VOLUME 1, NUMBER 3 | FALL 1998



WATCH WHAT YOU WRITE
and
WHERE YOU WRITE IT

As if we didn't have enough to worry about as Year 2000 thunders down on us, now the e-mail we discuss it in is a potential cause for trouble. A legal opinion tells us what to watch — and watch out — for.

By Stephen F. Brock with Tom Inglesby


There is a high-tech double jeopardy many people are playing, but this isn't a game. Everyone involved in solving your company's Year 2000 (Y2K) computer problems has an additional concern: confidentiality of their correspondence — specifically, the security and legal issues surrounding the discussion of Year 2000 remediation in electronic forms such as e-mail and Internet news groups. If something goes wrong and your product or your systems aren't compliant when the clock rolls into 2000, those discussions can come back as evidence of negligence. If your suppliers are not compliant and you decide to sue for damages, their e-mail might hold clues to what they were doing (or not doing) to prevent trouble.

Stephen Brock is senior litigation associate with the law firm of Christie, Pabarue, Mortensen and Young in Philadelphia. Brock has been doing a lot of thinking about the issue of e-mail confidentiality as it relates to internal discussions on the Year 2000 problem, and we picked his brain for some warnings and legal problem-prevention techniques.

"The background is really very simple," Brock says. "Every company must address the Y2K situation and, in doing that, they don't want to create another problem or potential liability for the company. The Y2K problem is unique because everyone knows it's coming and there is debate about the extent of the potential liability. Some figures go into the trillions of dollars. While no one can really know what the true cost of fixing the computer systems will be, it's projected that the legal issues, the product and corporate liability litigation, will be an even larger potential expense.

"If your company gets caught up in a liability lawsuit, there are several areas that can cause additional problems for you. One of them is the availability of correspondence among your company's employees and executives that discusses what your company did to fix the Y2K problems and when it started. In this regard, e-mail has become an issue that must be addressed — quickly.

"E-mail is unique in that just about everyone uses it today. Equally unique is the way people use it. While it is essentially a written form of correspondence — just like any other official report, document, memorandum or letter — people forget that and use it in a different way. E-mail has been described as unfiltered, sloppy, careless, casual and flippant. People tend to put things in e-mail that they would tell their best friends on the telephone, things that you'd never put in a formal memo or report. But remember, e-mail is preserved just like those other, traditional means of business communications.

"Put those two things together and you can see that we have a double whammy. With the liability of Y2K and the casual nature of e-mail, companies can face serious threats to their viability. Executives must take steps to be sure their employees at all levels treat e-mail correctly and keep it confidential."

There have been many cases in the press lately where a long-forgotten memo came back to haunt the sender and the company the sender worked for. Perhaps the biggest finding was during the discovery phase of the recent tobacco litigation. Memos from scientists and others going back 30 years and more were found and used to show a pattern that tobacco companies knew the damaging effects of their products on users. More in line with Brock's comments, however, are various e-mails that have surfaced in litigation involving Microsoft, Novell, Sun Microsystems and other high-tech companies.

Even the government is not immune, as Col. Oliver North found out when e-mail documents were found in the IBM PROFS system that pointed to his involvement in the Iran-Contra proceedings. Shredding documents eliminated some of the damaging evidence, but no one thought to "shred" the e-mail. And this case also shows that the preservation of e-mail goes well beyond the desktop. Think about all the stages an e-mail goes through from writer to recipient(s). Each step, each server, each desktop computer has the potential for storing, indefinitely, the incriminating evidence.

Brock makes these suggestions: "Employees need to be taught to be careful in what they write in e-mail, what they do with the e-mail, where they send it and who has copies of it. It must be treated like other documents. What people do in e-mail indicates that most regard it as an instantaneous communication, like a telephone call, and use it to reveal their innermost thoughts. That is precisely what you don't want if you are facing a potential liability, particularly one that has the tremendous implications of Y2K. The company does not want its employees putting something in writing that may make the company red-faced later on.

"Regular documents, those people put on paper or machines such as official memoranda, reports, correspondence and letters, should be carefully analyzed as to their confidentiality requirements. Executives must be ready to articulate their company's policy: Why do you want some documents confidential and others not? You should have such a policy, official and formal, that all employees know. Your best bet is to involve the company's legal staff or attorney in defining this policy. Have them coordinate the policy for documents, have them articulate the policy and have them specify the protections that are available for company documents such as the attorney-client privilege, the work product doctrine and certain other privileges accorded to internal documents.

"Don't co-mingle reports or information that you want to be kept confidential with other non-confidential information. This is very important for the attorney-client privilege. The rule is: Don't mingle attorney-client information with business advice.

"Train your employees how to write carefully. Make sure they understand that all correspondence, especially e-mails, must be written without hyperbole; they shouldn't be written carelessly; they shouldn't be written in a flippant manner.

"Those are the basic steps for all documents. E-mail requires some additional concerns. First and foremost, train all employees to treat e-mail as they would any other corporate document. Don't put into writing anything that you would not want to come back in writing. I recall that one of the officers in the Rodney King case sent out an e-mail shortly after King was beaten making the flippant statement that he hadn't beaten anyone so badly in a long time. That obviously was used against him.

"Write as if the document will be preserved forever and ultimately disclosed. Always write e-mails with the mindset that they will be archived. In the case of Oliver North, the e-mails were found on a back-up drive or tape when they were thought to have been erased from the system.

"Again, I reiterate, train your people what kinds of documents can be kept confidential, including e-mail. Teach them what protections are applicable to your business — attorney-client privilege, work product relating to specific litigation, trade secrets, proprietary information. And train them continually. E-mail is not going away, and we must be alerted to the protections on a continuing basis.

