® InfoJur.ccj.ufsc.br

EMERGING ISSUES RELATING TO ELECTRONIC MAIL
Michael J. Patrick, Esq.
copyrite 1993
FENWICK & WEST
Palo Alto, CA @ Washington D.C. - Tysons Comer, VA
Two Palo Alto, Suite 800
Palo Alto, California
(415)494-0600
Telefax (415) 494-1417
Internet Address: mjp@fwpa.com

I. Introduction
A. E-mail represents a revolution, equivalent to saving every scrap of paper, voice mail and discussion in company records.
Imagine if every informal phone conversation, voice mail message, face-to-face discussion, and scrap of handwritten notes generated in your company was recorded, verbatim.
Imagine the volume of information saved and the odds that it contains all kinds of confidential, ill-considered, damaging comments that could expose the company to liability.
Now imagine that all of that information can effortlessly be reproduced and distributed to innumerable recipients both inside and outside the company.
And imagine that all of this information was to be subject to discovery in any litigation involving the company.
That scenario is here. It's called e-mail.
B. Background
1. E-mail issues increasingly prominent.
a) Retention of Information
Sun Microsystems securities action - Settlement of securities action brought by Milberg Weiss Specthrie & Lerach in which Sun reportedly agreed to new document retention policy to preserve e-mails.
Armstrong v. Executive Office - Executive branch ordered not to destroy e-mail records, which were held to be subject to the retention rules of the Federal Records Act.
Borland v. Symantec/People v. Wang & Eubanks - Alleged trade secrets misappropriation based on retained e-mails of departing employee.
Siemens v. Arco - Siemens brought $146 million lawsuit against Arco in connection with Siemens' 1990 purchase of Arco's solar energy subsidiary. Suit based, in part, on internal Arco employee e-mails allegedly avowing that Arco withheld critical information.
b) Privacy
July 1993 Macworld - Survey showing that 20%-30% of companies engage surveillance of employee computer and e-mail files.
Privacy for Consumers and Workers Act - introduced by Senator Simons to regulate and severely restrict employer surveillance.
Shoars v. Epson - wrongful termination claim brought by former e-mail administrator who was fired after complaining about fact that Epson was reading e-mail messages sent by its employees.
Class Action against Epson - On behalf of employees at Epson whose e-mail was read by the company claiming invasion of privacy
c) Security Repeated illegal break-ins by hackers through touch Internet force New York City on-line service ("Panix Public Access") to shut down for three days. Hackers found to have obtained passwords allowing them access to hundreds or thousands of computers linked to the internet system. (NY Times, l/l/93.)
d) Other Issues
Medphone v. Denegris - Corporation sues Prodigy user for defamation and securities fraud based on negative comments he made about the company on Prodigy's "Money Talk" electronic bulletin board.
Steve Jackson Games v. Secret Service - Damages awarded to electronic bulletin board provider and some of its users for illegal search and seizure by Secret Service.
2. Growth of e-mail use
a) Number of users: (Source: BYTE magazine (3/93) citing the market research firm The Yankee Group in Boston, Ma.)
(1) LAN based e-mail users in United States alone estimated to have grown 60% in 1992 from 5.9 to 9.4 Million
(2) Expected to grow another 60% in 1993 to 15.1 million users.
(3) Estimated that the number could rise to 38 million by 1995.
b) Number of messages: (Source: BYTE magazine (3/93) citing the Electronic Mail ASSN. in Arlington, Va.)
(1) E-mail messages transmitted within Fortune 2000 firms in North America (both LAN and public providers) estimated 6.1 billion in 1993.
(2) Estimated 14.3 billion in 1995
c) Interconnectivity between LANs and different e-mail systems expected to expand dramatically, allowing more and more e-mail users to communicate with each other, both inside and outside of their companies.
3. Inundation of e-mail users
a) The average e-mail user probably receives, sends or forwards at least 20 to 70 messages a day. A busy executive may have as many as a hundred messages pass through his/her PC in a day.
b) Indeed, the statistics on numbers of users and messages cited above suggest that the average user engages in over 400 e-mail transactions per day.
c) Inundation with e-mail messages is leading to development of special screening programs that attempt to screen out less important messages.
