ePolicy Institute

2009 Electronic Business Communication Policies & Procedures Survey


Executive Summary: Confidentiality Risks on the Rise


Employers increasingly are putting rules and policies in place to govern employee use of e-mail, Twitter, texting, and other electronic business communication tools. The reasons for doing so range from litigation and regulatory risks, to netiquette and productivity concerns, to legal and regulatory rules mandating the retention of electronic business records. Topping the list of employer concerns, however, are fears about security breaches and the loss of confidential company information, including internal e-mail, trade secrets, and other proprietary information and intellectual property.

Employers' security and privacy concerns aren't surprising, considering that 14% of employees admit to e-mailing confidential/proprietary information about the company, its people, products, and services to outside parties. Another 14% admit to sending third-parties potentially embarrassing/"eyes-only" company e-mail that is intended strictly for internal readers/employees, not outsiders.

An additional 6% of employees have used e-mail to transmit customers' confidential data (credit card numbers and social security numbers included) to outsiders. Another 6% have transmitted patients' protected health information (health status, medical care, payment issues, etc.) to third-parties. Employers are required by federal laws, state laws, and government and industry regulations to keep customer and patient data safe and secure, so data thieves and other malicious third-parties cannot access it. The accidental or intentional transmission, posting, or accessing of personal customer and patient data puts employers at risk of potentially costly lawsuits and regulatory fines, not to mention negative publicity and lost reputations.

Social Media Policies Help Protect Confidential Data


To help protect internal data, company secrets, and customers' financial, medical, and otherwise private data, 61% of businesses have in place a policy governing the exposure of company secrets/confidential information, company and customer financial data, or business-related rumors/gossip on business-related or personal social networking or video-sharing sites.

Another 41% have instituted policies governing discussions about the company on business-related social networking sites. And 40% have formal rules governing the uploading of business-related photos or videos to personal social networking or video sharing sites.

Other social media policies include: Viewing, downloading, or uploading videos to video sharing sites during working hours (54%); use of personal social networking sites during working hours (46%); use of words, photos, signage, uniforms, logos, or any other means to identify yourself as an employee of the company on personal social networking or video sharing sites (43%); and use of business-related networking sites during working hours (32%).

Workplace Twitter Use and Policy Taking Off


Twitter is the fastest growing social networking service, with some 8 million current users. It's therefore no surprise that 10% of organizations now are using Twitter as a marketing/communications tool, posting business-related Tweets for customers and prospects. To help manage the risks Twitter poses to employee productivity and confidential company information, 6% of employers have established formal rules to control personal Tweeting during business hours. Another 5% have instituted Twitter policies governing the posting of business-related Tweets.

Blog Policies Experience Tremendous Growth


Since 2006, there has been a huge surge in the number of companies operating business blogs: 19% in 2009 vs. 8% three years ago. Consequently, there has been a significant increase in the number of organizations that have implemented formal blog policies. There has been a 60% increase in the number of employers who have a policy governing employees' business blog use and content (67% in 2009, vs. 7% in 2006). In 2009, 30% reported having policies governing the operation of personal blogs on company time, versus 9% in 2006. Twenty-nine percent now have policies governing personal postings on corporate blogs, vs. 6% three years ago. Twenty-seven percent today have policies governing the content employees may post on their personal, home-based blogs, up from 7% in 2006. Anti-blog policies banning all blog use on company time (25%) have increased 20% in the past three years, up from 5% in 2006.

SmartPhones, Cell Phones & Texting Risks & Rules


Mindful that employees can easily use BlackBerries, iPhones, and SmartPhones to take business-related photos or videos, and then upload them to social networking sites, video sharing sites, or blogs, employers are applying policies to help manage mobile risks. Fully 51% have policies governing cell phone use and language. Another 30% have implemented text messaging rules.

While only 1% of organizations have battled lawsuits resulting from employees talking or texting while driving, 27% ban cell phone use while driving, and an additional 26% outlaw text messaging while driving.

Half of all employers surveyed have implemented policies governing the use of company-provided cell phones to take, transmit, download, or upload personal videos or photos that are not related to business.

