2/5/2016
Business Law Today
Advertisement
Follow ABA
myABA | Log In
JOIN THE ABA
SHOP ABA
CALENDAR
Membership
ABA Groups
Diversity
Advocacy
Resources for Lawyers
MEMBER DIRECTORY
Publishing
CLE
Career Center
News
About Us
Home
Membership
Committees
Events & CLE
Publications
Section News
Initiatives & Awards
About Us
Contact Us
Volume 11, Number 6 ­ July/August 2002
Work Station or Purgatory?
Steps toward a company policy on e­mail and using the Related Article:
Net
Some Sample
By Kathleen M. Porter, David Wilson and Jacqueline
Provisions and Why to Use
Scheib
Them
By Wilson, Scheib &
Porter Electronic communication is like fire: It is immensely powerful, but can easily scorch
those who are careless. The very characteristics that make e­ communication
attractive to businesses also invite mischief, mistakes and risk. For example, according to a recent Accenture Research study, 80 percent of the
world's leading pharmaceutical manufacturers thought that Internet technologies
could shorten the time it takes to bring new drugs to market, while at the same
time reducing drug development and administration costs. However, as Eli Lilly and
Co. recently experienced, using e­mail is not without some risk. In June 2001, an Eli Lilly employee sent an e­mail to individuals who signed up to
receive electronic notices about the drug Prozac. The e­mail listed all of the
recipients' e­mail addresses in the "To:" line. In that instant, the employee
unintentionally disclosed to each recipient the e­mail addresses of all of the 669
other recipients. After the e­mail was sent, Eli Lilly immediately adopted corrective
measures, such as blocking outgoing e­mails to the group who signed up for notices,
if the e­mail was going to more than one recipient. However, those measures didn't stop the Federal Trade Commission from bringing a
complaint against the company, alleging that it failed to follow its own Web site
http://apps.americanbar.org/buslaw/blt/2002­07­08/porterwilson.html
1/5
2/5/2016
Business Law Today
privacy policy for safeguarding personally identifiable information. In early 2002,
while not admitting any liability, Eli Lilly entered into an FTC consent order, agreeing
to establish an "information security program" with training, security and auditing
components. In addition to potential government enforcement action, employers face liability for
misuse of e­communications by third parties and by employees. You may be
surprised to learn that in many situations an employer will be held liable for the acts
of its managers or supervisors. In some jurisdictions, managers and supervisors also
can be held individually liable for their own acts of discrimination or harassment. These principles are alarming when you consider the immediate and casual nature
of e­mail, and the potential for e­mails with allegedly discriminatory, defamatory or
harassing statements that can find their way around a company.
With proper tools, a company can leverage the time and often cost­saving benefits
of electronic communications, while shielding itself from the risks. This article
provides such tools to aid companies in managing workplace electronic
communications. How does an employer shield itself from liability for misuse of its electronic
communications? How can a company take action against an employee who
misuses its technology? In large part, the answers to these questions depend on
whether the company has adopted and institutionalized an appropriate program
designed to maximize its options while providing clear guidance, training and notice
to employees about what uses are appropriate.
Every company using modern technology should have a "comprehensive electronic
communications program." Such a program leads to better communication between
the company and its employees regarding professional and personal use of the
company's computer system. A program will empower managers who need to
discipline an employee for misuse of technology and educate employees on the
capabilities of the technology and the risks associated with its misuse. The program
should include:
a written policy governing the professional and personal use of the Internet and e­mail;
education of employees on proper use and the risks of misuse;
mechanisms designed to minimize the company's liability in connection with an employee's use of
technology; and
procedures to audit the implementation of the other parts of the program.
The heart of any comprehensive program governing the use of e­mail and the Net is
an "acceptable use policy." A successful policy will balance the needs of the company
and the expectations of the employees. When framing your policy, take into
consideration the culture and specific needs of your company. Don't let your use
policy contradict the tone and scope of existing corporate policies. If your company relies heavily on trade secrets to maintain its competitive edge, for
instance, your policy should address the implications of releasing trade secrets.