C. The adoption of e-mail as one of the principal means of internal (and increasingly external) communications presents a variety of unique and significant problems for the employer because of the three primary features:
1. Broadscale broadcasting
2. Perpetual retention and corporate loss of control of retention
3. Employee use for improper or personal purposes.
D. These features give rise to a host of legal concerns.
1. Preserving the confidentiality of company information;
2. Protecting the company from liability for receiving someone else's confidential information;
3. Protecting attorney-client communications between the company and its lawyers;
4. The impact of e-mail messages and their storage on litigations;
5. Protecting the company from liability for employees misuse of the e-mail system;
6. Employee privacy claims.
II. Protecting the company's confidential information
A. Introduction
1. E-mail is designed to make communicating quickly and to many people much easier. It has been wildly successful..
2. Confidential information is sent and stored all of the time on e-mail. It includes:
a) Technical information
b) Business planning
c) Marketing strategies
d) Competitive analyses
e) Release dates
f) Personnel information
g) Pricing or cost strategies
B. There are four primary features of e-mails broadscale broadcasting ability that make it a threat to the company-Is ability to protect the confidentiality of it's information.
Scope of addressees;
Easy to send message to wrong addressee;
Forwarding messages; and
Remote access.
1. Scope of Addressees A User Can Communicate With
a) Every user in the company can send messages to anyone else inside the company.
b) Every user can transmit messages instantaneously to whole distribution lists (some as long as 200 addressees).
c) E-mail gives many users access to addressees outside of the company.
d) Some distribution lists will include addressees outside the company.
e) Because of e-mail's capability to be sent by the push of a button to outsiders just as well as insiders , the lines between internal and external communications get blurred
f) Users develop long distribution lists and may not check each time to think whether a particular message, or part of what user is forwarding, really should go to everyone on that list.
g) Employees may lose sight of who is on their distribution lists.
2. Easy to Send Messages To Wrong Addressee
a) It is just as easy to send an e-mail to the wrong person as sending a fax to the wrong number or dialing the wrong phone number.
b) Example - An employee at Oracle used e-mail to "bare her feelings in a scathing message to her boyfriend, also an Oracle employee." She hit the wrong transmit key and sent the message intended for her boyfriend to everyone in the company. (1/14/91 Computerworld)
3. Forwarding Messages
a) E-mail lets users endlessly forward messages, with every person first appending their comment. Users find it easier to forward a message with their comment than to originate a new message that summarizes or just refers to the prior message.
b) Even if it is appropriate for everyone on a given list to see a certain message, the proliferation prospects are extraordinary.
4. Remote Access from outside
a) One of the most significant features of many e-mail systems is their ability to permit employees to access e-mail boxes remotely, via their home or laptop computers.
b) Hackers can access the company's whole computer network if it is connected to outside services. Illegal accessing of hundreds or thousands of computers over Internet via insertion of programs that cause system to disclose passwords has come to light showing that security of e-mail systems linked to Internet is easily defeated.
C. Another threat comes not from the broadcasting of information, but from the storage of e-mail messages
1. Access to messages stored on central (host) computer
a) In e-mail systems that are on a LAN, messages that have been sent but not yet retrieved are stored in the file server.
b) In some systems received messages that the recipient asks to save will also be saved on the file server.
c) They are usually stored in unencrypted plain text files. (However, cc:Mail encripts.)
d) These plain text files reveal the subsidence of the communication to:
(1) Third party service providers,
(2) Computer technicians,
(3) E-mail administrators, and,
(4) Electronic snoopers who can break into the system.
2. Most companies run backup procedures daily, weekly, monthly and annually and store the backup tapes in archives, some of which are not systematically purged.
3. Many users also store dozens to hundreds of e-mail messages on their personal hard cask.
4. Messages may also be stored on the systems of public e-mail providers to the company such as MCI, CompuServe, or Novell Inc.'s Nhub.
D. Reasonable efforts to reduce the risks of confidential information leaking out.
1. Security is necessary for the obvious reason that leaks may hurt the company and help competitors with regard to the specific information leaked.
2. A failure to make "reasonable efforts" to protect security of company information may damage the company's overall ability to pursue a trade secret claim at some later date over other information.
a) Under trade secret law, the company must make "reasonable efforts" to protect the security of company confidential information
b) Reasoning is, if the company hasn't made reasonable efforts to protect information in the past, the Court will be less inclined take company seriously when it claims:
(1) That the information in question truly is a valuable company secret.
