Email - the legal issues
E-mail has been around since 1972 and was already a very established form of communication in the pre World Wide Web incarnation of the Internet.
In the early 1990's e-mail was confined to text messages, and was used largely by academics and for other non-commercial activities. The role of e-mail has developed in the last 5 years into a normal business tool, and is regarded with no special considerations compared to the other more long-standing means of communication.
The second generation of e-mail users, use e-mail to send not only simple messages, but also word processing documents, voice, fax, video and audio - and anything else digital.
The reach of e-mail has extended beyond the boundaries of the company to anybody who has an Internet address. This includes customers, suppliers, potential customers, and competitors and allies, in the personal world it also includes friends and family. E-mail can have the characteristics of a written telephone conversation, rather than the measured formality normally associated with business letters. The ability to respond almost immediately to an e-mail bypasses the drafting and filtering process that letters normally undergo.
The consequences of being able to send anything to anybody has potentially serious implications for companies and individuals. Such consequences include, legal liability for anything from breach of confidence (e.g. sending client lists to competitors), defamation (Norwich Union paid £450,000 in one instance), sexual, racial and other harassment (several cases have involved use of e-mail), as well as numerous potential offences ranging from breaches of the companies acts to hacking and breach of copyright.
Other Internet use related issues which should be addressed by all companies include preventing virus attacks and employee access to pornography. From a company's point of view, the potential of the company to be vicariously liable for the acts of employees in certain circumstances should be a major concern.
A commonly overlooked issue relates to the required information to be included in any of business communication of a company. These include company number, name and registered office and other similar matters addressed in the Companies Act 1985 and the Business Names Act 1985. Many companies appear not to view e-mail as a communication within the meaning of these acts. This is mistaken. All companies should implement an acceptable user policy for both Internet access and e-mail use.
Any policy should start with the basic issue of whether it is acceptable to use the corporate e-mail system for private messages. A total prohibition against private use may protect the company from liability for individual abuses. However, if private use is allowed, then an authorised act done in an unauthorised way may leave the company exposed to liability.
The key to avoiding liability without hindering effective use of the technology available to business is through enhancing staff understanding of the many implications (including legal ones) stemming from their acts whilst using the Internet or e-mail. Through such education effective risk management can be achieved.
Part of a risk management strategy would include in the e-mail user policy the need for confidentiality notices on e-mails sent to external bodies and clients, and disciplinary measures being included in employee contracts. The ability of a disaffected employee, or someone who is soon to leave a company to send by e-mail large quantities of confidential information - whether it be trade secrets, client lists, technical and know how information - in short anything valuable, to either a personal external e-mail address or to a competitor should be a matter of real concern. To safeguard against such events, high profile monitoring, of both e-mail and web use, should be a priority. Whilst such measures will not prevent such disclosures, they may deter them. Similarly, publicising and including the right for the company to monitor such use in employees' contracts will safeguard the company from complaint. We have developed a standard user policy document which is available upon request for a modest charge.
Information that is considered to be particularly sensitive should only be sent via e-mail after some consideration has been given to the use of encryption and possibly obtaining the consent of the recipient to receive it electronically. Lawyers for example have got specific duties to protect their client's confidentiality.
Some thought should be given to the form of signature, which should be attached to e-mails which identify the e-mail as emanating from the company, similarly if private use is allowed a separate signature should be used to distinguish corporate e-mails from personal ones. This may be particularly pertinent if employees post messages to newsgroups.
E-mails should carry a form of confidentiality notice similar to that used in faxes as a matter of routine.
Another issue, which appears to have received scant attention, is the maintenance of records, which is a legal obligation covering many types of business communications. Company policy in respect of storing or destruction of documents should be extended to take account of e-mail use in the business process. This may also have ramifications in respect of any litigation involving the company, as e-mail will be subject to the discovery process obliging all relevant documents (including e-mails) to be made available to the other party.
The ability to send abusive, harassing and offensive material via e-mail can have serious consequences for a company which may be liable if effective steps to prevent such activities are not put in place and maintained.
As the identity of the sender can be manipulated, it is possible to appear to be someone else and use this for nefarious purposes such as sending abusive e-mail in the name of others. It may be difficult to prove that the e-mail did not emanate from you.
Conclusion
As e-mail use increases and becomes the medium of choice for business communications, unless companies adopt effective risk management strategies, which need not be overly complicated, they leave themselves exposed to liabilities which they may not have considered previously. An effective strategy requires an appropriate e-mail and web access user policy, which addresses the matters we have discussed above. Changes to contracts of employment and disciplinary procedures need to be implemented to deal with any breaches of the policy and set out the consequences thereof. Last but not least continuous training should be put in place so that employees understand the potential risks and how they can be avoided.
© This article is copyright Sprecher Grier Halberstam LLP.2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. The contents are intended for general information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.