Devising Network Use Policies


Disclosure by an employer of its e-mail monitoring practices creates at least two positive effects. First, employees are put on notice that monitoring might occur. If an employee does not agree with the monitoring practices, he or she can leave the job. Second, there will be no ambiguity about whether there will be monitoring and employees are put on notice that any e-mail might be read by others. This provides a sense of clarity over what the employer's expectations are of the employees. If an employee knows that the employer could read any e-mail written or received at work, the employee is less likely to engage in activity that could subject himself or herself to reprimand or termination.

A network administrator should know that in some jurisdictions, any privacy policy adopted as part of an employee manual might be enforceable as an express contract against the employer. Intrusions into privacy in violation of provisions in an employee handbook could rise to a breach of contract claim. However, in states where employee manuals do not constitute contractual terms, employers can ignore their own policy, at will, with no recourse to the employee.

Using and Monitoring E-Mail

As the use of networks and communications channels expands, it is as critical to establish basic policies and guidelines for the use of e-mail systems by trusted users as it is to adequately secure these same systems from external and internal intruders. Items of concern to businesses include management review of employee e-mail, the alteration by unauthorized users of current or archived e-mail, protection of client lists or outgoing e-mail addresses, elimination of unwanted e-mail messages including those with offensive or criminally actionable file attachments, harassment, stalking, and development of redundant systems to restore corrupted data in case of intrusion and discovery demands in litigation.

The failure to implement policies on the use of e-mail and network security could have serious consequences. Objections by network users might include claims of invasions of privacy, loss of attorney-client privilege, harassment, theft of crucial information, and other torts. For the network owner, there are concerns about secondary or vicarious liability arising from loss of unprotected trade secrets, theft of intellectual property, discrimination and harassment of employees, and other forms of criminal misuse of communications channels.

An Employer's Right to Monitor Employee E-Mail

Network users who are employees typically use e-mail for personal communication as well as work-related correspondence. These communications are stored electronically until deleted and can be monitored, either intentionally by employers or surreptitiously by coworkers. A private network owner can monitor the e-mail, whether stored or in transit, of its employees because it owns the servers, the wires, and the client.

Generally, even if a public employee had a reasonable expectation of privacy in his or her e-mail transmissions, a company's need to deter unprofessional and potentially illegal conduct has been found to outweigh an employee's privacy interests. In California, a state with a constitutional right to privacy that is enforceable against private employers, state trial courts have repeatedly authorized an employer's entitlement to monitor employee e-mail.

When Is E-Mail Private?

Network users who are employees possess some small zone of privacy in the workplace. First, the protected information includes and is generally limited to information protected by other statutes, like medical information, or in states where a general right to privacy is codified. Second, private employees are protected by the ECPA, which authorizes criminal sanctions for those who intentionally access e-mail services, including archived e-mail, without or in excess of authorization. If the network's connection point to the public Internet is protected by a firewall to block intruders, and the policies for use, retention, and destruction of e-mail implemented by the network are well settled and known to all users, and users do not routinely have access to e-mail that is not addressed to them and access is determined by a password, the confidentiality of the content of e-mail is likely to be maintained against third parties. Employers, however, can access their own network and its e-mail systems without violating the ECPA, provided the terms of access and monitoring are provided in advance to the employee.

Employees in the public sector enjoy a degree of privacy, protected by the Fourth and Fourteenth Amendments' protections against unreasonable searches and seizures. In general, however, a public employee must establish first that his or her expectation of privacy in the space or materials that were invaded was reasonable. The courts typically look at the particular employment relationship, and the degree of privacy that each particular environment can afford is evaluated on a case-by-case basis.

Absent a policy to the contrary, courts have held that e-mail sent from or received on a home computer using AOL, which is then stored on AOL's servers for retrieval by the network user utilizing a password, is private and subject to privacy protections, at least against government seizure. However, if the e-mail has been shared or otherwise accessed by a person other than the sender or the recipient, the privacy interest might dissipate. Of course this applies only because AOL e-mail is privately stored for retrieval on AOL computers and AOL maintains a strict policy of not reading or disclosing subscriber e-mail. Courts have considered this a type of contractual privacy protection, so even though this specific case law deals with AOL, it extends to any service provider who stores e-mail privately and maintains the same kind of policy.

