The legal traps of e-mail
(IDG) -- The public display of corporate e-mail in Microsoft's antitrust trial may have made employees across corporate America realize that private e-mail messages don't always remain that way. But this publicity is not enough to educate employees about the proper use of e-mail.
To protect themselves against a host of legal problems, experts say, companies need clear policies on e-mail use. The policies should cover everything from how long to keep old messages to who can read other people's messages -- and IT managers need to be part of the team that creates and enforces them.
The legal issues raised by e-mail are not new ones. What is new is determining how old laws apply to e-mail -- and educating employees about the subject.
"People say the most incredible things on e-mail," says Jim Bruce, a partner at the law firm of Wiley Rein & Fielding, in Washington. "The power of e-mail is in a sense its own downfall, because it's so easy to transmit and collect."
According to a study commissioned by Cambridge, Mass.-based Elron Software, which makes network and e-mail monitoring software, more than 85 percent of adults say they send or receive personal e-mail messages at work. Seventy percent of those say they send or receive adult-oriented personal e-mail messages at work; 64 percent of those who use their employers' systems for personal use say they have received or sent sexist or racist e-mail messages.
How large a problem is it that employees send jokes to each other via e-mail? In some cases, it isn't a problem at all; in other cases, the jokes could become evidence in a sexual harassment lawsuit. Unfortunately, the legal lines are still being drawn that specify exactly what employers need to do to protect themselves.
"There is very little law regarding e-mail right now," says Michael Overly, a Los Angeles-based attorney who is special counsel to the information technology group at the Milwaukee-based law firm of Foley & Lardner. "The law that exists is state-based, which means that [laws in] each state vary, and even the courts within a particular state may have different ways of handling this issue."
The safest step companies can take for the moment is to establish a reasonable policy on what constitutes appropriate e-mail use and to enforce it.
The best policies are created by representatives of all the groups involved, including IT.
"You need the lawyers to understand what's dangerous and what's not; you need the IT people to know what's feasible and what's not; and you need a smattering of people from the rest of the company to know what the culture is," Bruce says.
Once a policy is established, IT managers can end up having a hand in enforcing it. This can make some IT people feel uncomfortable.
"IT was involved in establishing the policy, but being the whip-holder is not our job," says an IT manager at a manufacturing company in the South whose rarely-enforced policy says that e-mail is not to be used for personal use. "I'm a service function. I don't want to be a jerk. I'd rather give people the benefit of the doubt."
This example illustrates how important it is to make sure a policy is realistic and has the support of those affected by it.
When representatives from IT, human resources, and other groups in the company get together to formulate an e-mail policy -- or to make sure an existing policy is working -- they should make sure it addresses several legal issues.
* Liability. An employer without a solid e-mail policy is at risk of being sued, both by its own employees and by outsiders, Overly says. E-mail can be used as evidence in cases claiming sexual harassment, discrimination of all sorts, or hostile work environments. But if an employer goes too far in the direction of reading employees' e-mail, in an effort to prevent this kind of liability, it could also be sued by employees for invasion of privacy. Furthermore, third parties can sue a company for what its employees do using e-mail, including e-mailing copyrighted documents without permission, libeling another company, or violating anti-spam laws.
"Any kind of liability that an employee can create through communication, they can do through e-mail," Bruce says.
One IT professional who has been through the process of creating a policy with his company says that a team approach helps to ensure that the policy is balanced.
Overly says that many problems can be prevented by a solid policy that spells out the company's right to read employees' e-mail when necessary.
"Employers must have the ability to review everything on their computer systems to make sure that there's no illegal activity being conducted," Overly says. "If someone conducts criminal activity using an e-mail system, unknown to the company, the company's e-mail system can be subject to seizure. Or an employer may be sued in a breach of contract case. As part of that they're going to have to go through a lot of employee e-mail."
Even if no one has done anything illegal, it is sometimes necessary to go through an employee's e-mail for other reasons, such as to retrieve crucial documents if the employee is unexpectedly absent.
"Can employees sue for invasion of privacy?" Overly says. "The general rule is that if an employer has a clearly written e-mail policy that says the employee has no expectation of privacy, the employer will probably be safe."
* Protection of the information and reputation of the business. "It's so easy to send information with e-mail," Overly says. This includes, of course, information that a company may not want sent anywhere, such as the strategic plan for the next product release. The ease of forwarding messages and using mailing lists means that employees may inadvertently send sensitive information outside of the company.