(2) that is entitled to protection from the Court.
E. Special security problems with MIS personnel.
1. A serious threat to security can come from MIS personnel. They are the ones with the ability to access the entire system, review/delete files, change passwords, etc.
2. They have to be screened carefully before hiring and then given clear guidelines for their code of conduct at the company re system security, privacy, and confidentiality.
3. Security issues are presented most starkly when company has to terminate someone on MIS staff.
a) They know all of the system passwords
b) They have capability to access system remotely.
(1) Can copy/modify/damage/delete large quantities of data
(2) Can change system passwords to deny company access.
c) They may feel motivated to take revenge on company by attempting such acts.
4. Each change in passwords must be recorded by MIS personnel in a secure document that others know about
5. Before MIS employee is notified of termination company should:
a) Inventory projects he/she involved in and take steps to protect integrity and continuity of project, and
b) Consider changing passwords he/she knew.
III. Protecting the company from liability for receiving someone else's confidential information
A. Broadscale broadcasting problems run two ways.
1. Just as it threatens to let company information escape,
2. It also threatens to let third party confidential information come in, thus giving rise to a trade secret misappropriating claim by that third party.
B. If a company employee receives e-mail from an outsider that contains confidential information about a competitor, the company may be held liable for misappropriating that information.
C. The e-mail will probably be saved, thus putting a time bomb into corporate files that the company not learn about until litigation is brought.
IV. Loss of Attorney-Client Privilege
A. Elements of Attorney-Client Privileged Communications:
1. Communication;
2. Between client and attorney, where attorney acting in that capacity;
3. For purpose of seeking legal advice;
4. Communication related to advice sought, or the advice itself;
5. In confidence;
6. Privilege has not been waived.
B. Communications between counsel and non-"control group" employees
Communications between employees of company and company counsel may be privileged even where employee is not part of the management group. Factors court looked to include:
1. Communication made to council acting as such in order to secure legal advice for company;
2 . Communication made by employee at the direction of corporate superiors;
3. Communication concerned matters within the scope of the employee's corporate duties;
4. Employees were aware that they were being questioned in order that the company could obtain legal advice;
5. The company treated the communications from the employees as confidential.
(Upjohn v. United States, 449 U.S. 383 (1981))
C. Broadscale broadcasting is a threat to the protection of the attorney-client privilege.
If any elements required for privilege are eliminated in course of e-mail transmission and forwarding, privilege is lost.
Example - Attorney-client privileged communication on e-mail could start with in-house or outside counsel communicating with in-house or outside counsel communicating with someone in company on e-mail on confidential basis for purpose of rendering legal advise. Message clearly labeled "Attorney-client communication".
>Then, message is forwarded to person who doesn't need to know, or for purposes other than assisting counsel in rendering legal advice, destroying confidentiality.
V. The impact of e-mail messages and their storage on litigations
A. Introduction
1. Users generally treat e-mail as an informal communication medium, just like a phone conversation, based on the incorrect assumptions that (1) their communications are private; (2) their communications will not be saved, (3) their communications will never be seen by outsiders, or others who were not addressees of original message.
2. Users frequently send messages that, later on, can be taken out of context, or engage in "flaming" (i.e., sending rude, angry, highly opinionated, or ill considered messages) and say things that they would not say to another person's face, nor say in a formal memorandum. E-mail engenders some of the same behavior that automobiles do - users and drivers do and say things on e-mail and in cars that they would never do face-to-face.
a) Example - Los Angeles Police Department officer Lawrence Powell sent internal e-mail message "Oops, I haven't beaten anyone so bad in a long time." (Boston Globe, 3/20/93.)
b) Example - "Deleted" e-mail from company president to head of personnel department re female employee that company had claimed was good performer who was laid off only for financial reasons - "Get rid of that tight-assed bitch (Hemispheres, 6/93)
c) Example - Six employees of William Morris talent agency were fired after their "flaming" e-mail comments about their bosses were accidentally sent to an administrator at the company. (Boston Globe, 3/20/93.)
d) Example - Arco employee sent e-mail message two weeks before Arco's solar products subsidiary was sold to Siemens saying we will attempt to finesse past Siemens the fact that we have had a great amount of trouble in successfully transitioning technology from the laboratory to the manufacturing floor. (Computerworld 3/29/93.)