Interception of E-Mail in Transit

The interception by unintended recipients of e-mail messages transmitted over public communication lines is unlawful under the ECPA. It is very difficult to intercept an e-mail while in transit over the Internet, but it's certainly possible to intercept it at various points (for example, at the exit point of your network or the entry point of the recipient's network).

Employer Liability for Employee E-Mail Transmissions

Although an employer can, under certain circumstances, be held liable for employee e-mail, it might also be able to claim immunity under the Good Samaritan provisions of the Telecommunications Act of 1996 if it took some action to regulate its computer network. Specifically, an employer who actively undertakes to monitor e-mail as part of a program to protect its network and network users might immunize itself from certain torts and other state law claims based on employee use of a company's e-mail system or intranet. However, if a network administrator is aware of illegal or discriminatory activity over its network and does nothing to stop it, liability can be imposed on the network owner.

E-Mail Archiving and Records Management Policies

There is no broad requirement that e-mail be maintained or archived, although (as you learned in Chapter 17, "Discovery, Compliance, Archive, and Retrieval") specific industries or fields may have more narrowly drawn requirements. Managing e-mail according to consistent policies is a key to effective network management as regards privacy and surveillance. A clear retention and archiving policy provides users with needed guidance on e-mail management. Generally speaking, it should be the administrator's policy to manage, retain, and delete electronic records by following the same rules that govern the organization's paper records. If the law requires records to be maintained for seven years because the record is an accounting record, a legal record, or for some other reason, then the same approach should be taken with electronic versions of those records.

A well-executed policy explains the tools for managing e-mail and makes them easily available. If designed together, good management of e-mail will inform the applicable record retention policies. Finally, good management means that the adverse publicity many companies suffer from e-mail, and the difficulty and expense of searching for e-mail in response to discovery requests, can be reduced.

Because there is no governing rule, it is up to the policymakers behind a particular network to decide the appropriate standard. Approaches can range from full retention to some kind of automatic deletion approach whereby e-mail is deleted automatically after a relatively short specified period of time unless the e-mail author or recipient makes the decision to maintain the e-mail as a business record. Of course, "deleted" can mean many different things, depending on the design of the network. The administrator might be able to recover what the user thought was gone forever, but this means the electronic records management policy could facilitate discovery in the litigation context.

Retention and Archiving of Government E-Mail and Business Records

E-mail sent to or received by the employees and officers of United States government agencies is subject to the Federal Records Act and therefore must be archived according to the Act. E-mail messages retained by the Executive Office of the President are presidential records subject to the President's Records Act.

Express Policies Retention

E-mail sent or received by a private employee might not be a business record and therefore inadmissible under the business records exception to the hearsay rule. However, if a network administrator has an express policy governing retention and deletion of e-mail messages, it is likely that the retained messages are business records, and therefore discoverable in litigation. It is increasingly clear that electronic records are no less subject to disclosure than paper records.

Monitoring Internet Use of Employees

Monitoring the searching and retrieving habits of network users for valid network maintenance or security reasons is permissible. Typically, an employee policy would alert the network user that there is no private use of the Internet access provided by the employer. Network administrators often conduct surveillance of their network, and surveillance rules must account for how providers can collect information about the communications within their network, and also when they can disclose that information to law enforcement. The rules regulating provider surveillance focus generally not on legal process, but rather on the factual circumstances in which the law prohibits provider surveillance and disclosure. The rules governing the providers regulate when the provider can conduct specific types of surveillance and when the provider can disclose that information to law enforcement.

If a court issues a search warrant seeking past Internet-related activity of a network user, it might not be executed by the network owner because federal law governing the execution of search warrants actually prohibits private parties from executing search warrants on behalf of law enforcement. In this circumstance, however, an accountable party must conduct the surveillance pursuant to a court order and turn over the results to law enforcement.

Courts generally are not willing to extend the right of privacy to include e-mail that is sent and received in the private workplace. E-mail, if transmitted in a way that a third party can intercept and read, carries with it no expectation of privacy. This is true even if the messages are subsequently hidden in password-protected folders. Other decisions have concluded that employers can monitor e-mail, regardless of any assurances that such monitoring would not occur.

Loading Software

Perhaps it is too mundane to review, but the network use policies should expressly set forth the conditions under which a network user can load software onto the network's servers (if at all), load software onto his or her desktop client, or download software from the network to a mobile device. Typically, the network owner has complete control over this aspect of its technology and can limit the access and use of its applications on the network in any way it chooses.




Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
EAN: 2147483647
Year: 2004
Pages: 189