A good e-mail policy will caution employees to be careful about what they send outside the company -- both to make sure there's no confidential information and to be sure they know that whenever they send an e-mail message outside of the company, they are in effect representing the company.
"Employees need to understand that when they are using e-mail they are a de facto [representative] for the company," Overly says.
* Protection of the company's resources. One large, innocuous graphics file forwarded to the whole company can bring down an e-mail system. Experts say e-mail policies need to explain to employees how to handle attachments and other documents that might cause problems.
"I've had major companies tell me they're more concerned about this issue than they are about [all the other] issues combined," Overly says.
* Encryption. Sometimes it's useful for companies to encrypt e-mail, Bruce says.
But what if employees decide to encrypt their own e-mail so that the employer can't read it? Overly says most policies should include a provision saying that employers must have the key to decrypt any messages that an employee encrypts on an employer's system.
* Document retention. Many companies routinely destroy paper documents that they aren't legally required to keep -- but many do not extend this policy to e-mail, experts say.
"If a company is sued, it is routine for the other party to ask the company to produce all their records [on the subject], including e-mail," Bruce says. "E-mail is a really juicy target because it can be searched by keyword."
Bruce says that there's no reason not to routinely delete e-mail. However, an e-mail-deletion system must preserve any documents that the company is legally required to keep. And if the company becomes involved in litigation, it must stop deleting e-mail that might be relevant.
Some companies' policies say that e-mail can be stored only for a limited time, and that e-mail messages that need to be preserved should be converted into another form.
The Fortune 50 project manager says that his company's policy makes it clear that its e-mail system is not a document-retention system. "If it is a record that needs to be preserved, then it needs to be moved into something where we can retrieve it," he says. "There is an enormous amount of stuff built into a records retention system to make sure that 50 years from now you'll be able to recover it."
Promoting the policy
In addition to creating a realistic policy about e-mail use, companies need to educate employees about that policy and enforce it.
The policy that makes the most sense for most companies, Bruce says, is to allow a limited amount of personal use of e-mail, but to make sure employees understand that any documents they create with the company's system will be treated like other company documents.
The policy should deal with enforcement, as well. Some employers enforce their policy with monitoring software that flags messages containing suspicious words. You can set monitoring software, for example, to block documents containing code words for secret projects from being e-mailed to anyone outside the company. It can also catch words that might be discriminatory or offensive.
In some cases, using monitoring software may help a company defend itself against sexual harassment lawsuits, for example -- it can help show that the company was really trying to prevent harassment, Bruce says. However, if a company is monitoring e-mail, it's vital to make sure the employees know about it, Bruce warns.
Jeff LePage, director of MIS at American Fast Freight, in Kent, Wash., has been using Content Technologies' MIMEsweeper to monitor e-mail at his company for about one year. He says the employees' knowledge that the filter was there has cut down on the number of adult-oriented jokes and other inappropriate messages. He says that once the policy and software were explained to employees, few complained.
"I would have thought people would take it differently, but most people don't seem to mind," LePage says. "There were a few individuals who were detractors of the policy. But how do you fight something like this -- demand that you should be able to send dirty jokes to everyone in the organization?"
However, not all companies have found e-mail monitoring to be practical.
"It's a lot of administrative work," says the Fortune 50 project manager of the work required to check out the messages that are caught by the software, some of which turn out to be harmless. "If someone wants to communicate something externally that's proprietary information, they're going to do that anyway -- they'll put it on a diskette or a CD."
Once the policy has been written and communicated, employee education and communication must be ongoing.
"From a morale standpoint it makes sense for employees to know where they stand," Bruce says. "Usually rumors of what companies are doing with e-mail systems are a lot worse than the truth."
"The place where you end up in trouble is if different people in the company think there are different policies, because where that typically gets sorted out is in the courts," says the project manager.
Employees need to realize that despite e-mail's casual feel, it is nonetheless an official company document.
"E-mail doesn't look like the traditional business communication -- it has the feel of sticking a Post-It on somebody's desk," Overly says. "E-mail can be sent without a lot of reflection. Most employees don't really think of the fact that when you send an e-mail there will be a copy on your computer, the network backup tape, etc. It's frequently harder to get rid of an e-mail than a written document."
Finally, remember that making a policy work requires an ongoing effort.
"You really have to work at this," Bruce says. "You can't just do it and say that's it. You have problems that come up every day."
Margaret Steen edits InfoWorld's Enterprise Careers section.