3. Users forget that, depending on their system and document retention policies, every single one of these e-mails may be preserved.
a) All its takes is for one of the recipients to save it,
b) or for the e-mail to have been saved in a system backup.
4. Some users don't delete their messages regularly.
5. An average user of e-mail may end un with several hundred messages stored on his/her hard disk. (For a company with a thousand employees, that quickly gets the company up to 100,000 - 200,000 saved messages.)
6. if a litigation is initiated, the company finds that it has a huge body of casual conversation preserved, some of which may be misconstrued.
B. What happens in a litigation?
1. Opposing counsel asks for all documents, including all magnetically stored information.
a) Counsel today (and increasingly courts) know that most of the damaging information they will find is in e-mail.
b) They know that many employees speak far more casually in e-mail than elsewhere.
c) Counsel's advice not to discuss the litigation must be understood to mean that e-mails about the litigation should not be exchanged without counsel's instructions and participation.
2. Example of how document production in company using e-mail can impose significant burdens
a) The E-mail system and document retention
(1) Internal - cc:Mail
(a) Assume a company with a small to mid-size e-mail system. cc:Mail with about 1,500 users spread across a number of separate offices, some of which are abroad.
(b) Each office is a separate LAN ("node"), with separate cc:Mail running on its server. Designated users can communicate across nodes.
(c) Two places where messages are saved
i) All messages are automatically saved on the server for the node where the sender and recipient is. If message is sent across nodes, it will be saved on all servers involved.
ii) Sender(s) or recipient(s) also have option to save the message onto their PC hard disks.
These messages can be saved indefinitely and can accumulate to the storage limits of the hard disk or backup disks/tapes.
(d) How many messages are saved
i) On the servers alone, expect that the average number of messages saved by each of the 1,500 users ranges from 200 to 1,000.
ii) Number of Messages saved onto hard disks impossible to calculate. However, many users have hundreds of saved messages on their hard disk at any given time, often spread among many separate files.
(2) External - MCI mail
(a) Company also has many users who have access to MCI mail.
(b) Two places where MCI mail is saved.
i) On MCI mail's servers. MCI claims that messages are saved on server for five days from date of receipts
ii) sender or recipients also have option to save the message onto their PC hard disks.
b) Ensuring that messages are not destroyed once litigation begins
(1) First duty of counsel when litigation begins (or litigation is anticipated) is to ensure that no potentially relevant e-mail messages are destroyed.
Company should seek to preserve records that it knows or reasonably should know are revellent to the litigation, (or potential litigation) or that are reasonably likely to lead to discovery of admissible evidence.
Mere fact that records are destroyed pursuant to regular and reasonable document retention policy put in place before litigation was anticipated does not necessarily excuse their destruction once company is on notice. Reasonableness of company's actions will be weighed by court in determining whether sanctions. should be applied for destruction of records.
Penalties for destruction of evidence include:
i) Criminal spoliation charges,
ii) issue preclusion, and
iii) judgment
(2) Company may have to instruct all employees (or at least those who might have relevant messages) not to delete any saved e-mail messages.
(a) This ties up hard disk space.
(b) One solution is to backup all of their saved e-mail messages to tape backup to be preserved by the company
(3) Company may have to stop deleting messages automatically saved on the servers (at least until it identifies those potentially relevant to litigation).
(a) All messages previously saved must be kept
(b) All new messages (if they might relate to litigation at issue) must be saved.
(c) Weekly tape backups solve storage limitation problems but create expensive discovery problems.
c) Carrying out document searches
Note: Privacy issues may be significant there unless company has employee consent to search or has already addressed employee expectations of privacy.
(1) Searching Servers
(a) Accessing the contents of servers
Servers located abroad may be subject to laws that limit the company's right to run searches.
(b) Saved messages must be transferred to a PC that counsel can use to run searches (expect hundreds of megabytes)
(c) Running searches
i) On cc:Mail, searches can only be run one "mailbox" (i.e., user) at a time. We have 1,500 mailboxes in our example.
ii) Within a mailbox, cc:Mail permits only simple searches for strings of letters of either title of e-mail or full text.
