Mid-Atlantic Health Law TOPICS
Adoption of a Formal Email Policy
It is undeniable that email has revolutionized modern business. Organizations have ceased filling their files with paper correspondence, and now conduct most of their business via email. While there is no escape from using this effective business tool, the ease, speed, and casual way in which people approach email can expose organizations to legal liability.
Anything sent from an organization's email address is effectively written on the organization's electronic letterhead. Thus, any message, quote, or text contained in a corporate email can arguably be legally binding on the organization.
For example, an investigation conducted by the Attorney General of New York discovered that analysts of Merrill Lynch derided certain stocks in internal emails, but promoted those same stocks to private customers. These emails described shares that were given a "buy" recommendation as "pieces of junk." Merrill Lynch was subsequently fined $100 million and was subject to an SEC complaint.
In addition, unlike written communication, employees tend to treat emails as an instant and innocuous means of communication, without regard to the content or substance of the message. This can result in messages containing sexist, racist or defamatory remarks, or pornographic material. These types of emails expose organizations to a variety of workplace lawsuits.
For example, in 1995, Chevron paid $2.2 million to settle a lawsuit in which four female employees claimed they were sexually harassed with email jokes. One of the offensive emails contained a "joke" titled "25 reasons why beer is better than women."
According to research performed by Peapod, an internet and security firm, an average of 55% of all emails that flow through an organization serve no business purpose. Thus, a majority of emails that are sent and received on a daily basis in the workplace are personal. This increases the potential for inappropriate use of email, and gives rise to the need for organizations to adopt a formal email policy. Such policies should address the following matters.
A. Prohibited Acts
Because of the potential for misuse, the policy should inform employees of the legal risks associated with email. Employees who are aware of these risks are more likely to follow the organization's rules and guidelines, and to protect the organization from potential liability by following those rules. In this regard, the policy should expressly prohibit users from engaging in the following conduct:
1. Sending or forwarding emails containing defamatory, offensive, racist, sexually explicit, or obscene remarks, images, or video;
2. Forwarding confidential or proprietary business information to unauthorized third-parties;
3. Forging or attempting to forge email messages or disguising or attempting to disguise the sender of the email;
4. Sending unsolicited email messages or chain mail; and
5. Sending an email that the user knows contains a virus.
B. Duty of Care
The policy should also counsel employees about email etiquette. Employees should exercise the same due care in preparing an email as they would in drafting a letter or any other written form of communication. At a minimum, this means:
1. Using proper spelling, punctuation, and grammar;
2. Proof reading and editing the email before sending it;
3. Not copying a message or attachment without permission;
4. Only sending emails containing content that is appropriate for posting on a public bulletin board;
5. Adding appropriate disclaimers.
C. Personal Usage
Depending on how risk averse an organization is, the organization may choose either to prohibit all personal email usage or to limit such usage. With that said, it is unrealistic for an organization to expect full compliance with a policy that prohibits use of the organization's email system for anything other than business purposes. A common and more realistic approach is to explain in the policy that, while the organization's email system is meant for business purposes only, employees are permitted to use email for non-work related matters so long as the usage is reasonable and does not interfere with work.
D. Privacy/Monitoring
The case law is relatively clear that employees enjoy no expectation of privacy for data stored on an employer's computer so long as the employer has warned the employee beforehand. For this reason and to avoid confusion on the issue, the policy should specify that employees have no right of privacy in anything they create, generate, receive, transmit or save on the organization's computer system. This also allows the organization to monitor and to examine an employee's email account at any time and without notice.
E. Retention
An organization's email policy should also include a statement explaining the retention schedules of business and non-business related emails.
F. Dissemination
Once an organization has decided on an email policy, it should be reduced to writing and made available to all employees.