Email Liability - Is Your Company Protected?

The dangers to companies posed by email content first got serious national attention in the Microsoft anti-trust trial. The legal implications of the Microsoft suit, and other trials where cases have hinged on e-mail evidence, make it clear that companies, as well as individuals, are liable for what happens on their email system.

For example, in April 2002, an internal e-mail was sent from a KPMG executive to 33 recipients stating that the firm had given a purposely incomplete list of tax shelter clients to the IRS, which prompted another KPMG executive to e-mail vice chairman Jeffrey Stein: "Given the sensitivity of this situation, should we be putting all this in print?" Plaintiff lawyers uncovered the damaging e-mails, which led KPMG to admit to criminal wrongdoing and agree to pay $456 million.

In another case, Wall Street investment bank J.P. Morgan Chase & Co. was ordered to pay $2.1 million in fines to settle accusations that it failed to retain e-mails sought in investigations of stock research analyst misconduct.

The most frequent cases, however, where e-mails are crucial exhibits are employee lawsuits against a company. These lawsuits include Sexual Harassment cases which often use as evidence e-mails by supervisors or other employees with lewd and sexually explicit content, discrimination cases which have used e-mails by employees containing racial or religious remarks or e-mails with comments on age, gender, or pregnancy of an employee, and in defamation cases which use e-mails by employees commenting on someone's conduct, character, or performance.

The use of emails in lawsuits has become such a serious issue that many companies in the insurance industry now offer policies for Internet and email liability. Coverage includes such items as damages associated with security breaches, as well as, libel, slander, and defamation of character. But, insurance aside, what can you do to protect you company?

Is it legal for a company to perform email auditing (sometimes called email monitoring), where email is checked after the actual transmission, and email interception (sometimes called email filtering), where email is intercepted and checked during transmission, on employee e-mail accounts? Well, yes and no. Cases in the United States have proven that both are permitted if (a) done in a reasonable manner, (b) backed up by an email policy, and (c) backed by employee training that has been documented.

The best protection is a clear e-mail security Policies and Procedures document that covers all the potential danger zones, then well-planned, regular training that includes all new employees and all new updates to policies. The Society for Human Resource Management urges their members to establish a clear training program to ensure proper and effective use of email. One survey claims that 73% of companies do not offer Web training and 70% do not have a written content security policy.

Another important protection companies can adopt is the addition of legal disclaimers in the footer of every e-mail. Since content sent via email carries the same weight, legally, as those sent on company letterhead, if the email address includes the name of a company, a disclaimer such as, "the views of this email and of Company X's employees do not necessarily reflect the views of Company X," should be built into the template of every company e-mail account.

Another good idea is to emphasize in training, and with intermittent e-mails/memos reminders, that employees must remember that the email system is for business use, not personal use, and that their emails to others should be treated with the same respect as a company letter or memo. Also, it is a good idea to remind employees in writing that company email accounts belong to the company and are, therefore, not confidential for the employee, only the company. Employees should also be instructed to review what they have written before they send their messages and not send messages without verifying the accuracy of the factual information to be conveyed and verifying that the information about to be sent is not confidential information.

Vickie Adair is the senior technical writer at Media A-Team http://www.mediaateam.com and also publishes as a freelance writer. She writes for several websites such as http://www.houstonmanufacturers.com, an online directory and news site for the Houston manufacturing community, http://www.booksisters.com