E-mail Ethics on Intranets
[1]
Micalyn S. Harris, Winpro Inc.
Electronic mail ("e-mail"), once the province of academics and the
technically sophisticated, has become the communication medium of choice for
organizations in which time is of the essence. Broker-dealers and merchant
bankers, law firms, accounting firms and corporations have embraced e-mail for
its convenience. "Intranets" provide internal communications systems which
permit people within an organization to communicate among themselves rapidly
and inexpensively, without intermediaries (e.g. a secretary), and without the
inconvenience of "telephone tag". A variety of systems enable people in
different organizations to communicate enjoying similar advantages of rapid,
inexpensive, efficient and informal communication. Ease and low cost combined
with the efficiency lures even the most reluctant.
E-mail feels like a telephone conversation. It tends to be casual, a scribbled
note rather than a formal memo, and, like a telephone conversation, regarded as
private. But e-mail is written communication. However beguiling its ease of
use, e-mail creates a document, and depending upon internal e-mail policies and
procedures, that document may or may not be handled as confidential, deemed
"published", or be discoverable in connection with litigation and/or
investigations by government agencies. In addition, a copy of e-mail is likely
to be retained in an automatic system backup long after a hastily-scribbled
note would have been destroyed. Unlike verbal conversations which are subject
to the vagaries of memory, proof of what was said in an e-mail message, if it
is recovered and discoverable, is relatively easy and straightforward.
Increasingly, employers are being confronted by angry employees complaining
that their private messages have been read, or claiming that they have been
harassed or defamed by the messages of others, and litigators are, depending on
their views, finding gold mines or land mines in e-mail records.
The Electronic Communications Privacy Act of 1986 ("ECPA"), 18 U.S.C.
2510-2520 (1988, 1993) prohibits unauthorized persons from gaining access to
e-mail transmitted by public carrier service providers, e.g. America Online,
Prodigy, CompuServe, MCI, AT&T, etc. The Act was designed primarily to
protect these service providers by making it illegal to "intercept" e-mail
traveling via their systems. The Act also prohibits the service providers from
knowingly disclosing the contents of the messages they carry or store other
than for the purpose of providing processing or storage services, unless
authorized by the service agreement with their customers.
Although the ECPA prohibits unauthorized "interception" of e-mail under
§2511(1)(a), the Act appears, under §2701(c)(1), to provide broader permission
to access and monitor stored messages. Case law, although meager, supports this
interpretation. The Fifth Circuit has construed ECPA's definition of
"intercept" to exclude stored e-mail messages on the grounds that "Congress did
not intend for intercept to apply to electronic communications when those
communications are in electronic storage." If that reasoning becomes standard,
e-mail which is inaccessible to third parties while en route may be more easily
accessed by them once it is delivered and stored. A fortiori, e-mail
stored within a firm's own system seems unlikely to be protected by ECPA.
Thus, the ECPA appears to have limited applicability to internal e-mail
systems. It follows that even excluding issues arising from security breaches
("hacking" into the system), whether e-mail within a particular organization is
private and secure depends not only upon the technology used by the
organization, but also on the mechanics of managing the system, the policies of
the organization in handling e-mail, the procedures used to publicize and
enforce those policies, and the application of record retention policies and
procedures.
An e-mail system requires management. The manager may or may not look at
messages, but in order to manage the system and be able to repair problems when
they arise, the manager will, in general, have the ability to read e-mail
messages unless extraordinary steps are taken to prevent him or her from doing
so. There are practical considerations flowing from these circumstances. For
example, while within an organization such disclosure may not compromise
confidentiality, it may be sufficient "publication" to support a claim of
libel.
Limited use of company telephones for personal communications is generally
recognized as acceptable. In the absence of recording devices however,
telephone conversations do not create documents or records whose exact content
is retrievable. In contrast, all e-mail messages are recorded; they are
documents, and as such, leave a trail. Thus, the risks of permitting use of
e-mail for personal messages are considerably greater than the risks of
permitting personal use of business telephone lines. It is therefore not
surprising that policies regarding personal use of company e-mail facilities
vary widely among companies.
Formulating an e-mail policy is not a simple matter. If it is company policy
that e-mail is to be used only for company business, then entering e-mail into
evidence may also be relatively easy - either side may claim that it is a
business record and entitled to be admitted into evidence as such.
Alternatively, if it is company policy is to permit personal use of company
e-mail, employees may feel free to send messages containing derogatory,
unflattering, or otherwise unpleasant comments about co-workers which, if
disclosed, may provide a foundation for claims of harassment or even
defamation. Having no policy may result in realizing the worst of both
alternatives.
Formulating a policy may be further complicated by the fact that in large
organizations in which maintaining communications with people in distant
locations is deemed desirable (e.g. investment banking), business and social
life often merge, and use of e-mail to establish and maintain contacts is
encouraged. A greeting, arrangements for a dinner after work when a business
trip is planned, and comparing notes on current events are often seen as
appropriate uses of a corporate communications system, just as they would be
appropriate uses of a telephone. Such communications are not "strictly
business" but unlike telephone conversations which are not, in most instances,
recorded and therefore disappear at their close, these e-mail conversations
are, by definition, written records.
Taking the time to develop a thoughtful policy on the proper use of internal
e-mail, and implementing it with meaningful training, can avoid unpleasant and
embarrassing problems. Effective training generally includes guidance, by
stating principles and providing examples, and publicizing the risks and
benefits of recommended uses of e-mail, together with illustrations of the
undesirable consequences which may result from misuse. For example, an employee
who has been advised that e-mail is monitored, that writing an e-mail message
is like writing a memorandum and that language which is inappropriate in a
formal memorandum is equally inappropriate in an e-mail message, is less likely
to write defamatory messages or to use e-mail to harass other employees.
