Committing sexual harassment. Engaging in insider trading. Divulging corporate secrets. The list of malicious acts that employees can commit via electronic communication is staggering, and companies are scrambling, or at least on the lookout, for solutions. But once companies begin looking for security holes, the ensuing paranoia and fear can be just as crippling as the chaos is overwhelming.
Because the confusion of archiving and compliance is enough to defeat the most determined of executives, a group has come together to offer best practices and resources for companies struggling with email and IM compliance: the Electronic Communications Compliance Council, or TE3C. While the name may not roll off the tongue, it suggests the council's approach to compliance action—take it slow.
Charter members of the industry-supported TE3C are Priscilla Emery, council chair, president, and founder of e-Nterprise Advisors; Paul Chen, president and CEO of Fortiva Inc.; Nancy Flynn, founder and executive director of the ePolicy Institute (and the go-to member for alarming statistics on why electronic communications policies are so important); Peter Mafteiu, director of operations for BKD Wealth Advisors, LLC; and Richard D. Marshall, a partner at Kirkpatrick & Lockhart and formerly with the Securities and Exchange Commission (SEC).
The council advocates a very straightforward three-step (three E) approach: Establish a written policy, Educate your workforce, and Enforce the policy. Companies need to begin at the beginning and get the policy in place before anything else, according to Emery. Ideally, she says, "an Accounts Payable email is filed in an Accounts Payable area, like any other filing system, but most companies aren't there yet." Once in place, executives must explain the policy to employees. "Education is where employers really fall short," says Flynn. "You can't expect an untrained workforce to comply with a policy."
The importance of establishing a working policy immediately is underscored further as IM becomes commonplace in businesses across the country; "those employers who have a problem with email retention are facing a disaster when it comes to IM," warns Flynn. A part of the solution is to include employees when crafting a policy, particularly because "there often seems to be a technology disconnect between executives and employees," says Flynn. "What senior executives think is 'emerging,' employees have been using since middle school."
The best course of action is to have a central policy, but the user has to be a part of the process, explains Chen, both in terms of educating them and getting input from them about what will work best and how things really work. The council strongly encourages including a variety of people in the policy-crafting process. Flynn recommends that a senior executive be involved as something of a champion, so that "employees know this is coming down from the top and is not optional." Marshall believes that a lawyer should be included, as well as someone who understands the technology and someone who controls the purse strings. Since the cost of implementing and enforcing electronic communications policies can be astronomical, it is important that companies have a reasonable way to comply without breaking the bank, Marshall cautions, or electronic communications could become prohibitively expensive for use by many.
Marshall also voices concern over a lack of clear guidance from the powers that be. "Can we get sensible guidance from regulators to separate 'Does anyone know a good plumber?' from 'Your fees are X'?" Most record-keeping requirements were drafted years ago, long before IM and other electronic communications were used for business, and Marshall stresses the importance of crafting guidelines that clearly explicate what must be kept and what can be purged. He also warns that whoever sends or receives a communication shouldn't be the only one determining what is important because, out of ignorance or malicious intent, they can cause irreparable harm. Chen echoes Marshall's concerns, adding that "many companies are not able to move forward as quickly as they would like because of a lack of industry guidelines."
Because such guidance is virtually non-existent, Mafteiu says that he and others in his position, "are forced to build our policies and procedures in something of a vacuum." He cites safety in numbers and a somewhat overprotective mentality as keys to success. During an SEC examination last year, Mafteiu's company was surprised and pleased to discover the process was easier than expected. He, too, welcomes more structure, as BKD Wealth Advisors handles compliance in-house by monitoring email, running surveillance on where employees go online, and prohibiting IM and blog participation.
There are still holes, of course, such as text messages, camera phones, and BlackBerry communications, as well as company equipment that employees use for travel (what happens if someone loses a company laptop? Is it a $1,500 loss or a loss of classified information?). Hopefully, new members who join the council will bring fresh perspectives, ideas, and war stories that others can learn from, and eventually, they will make it easier for companies to draft an electronic communications policy without thinking twice. "This is the formative stage of the group, but we are looking to add voices," says Emery. "We see this as a growing community." In the meantime, TE3C will be coordinating resources on their Web site, including white papers, surveys, and industry events, in addition to free access to a Policy Builder template solution.