If you have an e-policy, make sure people know about it. Educate your employees and provide examples of risk. Follow up periodically; you don't want the e-policy to be out of sight and out of mind. The National Federation of Independent Business recommends placing the email policies in employee contracts so there is a signed agreement, and having monitoring notice appear whenever employees log on.

Sometimes instituting an e-policy isn't enough to protect your organization from legal woes. I recommend backing up that policy with an automated archiving tool to keep your company protected from potential productivity, privacy and legal issues.

Archiving
Are you a paranoid archiver who saves everything or a selective archiver who saves specific material and/or purges the archive periodically?

Depending on the business you are in, you'll want to develop an appropriate archiving strategy and purchase an archiving product that meets your company's needs. For example, SEC (the U.S. Securities and Exchange Commission) Rule 17a-4 requires that all financial institutions retain electronic documents -- including email and instant messaging -- for at least six years. Of course, if you're outside the U.S., your regulations may be different, but more and more countries are establishing similar record-keeping regulations.

Many companies institute an archiving policy (as part of the email management section of the e-policy) that tells employees what to save, how to categorize files, where to store information, and where and how to destroy files.

I recommend purchasing an archiving product with multi-criteria rules to ensure retention, reduced risk and optimized performance. Some products just allow single criteria archiving (i.e., Bob's email goes into storage location A) but multi-criteria rules allow flexibility to meet the needs of an e-policy (i.e., Bob's email related to finance goes into storage location A and his email related to sales goes into storage location B).

You'll also need this flexibility, since e-policies vary from company to company, sometimes from division to division and even from day to day. For example, New York law firm Fish & Richardson has several policies from regular attachment extensions blocking and spam filtering to message and mailbox size limits. Oklahoma State Regents is developing an e-policy to work in conjunction with the Open Records Act. Willkie Farr & Gallagher's e-policy requires removing email from the system after a certain number of days.

E-policy enforcement is at the heart of all best practice email user organizations. Dale Holley, network engineer at Sartomer in Exton, PA, sums it up well: "I used to think that e-policies were implemented to enforce controls and change everyday practices. I now see them more as a legal protection. We don't spend time monitoring user's inboxes and scolding them for noncompliance. Instead, if a user files a complaint concerning illicit or offensive content, we take appropriate action to block it if possible, hand the case over to HR when prudent, and rest assured that the e-policy absolves us of complicity."

Email risks Don't have an e-policy yet? Here's just a few reasons why your organization should: An inappropriate email can lead to a sexual harassment or hostile work environment lawsuit. When two employees are discussing a product defect, such as the harmful side effects of a medication, the email can become evidence in a class action lawsuit. Emails between a supervisor and an employee (or two co-workers) may be important in a wrongful termination lawsuit. Did the Sobig virus hit your organization? It might not have if an e-policy was in place. Theft of confidential data and sabotage are made easy, thanks to email.

Dave Hunt is the CEO at C2C Systems Inc., a leading provider of email lifecycle management solutions for Exchange. He can be reached at dave.hunt@c2c.com.