Is your e-mail safe?
|January 7, 2004
IN-BOX INSIGHTS BY CHRISTINA CAVANAGH
Report on Business: Globe Careers, The Globe and Mail
After a substandard performance review, an employee was asked to take an alternate position within the firm at a lower pay rate. The employee decides to contest the forced demotion and manages to obtain copies of e-mail messages about him that were sent between his boss and his boss'smanager.
The question is: Is the employee's action in obtaining co-worker e-mails inappropriate?
While this situation involves a number of human resource complexities, the issues relating to workplace e-mail are:
Has the employee broken the law?
Has the employee violated a corporate code of conduct?
Is this act considered grounds for dismissal and/or legal action?
First, we need to know how the employee obtained the e-mails.
If they were printed and left exposed or, worse, retrieved from the trash, then they could be considered a lucky find. If, on the other hand, the employee was bent on retrieving this information from the two e-mail accounts, can this be considered unauthorized use?
A lot depends on how access to information is regulated in the workplace.Let's look at two issues: theft and confidentiality.
Rob Hyndman, a technology lawyer at Ogilvy Renault in Toronto, says an employee cannot generally be convicted of criminal theft of confidential company information.
The deciding case involved an employee taking a copy of the employer's list of employees for use in a union organizing effort.
The Supreme Court of Canada decided that taking this confidential information was not considered a theft under the Criminal Code, partly because taking a copy of the list did not deprive the owner (the employer) of the data.
"It's therefore safe to presume," Mr. Hyndman says, "that, barring any other potentially illegal circumstances, such as damaging property or destroying business records in the process of getting to the e-mail accounts, and depending on how the employee obtained the information, the main effect on the employee in this situation would range from no action to some form of discipline taken by the organization, including termination. There is a new offence under the Criminal Code that criminalizes the unauthorized access or use of computer systems, but it's too early to say whether it could be applied in this type of situation. It's also worth noting that if the employee in this story had not taken the e-mail, but had litigated the demotion, he would likely have been entitled to a copy of the e-mail in any event."
So, we can rule out e-mail theft as an issue. That leaves us with considering a co-workers' e-mails as confidential information.
We know that companies own their e-mail systems, and all the information they contain. We can infer that individuals acting under the direction of their company have the authority to access a variety of information based on request or need. In our story, the employee has acted on his own accord, taking on a level of authority that he might or might not have had. Now the issue becomes one of regulation -- is there anything in writing that specifically safeguards workplace e-mail privacy?
According to Mr. Hyndman: "This case raises a very troublesome aspect of e-mail and of our use of computer technology in business generally. Businesses often do not take due care to manage the creation, protection and destruction of electronically initiated confidential information. Whether the information is customer lists, business plans, source code, correspondence, or anything else that is secret and important, businesses often find out too late that they are not doing enough to manage their electronic information.
"E-mail is particularly vulnerable -- it is easy to copy, easy to forward, easy to forget and even if deleted is often easy for forensic investigators to recover. Recent U.S. securities fraud, insolvency and antitrust cases are perfect examples of this vulnerability: In the indictment of investment banker Frank Quattrone, for example, one of the key pieces of evidence was an e-mail message that concerned his knowledge about a grand jury investigation."So, not only do we have overload issues to grapple with at work, we now also have e-mail content and security issues to manage.
One way to begin this process is to develop e-mail policies that identify the types of information that should not appear on the system and how it should be handled.
Policies reinforce a culture of care that is so important in today's transparent work environment; they can also act as a protection mechanism. For instance, organizations that don't have any formal procedures on the secure use of computer resources and their outputs will find it more difficult to control the actions of their employees who may be unknowingly lax about information security.
Using our example, if e-mails were obtained through a co-worker who had ready access to the messages in these two accounts, then that person becomes culpable. She may have put herself in a very vulnerable position as a key party to employment misconduct, without understanding the potential consequences. A policy can serve to guide and protect employee actions.
Another key benefit of an e-mail policy is to bring attention to what types of information should be committed to the system.
"It is becoming more difficult for organizations to defend themselves in lawsuits," says Mr. Hyndman, "because of the types of information that can be found in e-mails. Further, businesses that don't actively manage the regular destruction of old and obsolete electronic information may later find the information being used against them, without the benefit of the context and background in which it was originally prepared."
Once a policy is established, the next step is to make sure the staff understands. Discussions should take place among employee groups using explicit examples of the types of information that should be kept off e-mail systems and how requests for copies of messages by other parties should be handled. This will help to create greater awareness of the risks, and more respect for the long-range power of electronic communication.
Information committed to e-mail can become much more accessible than we ever envisioned and therefore should be treated almost as public material. When asked what types of information they won't put in e-mail, research respondents consistently cite human resources matters first.
As we have seen, it's becoming commonplace to investigate e-mails during legal proceedings, many of which can end up as headline news. Lawyers have discovered that workplace e-mail accounts can be a treasure trove of information for both the situation they are directly investigating and also to get a sense of a company's actual conduct in general matters. If there was ever a good reason to reduce e-mail traffic at work, this may be it.
Keeping your e-mails safe today may mean that you won't be sorry tomorrow.
« Return to Articles
Christina Cavanagh is a professor at the University of Western Ontario and the author of Managing Your E-mail: Thinking Outside the Inbox.