Employees privy to these secrets have the ability, through the Internet, to
disseminate this information around the world at the push of a button. These indiscretions are already occurring. In February 1999, Raytheon Co. sued 21
anonymous authors who posted arguably confidential information about Raytheon
to a computerized bulletin board. This suit led to the eventual resignation of at least
two Raytheon employees. In April 1999, a Massachusetts engineering and
construction firm, Stone & Webster Inc., brought a similar suit. Tailoring the policy
to your company's needs and culture will provide the company with a more effective
tool and the employees with a mechanism that they can relate to, appreciate and
follow. An acceptable­use policy must set clear and strict guidelines and must further the
business goals of the company, but it must also be reasonable. For example, it likely
would not be practical or efficient for an employer to ban all personal use of
company computer systems. Indeed, such a policy is likely to be counterproductive
in the same way that a blanket ban on all personal use of company telephones
would be counterproductive. A company might be better off permitting an employee to handle a personal
http://apps.americanbar.org/buslaw/blt/2002­07­08/porterwilson.html
2/5
2/5/2016
Business Law Today
obligation efficiently by e­mail rather than spend a much longer time out of the
office on errands or making multiple phone calls. A clear understanding of what is
appropriate will prevent misunderstandings. Dispelling misperceptions that an individual's use of e­mail and the Internet are
relatively anonymous and without any real repercussions is key to a successful use
policy. An extension of privacy claims to e­mail could have widespread impact,
because even today a number of American businesses monitor employee e­mail
without telling their employees. Recent court cases have granted employers wide
latitude in reviewing e­mail, but the law in this area is in considerable flux.
Caution, though, is required. This lesson was learned by the president of one
Massachusetts company, who heard that an employee was "spending a lot of time
using the e­mail system" and decided to find out for himself. The employer used his
supervisory password to gain access to backup tapes of employee e­mail, and spent
eight hours reading the messages. He learned that employees discussed details of
his extramarital affair and referred to him by nicknames, no doubt unflattering. The
employer terminated two employees for what he claimed was excessive use of e­
mail. The employees responded with a lawsuit alleging invasion of privacy, among other
grievances. The court refused to dismiss the employees' claim of invasion of privacy,
apparently believing that each employee had an expectation of privacy created by
the passwords used to gain entry to the e­ mail system and by the fact that they
were never told that the files were saved on a backup tape to which their boss had
access. Other cases have gone the other way. In Pennsylvania, an employee who sent an e­
mail to his supervisor that contained threats to management and referred to the
planned holiday party as the "Jim Jones KoolAid affair" was terminated when
management intercepted his e­mail. The employee challenged his termination on
the ground that he had an expectation of privacy with respect to his e­mail. He cited
a company policy that assured employees that e­mail messages were confidential
and that the employer would not intercept or use them against employees for
termination or reprimand. The court decided that there was no expectation of
privacy where the employee had voluntarily sent the e­mail to his supervisor. In another case, a California appeals court rejected claims by two employees whose
e­mail was scrutinized after one e­mail message, chosen at random for an e­mail
training session, turned out to be of a personal and sexual nature. In that case, the
court found that the employees had no expectation of privacy because their
employer had instructed them not to use e­mail for personal messages and because
they had learned, prior to sending the offending messages, that people other than
the addressees sometimes read company e­mail. Even judges are uncertain. On May 24, 2001, a group of California federal judges
ordered their technical staff to disable the monitoring software on all computers in
the Ninth Circuit, the largest of the nation's 12 regional circuits, covering nine
Western states and two territories. The conflict results from the judges' concerns
about the legality of monitoring Internet usage, particularly when employment
policies are unclear. It should be noted that this article focuses on the current and emerging law in the
United States with regard to managing employees' use of the Internet and e­mail,
and that other countries have a very different view of employee privacy rights. The
most prominent example of this is a recent decision by France's highest court, in
which the court held that Nikon France SA improperly fired its employee for using
his workplace computer during work hours to send e­mails marked "personal." The court based its ruling on the right to privacy found in Article 8 of the European
Convention on Human Rights. In its decision, the court reversed an appellate court
ruling, which affirmed the trial court's decision, which had both recognized a
company's right to prohibit personal use of company­ issued equipment. The Nikon decision highlights the need for a company with employees or activities
outside the United States to consider the laws and practices of the relevant
countries before implementing a comprehensive monitoring program. Some global
companies, Schlumberger Limited among them, are exploring the development of
"model Internet monitoring procedures" as part of their comprehensive program.
The goal is that a company — as evidence of its good faith and reasonableness —
would use the to­be­developed model procedures if or when it is forced to defend the
company's monitoring of an employee's activities. http://apps.americanbar.org/buslaw/blt/2002­07­08/porterwilson.html
3/5
2/5/2016
Business Law Today
In addition to the acceptable­use policy, there are several other components of a
comprehensive program. The first is periodic employee education and refresher
training to teach and reinforce proper use and the risks of misuse of the Internet
and e­mail. Education is particularly critical given that better informed and trained
employees make better decisions. The education records also enable a company to
demonstrate its good­faith reasonable efforts to educate employees and protect
confidential information and intellectual property. Training will also continue to dispel incorrect perceptions about the anonymity of e­
mail and Internet use. In addition to formal education, many companies issue
periodic reminders on key points, such as the discoverable nature of e­mail and the
frequent need to clean out folders containing e­ mail.