E-Mail Continues to be a Source of Liability for Employers


In spite of the fact that 80% of organizations have written e-mail policies in place to govern use and content, e-mail continues to pose potentially costly litigation risks to business. Nearly a quarter (24%) of employers report that a court or regulatory body has subpoenaed employee e-mail. An additional 9% have gone to court to battle lawsuits that were specifically triggered by employee e-mail.

Part of the problem is a lack of employee education. Only 47% of employers train employees about e-mail risks, policies, and usage. Inappropriate content that can trigger lawsuits or serve as smoking gun evidence in litigation poses an additional challenge. Fully 89% of users admit to using the office system to send jokes, gossip, rumors, or disparaging remarks to outsiders. Another 9% report using company e-mail to transmit sexual, romantic, or pornographic text or images.

IM Is Turbocharged E-Mail-Complete with the Same Risks & Rules


Workplace IM use has grown to 42% in 2009, up from 35% in 2006. Like e-mail, IM poses potentially costly litigation risks. This year, 2% of employers were ordered by courts or regulators to produce employee IM-twice the number reported in 2006.

To help manage risks and protect electronic business records, 28% of employers have implemented IM policies and 72% have installed enterprise IM systems, vs. 50% three years ago. Unfortunately, 25% of employers are totally unaware of the fact that 34% of employees have downloaded free IM software from the Internet, putting company and customer data at tremendous risk as it travels across the public Internet, outside the organization's firewall and security system.

Personal Use & Productivity Concerns


Most (52%) employees spend up to two hours a day on e-mail, and another 20% devote four or more hours (half the workday) to e-mail, twice the figure (10%) reported in 2004. To help keep a grip on productivity, employers use policy to govern personal use of both the company's electronic business communication tools and accounts, and employees' own personal tools and accounts including e-mail, cell phones, texting, and social media during the workday.

Fully 83% of organizations have policy governing personal use of company-provided e-mail. Half (50%) of employers allow employees to use personal e-mail accounts during business hours. In addition, 36% provide policies governing personal use of company-provided IM.

Sixty-two percent have policy governing personal use of company-provided cell phones. Half of the organizations surveyed have policy governing use of company-provided cell phones to take, transmit, download, or upload personal photos or videos that are unrelated to business. Another 43% have set rules for personal cell phone use during business hours. On a related note, 35% have policy governing personal use of company-provided text messaging, and 33% offer rules to control the use of personal text messaging tools during business hours.

Netiquette Rules Encourage Civil Business Behavior


Concern for civil business behavior has motivated 40% of organizations to establish written e-mail etiquette (netiquette) policies. An additional 30% use netiquette rules to help guide employees' cell phone use and language.

Firing Employees for Electronic Misuse

Thanks to concerns over litigation, security breaches, lost productivity, and other risks, employers increasingly are putting teeth in their written electronic business communication policies. This year, 26% of organizations report firing employees for e-mail policy violations, vs. 14% in 2001. Another 26% terminated workers for Internet misuse in 2009. IM-related terminations (4%) have doubled since the 2% figure reported in 2006.

Misuse of social media and blogs also leads to terminations, with 2% dismissing workers for content posted on personal social networking sites (Facebook, MySpace, etc.); 1% for videos posted on video sharing sites (YouTube); 1% for content posted on employees' personal blogs; and another 1% for misuse of the corporate blog. In addition, 13% of companies review job applicants' social networking sites or personal blogs as part of the interview process, and 3% report that they have rejected job applicants on the basis of content posted on personal social networking sites or personal blogs.

When it comes to talking and texting, 6% of employers have fired workers for inappropriate cell phone use; 3% for text messaging policy violations; and another 2% have dismissed workers for talking on a cell phone or texting while driving.

Electronic Business Records & Legal Discovery


E-mail and other forms of electronically stored information (ESI) create the electronic equivalent of DNA evidence. As noted previously, 24% of organizations have had e-mail subpoenaed by a court or regulatory body, and 9% have battled lawsuits triggered by employee e-mail.