(1) No mass searching capability. Can only search for one word, part of a word, at a time.
(2) Cannot limit searches by date field, author or recipient.
iv) Run searches
One search, per key term, per mailbox. Even running a 486 based PC, cc:Mail search capability takes about two minutes to search 200 documents in full text for one key term.
(d) Attorney time spent searching
i) Company can safely assume hundreds of hours of search time and document review time by junior associates and paralegals.
ii) Junior associates typically cost a hundred dollars/hour. Paralegals roughly half that.
(2) Searching individual hard disks
(a) In addition to searching servers a complete search may also require a search of individual hard disks.
(b) Searching hard disks
i) First, identify the individuals who are likely to have revellent documents on their hard disk that would not also be on the server.
ii) Then, download all e-mail messages from their PC onto tape and upload to attoreys' PC (time consuming and interferes with employees, work).
iii) Run searches with same limitations as described above.
iv) Note: Privacy issues most prominent when searching hard disks.
d) Special issues re searching for deleted files
(1) Opposing counsel may also demand production of deleted files that have not yet been written over. This poses additional difficulties for the company and counsel.
(2) Typically, "deletion" of a file does not mean it is permanently lost. Absent the use of special utility programs, a "deleted" file is not lost until, through the passage of time and continued use of the hard disk or floppy in question, it is written over by new material.
(3) Only way to save "deleted" files from being destroyed is:
(a) Stop further use of the hard disk in question;
(b) Create a bitmap backup of entire contents;
(c) Run recovery programs in attempt to retrieve.
(4) Problems with recovery programs
(a) A single file is typically stored in several different "clusters" (i.e., locations) on the hard disk.
(b) Recovery programs will, under many circumstances, only be able to recover some of the clusters, or mistakenly patch together clusters of information from one deleted file into information from another deleted file, creating hybrid "Frankenstein" files that never existed originally.
e) Special problems with protecting attorney-client privileged communications from production
(1) Inclusion of attorney-client communications from production
(a) In house counsel is typically included in numerous e-mail messages about day to day business matters.
(b) Usually, e-mail messages are not addressed to in house counsel alone. Counsel is just one of several recipients about a particular business issue.
(2) Difficulty of identifying privileged communications
(a) Counsel reviewing such e-mails for possible production must make difficult decisions about whether or not the privilege can be claimed for all parts of such messages.
i) Context of each part of the message must be closely studied to determine whether or not it can be claimed to be privileged.
ii) Some parts of e-mail may be specifically directed at counsel, others may be unclear.
(b) Additional problems arise with identification of responses from in house counsel to an e-mail where the responses are incorporated back into the text of the original message and no indication is given of what part of the text is counsel's response.
Color coding of response text that appeared on screen is not preserved on printouts that outside counsel will most likely be reviewing for possible production.
(3) Waiver Problems
(a) Even 'inadvertent' production of an e-mail message that includes a privileged communication may lead court to find a waiver.
(b) Waiver may be held to extend far beyond the scope of the text that was produced.
(4) The search for potentially privileged communications in e-mails subject to production greatly increases cost of the document review.
3. End result of document production
a) Significant expense from attorney review of e-mail;
b) Significant disruption of company operations; and
c) Possibility of having to produce large quantities of e-mails that needlessly harm company's position.
VI. Protecting the company from liability for employees use of the e-mail system
A. Some companies permit employees to use e-mail to send/receive personal messages, including setting up distribution lists that are intended to be "bulletin boards". Examples include:
1. Special interests,
2. Classified ads, and
3. Jokes/Limericks.
B. With or without authorization, employees also use e-mail for other non-business purposes, including:
1. Betting pools,
2. Running personal businesses, and
3. Personal communications - gossip.
C. The contents of messages sent by employees can give rise to potential liability for the company for:
1. sexual discrimination/harassment,
2. racial discrimination,
3. libel,
4. invasion of privacy, and
5. insider trading.
D. Common use of e-mail for "flaming" messages a special concern here
Example - E-mail circulated by subordinates about their former manager re reasons why supervisor was "fired". Searing personal comments made re supervisor's appearance, honesty, and competence, as well as the integrity and competence of supervisors superiors.
This e-mail was circulated to numerous employees via e-mail, at least one of whom also communicated defamatory remarks outside of the company.
