
Back to Basics: How to Write a Company Email Policy

INTRODUCTION

Every company needs an email policy.  This is to protect employees as well as the firm. 

The purpose of an email policy is to set proper expectations with your employees.  What are the rules and guidelines regarding email and what happens if you ignore the rules?

The email policy should be written and reviewed with the employee at the time of employment.  You can add a place for an employee signature if required.

Implementing a comprehensive email policy is crucial for strengthening your cybersecurity defenses and safeguarding sensitive information.

DISCLAIMER: I am not a lawyer; any legal policy you implement at your company should be reviewed and signed off by your legal team.  The following are merely guidelines and sample text to help you create your own email policy.

TYPICAL SECTIONS INCLUDED IN AN EMAIL POLICY

INTRODUCTION

The introduction should state the purpose and reason for having and enforcing an email policy.  It should state the business purpose of email and explain the need for an email policy.

SAMPLE TEXT

[COMPANY] Email Policy [version or date]

Date

[COMPANY] provides email to all authorized employees. Email is a business tool to help [COMPANY] employees serve our customers, communicate with vendors, streamline internal communications and reduce unnecessary paperwork. The email system is intended primarily for business purposes. This email policy outlines the acceptable use of business email for [COMPANY].

EMAIL OWNERSHIP AND PRIVACY

This section explains that the Company owns the email and the email systems.  The company can access email for ANY reason, and the employee has NO expectation of privacy.  Email is a company-owned tool (like your desk and PC), and the employer can access any email at any time for any reason.

Employees must realize email is not private.  If required, email access can be cut off and all email sent and received may be restricted for any reason.  This is very important in the case of harassment accusations or lawsuits.

SAMPLE TEXT

All communications and information transmitted, received, or archived in [COMPANY]’s computer system belongs to the company. Management has the right to access and disclose all employee email messages transmitted or received via the organization’s computer system. [COMPANY] may exercise its legal right to monitor employees’ email activity. Regarding email, employees should have no expectation of privacy. Be aware management may access and monitor email at any time, for any reason, with or without prior notice.

EMAIL USAGE GUIDELINES

This section outlines the basic use and guidelines for company email.  It discusses email etiquette and stresses the business use of email.  It should remind employees to abide by all corporate standards, including logos, signatures, and copyrights.  You should warn about the use of CC and BCC and the risk of inadvertently sharing email addresses in a group email.  You should caution against inappropriate language and tone and explain what to do if you receive an email that does not conform to these guidelines.  Employees should be told that sending confidential or sensitive information over email is not secure.  They should never include user names, passwords or other client or personal information in an email.

SAMPLE TEXT

Exercise sound judgment and common sense when sending email messages. Client-related messages should be carefully guarded and protected, like any other written materials. You must also abide by copyright laws, ethics rules and other applicable laws. Exercise caution when sending blind carbon copies (BCC) and carbon copies (CC) to ensure you don’t violate addressees’ privacy by inadvertently sharing email address information.  

Email usage must conform to [COMPANY]’s harassment and discrimination policies. Messages containing defamatory, obscene, menacing, threatening, offensive, harassing, or otherwise objectionable and/or inappropriate statements and/or messages that disclose personal information without authorization will not be tolerated. If you receive this type of prohibited, unsolicited message, do not forward it. Notify your supervisor, the HR department, and the Director of Information Technology about the message. Handle the message as instructed by management.

EMAIL MISUSE AND ABUSE

Email should not be used for frivolous purposes.  Company email should not be used to share jokes or other inappropriate or suggestive content (pornography).  Also, include a warning about sending firm-wide (ALL STAFF) email.  I have seen firm-wide email regarding after-hour parties/outings and lost and found items sent using ALL STAFF distribution lists.  This is not a good use of the company’s resources and should be avoided.

SAMPLE TEXT

E-mail messages should be treated as formal business documents, written in accordance with [COMPANY]’s correspondence guidelines. E-mail creates a permanent and documented communication and must not be treated casually.