"Put notices on your e-mail system. For example, at our firm we have a notice each time we log onto the e-mail system telling us that the e-mail is to be regarded as confidential and should be used only for business purposes. Companies can put a notice like that on their systems, and then reiterate the consequences of violating the policy.

"The final step is to update, audit and evaluate. Update your process to take into account developments that have taken place. If you find gaps, correct them. Audit your systems on a periodic basis to see whether problems have arisen or if there are new things you should be doing. It's not a one-time thing where you set a policy and expect everything to be perfect."

Many companies have, or are experimenting with, encryption methods to prevent unauthorized access to the information in their e-mail and other electronic documents. Brock knows of no prohibition against internal documents being encrypted, but making the document hard to read is not a protection against it being subpoenaed should litigation result in files being requested.

Encryption protects the electronic version, but most of us have seen e-mails printed out for various reasons, and that breaks the code, as it were.

In addition, there have been several government attempts to require that public and private encryption keys be made available to investigative agencies such as the FBI, the Secret Service and DEA. The intent is to allow a "wire tap" of e-mail in cases of national security, drug law enforcement and other situations where the courts have, in the past, allowed telephone and other communications to be intercepted.

The government is one thing; corporate espionage is something else. As more companies seek a competitive advantage through high technology, electronic commerce and the Internet, computers will become vulnerable to prying eyes. Hackers already tempt the security community to come up with newer, more secure computers and servers. And don't forget the media. As investigative reporting takes on a new meaning, newspapers, magazines and television networks are looking for juicy tidbits for a scoop. Just think about Linda Tripp and Monica Lewinsky corresponding via e-mail, and the voice mail recordings purloined from Chiquita by a writer seeking evidence of wrong-doing. Those recent incidents of electronic correspondence ending up in the media should make any company executive concerned. No corporate president wants to see "60 Minutes" pulling up in the company parking lot.

If the Y2K problem places a liability on your company, information of the famous "what did you know and when did you know it" kind will be valuable evidence against it. "E-mails will be one of the first things potential plaintiffs look for," Brock believes. "They may also be one of the first things the defendant looks for, depending on their content. The reasons are simple: E-mails will be recent and current; they will be written so you can refer to them over and over again; and the way people presently treat e-mail, as I've said, makes it unfiltered. In any liability litigation, especially one as large as Y2K, claimants will look for those 'smoking guns' in every electronic form they can think of."

Besides the many copies that are circulated intentionally, remember the back-up copies, often on many tapes or discs, that can be archived for years and then recalled. Should you need those e-mails for a defense, be aware that there are ways, in some cases, to determine the specific date and time the e-mail was created and sent, whether it was changed, edited or modified, and what, if anything, was changed at any step along the way.

Brock notes, "Our firm has a system that tracks when a document was created, everybody who has been in it since the time of its creation, and the time of any revisions. There is probably no technical reason any e-mail can't be audited in the same way. It just takes an understanding of what you are looking for and the technology to find it."

In the days of typewriters and carbon paper, changing a document was more difficult and the original showed obvious signs of tampering in most cases. Word processors and e-mail programs make changing the original easy and the changes harder to recognize. But, as in all things technical, there are those who know the ways to find the hidden evidence, the secrets that you might want to keep buried if Y2K — or any other liability — causes you to head for the courts.

Helping to Take E-mail Out of Litigation
Theresa E. Loscalzo, a partner in the Internet and Computer Networking Practice Group of the law firm Schnader Harrison Segal & Lewis LLP in Philadelphia, has developed five core principles to help corporations develop sound e-mail policies and greatly reduce legal liabilities.


Develop a Written E-mail Policy — Immediately

The best insurance policy to avoid e-mail litigation is to establish a corporate-wide policy. Whether or not a company intends to monitor corporate e-mails, it should have a written policy in place. Clearly defined rules and guidelines have been shown to reduce e-mail confusion and legal liabilities before problems can occur.


Enforce and Reinforce the Written Policy

Once in place, the written policy must be actively enforced. More and more frequently, litigation arises as a result of both an employer's failure to develop an appropriate e-mail policy and the failure to communicate to employees the appropriate and permissible use of the e-mail system. Employees must be educated about the policy and aware of the consequences for breaking company e-mail rules. Employees must also be "refreshed" periodically to avoid misunderstandings even after the written policy is in place. Changes or updates to the policy must always be addressed immediately.


Designate Who Owns and Controls the Content on the System

Personalized IDs, PIN numbers and desktop arrangements tend to create a false sense of employee ownership of messages and documents on their system. Make it clear that messages saved and transmitted privately by employees may be accessed by people other than the intended recipient. Specifically, issues of e-mail access, privacy, and confidentiality should be clarified.


Clarify Where the "Forgotten Mail" Will Go

Most employees don't understand exactly how a computer stores information and who has access to information on the system. Make it clear that "deleted" mail is rarely gone. Explain what the company's archive and back-up policies are and establish time limits for messages to remain on the desktop. Clearly define employee privacy rights as well as company privileges to information.


Teach E-mail Etiquette — Lessons in Appropriate Conduct

Employees must be properly sensitized concerning the appropriate etiquette for e-mail transmissions. Make it clear that e-mail is taken just as seriously as other forms of office communication and that the content of e-mail messages can constitute grounds for discrimination, harassment or other forms of corporate misconduct. A complete e-mail policy should explain for what offenses individual employees are liable.

— From a presentation at the 1998 Pennsylvania Electronic Commerce Conference



ABOUT THE AUTHOR
Stephen Brock is an attorney with Christie, Pabarue, Mortensen and Young in Philadelphia. He frequently addresses Year 2000 problem, confidentiality, and e-mail issues. You can reach him at 215.587.1682, or by email at [email protected]