E. Employees romantically involved with others who have access to the e-mail system may communicate by e-mail.
1. Lawsuits for invasion of privacy in accessing romantic e-mail
Example - An employee used company e-mail to transmit company trade secrets to her boyfriend outside of the company.
In the course of downloading all of the employee's messages to look for misappropriation, company inadvertently stumbled upon a dozen or so passionate, romantic exchanges between the two.
Company fired the employee for misappropriating confidential information. She sued for wrongful termination and invasion of privacy.
2. Every company's e-mail system is likely to contain highly personal, often romantic communications between users.
F. E-mail may also be a major transmission vehicle for software programs - giving rise to liability of company for copyright infringement.
VII. E-mail and privacy claims
A. Employee-employer privacy issues
1. Employee expectations of privacy
a) How employees view e-mail
(1) Employees generally view e-mail as private messages between themselves. Most e-mail systems require the use of one or more individual user IDs and passwords. User IDs and passwords suggest to users that their messages are secure and private. Most companies recommend against using easily guessed passwords , and suggest frequently changing passwords. See e.g., Epson E-mail: Private or Company Information, INFOWORLD, Oct. 22, 1990, at 66 (quoting electronic mail user as saying, "Did I have the expectation of privacy? With three passwords, you bet I did.").
(2) The similarity between e-mail and regular mail suggests to users that they share similar protections. Mail is provided a high level of protection against unauthorized opening. See, United States v. Van Leeuwen, 397 U.S. 249, 251, 25 L.Ed.2d 282 (1970) (mail protected from unreasonable searches and seizures); 18 U.S.C. 1703 (prohibiting the unauthorized opening of mail). Both e-mail and regular mail are protected against warrantless searches by the government. See, 18 U.S.C. 2703(a). Both regular and e-mail involve written communications; the sender specifically identifies by name and "addresses" the recipient and "sends" the e-mail. This process reinforces the belief that the message is directed and limited to the recipient. E-mail also resembles telephone conversations, as both rely on the electronic transmission of information. While telephones can be legally monitored under many circumstances, most employees feel their telephone conversations are private.
(3) Whatever privacy employees have in e-mail messages can he breached in several ways. First e-mail can he intercepted at the senders computer as a message is being sent from one user to another. Second, a message can be read or printed out by accessing the recipient's e-mail box through master passwords or during administrative functions; in addition, e-mail messages stored on a user's own computer could he accessed. Third, during system backup is often necessary to verify business transactions, by recovering e-mail messages, including both business and personal messages.
2. The need for company monitoring
a) Accessing employee's e-mail if he/she falls ill or is terminated and supervisor needs to find out status of what was being worked on.
b) Investigating whether an employee is disclosing trade secrets, or engaging in other impermissible conduct using e-mail.
c) Making sure that employee is not spending time on non-business matters
d) Searching for unauthorized or copied software in company audit process
e) Reviewing stored e-mail in connection with litigations or potential litigations
f) If e-mail is used for communicating with customers, vendors, or other outsiders, reviewing on spot check basis to ensure communications are proper, complete and satisfactory.
g) Reviewing messages to determine what can/should be deleted
B. Overview of legal regimes applicable to e-mail privacy
1. Electronic Communications Privacy Act ("ECPA")
a) The Electronic Communications Privacy Act, 18 U.S.C. 2510-21, 2701-08 (1986) is intended to protect electronic communication systems from outside intruders ("hackers") making unauthorized attempts to break into e-mail systems to intercept information, to eavesdrop on e-mail users, to alter data, or to cause any damage. While the act mainly focuses on "hackers," it also protects the privacy of messages sent over public service e-mail systems.
b) Generally, the ECPA prohibits the interception, accessing, or disclosure of electronic communications.
(1) Interception of messages in transit (Section 2511)
(a) The ECPA prohibits the intentional, unauthorized interception (or the disclosure or use of such messages by one who knows or has reason to know they were illegally intercepted) of electronic communications in transit.
