It’s fast, easy, and for some, completely irresistible. In fact, you’ve probably done it several times today already, as has nearly everyone you work with.
But as convenient and efficient as e-mail is, for employers it can also be a “clicking” time bomb exposing them to security problems and potential liability, as well as costly and time-consuming system searches.
“E-mails are the cockroaches of employment litigation,” said Thomas Watkins, a partner at Brown McCarroll LLP in Austin, Tex. who frequently speaks to attorneys about the potential perils of e-mail. “They are out there, you know that they are multiplying, but you don’t know where they are coming from, and it’s hard to impossible to stop them.”
If cockroaches aren’t bad enough, some attorneys say the quick and silent nature of e-mails may make them more like termites. Once you see the damage, it’s usually too late to stop it, and fixing the problem can be costly.
Those problems can run the gamut – such as exposure of trade secrets or nonpublic securities information, liability for defamation or sexual harassment, and burdensome discovery requests.
A real threat
Employee practices like e-mail forwarding and instant messaging can pose real security problems for employers. Instant messaging by employees, for example, can leave company computers systems vulnerable to electronic worms, hacking attacks and other Internet threats.
“Since most [IT] departments have secured e-mail but have left [instant messaging programs] unprotected, it’s only natural that hackers are adjusting their sights to delivering malicious code through the path of least resistance,” said Don Montgomery, vice president of marketing for Akonix, a San Diego-based data security company that recently released a report on instant messaging security attacks. “In corporate networks, that path of least resistance is instant messaging.”
The report found that reported threats to instant messaging programs on company servers had increased by 78 percent over the last year.
As a result, e-mail and instant messaging activities can also be hazardous to employees’ job security.
Many employers are adopting Internet usage policies to protect against security and legal threats, often with tough enforcement teeth. A July study by Proofpoint, Inc., a California-based electronic data security and loss prevention company, found that 28 percent of surveyed employers have terminated employees for e-mail policy violations.
The survey found that e-mailing posed the biggest problem for employers, and is the primary source of leaked information leading to regulatory compliance violations, legal problems and loss of competitive position.
Pandora’s inbox
One reason for the problem is that unlike other communication media, e-mails and instant messages are almost never vetted by anyone other than the sender, which gives users the false sense that anything they type won’t come back to haunt them.
Watkins said that in one product liability case he handled, discovery produced an e-mail sent from one of his client’s safety engineers to an assistant engineer that read: “Did that darn thing blow up again?”
The false sense of privacy that e-mail and instant messaging gives users can allow a small problem to quickly spiral into a big one.
“People forget there is a permanent record of whatever you do over e-mail,” said Lisa S. Burton, a partner in the labor and employment department of Wilmer Hale in Boston. “They forget and say things that they would never write down or say in public.”
She gave the example of an executive having an affair with a subordinate, with whom she exchanges suggestive e-mails and other electronic communications on the company system.
“Suddenly, you have boatloads of inappropriate communications – e-mails, instant messages – sent back and forth. If the [executive] gets a demand letter from the subordinate’s lawyer saying he plans to sue for sexual harassment, you’ve got a problem.”
Add to that the instantaneous nature of e-mail – coupled with common practices like automatic copying to other e-mail accounts – and it becomes nearly impossible for firms to get ahead of a potentially damaging problem.
In one trade secrets case Watkins handled, a client had a program that automatically sent copies to other people. When proprietary information accidentally founds its way into one e-mail, it was sent to 39 people instantaneously.
“If you were thinking about it, you would know you shouldn’t widely disseminate something like that,” he said. “But when it’s e-mail, it’s automatic and you don’t think about it until it’s too late.”
The problem is compounded by the slow pace of state and federal law in adapting to the new medium. For example, the extent to which employees have a privacy interest in e-mail or other electronic communications in the workplace varies from state to state, making it tougher for managers and employment lawyers to stay ahead of potential problems.
And once employment or business cases get to the litigation phase, e-mails become anything but user-friendly and paper-free.
“In this paperless society, we are killing more trees producing e-mails in discovery than we ever did before,” Watkins said.
Particularly with e-mail “stacking” – forwarded or reply e-mails that include the previous comments, “you can easily have to produce millions of pages,” he said.
An ounce of e-prevention
Since few companies will realistically be able to adopt “no-e-mail” policies, clear and strong rules are the next best defense.
“I recommend to clients that they adopt a clear electronic communication policy outlining what is considered appropriate and inappropriate behavior,” said Stephen M. Foxman, a member in the Philadelphia office of Eckert Seamans. And the policy should have teeth, he said. “They should make it clear in the policy that termination could result. You want to be able to take disciplinary action.”
Since state law varies when it comes to employees’ privacy expectation in their work e-mails, the policy should explicitly make clear to employees the company reserves the right to monitor all communications that take place within its system – including accessing personal e-mail accounts.
“That puts the issue [of privacy rights] to bed, at least in the United States,” said Foxman, although multinational companies should consult with their attorneys to see how such policies could be interpreted in other countries.
It’s important that the communications policy not be tucked inside an employee handbook. It should be presented separately, and companies should require that employees read and sign it.
“It’s easy for an employee to say, ‘Oh, I didn’t get a handbook,’ or ‘I don’t know where it is’ or ‘I threw it away,’” Foxman said. “But if you have a signed policy, that’s pretty hard to dodge.”
Aside from the policy, it’s important for managers to try to get employees to think differently about the nature of e-mail. The vast majority of problems arise because users simply hit “send” before thinking about all the potential consequences.
Watkins tells clients that e-mails should be thought of and treated as letters. One way to do that is to require each e-mail be written in a more formal tone, with a salutation line, and end with “very truly yours” or another phrase that will cause the writer to think a bit more before firing it off.
“People need to stop thinking about it as though it is an evaporative medium and think about if it were a letter,” Watkins said. “People send e-mail and it goes out – boom. No one sees it, no one reviews it – you would never send a letter out that way.”