All organizations, regardless of industry, size, or status as a private or public company, are obligated to manage ESI in a strategic and compliant fashion. The 2009 Electronic Business Communication Policies & Procedures Survey reveals that employers are doing an increasingly better job of managing electronic business records.

In 2009, 34% of organizations report providing employees with a formal definition of "electronic business record," versus 21% in 2006. Today, 59% of users claim to know the difference between electronic business records and insignificant messages that don't rise to the level of a business record.

The number of organizations that have implemented e-mail retention policies and deletion schedules has risen to 51%, up from 34% just three years ago. In addition, 6% of companies are now retaining and archiving text messages transmitted via company-provided cell phones.

Of the 38% of survey respondents who perform a job function that is governed by government or industry regulators, 61% report adhering to regulatory requirements governing e-mail usage, content, and record retention.

FINDINGS


Workplace E-Mail


Q. Does your organization have a written e-mail policy governing use and content?
  • Yes - 80%
  • No - 16%
  • Don't Know - 4%
Q. If yes, what type of transmissions does your organization's e-mail policy cover? (Check all that apply.)
  • External e-mail (incoming and outgoing) - 88%
  • Internal e-mail (sent internally among employees) - 79%
  • Don't Know - 9%
Q. Does your organization have a written netiquette (e-mail etiquette) policy in place?
  • Yes - 40%
  • No - 49%
  • Don't Know - 10%
Q. Does your organization formally train employees about e-mail risks, policy, and usage?
  • Yes - 47%
  • No - 50%
  • Don't Know - 4%
Q. Has your organization ever been ordered by a court or regulatory body to produce employee e-mail? In other words, has employee e-mail ever been subpoenaed?
  • Yes - 24%
  • No - 38%
  • Don't Know - 38%
Q. Has your organization ever battled a workplace lawsuit triggered specifically by employee e-mail (sexual harassment/discrimination; racial harassment/discrimination; hostile work environment claim, etc.)?
  • Yes - 9%
  • No - 42%
  • Don't Know - 50%
Q. Have you ever sent an e-mail from work to an outside party containing any of the following content? (Check all that apply.)
  • Jokes, gossip, rumors, or disparaging remarks - 89%
  • Confidential/proprietary information about the company, its people, products, plans, etc. - 14%
  • Potentially embarrassing or "eyes only" company e-mail intended strictly for internal readers/employees, not outsiders - 14%
  • Sexual, romantic, or pornographic text or images - 9%
  • Customers' confidential financial data (credit card numbers, social security numbers, etc.) - 6%
  • Patients' protected health information (health status, medical care, payment issues, etc.) - 6%

Instant Messaging


Q. Do you use instant messaging (IM) at work?
  • Yes - 42%
  • No - 58%
Q. If the answer is yes, what type of IM tool do you use? (Check all that apply.)
  • Employer-provided IM system (enterprise IM) - 72%
  • Free IM software downloaded from the Internet - 34%
Q. If you are using a free IM tool that you downloaded, is your employer aware?
  • Yes - 52%
  • No - 25%
  • Don't Know - 23%
Q. Does your organization have a written IM policy governing use and content?
  • Yes - 28%
  • No - 48%
  • Don't Know - 24%
Q. Has your organization ever been ordered by a court or regulatory body to produce employee IM? (In other words, has employee IM ever been subpoenaed?)
  • Yes - 2%
  • No - 45%
  • Don't Know - 53%

Blogging


Q. Does your organization operate a corporate blog?
  • Yes - 19%
  • No - 69%
  • Don't Know - 12%
Q. Does your organization post comments from customers and other outsiders on its corporate blog?
  • Yes - 13%
  • No - 63%
  • Don't Know - 24%
Q. Does your organization assign a lawyer or other responsible party to review employee-bloggers' content pre-post?
  • Yes - 3%
  • No - 54%
  • Don't Know - 43%
Q. Does your organization assign a lawyer or other responsible party to review third-party comments prior to posting?
  • Yes - 4%
  • No - 50%
  • Don't Know - 46%
Q. Has your corporate blog triggered a legal claim (copyright infringement, invasion of privacy, sexual harassment, trade secret theft, hostile work environment, etc.)?
  • Yes - 1%
  • No - 54%
  • Don't Know - 45%
Q. What type of written blog rules and policies does your organization have in place? (Check all that apply.)
  • Policy governing employees' business blog use and content - 67%
  • Policy governing operation of personal blogs on company time - 30%
  • Policy governing personal postings on corporate blogs - 29%
  • Rules governing the content employees may post on their personal, home-based blogs - 27%
  • Anti-blog policy banning blog use on company time - 25%

