The electronic mail (e-mail) systems provided by or used at True Value Company are intended to assist employees and vendors in carrying out corporate business by facilitating communication between individuals and work groups. The intent of this Policy and its Standards is to address the use of, access to, review, and disclosure of e-mail messages transmitted through True Value's systems.

Corporate e-mail systems are to be used for True Value related business purposes only. True Value treats all e-mail messages sent, received, and/or stored in its systems as corporate records. Corporate e-mail systems must not be used to continue, distribute, or circulate chain letters and inappropriate/offensive content.

True Value does not assure any personal right of privacy for any e-mail message or document transmitted through the use of corporate equipment or systems. True Value reserves the right to access all e-mail messages transmitted through corporate equipment or systems, without prior notice, and to disclose the message to any person or entity that True Value deems appropriate. True Value retains the right to determine the acceptable use of its e-mail systems.

E-mail messages are company records. The content of e-mail, properly obtained for legitimate business purposes, may be disclosed within the Company without user permission. Therefore, it should not be assumed that messages are confidential. Backup copies of e-mail messages may be maintained and referenced for business and legal reasons.

The Company may inspect the contents of electronic messages:

•  In the course of an investigation triggered by the indication of impropriety, as necessary to locate substantive information that is not readily available by some other means
• In the process of correcting a problem with a respective electronic mail tool where no other alternative is available
• At any time the Company deems it necessary

Requests to access the content of electronic mail messages must be approved in advance by the Sr. V.P. of Human Resources.

The use of e-mail to transmit any message or file whose content violates any True Value Policy or state or federal law is prohibited.

Examples of prohibited use include, but are not limited to:

• Communications that contain defamatory, sexually-oriented, obscene, offensive, threatening, or harassing language, pictures and/or videos
• Files that contain copyrighted materials for which required permission to use or distribute was not obtained

Incidental use of the e-mail systems to transmit messages of a personal nature will be treated by True Value no differently than True Value related business e-mail messages.

Local copies of a user's GroupWise mailbox should have the password set. This will prevent somebody from opening the local mailbox without knowledge of the user's GroupWise password. The local mailbox contains a replicated copy of the user's GroupWise mailbox and calendar.

The True Value mail system can send and receive Internet mail messages. Unauthorized use of external mail services (examples: AOL mail, MSN mail, CompuServe mail) for company correspondence is expressly forbidden (authorization must be obtained from Information Security in World Headquarters). To use Internet electronic mail appropriately, the following must be done:

•  Treat all information put into Internet electronic mail as if it were publicly available information. Internet electronic mail is susceptible to interception, redirection, or loss. As a result, electronic mail through the Internet must not be used as a secure method of communications for sensitive information.
•  Treat all electronic mail correspondence as if it is a potential record that can be used in litigation. (Legal precedents exist where electronic mail has been subject to discovery in lawsuits.) Do not put information in Internet electronic mail correspondence that you would not put on True Value letterhead paper correspondence.

E-mail must NOT be used on the Internet to:

• Develop business processes that depend on guaranteed or reliable message delivery through the Internet unless the inherent unreliability of the Internet is accounted for in the process. Internet electronic mail is frequently delayed or lost and can not be counted on as a totally reliable message delivery system
• Send or receive information with inappropriate humor or graphics. Use of electronic mail on the Internet must be in accordance with other True Value Company policies
• Distribute chain letters
• Distribute personal opinions that do not reflect the stated position of True Value
• Distribute information that may be sensitive to True Value

E-mail and electronic scheduling are excellent tools for communicating, sharing documents, and scheduling meetings. These tools can reduce the time required to share information and enhance business processes. However, information transmitted via e-mail can be vulnerable to a variety of security and confidentiality threats. Additional considerations when using e-mail include:

• Erasing a message from personal files does not necessarily erase all copies of the message. The message may have been forwarded, printed, or archived and may be stored for substantial periods of time
• Federal law does not establish a general right to privacy in the work place
• E-mail can be connected by gateways to other e-mail systems
• E-mail may include attachments in electronic form and may be saved as files in a directory that is not encrypted
• Computer viruses can be spread via e-mail systems
• E-mail messages can be "blind copied" to other e-mail users (E-mail can be forwarded without all recipients names displayed on the message).

Local Area Network (LAN) and e-mail administrators are responsible for:

• Implementing safeguards that ensure proper use of e-mail systems and the protection of Corporate information
• Purge e-mail after 1 year. E-mail messages, attachments, and calendars use shared resources that must be used efficiently.

Department managers are responsible for:

• Ensuring that all employees and service providers comply with this Policy and its related Standards
• Notifying the HR department of terminated and transferred employees
• Notifying the Information Systems Security Administration of terminated consultants and/or external providers who were allowed email access to the corporate network.  
• Approving extended access to terminated consultants and/or external providers who were allowed email access and notifying Information Systems Security Administration of such request.  Extended access will be limited to 2 weeks after formal notification of termination or account expiration. Requests for extended access to a deactivated/expired account must be approved V.P. of the business area requesting the extension.  

HR Department is responsible for:

• Notifying the Information Systems Security Administration office of terminated and transferred employees.
• Approving extended access to deactivated employee email upon management request and notifying Information Systems Security Administration of such request.  Extended access will be limited to 2 weeks after formal notification of user deactivation.  Requests for extended access to a deactivated account must be approved Sr. V.P. of Human Resources.

User responsibilities are to:

• Comply with all company policies and standards
• Exit or password-protect their workstation when it is left unattended
• Delete or archive e-mail messages within a reasonable period of time. E-mail messages, attachments, and calendars utilize disk space that is shared among many other users and must be treated as a shared resource
• Use e-mail consistent with its intended purpose. Do not use e-mail as a replacement for file transfer utilities. Attachments should be a business document of a reasonable size, not data files
• Change passwords in accordance with Corporate standards
• Use e-mail consistent with its intended purpose. Do not use an e-mail account assigned to another individual to either send or receive messages. Use features/facilities such as message forwarding to allow others read access to personal mail messages

See Chapter 6 Access Controls for more information on password security standards.

See Chapter 3 for additional standards related to the e-mail over the Internet.

See Appendix E: Laptop Security for more information on securing PCs and laptops.