Rupert Kendrick outlines key e-mail risks and some...

Rupert Kendrick outlines key e-mail risks and some basic strategies for avoiding them

E-mail presents excellent opportunities for developing more efficient and profitable business procedures. It also poses a number of risks which can damage companies' reputations and, in extreme cases, may even result in business failure. There are four key essentials for an e-mail communication.

  • Only the intended recipient must read it.
  • There must be no opportunity to interfere with its content.
  • The recipient must be certain who sent it.
  • The recipient must be able to prove it originated from the actual sender.The risks
    virus: One of the most serious threats to data is that of infiltration by a computer virus - and, most frequently, viruses are transmitted by e-mail. Infection takes place in various ways, for instance by running an infected programme or opening an infected file, most commonly an e-mail attachment.data: E-mail enables information to be transferred easily, and makes personal data easy to distribute, transfer, retain and store. Data can be lost, distorted or transferred accidentally These risks might result in exposure to both civil and criminal proceedings.confidentiality: A number of situations arise where confidentiality is put at risk through the use of e-mail. Employees present particular risks. E-mail may be sent to the incorrect recipient, or be accidentally and erroneously copied. Breach of confidentiality may expose an organisation to civil proceedings or professional disciplinary sanctions. advice: Increasingly, employees will be providing advice and information by e-mail. The speed and informality of e-mail can lead to the risk of advice being provided without adequate thought. This can expose an organisation to actions for negligence.contracts: The speed and informality of e-mail facilitates the inadvertent formation of contractual relations. If an employee has apparent authority to conclude a contract, the employer will be liable for the contractual obligations that arise, irrespective of whether the employee had actual authority. defamation: Defamation is an untrue statement which is published to a third party and damages the reputation of a person, persons or corporate entity. Defamation applies to e-mail in the same way as to any other communication. Liability can be incurred by publishers of an e-mail, so a company might attract liability for statements made by employees, acting in, or ostensibly within, the scope of their employment.pornography: It is an offence to send an offensive, indecent or obscene message by means of a public telecommunications system, which includes e-mail and any attachment. harassment: Harassment is conduct which the victim finds unacceptable, unreasonable or offensive and includes direct harassment by e-mail. The most obvious source of offending is likely to arise through the careless or irresponsible use of e-mail, which lends itself to the use of inappropriate and improper language and expression. monitoring: In certain circumstances, employers can monitor employees' use of e-mail. While they may have the right to monitor the use of e-mail in the workplace, there are limited grounds upon which they are entitled to do so. Taking action outside the exemptions contained in the legislation will expose the employer to the risk of criminal prosecution.IT solutions
    Encryption can be used to secure confidential e-mail. This disguises the message sufficiently to hide the content. A numerical key is created that scrambles data in such a way that it can only be deciphered by someone with a corresponding key. Symmetric encryption involves sender and recipient using the same key, both to encrypt and to decrypt. Asymmetric encryption involves a connected set of numbers. One key (the first set of numbers) is made public. The other key (the second set of numbers) remains private. The public key can be distributed. The private key must remain private. Only a specific (related) private key will decrypt (or unlock) a message encrypted with a particular public key. Privacy is maintained, as only the recipient can open the message with the private key. Integrity is also preserved. The message cannot have been tampered with because only the recipient can open it. The name given to the framework supporting the creation and administration of public key encryption is called Public Key Infrastructure (PKI).Digital signatures bind an individual's identity to an electronic record. As only one person creates a digital signature it provides confirmation of identity; and it can be easily stored and generatedThe Electronic Communications Act 2000 and Electronic Signatures Regulations 2001, which implement the Electronic Signatures Directive(1999/93/EC) in the UK, aim to ensure that electronic signatures are accorded legal admissibility on certain grounds and to establish benchmarks for signature creation devices and certificates used to support such signatures. Legal solutions
    data protection act: The Data Protection Act 1998 came into force on 1 March 2000. The Information Commissioner administers data protection compliance (www.dataprotection.gov.uk). Data includes data (which may be included in an e-mail) relating to an individual who may be identifiable from that data, or from that data and any other data that might be in the possession of, or likely to come into the possession of the data controller.In broad terms, the Act states that personal data shall be:
  • obtained and processed fairly and lawfully with the consent of the individual
  • obtained and held for one or more specified or lawful purposes
  • adequate, relevant and not excessive
  • accurate and up to date
  • held no longer than is necessary for the stated purpose(s)
  • processed in accordance with the rights of the data subject under the Act
  • subject to proper security measures
  • not transferred outside the European Economic Area unless the recipient country's protective measures comply with the EU Data Protection Directive.The development of global and international business makes it increasingly likely that data will be transferred abroad through the use of e-mail. Under Principle Eight, there is a restriction upon the transfer of data to any country outside the European Economic Area. Until recently, the US was included among these. Negotiations have now resulted in the Safe Harbor Principles, under which data may be transferred to an organisation in the US. defamation act 1996: Defamation can easily arise from the casual use of e-mail, and may therefore expose the employer to action. Even if an employer attempts to avoid liability by showing that the employee concerned was acting on his own, he may be caught by the provision that a publisher and editor may be liable for defamatory material. However, the Defamation Act 1996 may provide a defence in internet cases. In broad terms, the defence is available where it can be shown that the defendant is not an author, editor or publisher, but:
  • operator only of equipment or services that disseminate the libel and not the author, editor or publisher of the defamatory material