(b) The main exceptions are:
i) The provider of the electronic communication service needs to intercept a communication for the purpose of protecting it's business property from damage, or as necessary to provide the e-mail service. (2511(2)(a)(i))
ii) Either party to a communication may intercept such a communication, and a party to a communication may give prior consent to interception of communication, except where communication is intercepted for criminal or tortious purpose. (2511(2)(d))
(2) Accessing of stored messages (Section 2701)
(a) The ECPA prohibits the intentional, unauthorized accessing of stored electronic communications where the intruder also "obtains, alters, or prevents authorized access to ... an electronic communication while it is in storage ..."
(b) The main exceptions are:
i) The provider of the electronic communication service is free to access stored messages. (2701(c) (1)) In the case of a purely internal e-mail system provided by the company, this would mean that the company is free to access all stored messages.
ii) The user may authorize access to his/her messages (sent or received). (2701(c)(2))
(3) Disclosing of messages
(a) The ECPA prohibits providers of electronic communication Services to the public from disclosing stored messages.
(b) The main exceptions are:
i) Disclosure may be made to recipients of messages or their agents (2702(b)(1));
ii) Disclosure may be made to third parties with the consent of the sender or recipient of the message (2702(b)(3));
iii) Disclosure may be made as necessary to forward the message to its destination (2702 (b) (4));
iv) Disclosure may be made as necessary to render the communication service or to protect the rights or property of the service provider (2702(b)(5)).
c) Violations of the act create civil liability for damages, and criminal liability for fines or imprisonment.
d) The privacy provisions of the ECPA apply, for the most part, only to providers of public electronic communication services (such as MCI Mail). Providers of purely internal systems are generally free to access, use or disclose all messages on their systems. For them, the main impact of the ECPA is to protect them from outside intruders.
e) Defenses based on "Good Faith"
(1) The ECPA expressly provides defenses to violations of its provisions based upon a "good faith" belief that the conduct constituting a violation was authorized, warranted or proper.
(a) Defense to disclosure claim against public provider of electronic communication provider
i) 2520(d)(3) provides that the a "good faith determination" by the public provider that disclosure was permitted under 2511(3) "is a complete defense against any civil or criminal action brought under this chapter or any other law."
ii) Good faith reliance on a court order, subpoena, "legislative authorization, or a statutory authorization" is also a complete defense (2520(d)(1))
f) Preemption
(1) Section 2708 provides that "[t]he remedies and sanctions described in this chapter are the only judicial remedies and sanctions for nonconstitutional violations of this chapter."
2. California Constitutional Right of Privacy
a) Article I of the California Constitution guarantees the right to privacy as an inalienable right. This right is applicable to both public and private employees. Luck v. Southern Pacific Transportation Co. (1990) 218 Cal.App.3d 1, 19; Semore v. Pool (1990) 217 Cal.App.3d 1087. This provision can provide the basis for employee claims that their rights of privacy have been invaded when employers (or others) intercept, access or disclose their e-mail messages.
b) To date, no appellate court has specifically declared whether an employer's review of its employees e-mail constitutes an invasion of privacy. Indeed, a superior court has ruled that employees in the case before it had no claim for invasion of their privacy in their business related e-mail messages. Flanigan v. Epson America, Inc. (1992) Los Angeles County Superior Court (Case No. EC 007 036)
c) However, other cases suggest that absent a clear statement to the employees that e-mail messages are not private, employees may have a reasonable expectation of privacy in their e-mail messages, at least to the extent that personal messages are involved.
d) if employees are found to have a reasonable expectation of privacy in their e-mail messages, then the employer must demonstrate a compelling (or in according to some cases only "reasonable") business justification for any intrusion.
e) The employer"s need to protect corporate information from unauthorized use, and to prevent improper use of the e-mail system in a particular instance will probably satisfy this test. However, an employer should still limit its accessing of employee e-mail to those instances where there is specific cause for concern over the employee in question.
