience and a willingness to grapple with sensitive
subjects. But doing so conveys the message that, with email and
IM, you mean business.