Another component of a program is understanding and employing mechanisms that
can affect the company's liability in connection with an employee's use of
technology. One example is the company's policy of backing­up e­mails and other
documents on tapes for security and continuity purposes. In the Linnen v. A.H. Robins Co. case, the plaintiff, who alleged harm caused by the
diet drugs fenfluramine and phentermine, demanded to see relevant documents in
the possession of defendant Wyeth­Ayerst Laboratories. The plaintiff defined
"document" to include information stored on paper, computer, film, tape and other
media. Wyeth's practice was to store computer backup tapes for three months and then
reuse, or recycle, the old tapes, erasing data that had been stored on them. Wyeth
delayed in disclosing the existence of the backup tapes, and then conceded that it
had continued to recycle the tapes — erasing data on them — even after the
plaintiff had asked for access to them. The court in Linnen found that the late disclosure of the tapes was "uncooperative,
be it unintended or willful," and ordered Wyeth to pay all the plaintiffs' fees and
costs in seeking that data. The court found that the erasure of backup tapes was
"inexcusable," and allowed the jury to infer at trial that Wyeth erased the backup
tapes because they contained unfavorable information. Expect that any litigation
involving a company will include demands to see not only active e­mail messages,
but also copies of relevant messages stored on backup tapes.
Other mechanisms include available technology tools designed to protect privacy and
to minimize errors and misuse, such as passwords, blocking or restricting access to
sensitive information, restricting ability to send multiple­recipient e­mails and the
like. Software that allows the employer to block employee access to Web sites
unrelated to work or likely to contain inappropriate materials may be helpful. Also,
many companies use software that captures incoming e­mail that may contain
materials that are inappropriate or likely to harm the security of the company's
systems because of the amount of data or its capacity to contain a virus.
Procedures to audit the implementation of the other components of the program are
also important. Companies should audit the observance of the use policy, to make
sure that actual monitoring occurs, and also that it conforms to the policy language,
is nondiscriminatory and is uniformly administered. In addition, the audit will gauge
the correlation between the training measures and compliance with the policy. Perhaps most important, companies should instill a sense of ambassadorship in
employees by reminding them that they represent a company with high standards
that places a strong emphasis on professional behavior.
All three authors are with Robinson and Cole LLP. Wilson and Porter are partners in
the Boston office and Scheib is an associate in the Hartford, Conn., office. Wilson's e­
mail is [email protected]; Scheib's is [email protected] and Porter's is [email protected].
Back to Top
FOR THE PUBLIC
RESOURCES FOR
ABA­Approved Law Schools
Bar Associations
http://apps.americanbar.org/buslaw/blt/2002­07­08/porterwilson.html
Non­US Lawyers
STAY CONNECTED
Twitter
4/5
2/5/2016
Business Law Today
Law School Accreditation
Public Education
Government and Public
Sector Lawyers
Judges
Public Resources
Law Students
Public Interest Lawyers
Facebook
Senior Lawyers
LinkedIn
Solo and Small Firms
ABA Career Center
Young Lawyers
Contact Us Online
Military Lawyers
Terms of Use
Reserved
| Code of Conduct
| Privacy Policy
| Your California Privacy Rights | http://apps.americanbar.org/buslaw/blt/2002­07­08/porterwilson.html
Copyright & IP Policy
| Advertising & Sponsorship | ABA
| © 2015 ABA, All Rights
5/5
2/5/2016
Business Law Today
Advertisement
Follow ABA
myABA | Log In
JOIN THE ABA
SHOP ABA
CALENDAR
Membership
ABA Groups
Diversity
Advocacy
Resources for Lawyers
MEMBER DIRECTORY
Publishing
CLE
Career Center
News
About Us
Home
Membership
Committees
Events & CLE
Publications
Section News
Initiatives & Awards
About Us
Contact Us
Volume 11, Number 6 ­ July/August 2002
Some Sample Provisions and Why to Use Them
Related Article:
Work Station or
Purgatory?
By Porter, Wilson &
Scheib Business reasons for a policy — State the business reason for adopting a policy,
which may include the need for protecting trade secrets, maintaining the
integrity and security of the company's computer system, protecting sensitive
customer information, protecting the employer from liability to third parties,
protecting the integrity and reputation of the company and its line of business,
and ensuring optimal employee productivity. These needs establish the
reasonableness of the policy and its scope, and demonstrate that the policy is
not unnecessarily intrusive.
