Your company may be headed for E-mail disaster, according to a survey released Tuesday--and the problem has nothing to do with spam.

In spite of the growing scrutiny of E-mail by business regulators and the courts--which increasingly demand E-mail messages to determine compliance or during the discovery phase of lawsuits, most businesses do a poor job of managing their E-mail and are poorly prepared to respond to requests for records.

That's the stark conclusion of a joint survey done by the American Management Association, the ePolicy Institute, and Clearswift, a messaging security and management vendor.

According to the 2003 E-Mail Rules, Policies, and Practices Survey, corporate America is staring at more demands for E-mail records than ever before. In a similar survey two years ago, only 9% of U.S. companies reported that they'd been ordered by a court or regulatory to produce employee E-mail. That number is now 14%--about one out of every seven companies.

"It's standard operating procedure that E-mail will be discovered during a lawsuit, either to be used against you or for your own defense," said Nancy Flynn, the executive director of the ePolicy Institute, an E-mail consulting and training firm.

Yet most companies fail to prepare for the time when lawyers and regulators come banging on their door. Of the 1,100 U.S. companies polled, only 34% have a written E-mail retention and deletion policy in place. That's no more than two years ago, months before several Wall Street firms were nailed last December with an $8.3 million fine for not retaining E-mail.

"Employers have made no progress in covering E-mail retention and deletion," said Flynn, "even though whenever you pick up a paper or turn on the TV, it seems you see a story of yet another high-profile organization that's in trouble because of its E-mail.

"The majority of employers are in the situation that when a lawsuit hits, they're scrambling [to produce E-mail records]. They're just not prepared. They may have the necessary documents to defend themselves, but it may take them too long to uncover them. And courts aren't always patient."

Not only are most companies unprepared with something as straightforward as a written retention-deletion policy, some companies that have one don't bother to educate their workers on the policy, its implications, and their part in the process. Only 27% of companies conduct E-mail retention-deletion training, the survey reported. "You can't expect [employees] to understand and comply unless you educate them," Flynn said.

The potentially most damaging E-mail typical comes from internal messages, not those sent outside the organization, added Flynn. While the survey showed that 90% of companies deploy software to watch incoming and outgoing mail, just 19% monitor the content of internal messages. "Off-the-cuff, casual E-mail conversations among employees are exactly the type of messages that tend to arm prosecutors with damaging evidence," she said.

The bottom line for businesses, Flynn said, is that they must establish rules, educate workers on those rules, and enforce them with a combination of personnel oversight and software tools--regardless of the industry or the number of employees. She recommended that all companies not only follow these guidelines, but put those E-mail rules in writing and require every worker to sign and date a copy to acknowledge receiving and understanding them.

"It has to be done. If you don't put a policy in place, you're putting your company's assets, future, and reputation at risk," Flynn concluded.