Does an employee's use of email affect compliance with Sarbanes-Oxley?

February 21, 2008 at 9:09 pm

According to an article written by Paul Chen for the Sarbanes-Oxley Compliance Journal, the answer is absolutely. Chen discusses how “with regulations like SOX in place, organizations must take special precautions to ensure their employees do not send and receive damaging emails via their workplace account.” However, citing a recent survey on corporate email usage conducted by Harris Interactive, Chen says that “nearly half the people polled say they have sent or received jokes, comical pictures/videos, and stories of a questionable tone, while one in five say they have sent or received a password or log-in information via email.” Amazingly, Chen says that the survey also found that “92% of these employees do not believe that they have ever sent a risky email, which demonstrates that there is a substantial discrepancy between perceived and actual risks posed by email exchange.”

The Sarbanes-Oxley (SOX) Act, as described by Chen, requires all public companies to retain their business records, including email, for at least five years. Since Sarbanes-Oxley does NOT specify which documents are relevant and which are not, the practice of email retention is significant for all public companies. Businesses cannot afford to preserve only select electronic communications.

With that being said, I have several questions regarding the survey conducted by Harris Interactive. If the survey results are truly accurate, what does this say about company email policies? Are organizations effectively communicating the use of business email for personal reasons? How about what language is considered proper? Or how about the tolerance of humor? And if a company DOES have this policy circulating around, then why are so many employees ignoring it? Apathy? No fear of consequences? The survey results say that nearly all the employees polled do not believe that they have ever sent a risky email. Therefore, it seems that most employees are not even aware that they are doing anything wrong.

I believe that companies need to lay out specific rules within the employee email policy and hold review sessions to make sure that the rules are being followed. Additionally, I think that consequences are necessary and should be mandatory to enforce the rules. With SOX email compliance such a crucial item on the business agenda, more companies should be taking the time to make sure that their employee email policy is stringently regulated.
