American Bar Association

ABA Section of Business Law


Volume 11, Number 6 - July/August 2002

Work Station or Purgatory?
Steps toward a company policy on e-mail and using the Net
    By Kathleen M. Porter, David Wilson and Jacqueline Scheib

 Related Article:

  Some Sample Provisions and Why to Use Them
      By Wilson, Scheib & Porter

Electronic communication is like fire: It is immensely powerful, but can easily scorch those who are careless. The very characteristics that make e-communication attractive to businesses also invite mischief, mistakes and risk.

For example, according to a recent Accenture Research study, 80 percent of the world's leading pharmaceutical manufacturers thought that Internet technologies could shorten the time it takes to bring new drugs to market, while at the same time reducing drug development and administration costs. However, as Eli Lilly and Co. recently experienced, using e-mail is not without some risk.

In June 2001, an Eli Lilly employee sent an e-mail to individuals who signed up to receive electronic notices about the drug Prozac. The e-mail listed all of the recipients' e-mail addresses in the "To:" line. In that instant, the employee unintentionally disclosed to each recipient the e-mail addresses of all of the 669 other recipients. After the e-mail was sent, Eli Lilly immediately adopted corrective measures, such as blocking outgoing e-mails to the group who signed up for notices, if the e-mail was going to more than one recipient.

However, those measures didn't stop the Federal Trade Commission from bringing a complaint against the company, alleging that it failed to follow its own Web site privacy policy for safeguarding personally identifiable information. In early 2002, while not admitting any liability, Eli Lilly entered into an FTC consent order, agreeing to establish an "information security program" with training, security and auditing components.

In addition to potential government enforcement action, employers face liability for misuse of e-communications by third parties and by employees. You may be surprised to learn that in many situations an employer will be held liable for the acts of its managers or supervisors. In some jurisdictions, managers and supervisors also can be held individually liable for their own acts of discrimination or harassment.

These principles are alarming when you consider the immediate and casual nature of e-mail, and the potential for e-mails with allegedly discriminatory, defamatory or harassing statements that can find their way around a company.

With proper tools, a company can leverage the time- and often cost-saving benefits of electronic communications, while shielding itself from the risks. This article provides such tools to aid companies in managing workplace electronic communications.

How does an employer shield itself from liability for misuse of its electronic communications? How can a company take action against an employee who misuses its technology? In large part, the answers to these questions depend on whether the company has adopted and institutionalized an appropriate program designed to maximize its options while providing clear guidance, training and notice to employees about what uses are appropriate.

Every company using modern technology should have a "comprehensive electronic communications program." Such a program leads to better communication between the company and its employees regarding professional and personal use of the company's computer system. A program will empower managers who need to discipline an employee for misuse of technology and educate employees on the capabilities of the technology and the risks associated with its misuse. The program should include:

  • a written policy governing the professional and personal use of the Internet and e-mail;
  • education of employees on proper use and the risks of misuse;
  • mechanisms designed to minimize the company's liability in connection with an employee's use of technology; and
  • procedures to audit the implementation of the other parts of the program.

The heart of any comprehensive program governing the use of e-mail and the Net is an "acceptable use policy." A successful policy will balance the needs of the company and the expectations of the employees. When framing your policy, take into consideration the culture and specific needs of your company. Don't let your use policy contradict the tone and scope of existing corporate policies.

If your company relies heavily on trade secrets to maintain its competitive edge, for instance, your policy should address the implications of releasing trade secrets. Employees privy to these secrets have the ability, through the Internet, to disseminate this information around the world at the push of a button.

These indiscretions are already occurring. In February 1999, Raytheon Co. sued 21 anonymous authors who posted arguably confidential information about Raytheon to a computerized bulletin board. This suit led to the eventual resignation of at least two Raytheon employees. In April 1999, a Massachusetts engineering and construction firm, Stone & Webster Inc., brought a similar suit. Tailoring the policy to your company's needs and culture will provide the company with a more effective tool and the employees with a mechanism that they can relate to, appreciate and follow.

An acceptable-use policy must set clear and strict guidelines and must further the business goals of the company, but it must also be reasonable. For example, it likely would not be practical or efficient for an employer to ban all personal use of company computer systems. Indeed, such a policy is likely to be counterproductive in the same way that a blanket ban on all personal use of company telephones would be counterproductive.

A company might be better off permitting an employee to handle a personal obligation efficiently by e-mail rather than spend a much longer time out of the office on errands or making multiple phone calls. A clear understanding of what is appropriate will prevent misunderstandings.

Dispelling misperceptions that an individual's use of e-mail and the Internet is relatively anonymous and without any real repercussions is key to a successful use policy. An extension of privacy claims to e-mail could have widespread impact, because even today a number of American businesses monitor employee e-mail without telling their employees. Recent court cases have granted employers wide latitude in reviewing e-mail, but the law in this area is in considerable flux.

Caution, though, is required. This lesson was learned by the president of one Massachusetts company, who heard that an employee was "spending a lot of time using the e-mail system" and decided to find out for himself. The employer used his supervisory password to gain access to backup tapes of employee e-mail, and spent eight hours reading the messages. He learned that employees discussed details of his extramarital affair and referred to him by nicknames, no doubt unflattering. The employer terminated two employees for what he claimed was excessive use of e-mail.

