E-mail Ethics on Intranets [1]
Micalyn S. Harris, Winpro Inc.

Electronic mail ("e-mail"), once the province of academics and the technically sophisticated, has become the communication medium of choice for organizations in which time is of the essence. Broker-dealers and merchant bankers, law firms, accounting firms and corporations have embraced e-mail for its convenience. "Intranets" provide internal communications systems which permit people within an organization to communicate among themselves rapidly and inexpensively, without intermediaries (e.g. a secretary), and without the inconvenience of "telephone tag". A variety of systems enable people in different organizations to communicate enjoying similar advantages of rapid, inexpensive, efficient and informal communication. Ease and low cost combined with the efficiency lures even the most reluctant.

E-mail feels like a telephone conversation. It tends to be casual, a scribbled note rather than a formal memo, and, like a telephone conversation, regarded as private. But e-mail is written communication. However beguiling its ease of use, e-mail creates a document, and depending upon internal e-mail policies and procedures, that document may or may not be handled as confidential, deemed "published", or be discoverable in connection with litigation and/or investigations by government agencies. In addition, a copy of e-mail is likely to be retained in an automatic system backup long after a hastily-scribbled note would have been destroyed. Unlike verbal conversations which are subject to the vagaries of memory, proof of what was said in an e-mail message, if it is recovered and discoverable, is relatively easy and straightforward.

Increasingly, employers are being confronted by angry employees complaining that their private messages have been read, or claiming that they have been harassed or defamed by the messages of others, and litigators are, depending on their views, finding gold mines or land mines in e-mail records.

The Electronic Communications Privacy Act of 1986 ("ECPA"), 18 U.S.C. 2510-2520 (1988, 1993) prohibits unauthorized persons from gaining access to e-mail transmitted by public carrier service providers, e.g. America Online, Prodigy, CompuServe, MCI, AT&T, etc. The Act was designed primarily to protect these service providers by making it illegal to "intercept" e-mail traveling via their systems. The Act also prohibits the service providers from knowingly disclosing the contents of the messages they carry or store other than for the purpose of providing processing or storage services, unless authorized by the service agreement with their customers.

Although the ECPA prohibits unauthorized "interception" of e-mail under §2511(1)(a), the Act appears, under §2701(c)(1), to provide broader permission to access and monitor stored messages. Case law, although meager, supports this interpretation. The Fifth Circuit has construed ECPA's definition of "intercept" to exclude stored e-mail messages on the grounds that "Congress did not intend for intercept to apply to electronic communications when those communications are in electronic storage." If that reasoning becomes standard, e-mail which is inaccessible to third parties while en route may be more easily accessed by them once it is delivered and stored. A fortiori, e-mail stored within a firm's own system seems unlikely to be protected by ECPA.

Thus, the ECPA appears to have limited applicability to internal e-mail systems. It follows that even excluding issues arising from security breaches ("hacking" into the system), whether e-mail within a particular organization is private and secure depends not only upon the technology used by the organization, but also on the mechanics of managing the system, the policies of the organization in handling e-mail, the procedures used to publicize and enforce those policies, and the application of record retention policies and procedures.

An e-mail system requires management. The manager may or may not look at messages, but in order to manage the system and be able to repair problems when they arise, the manager will, in general, have the ability to read e-mail messages unless extraordinary steps are taken to prevent him or her from doing so. There are practical considerations flowing from these circumstances. For example, while within an organization such disclosure may not compromise confidentiality, it may be sufficient "publication" to support a claim of libel.

Limited use of company telephones for personal communications is generally recognized as acceptable. In the absence of recording devices however, telephone conversations do not create documents or records whose exact content is retrievable. In contrast, all e-mail messages are recorded; they are documents, and as such, leave a trail. Thus, the risks of permitting use of e-mail for personal messages are considerably greater than the risks of permitting personal use of business telephone lines. It is therefore not surprising that policies regarding personal use of company e-mail facilities vary widely among companies.

Formulating an e-mail policy is not a simple matter. If it is company policy that e-mail is to be used only for company business, then entering e-mail into evidence may also be relatively easy - either side may claim that it is a business record and entitled to be admitted into evidence as such. Alternatively, if it is company policy is to permit personal use of company e-mail, employees may feel free to send messages containing derogatory, unflattering, or otherwise unpleasant comments about co-workers which, if disclosed, may provide a foundation for claims of harassment or even defamation. Having no policy may result in realizing the worst of both alternatives.

Formulating a policy may be further complicated by the fact that in large organizations in which maintaining communications with people in distant locations is deemed desirable (e.g. investment banking), business and social life often merge, and use of e-mail to establish and maintain contacts is encouraged. A greeting, arrangements for a dinner after work when a business trip is planned, and comparing notes on current events are often seen as appropriate uses of a corporate communications system, just as they would be appropriate uses of a telephone. Such communications are not "strictly business" but unlike telephone conversations which are not, in most instances, recorded and therefore disappear at their close, these e-mail conversations are, by definition, written records.

Taking the time to develop a thoughtful policy on the proper use of internal e-mail, and implementing it with meaningful training, can avoid unpleasant and embarrassing problems. Effective training generally includes guidance, by stating principles and providing examples, and publicizing the risks and benefits of recommended uses of e-mail, together with illustrations of the undesirable consequences which may result from misuse. For example, an employee who has been advised that e-mail is monitored, that writing an e-mail message is like writing a memorandum and that language which is inappropriate in a formal memorandum is equally inappropriate in an e-mail message, is less likely to write defamatory messages or to use e-mail to harass other employees.