Twittering


Q. Does your organization have a Twitter policy governing the posting of business-related Tweets?
  • Yes - 5%
  • No - 69%
  • Don't Know - 26%
Q. Does your organization have a Twitter policy governing the posting of personal Tweets during business hours?
  • Yes - 6%
  • No - 66%
  • Don't Know - 27%
Q. Does your organization use Twitter as a marketing/communications tool, posting business-related Tweets for customers and prospects?
  • Yes - 10%
  • No - 62%
  • Don't Know - 29%
Q. Do your company executives Twitter on ExecTweets.com?
  • Yes - 2%
  • No - 47%
  • Don't Know - 51%
Q. If the answer is yes, what are the company executives Twittering about? (Check all that apply.)
  • Business-focused topics - 90%
  • Personal, non-business-related topics - 50%

Social Networking & Video Sharing


Q. Does your organization have rules and policies in place that govern the use of social networking sites and video sharing?
  • Policy governing the exposure of company secrets/confidential information, company/ customer financial data, business-related rumors/gossip on a business-related or personal social networking or video sharing site - 61%
  • Policy governing viewing, uploading, and downloading videos to video sharing sites (YouTube) during working hours - 54%
  • Policy governing the use of personal social networking sites (Facebook, MySpace) during working hours - 46%
  • Policy governing the use of words, photos, signage, uniforms, logos, or any other means to identify yourself as an employee of the company on a personal social networking site or video sharing site - 43%
  • Policy governing discussions about the company on business-related networking sites - 41%
  • Policy governing the uploading of business-related photos or videos to personal social networking or video sharing sites - 40%
  • Policy governing the use of business-related networking sites (LinkedIn) during working hours - 32%
Q. Does your organization review job applicants' social networking (Facebook, MySpace) sites or personal blogs as part of the interview process?
  • Yes - 13%
  • No - 34%
  • Don't Know - 53%
Q. Has your company ever rejected a job applicant on the basis of the content posted on the applicant's social networking site or personal blog?
  • Yes - 3%
  • No - 31%
  • Don't Know - 66%

Cell Phones & Texting


Q. Does your organization have in place rules and policies that govern the use of cell phones and text messaging?
  • Policy governing cell phone use and language - 51%
  • Policy governing the use of company-provided cell phones to take, transmit, download, or upload personal videos or photos that are not related to business - 50%
  • Policy governing cell phone netiquette (electronic etiquette) - 30%
  • Policy governing text messaging use and content - 30%
  • Policy banning cell phone use while driving - 27%
  • Policy banning text messaging while driving - 26%
Q. Has your organization ever battled a lawsuit resulting from a car crash caused by an employee who was talking or texting while driving?
  • Yes - 1%
  • No - 49%
  • Don't Know - 51%

Personal Use of Electronic Tools


Q. Does your organization have rules and policies in place that govern the personal use of company equipment?
  • Policy governing personal use of company e-mail - 83%
  • Policy governing personal use of company-provided cell phones - 62%
  • Policy governing personal cell phone use during working hours - 43%
  • Policy banning visits to personal social networking sites or video sharing sites during working hours - 43%
  • Policy governing personal use of company-provided IM - 36%
  • Policy governing personal use of company-provided text messaging - 35%
  • Policy governing use of personal text messaging tools during working hours - 33%
Q. Does your organization allow the use of personal e-mail accounts (Gmail, Yahoo, etc.) during business hours?
  • Yes - 50%
  • No - 34%
  • Don't Know - 15%