The employees responded with a lawsuit alleging invasion of privacy, among other grievances. The court refused to dismiss the employees' claim of invasion of privacy, apparently believing that each employee had an expectation of privacy created by the passwords used to gain entry to the e-mail system and by the fact that they were never told that the files were saved on a backup tape to which their boss had access.

Other cases have gone the other way. In Pennsylvania, an employee who sent an e-mail to his supervisor that contained threats to management and referred to the planned holiday party as the "Jim Jones KoolAid affair" was terminated when management intercepted his e-mail. The employee challenged his termination on the ground that he had an expectation of privacy with respect to his e-mail. He cited a company policy that assured employees that e-mail messages were confidential and that the employer would not intercept or use them against employees for termination or reprimand. The court decided that there was no expectation of privacy where the employee had voluntarily sent the e-mail to his supervisor.

In another case, a California appeals court rejected claims by two employees whose e-mail was scrutinized after one e-mail message, chosen at random for an e-mail training session, turned out to be of a personal and sexual nature. In that case, the court found that the employees had no expectation of privacy because their employer had instructed them not to use e-mail for personal messages and because they had learned, prior to sending the offending messages, that people other than the addressees sometimes read company e-mail.

Even judges are uncertain. On May 24, 2001, a group of California federal judges ordered their technical staff to disable the monitoring software on all computers in the Ninth Circuit, the largest of the nation's 12 regional circuits, covering nine Western states and two territories. The conflict results from the judges' concerns about the legality of monitoring Internet usage, particularly when employment policies are unclear.

It should be noted that this article focuses on the current and emerging law in the United States with regard to managing employees' use of the Internet and e-mail, and that other countries have a very different view of employee privacy rights. The most prominent example of this is a recent decision by France's highest court, in which the court held that Nikon France SA improperly fired its employee for using his workplace computer during work hours to send e-mails marked "personal."

The court based its ruling on the right to privacy found in Article 8 of the European Convention on Human Rights. In its decision, the court reversed an appellate court ruling that had affirmed the trial court's decision; both lower courts had recognized a company's right to prohibit personal use of company-issued equipment.

The Nikon decision highlights the need for a company with employees or activities outside the United States to consider the laws and practices of the relevant countries before implementing a comprehensive monitoring program. Some global companies, Schlumberger Limited among them, are exploring the development of "model Internet monitoring procedures" as part of their comprehensive program. The goal is that a company — as evidence of its good faith and reasonableness — would use the to-be-developed model procedures if or when it is forced to defend the company's monitoring of an employee's activities.

In addition to the acceptable-use policy, there are several other components of a comprehensive program. The first is periodic employee education and refresher training to teach and reinforce proper use and the risks of misuse of the Internet and e-mail. Education is particularly critical given that better informed and trained employees make better decisions. The education records also enable a company to demonstrate its good-faith reasonable efforts to educate employees and protect confidential information and intellectual property.

Training will also continue to dispel incorrect perceptions about the anonymity of e-mail and Internet use. In addition to formal education, many companies issue periodic reminders on key points, such as the discoverable nature of e-mail and the frequent need to clean out folders containing e-mail.

Another component of a program is understanding and employing mechanisms that can affect the company's liability in connection with an employee's use of technology. One example is the company's policy of backing up e-mails and other documents on tapes for security and continuity purposes.

In the Linnen v. A.H. Robins Co. case, the plaintiff, who alleged harm caused by the diet drugs fenfluramine and phentermine, demanded to see relevant documents in the possession of defendant Wyeth-Ayerst Laboratories. The plaintiff defined "document" to include information stored on paper, computer, film, tape and other media.

Wyeth's practice was to store computer backup tapes for three months and then reuse, or recycle, the old tapes, erasing data that had been stored on them. Wyeth delayed in disclosing the existence of the backup tapes, and then conceded that it had continued to recycle the tapes — erasing data on them — even after the plaintiff had asked for access to them.

The court in Linnen found that the late disclosure of the tapes was "uncooperative, be it unintended or willful," and ordered Wyeth to pay all the plaintiffs' fees and costs in seeking that data. The court found that the erasure of backup tapes was "inexcusable," and allowed the jury to infer at trial that Wyeth erased the backup tapes because they contained unfavorable information. Expect that any litigation involving a company will include demands to see not only active e-mail messages, but also copies of relevant messages stored on backup tapes.

Other mechanisms include available technology tools designed to protect privacy and to minimize errors and misuse, such as passwords, blocking or restricting access to sensitive information, restricting ability to send multiple-recipient e-mails and the like. Software that allows the employer to block employee access to Web sites unrelated to work or likely to contain inappropriate materials may be helpful. Also, many companies use software that captures incoming e-mail that may contain materials that are inappropriate or likely to harm the security of the company's systems because of the amount of data or its capacity to contain a virus.

Procedures to audit the implementation of the other components of the program are also important. Companies should audit the observance of the use policy, to make sure that actual monitoring occurs, and also that it conforms to the policy language, is nondiscriminatory and is uniformly administered. In addition, the audit will gauge the correlation between the training measures and compliance with the policy.

Perhaps most important, companies should instill a sense of ambassadorship in employees by reminding them that they represent a company with high standards that places a strong emphasis on professional behavior.



All three authors are with Robinson and Cole LLP. Wilson and Porter are partners in the Boston office and Scheib is an associate in the Hartford, Conn., office. Wilson's e-mail is dwilson@rc.com; Scheib's is jscheib@rc.com and Porter's is kporter@rc.com.