Employees are prohibited from sending jokes, rumors, gossip, or unsubstantiated opinions via email. These communications, which often contain objectionable material, are easily misconstrued when communicated electronically. Employees should not waste [COMPANY]’s computer resources or colleagues’ time.

Send email messages and copies only to those with a legitimate need to read your message. Chain messages, jokes and large graphics should be deleted, not forwarded, as they can overload the system.  Use Reply All ONLY when you need to reply to everyone on the email thread. Sending reply email with just the word “Thanks” or “Thank You”, especially to an entire group (Reply All) is courteous but usually not necessary.  

Employees are prohibited from sending firm-wide email messages to All Staff without prior authorization and this practice is limited to only necessary correspondence. In addition, employees are prohibited from requesting replies to firm-wide email without prior authorization. Sending firm-wide email is generally discouraged.

Misuse and/or abuse of [COMPANY]’s electronic assets (wasting productive time online, copying or downloading copyrighted materials, visiting inappropriate sites, sending inappropriate/abusive email messages, etc.) will result in disciplinary action, up to and including termination.

Please address any questions or concerns regarding firm-wide email to the Director of IT or the Director of HR.

EMAIL RETENTION AND BACKUP

Email should be retained according to the company’s Document Management guidelines and legal requirements.  Your policy should explain the difference between “record” email and “non-record” email, email that should be saved versus email that can be discarded. In this section, you can also explain the means and limits of email backup.  Depending on your legal requirements and the type of email, you need clear standards explained for saving and deleting email.

Many companies deliberately delete non-record email.  When email is backed up, depending on your backup system, you may not have the ability to retrieve individual emails for each account.  Employees need to understand the limits of the email backup and retrieval and plan accordingly.

SAMPLE TEXT

All email messages (whether in electronic form or printed) with an ongoing legal, compliance, business, or project value (considered a “business record”) must be retained in accordance with the company’s records management policies and applicable retention schedules. Project related email, particularly critical project email, such as milestone progress reviews and approvals and scope changes must be filed using the [name of email archiving or filing software’s] filing system.

(See the most recent Records Retention Policy for further information.)

It is the responsibility of every email user to maintain and retain email records (defined as any email having an ongoing legal, compliance, business, operational, project or historical value) like all other records, in accordance with the company’s retention policies.

Project electronic files are regularly backed up and retrievable. Email accounts are not typically permanently backed up or retrievable except in the case of disaster recovery. For this reason, it is essential that all important project-related email is transferred to the network project folders on a regular basis using the [name of email filing software] program.

To maximize the operating efficiency of the company’s email system and to minimize the storage costs associated with retaining large volumes of unnecessary email, every employee has a limited amount of email storage in their email account. Requests for additional space will be considered on a case-by-case basis.  Keep your email storage cleaned out and up to date. [describe the email storage limits if any]

Email will be backed up daily for disaster recovery purposes only and will thereafter be retained for [X] months. The company is not able to restore individual email messages. If you are unable to access your email account for more than 14 days, please contact IT or HR to make arrangements for your email account during your absence.

All copies of non-record email (those with no ongoing legal, compliance, business, operational, project or historical value) can be deleted, and paper printouts of such messages disposed of, when no longer needed.

Non-record email messages include, but are not limited to, administrative email (such as an invitation to the company holiday party or a meeting notice); they do not need to be retained as a company record according to the records retention schedule. Such messages only need to be kept if they are needed to conduct business. Failure to dispose of such messages wastes valuable company computer resources and employee time. However, if you would retain the message had it been sent in paper form, then you should retain record copies of the email transmission. Email can be archived electronically using [email archive software]. Please see IT for instructions on archiving email.

You should, unless otherwise directed:

  1. Purge drafts and non-record email messages immediately when no longer needed.
  2. Purge convenience or reference email copies immediately when no longer needed.
  3. Purge duplicate email immediately when no longer needed.

