Loose lips sink ships

Brendan Scott explores the problems caused by the explosion in email use in the workplace.

In today's world, if someone wishes to export information from a company they have a variety of means available to them to do so. They can email the relevant documents to an address outside of the company - either an address of their own or of some third party. They can upload the information across the Internet to their own Web site or to one of the many free Internet storage companies which have been offering their storage solutions to the public for some time now. If they have access to a CD burner within the organisation they can burn CDs for themselves and take the CDs out of the building. If they have a laptop they can download all the information they need off the central server onto the laptop and simply walk out the door with it. In doing any one of these things the person exporting the data can do so in such a way that the data is not identifiable (or readily identifiable) as belonging to the company. For example, the data itself can be archived in some manner, compressed and even encrypted to prevent third parties from identifying or recognising the nature of the information. In short, it is extremely easy to export data from a company in a manner which is completely undetectable.

The risks are out there. Should managers within the company run screaming from the room and suffer irrecoverable nervous breakdowns? Probably not. Fortunately human honesty does most of the job for us. Requiring employees to routinely abide by confidentiality arrangements at the time they enter employment is something that all businesses should have in place whether or not they have Internet access - even whether or not they have any computers in their business. Such an agreement should be in writing and should be brought to the attention of the employee at the time that they are being offered the employment, noting the obligations as a condition of that employee's employment. However, there is only so far that such an agreement can go, and it is of little comfort to a business whose most important confidential information has been emailed to the account managers of its number one competitor. In relation to confidential information in particular, an ounce of prevention is certainly worth at least a pound of cure. These "ounces of prevention" are unfortunately (for me at least) usually not strictly legal ones. They can include, for example, such things as an appropriate and identifiable audit trail in relation to all electronic documents of the business, which permits the identification of all accesses and modifications to the documents and of the persons responsible for those accesses. The system could also be subject to access control requirements, where users must have a legitimate interest in a document before being able to access the document. For example, should the programming staff be permitted to have access to the accounting records? Another means of prevention that can be employed is to put a "choke" on the passage of documents. For example, people may only be able to copy one document at a time (on the assumption that a person can only work on a handful of documents at any one time).

FLAME BAIT

It is not only the deliberate thief that needs to be accommodated in planning for maintaining the security of electronic information. Where a person makes a statement about another person which may tend to injure the character or reputation of that other person, the first person has committed a defamation - even if the statement is true! Where the first person is acting in the course of their employment, their employer is likely to be vicariously liable for such a defamation.

By and large, electronic communications are not treasured by their creators with the same degree of reverence that the equivalent paper communication would be. Nowadays people bash out an email in response to a query in next to no time. Had they written the equivalent response by way of memo or letter, they would often find that they would reflect more on the consequences of sending the letter than the email - and reword it before sending. This has different effects depending upon whether the email is being sent internally or externally. If it is sent externally there is the risk that by speaking unguardedly, an employee may in fact be defaming a person or be engaging in some form of misleading or deceptive conduct in a manner proscribed by the Trade Practices Act (defamation can still happen internally, but is less likely to be as damaging because fewer people are exposed to it). For example, the honesty (and guilelessness) of most engineers is close to legendary. Should they be cruising a newsgroup and see a question about a competitor's product, they may take it upon themselves to respond directly to that question either to the person posting the question or to the newsgroup as a whole. If they do not hold the competitor's product in high esteem, this is a recipe for a liability nightmare.

Internally, the problems can actually be as bad, if not worse. Whenever legal proceedings are commenced, the parties to the litigation are permitted to have access to all documents of the other party which are relevant to the issues in the litigation - and this includes email. Email and other electronic documents can provide a wealth of material for a litigator in that they may contain admissions which will be difficult to qualify after the event. Even if the person writing the email internally is completely wrong and unjustified when they write their email which says "I wish Tom hadn't done that, it is engaging in resale price maintenance in breach of the Trade Practices Act," the email will nevertheless be extremely embarrassing and very difficult to counter. In this respect, the practical way in which email increasingly replaces spoken communication exacerbates this problem.

One answer to these issues is to create an email policy for employees to comply with. However, in doing so, I cannot stress too highly the importance of a measured response to these issues. An "overenthusiastic" approach to such a policy, in which draconian and unjustified restrictions are placed on the use of email, will result not only in plummeting morale and skyrocketing cynicism (you are stating quite openly that you do not trust your employees and intend to monitor their communications), but it is also questionable whether the risks which are being addressed by the restrictions outweigh the benefits. For example, if the policy has not been enforced in other instances, the company is placed in a difficult position when it later attempts to enforce a particular provision because that enforcement then appears to be a victimisation of the single employee.

BROWN PAPER BAG

One place in which this has been particularly the case is that "brown paper bag" material (BPBM) which seems to attract so many headlines in the Internet world. For example, before the Internet it was unheard of for a person to have been sacked or even counselled for receiving BPBM through the mail at their work address. However, in recent years there have been a handful of incidents in which companies have purported to sack or suspend their employees for receiving the same material through email (and those companies have subsequently been the subject of wrongful dismissal actions). Even the Federal Government has effectively sanctioned sending pornography and other BPBM through email by specifically excluding ordinary email from the compass of its recent Internet censorship law. Of course, this must be distinguished from those cases where the BPBM is used to harass. There is no reason why this shouldn't constitute a sackable offence.

Ultimately what is an appropriate response? In no particular order, you should place a lot of faith in the intelligence and honesty of your employees, educate them, respect them, get them to agree to confidentiality agreements, make them subject to a well-crafted email policy but also think about structuring their access to documents. This access should be structured in such a way as to minimise the chance of a person exporting information en masse, to minimise the disruption to the way your employees work, but also to maximise the ability to identify the source of any leak after the fact.
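The structured access recommended here, combined with the audit trail, access control and "choke" described earlier, can be sketched as a single gate in front of document reads. This is an added example, not part of the original article; the class name, roles, file names and the limit of three documents per minute are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample policy: which roles have a legitimate interest in which document classes.
ACL = {"accounts": {"accounting"}, "programmer": {"source"}}

class DocumentGate:
    """Access control + copy 'choke' + audit trail for document reads."""

    def __init__(self, acl, max_docs=3, window_s=60):
        self.acl, self.max_docs, self.window_s = acl, max_docs, window_s
        self.recent = defaultdict(deque)   # user -> timestamps of allowed reads
        self.audit = []                    # append-only trail of every attempt

    def read(self, user, role, doc, doc_class, now):
        if doc_class not in self.acl.get(role, set()):
            outcome = "denied:no-legitimate-interest"
        else:
            q = self.recent[user]
            while q and now - q[0] >= self.window_s:   # drop reads outside the window
                q.popleft()
            if len(q) >= self.max_docs:
                outcome = "denied:choke"
            else:
                q.append(now)
                outcome = "allowed"
        # Denials are logged too: a burst of them is itself a signal.
        self.audit.append({"t": now, "user": user, "doc": doc, "outcome": outcome})
        return outcome == "allowed"

    def who_accessed(self, doc):
        """After a leak: everyone who successfully read the document."""
        return sorted({e["user"] for e in self.audit
                       if e["doc"] == doc and e["outcome"] == "allowed"})

def demo():
    gate = DocumentGate(ACL, max_docs=3, window_s=60)
    results = [
        gate.read("alice", "accounts", "ledger.xls", "accounting", now=0),
        gate.read("bob", "programmer", "ledger.xls", "accounting", now=1),  # wrong role
    ]
    # alice tries to pull five more files in ten seconds: the choke stops the bulk copy
    results += [gate.read("alice", "accounts", f"inv{i}.xls", "accounting", now=2 + i)
                for i in range(5)]
    return gate, results

if __name__ == "__main__":
    gate, results = demo()
    print(results, gate.who_accessed("ledger.xls"))
```

The sliding window keeps ordinary work unimpeded while capping bulk copying, and because refused attempts are recorded alongside successful ones, the trail can answer both who read a leaked document and who tried to.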

Your email policy should be drafted with a view to not only proscribing certain actions, but also explaining the reasons for that proscription.

In this regard, the policy should not distinguish between a virtual event and a reality event unless there is some real, practical difference which will distinguish them. Finally, the email policy should be drafted with a view to moderation. Nothing should be prohibited unless several key criteria are met. In particular, the prohibition should be backed by a punishment commensurate with the prohibition and the punishment should be one that you seriously intend to enforce in every instance.

Brendan Scott is the senior legal dot.com specialist with law firm Gilbert & Tobin.