  • an operator who has no effective control over the disseminator (factors to be considered will be the extent of the operator's responsibility for publishing, the nature and circumstances of the publication, and the previous conduct or character of the author)
  • that the defendant took reasonable care
  • that the defendant has no reason to believe that he had caused or contributed to publication.Organisations whose employees send or post defamatory material over the internet are likely to be 'publishers' and may therefore have difficulty raising this defence. Evidence that an employer took reasonable care might include some provision regarding such conduct in an e-mail use policy.Two recent cases highlight the difficulties in this area. In Western Provident Association v Norwich Union Assurance Co (1997), the defendant settled the complainant's claim in the sum of £450,000 for an allegation in a defamatory e-mail suggesting that the complainant was in financial difficulties. An interesting feature was that the internal e-mail of the defendant company was subject to discovery.In Godfrey v Demon Internet (1999), the complainant successfully sued the defendant, an internet service provider (ISP), for failing to remove defamatory comments about the complainant posted on a bulletin board by another party. The 'internet defence' was not available to the ISP, which was considered to have had power to remove the offending material, and therefore control over its dissemination.telecommunications act 1984 It is an offence under this Act for any person or corporate body to send a message that is grossly offensive, indecent or obscene by means of a telecommunications system. There seems no reason why this should not apply to e-mail but there have been no decided cases on the subject so far.sex discrimination act 1975 Sexual harassment includes sending e-mail of an unacceptable nature, or with explicit references to an individual. By section 41 (1): 'anything done by a person in the course of his employment shall be treated for the purpose of this Act as done by his employer as well as by him, whether or not it was done with the employer's knowledge or approval.' It is a defence to show that reasonable steps were actively taken to prevent the harassment. Evidence may be demonstrated by its inclusion in any e-mail use policy implemented by the employer.race relations act 1976 Racially discriminatory behaviour is governed by similar provisions to those in the Sex Discrimination Act 1975. Liability can rest upon an employer when it can be shown that the situation was sufficiently within his control.regulation of investigatory powers act 2000 Employee e-mail activity can be monitored. This Act controls the monitoring of encrypted messages and came into effect on 24 October 2000. It has a number of implications for the use of secure e-mail communications.
  • Unauthorised interception of communications on a public telecommunications system is a criminal offence.
  • Operators of a private telecommunications system who carry out interception of any communication on a business's own system can be liable in tort and may be the subject of civil proceedings.
  • Where the interceptor has reasonable grounds to believe that both the sender and recipient have consented to the interception, the Act permits the interception of communications.
  • The Secretary of State has power to make regulations authorising businesses to intercept communications on their own systems without consent for certain purposes.the telecommunications (lawful business practice) (interception of communications) regulations 2000 These Regulations came into force on 24 October 2000.
    They govern an employer's right to monitor employee behaviour. In broad terms, the regulations permit the monitoring of (e-mail) communications to:
  • establish factual evidence
  • monitor compliance with office practice and protocol
  • monitor service and training compliance
  • safeguard national security
  • detect or prevent crime (for example fraud)
  • detect or prevent misuse or unauthorised use of telecommunications systems - for example, e-mail
  • maintain the safe and secure operation of the system
  • maintain voluntary and charitable helplines.The regulations state that monitoring is authorised inter alia only if there have been 'all reasonable efforts to inform every person who may use the telecommunications system in question that communications transmitted by means thereof may be intercepted'. Communications must take place in, and on a system provided for, the course of business, so monitoring of private e-mail is not permitted. If an employer decides to permit and monitor personal use, consent must be obtained.human rights act 1998 This Act came into force on 2 October 2000, and incorporates the European Convention on Human Rights. Article 8 of the Convention conveys a right to privacy, which includes correspondence. Arguably, this includes correspondence (and therefore e-mail) in the workplace. In Halford v United Kingdom (1997) IRLR 471, the European Court of Human Rights found that interception of the claimant's calls (to her lawyer) from the office was a breach of her rights under Article 8.the information commissioner's draft code of practice -the use of personal data in employer/employee relationships
    is designed to promote best practice in the handling of personal data. Responses to the consultation paper are now being considered with a view to publication of a final Code this year.The draft suggests that monitoring must be lawful and proportionate to the employer's risk, with minimum intrusion, and supported by a published policy. As yet, there is no definitive solution. The following steps are suggested:
  • put any policy or protocol in writing and communicate it to all staff
  • clearly state the rights and obligations in respect of use of e-mail
  • specifically state prohibited uses and applications
  • clearly define any steps to be taken to monitor staff
  • clearly state any privacy rules to be observed
  • specify any disciplinary sanctions for failing to comply with the established policy or protocol.ec directive on privacy and electronic communications This Directive is to be implemented by all member states by 30 October 2003. Save for excepted circumstances, it requires that unsolicited e-mail ('spam') shall be sent only to organisations which have opted to receive it.Management solutions
    A sensible organisation will put in place an e-mail policy which clearly sets out its approach on the use of e-mail. This should contain guidance on business and personal use, e-mail security and the legal implications.A final word of warning - the practice has recently developed of attaching notices to e-mails referring to the condition(s) under which the e-mail has been sent. E-mail notices do not warrant their legal validity. This is ultimately a matter of interpretation by the courts, and there may well be instances in which they are found not to be binding. Most notices of this type are subject to the test of reasonableness.Rupert Kendrick is a solicitor and author of Managing Cyber-Risks (Law Society Publishing, June 2002), E-mail: RupertKendrick@aol.com POLICY CHECKLIST
    Your company's e-mail policy should contain guidance on the following.Business use

