By the end of 2006, worldwide volume of business e-mail sent will likely reach some 84 billion messages daily. E-mail, in fact, has become an ever-present business communications tool, outweighing traditional paper mail services 75-to-1.
Nearly a quarter of all that corporate e-mail, however, is personal in nature, with nearly two-thirds of workers sending business e-mail from Web-based personal accounts such as MSN, Hotmail, Yahoo! and AOL.
It’s easy to see why Web-based e-mail is so popular. It offers access from any Internet-connected computer, frees up hard-drive space, and is handy as a backup business e-mail account. As an added bonus, most Web-based e-mail services are free.
While Web mail has its benefits, it also poses risks to a corporate network–even with security controls in place to prevent the spread of malware (the term commonly used for malicious software). Web mail can serve as an entry point through which attachments bypass these measures, and while many sites that offer Web-based e-mail provide virus scanning on their end, malware and spyware can slip through the net on occasion.
As a result, employees accessing personal e-mail accounts at work via the Web could unwittingly introduce these viruses to the company network. Third-party personal e-mail systems could increase how often Trojan horses, viruses, worms and malware are introduced into the company’s system, as these sites may not have the same protective firewalls, encryption, intrusion detection, password management, spam filters, anti-virus software and other technological security measures.
Unauthorized content is an even greater concern. Since Web mail bypasses password controls and filters, users can transfer confidential information into and out of the organization through the Web, with no record of the transfer being retained. In certain circumstances there may be commercial, personal, regulatory, legal and even national security implications.
The liabilities of employees and employers arising from Web-based e-mail are still being defined by the courts. Specifically, what are the exposures that companies face when they allow their employees to access personal e-mail accounts at work?
It’s important to note that many of these exposures are not unique to Web mail, but may also apply to personal e-mail use within a corporate e-mail system. Forwarding jokes, photos, music files and other personal information to co-workers can expose employers to lawsuits.
Transmission of confidential company information, vicarious liability for copyright infringement, invasion of privacy and creation of a hostile work environment are all potential legal minefields.
What’s more, if a company has knowledge of inappropriate or illegal use, and damage occurs, the company could be liable. Furthermore, companies that fail to make reasonable efforts to find and police such prohibited behavior also might be liable.
E-mail is generally discoverable in litigation. Therefore, it is not surprising that 21 percent of businesses have had employee e-mail and instant messaging subpoenaed in the course of a lawsuit or regulatory investigation.
Even so, there may be legitimate reasons to use these Web e-mail systems. One such scenario might be a flexible work arrangement involving telecommuting (although large entities could employ virtual private networks that obviate this need).
If employees use the company’s corporate account for personal use, the personal e-mail could contaminate corporate archives–not to mention waste valuable resources, including storage space. This is a productivity risk, as it adds to the amount of time the Information Technology department spends managing the messaging system. In fact, some IT managers encourage all employees to use a Web-based account for personal communications.
Employers might lawfully prohibit employees from accessing Web-based e-mail from work or set policies to regulate its use. A comprehensive policy might also govern employee blogging, instant messaging, mobile/wireless communications, Web surfing, peer-to-peer use, VoIP, the use of iPods, MP3s and camera phones as well as emerging technologies.
The policy should be firmly supported by senior management, widespread user awareness and routine compliance checking.
Loss control steps an organization might consider include limiting employee access to Web-based e-mail at work, regardless of subject matter.
In addition, employees should be strictly prohibited from transmitting trade secrets or other confidential information about the employer’s business. Such information might include upcoming new products or projects that have not been publicly announced, information about discounts offered to certain customers, or employee salary or pay information.
Employees also should be prohibited from using e-mail to harass or attack any employee, contractor, customer or vendor based on gender, sexual orientation, race, national origin, religion, age, disability or any other protected category.
Employees need to be advised that laws against defamation and libel apply to e-mail, and that they may be subject to legal action for spreading disparaging and untrue information about the company or defaming another person.
Laws against invasion of privacy also apply to e-mail. Employees should be warned that e-mailing private information about another person’s medical, financial or sexual affairs may expose them to a lawsuit. Users need to have the risks explained to them and be given practical guidance on how to avoid the risks.
Compliance is key, and should be monitored. For example, any information-security incidents traced back to the use of Web mail must be addressed promptly.
Furthermore, employees need to be advised that they will be subject to disciplinary action, up to and including termination, for violation of the company’s e-mail policy.
While an employer may, under certain circumstances, be held liable for employee e-mail, it might also be able to claim immunity under the Good Samaritan provisions of the Telecommunications Act of 1996 if some actions are taken to regulate its computer network.
Specifically, an employer who actively commits to monitoring e-mail as part of “any action voluntarily taken in good faith to restrict access to or [the] availability of material that the provider or user considers to be…harassing, or otherwise objectionable” might immunize the firm from certain torts and other state law claims based on employee use of a company’s e-mail system or intranet.
Overall, it is crucial for companies to stay flexible, as the uses of Web-based personal e-mail systems are dynamic and new technologies are emerging on a regular basis.