Dispel expectations of privacy — State that e­mail, Internet and computer
usage will be monitored. State that monitoring "will" occur, as opposed to
monitoring "may" occur. State that the employer "reserves the right" to
monitor. Spell out exactly what monitoring activities will be. Many states have
laws prohibiting e­mail or computer­use monitoring without notice to the
employee of such monitoring. Even in those states without such monitoring
laws, courts have regularly allowed invasion of privacy claims for telephone
eavesdropping, communications recordings and the intercepting of employee
private mail. A company that never tells employees that monitoring will occur
may run into legal problems if it starts to monitor.
http://apps.americanbar.org/buslaw/blt/2002­07­08/wilsonscheib.html
1/3
2/5/2016
Business Law Today
Consent — Have employees sign an acknowledgement form with the policy
attached or require every user to accept the terms of the policy each time (or
periodically) that he or she logs onto the company's network as evidence of
consent to the policy and monitoring. Documenting consent to the policy will
combat the employee's later claim that he or she was unaware of it.
Prohibit inappropriate, sexually explicit or offensive material and language —
Computer screens can create liability for the employer if they are used to depict
sexually explicit images or materials that offend persons in the workplace.
Informal, inappropriate e­mails between co­workers can often be embarrassing,
if not damaging, for a company. Merrill Lynch recently discovered that when
internal employee e­mails negatively describing the value of certain dot­com
businesses that they or other company analysts were simultaneously promoting
were made public.
Deter defamatory language — Prohibit the use of defamatory language, the
ability to enter chat rooms and limitations on the use of the Web for other than
business purposes. Provide clear guidelines on how to describe and use
competitors' trade and service marks, products and services in communications
without engaging in trade libel. These measures will deter employees from going
onto Web sites, bulletin boards and chat rooms to voice criticisms of executives
or their employers.
Prohibit solicitations, ads or promotions — The distribution of solicitations wastes
employee time and often puts pressure on employees. More critically, an
employer who permits such distributions may find that it is compelled to permit
employees to use e­mail to distribute union literature and notices or other
materials that could be harmful to the interests of the employer. In one
example, the National Labor Relations Board found that E.I. du Pont engaged in
discriminatory conduct when it put its e­mail system off limits to a union, yet
allowed the e­mail system to be used to distribute information on such subjects
as drugs, the IRS, religion and TV programs.
Avoid intellectual property infringement, misappropriation and hyper­linking —
State that all employees should comply with software and other intellectual
property licenses and all copyright and trademark laws. The average employee is
often unaware that downloading a screensaver, copying software, forwarding an
e­mail or downloading music can all trigger copyright infringement claims under
certain circumstances.
Protection of confidential information — Reference the confidentiality
agreements already in place between an employer and key employees.
Additionally, explicitly restrict the release of confidential information about the
company and its clients/customers. Remind employees about the widespread
forwarding of e­mail to help keep employees more cautious about what they say
and how they say it.
Ban unapproved encryption devices — Specify that the employer must approve
encryption devices. This ensures that the employer will be able to access and
monitor equipment and content. This protects against the misuse of
information, or loss of information if the employee leaves the company.
Spell out disciplinary action — State the sanctions that will be imposed for
violations of the policy. Punishment should range from a warning, to suspension
of Internet and e­mail privileges, to counseling, to demotion, and finally to
termination. This flexibility will ensure that the "punishment fits the crime."
Enforcing these sanctions consistently and promptly will help defend against a
claim of unfair treatment.
Provide a clear method for reporting violations — Specify a confidential means
by which an employee can inform management of possible violations of the
policy. Designate more than one person who may be told of violations, to ensure
that no one person is untouchable and that employees will have a choice and
may report to the person with whom they feel most comfortable. The persons
designated to receive reports should have an explicit duty to investigate each
reported violation.
— David B. Wilson, Jacqueline P. Scheib and Kathleen M. Porter
Back to Top
http://apps.americanbar.org/buslaw/blt/2002­07­08/wilsonscheib.html
2/3
2/5/2016
Business Law Today
FOR THE PUBLIC
RESOURCES FOR
ABA­Approved Law Schools
Bar Associations
Law School Accreditation
Government and Public
Sector Lawyers
Public Education
Public Resources
STAY CONNECTED
Non­US Lawyers
Twitter
Public Interest Lawyers
Facebook
Senior Lawyers
Judges
Solo and Small Firms
Law Students
Young Lawyers
LinkedIn
ABA Career Center
Contact Us Online
Military Lawyers
Terms of Use
Reserved
| Code of Conduct
| Privacy Policy
| Your California Privacy Rights | http://apps.americanbar.org/buslaw/blt/2002­07­08/wilsonscheib.html
Copyright & IP Policy
| Advertising & Sponsorship | ABA
| © 2015 ABA, All Rights
3/3