  • breaches of confidentiality
  • negligent misstatement
  • unsupervised conclusion of online contracts
  • accepting instructions by e-mail
  • stating the sender's identity and position in the organisation
  • undertakings given by e-mail
  • the preferred style and content of e-mail communications
  • forwarding e-mails
  • checking e-mail in the recipient's absence
  • offensive, obscene, harassing, threatening or defamatory e-mail content including attachments
  • the despatch of unsolicited e-mail
  • unauthorised participation in discussion groups
  • interfering with others' e-mail without permission

    Personal use

  • acceptable personal use
  • prohibited personal use
  • use amounting to commission of a criminal offence
  • use causing loss or damage to the business
  • use infringing the rights of other employees
  • use on a reasonable scale
  • use for personal financial gain

    Security

  • the measures to ensure e-mail is secure from interference or corruption
  • use of encryption procedures and digital signatures
  • consulting recipients and reviewing encryption requirements
  • virus defence
  • scanning incoming e-mail
  • opening attached documents from unfamiliar sources
  • e-mail storage
  • ensuring that stored e-mails are secure from unauthorised access
  • ensuring e-mail is stored for an appropriate length of time
  • ensuring that data subjects have access to any information to which they might be entitled under the Data Protection Act 1998

    Legal implications

  • the admissibility of e-mail in evidence
  • the admissibility of computer records in legal proceedings
  • compliance with business or professional codes

    INCREASE IN E-MAIL BULLYING
    One-sixth of all staff are bullied by e-mail, according to recent research. Surprisingly, it is senior workers who are suffering the most; 28% of directors reported e-mail bullying compared to 15% of secretaries. Only 4% of workers admitted to being e-mail bullies themselves.

    The survey, published by internet job site reed. co.uk and polling 3,400 staff, also found regional variations. In the South West, one in five (21%) had been bullied by e-mail, compared to one in eight (12%) in East Anglia. Of those surveyed, 45% considered that e-mail bullying has increased over the past three years. ( www.reed.co.uk/surveys.asp )

    • Topics