PERSONAL USE OF EMAIL / OPINIONS / PERSONAL VIEWS / SOLICITATION

Employees will unavoidably use their company email for personal reasons.  While almost everyone has a personal email account, inevitably there will be an intermingling of personal email and work email.  Employees corresponding with each other may by default use the company email rather than a personal email.  They may not even know each other’s personal email address.

Recognizing this will happen, you should include language in your email policy to describe the acceptable personal use of company email.  If it is 100% prohibited, you should say that.

SAMPLE TEXT

[COMPANY]’s electronic mail service is reserved primarily for business use. All users should consider this in their decision to use the firm’s email services for personal purposes.

Employees may use [COMPANY]’s email service for incidental personal reasons with the following guidelines:

  1. Communication with non-business contacts is permitted but should be minimized during business hours.
  2. Employees are also free to correspond during the lunch hour and other break times. Personal email should not interfere with the email user’s employment or other obligations and responsibilities to the firm.
  3. Personal email communication that exceeds the limits outlined above is prohibited unless justified by family emergency or otherwise specifically authorized by [COMPANY]’s Human Resources Director. Personal email should not directly or indirectly interfere with the firm’s operation of computing facilities or electronic mail services or burden the firm with noticeable additional cost.
  4. The use of [COMPANY]’s email system to solicit for any purpose, campaign for a political candidate, espouse political views, promote a religious cause, and/or advertise the sale of merchandise is strictly prohibited.
  5. Personal email usage must also conform to [COMPANY]’s harassment and discrimination policies.
  6. Company email should be used to sign up for online training or when creating accounts or downloading information that requires an email address AND is company or business related.

SECURITY / TRADE SECRETS / PERSONAL INFORMATION / VIRUSES

This section discusses email security.  Users are required to use secure passwords and change their password often.  Include a warning about sending personal information or trade secrets via email.  Email (unless encrypted) is not secure, and employees should know that any sent email can be intercepted or read.  Phone and snail mail are both more secure than email.  Finally, warn employees about opening email they do not recognize or are not expecting.  Most email systems have SPAM and virus protection, but occasionally something will slip through.  Employees need to think before opening email, and if they suspect an email, they need to know what to do with it and who to notify.


SAMPLE TEXT

Email passwords are the property of [COMPANY]. Employees are required to provide the Director of Information Technology with current passwords upon request. Only authorized personnel are permitted to access another employee’s email without consent. Misuse of passwords, the sharing of passwords with non-employees, and/or the unauthorized access of another employee’s password or mailbox for any reason will result in disciplinary action, up to and including termination.  You should change your password at least 4 times a year (or according to company policy) and use strong passwords which include upper and lower case letters, numbers and symbols.  Do not write passwords down; keep them secure.

Security is difficult if not impossible to achieve in the electronic age. Confidential or personal information should never be sent via email, because it can be intercepted. This includes the transmission of client information, Social Security numbers, employee health records, proprietary data and trade secrets, or other confidential material. When sending sensitive material (or any message, for that matter), employees should use extreme caution to ensure the intended recipient’s email address is correct.  Email is not secure; if you have sensitive information that needs to be transmitted, see IT for alternate ways to secure your communications.

Be careful when opening email with attachments.  While [COMPANY] has email SPAM and virus filtering, there is a possibility that a malicious link or new exploit can bypass our system.  If you receive strange messages or unexpected email from someone, use caution and common sense before opening.  When in doubt, contact the sender to verify the email is legitimate and safe.  If you accidentally open an unknown file or click on an unsafe link, notify IT as soon as possible so they can determine whether it was safe.

QUESTIONS / WHO TO ASK / SIGNATURE LINE AND DATE

Finally, let staff know who to contact if they have questions or concerns.  When reviewing this policy with a new employee or introducing an email policy for the first time, you can include a signature line to state the employee has received and read the email policy.

SAMPLE TEXT

If you have any questions about the above policies, please address them to the Director of Information Technology or Human Resources Director.

I, [Employee Name], have received and read [COMPANY]’s Email Policy [version or date].

_________________________ Signature

_____________ Date

I hope this article has convinced you that every company needs an email policy.