Cases involving claims of breach by employers of employees' anticipated e-mail privacy are beginning to appear. In California, a supervisor began monitoring the e-mail of two employees after being told it was "steamy". Monitoring disclosed behavior which was grounds for termination. Based on the monitored e-mail messages, the two employees were terminated. Both filed grievances, claiming that their privacy had been violated. The case was dismissed by the trial court on the grounds that the company owned the system and had a right to monitor the messages it contained (Bourke v. Nissan Motor Co., No. YC 003979, L.A. Super. Ct, 1994), and was appealed. In another California case, a system administrator was told e-mail communications would be private, and so advised employees during the course of training for which she was responsible. When she discovered that employees' e-mail was being read by her supervisor, she complained and was terminated. She sued (Shoars v. Epson America Inc., No. SWC 112749 (L.A. Super. Ct.), and a class action by defendant's employees was filed as a companion case (Flanagan v. Epson America Inc., No BC 007036, L.A. Super. Ct, March 12, 1991). Both cases were dismissed on the grounds that California's privacy statutes do not mention either e-mail or the workplace, which the court saw as indicating that the law was not intended to protect employees' workplace communications. These cases were also appealed. Securities arbitrators are hearing cases in which employees of member firms complain of discrimination and harassment using e-mail as an instrument of the illegal behavior. Other cases have involved e-mail sent by persons other than the person appearing as the signer of the message, giving rise to additional management problems in which e-mail is the instrument and provides evidence of illegal practices. An employee's written promise to use the employer's e-mail for business only may forestall a later claim of protectable expectation of privacy, but relying on manage ment's assurance of privacy may be ill-advised. In Smyth v. The Pillsbury Company, 914 F. Supp. 97 (E.D. Pa., 1966), where an employee's e-mail exchange (with a supervisor) which included unappealing statements about management was the cause of his discharge, his wrongful discharge claim was dismissed "for failure to state a claim."

The California cases do not establish a federal standard (both were based on state law), but these three cases, and others, as well as arbitrated cases, indicate that employers, at a minimum, are well-advised to establish and enforce clear and detailed policies concerning the appropriate use of e-mail.

Whatever policy is deemed appropriate, the risks of employee complaints and surprise can be reduced by adopting and publicizing organization policies on the acceptable uses of e-mail. If employees know that their e-mail communications are being, or may be, monitored, they are less likely to use e-mail to send messages which, if disclosed, would be embarrassing to them. If e-mail is to be used for confidential correspondence, it is advisable to explore instituting special procedures which will support the position that confidentiality is being maintained.

E-mail policies need to address not only the use of e-mail, but related record retention and destruction policies. Organizations often have automatic back-up systems which make and store, off-site, a copy of all electronically-stored information on a regular basis, e.g., daily, weekly, or monthly. If these back-up systems include copies of e-mail, or even e-mail which is stored because not yet sent or not yet received or filed within the e-mail system, appropriate handling of the back-up disks or tapes is also required. If the back-up tapes include confidential information or trade secrets, it is advisable to handle the tapes accordingly. If back-ups are stacked where anyone can gain access to them, an argument that the information they contain is not being treated as confidential and therefore is not entitled to trade secret or other confidential status may be successful. And whether or not such tapes or disks are handled as confidential information, they may be found to be subject to discovery, and may contain relevant and damaging evidence. (Under the new Rule 26 of the Federal Rules of Civil Procedure, adopted in some jurisdictions, it may even be argued that a party litigant would be obligated to provide copies of such back-ups without having been specifically requested to do so.)

E-mail is seductive, and justifiably so. Its speed and low cost give it great potential for facilitating communications - advising businesses of opportunities and problems, and enabling them to take advantage of the former and respond to the latter rapidly. Such rapid responses make businesses more competitive, benefit customers, and reduce the duration and cost of dealing with problems. An e-mail exchange may be faster than telephone contact, and messages can travel from one problem-solver to another without a customer having to tolerate being "passed around" and encountering irritating delays.

The advantages however are not without risks. Whatever the e-mail technology, e-mail, for the foreseeable future, will create a record which, however it feels, is in effect similar to a written record. As with any written record, the processes of creation, retention and destruction warrant attention. Policies which establish guidelines for the appropriate use of e-mail, and procedures which implement those policies by informing users of specific methods for maximizing benefits and minimizing risks, including illustrations of misuse and an indication of the problems to which they can give rise, are worthy of executive attention. Formulation of policies and procedures in advance can significantly reduce the risk of conflict and abuse, and the attendant expenses of resolution after damage has been done. With awareness of specific technology and some advance planning, risks of misuse can be minimized and e-mail can be a valuable tool for decreasing operating costs and increasing productivity and efficiency.

This article provides general information, and represents the views of the author(s). It does not constitute legal advice, and should not be used or taken as legal advice relating to any specific situation. Brief portions may be quoted with attribution, including the name(s) of the author(s) and citation to the publication in which they first appeared.

FOOTNOTES

1Copyright 1997, Micalyn S. Harris. All Rights Reserved. First Printed in wallstreetlawyer.com, May, 1997.