If you don’t have one, then the first step on your road to creating one is to get some understanding of the rules and regulations governing your business, and by extension, your use of email. The heavy hitters in this area are:
PCI DSS (Payment Card Industry Data Security Standard) – outlines how cardholder data is to be transmitted, and under what circumstances.
GLBA (Gramm-Leach-Bliley Act) – governs the policies and technologies to be used to secure the confidentiality of stored or transmitted customer records.
S-OX (Sarbanes-Oxley Act) – requires companies to establish internal controls, and to properly track and report financial information.
HIPAA (Health Insurance Portability and Accountability Act) – Governs the storage and transmission of patient health information and personally identifiable patient information.
Once you’ve got a good sense of what rules you’re playing by, you’ll need to assess the information you hold to see which particular bits should be deemed confidential, then set strict limits on who has access to that information and create rules governing its transmission. These rules will also govern whether such information must be encrypted during transmission.
After that, you’ll need to put tracking and enforcement mechanisms in place and, most importantly, educate your users on the importance of abiding by the new policies. Unfortunately, this last step is often skipped or skimped on, yet it is actually the most critical to the success of whatever policy you implement.