3. California Tort of Invasion of Privacy
a) California law also provides a common law right of privacy. This right is more limited than the constitutional right, and requires the employee to show that the employer's conduct was unreasonable, in addition to establishing the private circumstances of the e-mail message. As the employees conduct does not have to serve a compelling interest, it is quite likely that intrusion into an employee's e-mail for specific business reasons will be permissible.
b) California recognizes four types of invasion of privacy claims: (1) intrusion into one's physical solitude and seclusion or private affairs; (2) public disclosure of private facts; (3) false light disclosure in the public's eye; and (4) appropriation of identify. Miller v. National Broadcasting Co. (1986) 187 Cal.App.3d 1463. These various torts protect different privacy interests. The first three of these tort appear applicable to e-mail communications in the workplace; all require showing the reasonableness of the privacy expectation and the unreasonableness of the employer's conduct in assessing the employee's e-mail messages
4. California Invasion of Privacy Act
California's Invasion of Privacy Act, Cal. Penal Code 630-37.2, was designed to "protect the right of privacy" by preventing the wiretapping of telephone and telegraph communications, and the disclosure of their contents. This statute probably would not apply to employers who access stored e-mail messages on an internal system. At least one California court has ruled that the stature has no application to e-mail. See Lee, Judge Dismisses Some E-Mail Privacy Claims Against Epson, INFOWORLD, Jan. 21, 1991, at 85. However, one commentator has strongly criticized this opinion and argued that the act should apply. Steven B. Winters, Do Not Fold, Spindle or Mutilate: An Examination of Workplace Privacy In Electronic Mail, 1.S. Cal. Interdisciplinary L.J. 85, 121-129 (1992).
VIII. Formulation of company policies re e-mail
A. Formulation of appropriate e-mail policies is a critical part of reducing the burdens and risks of e-mail.
Proper policies can address many of the risks and problems outlined here:
a) Protect confidential and privileged communications,
b) Reduce employee privacy claims,
c) Provide employer access to messages transmitted on public e-mail systems,
d) Reduce quantity of saved messages, and
e) Reduce quantity of potentially damaging e-mails.
B. Suggested policies
1. Must be part of overall trade secret protection policy.
a) Remind employees to exercise extra precautions in sending confidential information via e-mail.
b) Never send confidential information to outsiders.
c) Limit forwarding or use of distribution lists.
d) Use passwords.
e) Do not leave e-mail open on screen for others to see.
2. Personal use and employee expectations of privacy.
a) Inform employees that e-mail is for business purposes.
b) State that e-mail messages are NOT private, that company has capability to review and delete any and all messages and reserves the right to do so. If employee wants information kept private, do not use e-mail.
3. Document retention (Should be part of overall document retention plan)
a) Conduct frequent purges of saved messages on servers. (Consider magnetic shredding to avoid subsequent requests to produce "deleted" files).
b) Strongly discourage employees from saving e-mail messages. (Employees should only save e-mails that contain current action items)
c) Caveat: Document retention policy must be "reasonable" (i.e., based on legitimate company needs other than purely the elimination of potentially damaging evidence).
4. Distribution lists
a) Strongly discourage routine transmission of e-mails to distribution lists.
b) Update distribution lists currently.
c) Check to make sure that everyone on the list really needs that message.
5. Forwarding Discourage employees from routinely forwarding messages.
6. Attorney-client communications
a) Never intentionally forward messages from counsel without counsel's permission.
b) Never disclose message from counsel or the contents of that message to anyone outside the company.
c) Counsel should always clearly designate their communications on e-mail as coming from counsel, avoid responding to messages simply by entering answers into the body of another e-mail message, and append the legend CONFIDENTIAL ATTORNEY CLIENT PRIVILEGED COMMUNICATION" to all responses. Counsel should also note that such communications are "NOT TO BE FORWARDED WITHOUT PERMISSION OF COUNSEL."
7. Copyright
a) Do not copy software and transmit via e-mail
b) Could give rise to liability for infringement on part of both employee(s) and company.
8. E-mail etiquette
a) Remind employees that their messages may be read by people beyond the addressee, and may even be produced to outsiders or a court in connection with litigation.
b) Instruct employees to write accordingly and only use e-mail to send courteous, professional and businesslike messages. (Avoid "flaming")
9. Other prohibited uses
Prohibit use of the e-mail system to engage in any other communications that are in violation of company policy, including but not limited to transmission of defamatory, obscene, offensive or harassing messages, or messages that disclose personal information without authorization.
10. Consent
If company provides for and permits use of e-mail systems provided by public service vendors (e.g., MCI mail), obtain employee consent to messages sent and received by employee on that service being disclosed to employer.
11. Have all employees sign acknowledgment of receipt of the policies.
12. Give employees regular reminders of the company's e-mail policies.
http://www.orst.edu/Dept/archives/misc/wvemer.html