Cases involving claims of breach by employers of employees' anticipated e-mail
privacy are beginning to appear. In California, a supervisor began monitoring
the e-mail of two employees after being told it was "steamy". Monitoring
disclosed behavior which was grounds for termination. Based on the monitored
e-mail messages, the two employees were terminated. Both filed grievances,
claiming that their privacy had been violated. The case was dismissed by the
trial court on the grounds that the company owned the system and had a right to
monitor the messages it contained (Bourke v. Nissan Motor Co., No. YC
003979, L.A. Super. Ct, 1994), and was appealed. In another California case, a
system administrator was told e-mail communications would be private, and so
advised employees during the course of training for which she was responsible.
When she discovered that employees' e-mail was being read by her supervisor,
she complained and was terminated. She sued (Shoars v. Epson America Inc.,
No. SWC 112749 (L.A. Super. Ct.), and a class action by defendant's employees
was filed as a companion case (Flanagan v. Epson America Inc., No BC
007036, L.A. Super. Ct, March 12, 1991). Both cases were dismissed on the
grounds that California's privacy statutes do not mention either e-mail or the
workplace, which the court saw as indicating that the law was not intended to
protect employees' workplace communications. These cases were also appealed.
Securities arbitrators are hearing cases in which employees of member firms
complain of discrimination and harassment using e-mail as an instrument of the
illegal behavior. Other cases have involved e-mail sent by persons other than
the person appearing as the signer of the message, giving rise to additional
management problems in which e-mail is the instrument and provides evidence of
illegal practices. An employee's written promise to use the employer's e-mail
for business only may forestall a later claim of protectable expectation of
privacy, but relying on manage ment's assurance of privacy may be ill-advised.
In Smyth v. The Pillsbury Company, 914 F. Supp. 97 (E.D. Pa., 1966),
where an employee's e-mail exchange (with a supervisor) which included
unappealing statements about management was the cause of his discharge, his
wrongful discharge claim was dismissed "for failure to state a claim."
The California cases do not establish a federal standard (both were based on
state law), but these three cases, and others, as well as arbitrated cases,
indicate that employers, at a minimum, are well-advised to establish and
enforce clear and detailed policies concerning the appropriate use of e-mail.
Whatever policy is deemed appropriate, the risks of employee complaints and
surprise can be reduced by adopting and publicizing organization policies on
the acceptable uses of e-mail. If employees know that their e-mail
communications are being, or may be, monitored, they are less likely to use
e-mail to send messages which, if disclosed, would be embarrassing to them. If
e-mail is to be used for confidential correspondence, it is advisable to
explore instituting special procedures which will support the position that
confidentiality is being maintained.
E-mail policies need to address not only the use of e-mail, but related record
retention and destruction policies. Organizations often have automatic back-up
systems which make and store, off-site, a copy of all electronically-stored
information on a regular basis, e.g., daily, weekly, or monthly. If these
back-up systems include copies of e-mail, or even e-mail which is stored
because not yet sent or not yet received or filed within the e-mail system,
appropriate handling of the back-up disks or tapes is also required. If the
back-up tapes include confidential information or trade secrets, it is
advisable to handle the tapes accordingly. If back-ups are stacked where anyone
can gain access to them, an argument that the information they contain is not
being treated as confidential and therefore is not entitled to trade secret or
other confidential status may be successful. And whether or not such tapes or
disks are handled as confidential information, they may be found to be subject
to discovery, and may contain relevant and damaging evidence. (Under the new
Rule 26 of the Federal Rules of Civil Procedure, adopted in some jurisdictions,
it may even be argued that a party litigant would be obligated to provide
copies of such back-ups without having been specifically requested to do so.)
E-mail is seductive, and justifiably so. Its speed and low cost give it great
potential for facilitating communications - advising businesses of
opportunities and problems, and enabling them to take advantage of the former
and respond to the latter rapidly. Such rapid responses make businesses more
competitive, benefit customers, and reduce the duration and cost of dealing
with problems. An e-mail exchange may be faster than telephone contact, and
messages can travel from one problem-solver to another without a customer
having to tolerate being "passed around" and encountering irritating delays.
The advantages however are not without risks. Whatever the e-mail technology,
e-mail, for the foreseeable future, will create a record which, however it
feels, is in effect similar to a written record. As with any written record,
the processes of creation, retention and destruction warrant attention.
Policies which establish guidelines for the appropriate use of e-mail, and
procedures which implement those policies by informing users of specific
methods for maximizing benefits and minimizing risks, including illustrations
of misuse and an indication of the problems to which they can give rise, are
worthy of executive attention. Formulation of policies and procedures in
advance can significantly reduce the risk of conflict and abuse, and the
attendant expenses of resolution after damage has been done. With awareness of
specific technology and some advance planning, risks of misuse can be minimized
and e-mail can be a valuable tool for decreasing operating costs and increasing
productivity and efficiency.
This article provides general information, and represents the views of the
author(s). It does not constitute legal advice, and should not be used or taken
as legal advice relating to any specific situation. Brief portions may be
quoted with attribution, including the name(s) of the author(s) and citation to
the publication in which they first appeared.
FOOTNOTES
1Copyright 1997,
Micalyn S. Harris. All Rights Reserved. First Printed in wallstreetlawyer.com,
May, 1997.
|