Terminations & Policy Enforcement


Q. Has your organization ever fired an employee for any of the following reasons?
  • E-mail misuse/policy violation - 26%
  • Internet misuse/policy violation - 26%
  • Inappropriate cell phone use/policy violation - 6%
  • IM misuse/policy violation - 4%
  • Inappropriate text messaging/policy violation - 3%
  • Content posted on an employee's personal social networking site (Facebook, MySpace) - 2%
  • Talking or texting on a cell phone while driving - 2%
  • Content posted on an employee's personal blog - 1%
  • Misuse of the corporate blog - 1%
  • Videos posted by an employee on a video sharing site (YouTube) - 1%

Productivity


Q. On a typical workday, how much time do you spend on e-mail?
  • 0-59 minutes - 13%
  • 60-89 minutes - 17%
  • 90 minutes-2 hours - 22%
  • 2-3 hours - 18%
  • 3-4 hours - 10%
  • 4+ hours - 20%
Q. What percentage of the e-mail you send/receive is personal, not business related?
  • 0%: 15%
  • 1-10%: 79%
  • 11-25%: 5%
  • 26-50%: 1%
  • 50%+: 1%

Electronic Business Records & Discovery


Q. Has your organization provided employees with a formal definition of "electronic business record"?
  • Yes - 34%
  • No - 48%
  • Don't Know - 18%
Q. Do you know the difference between an electronic business record (business-critical e-mail, IM, other electronically stored information) and an insignificant message that is not a business record?
  • Yes - 59%
  • No - 30%
  • Don't Know - 11%
Q. Does your organization have a written e-mail retention policy and deletion schedule in place?
  • Yes - 51%
  • No - 33%
  • Don't Know - 16%
Q. Does your organization retain and archive text messages transmitted via company-provided cell phones?
  • Yes - 6%
  • No - 40%
  • Don't Know - 54%
Q. Do you perform a function that's governed by government or industry regulators?
  • Yes - 38%
  • No - 52%
  • Don't Know - 11%
Q. If yes, do you adhere to regulatory requirements governing e-mail usage, content and record retention?
  • Yes - 61%
  • No - 10%
  • Don't Know - 30%

Demographic Questions


Number of survey respondents - 586

Number of employees per company
  • 100 or fewer - 24%
  • 101-500 - 22%
  • 501-1,000 - 10%
  • 1,001-2,500 - 8%
  • 2,501-5,000 - 8%
  • More than 5,000 - 29%
Industry That Best Describes Your Organization
  • Business/Professional Services - 23%
  • Financial Services - 13%
  • General Services - 2%
  • Manufacturing - 17%
  • Public Administration - 5%
  • Wholesale/Retail - 5%
  • Other - 36%
The 2009 Electronic Business Communication Policies & Procedures Survey is co-sponsored by American Management Association (www.amanet.org) and The ePolicy Institute (www.epolicyinstitute.com). A total of 586 companies participated: 24% represent companies employing 100 or fewer workers, 101-500 employees (22%), 501-1,000 (10%), 1,001-2,500 (8%), 2,501-5,000 (8%) and 5,001 or more (29%).

The 2009 Electronic Business Communication Policies & Procedures Survey questionnaire was designed by American Management Association and The ePolicy Institute's Nancy Flynn, author of The e-Policy Handbook, 2nd Edition (AMACOM 2009), Blog Rules (AMACOM 2006), Instant Messaging Rules (AMACOM 2004), and E-Mail Rules (AMACOM 2003). Comparative numbers drawn from the 2006 Workplace E-Mail, Instant Messaging & Blog Survey; 2004 Workplace E-Mail and Instant Messaging Survey; and 2001 Electronic Policies and Practices Survey from American Management Association and The ePolicy Institute.

Media wishing to receive a review copy of Nancy Flynn's newest book, The e-Policy Handbook, 2nd Edition (AMACOM 2009), should contact AMACOM's Irene Majuk (212/903-8087 or imajuk@amanet.org). Contact American Management Association's Roger Kelleher (212/903-7976 or rkelleher@amanet.org) or the ePolicy Institute's Nancy Flynn (614/451-3200 or nancy@epolicyinstitute.com) for interviews.