
Email and compliance



COMPLIANCE

The current buzzword bandied about by vendors and members of the media in a free and easy way is ‘compliance.’ Although the use of the word has some relevance, there are two highly pertinent questions that should be answered before rushing out and buying the next most exciting product on the shelves:

• With what are you required to comply?
• Why is it necessary?

If you can answer these questions, you are on your way to getting to grips with how to resolve some of the problems you may be facing with email. In essence, there are three main forces that cause organizations to consider how they deal with their email:

• Responding to the retention periods set out in laws and regulations.

• Retaining emails because of best practice, including principles of good governance and for the purposes of litigation, such as defending cases taken by employees before employment tribunals.

• The practical problems of storage.

This article will only consider an outline of some of the laws and regulations that apply to the use of email. The aim is to give the reader an indication of some, but not all, of the issues that affect the way an organization should deal with email.

General considerations: corporate liability

When an employer hires employees, the authority vested in the employer is delegated to the employee in varying degrees, depending on their position within the organization. The employer becomes liable for the activities of its employees whilst they act within the scope of their employment, known as vicarious liability. For this reason, it is possible for the employer to be liable whether employees use email from the office or from any other location, such as a home computer. To reduce risk to the organization, the employer should take reasonable care to prevent improper or illegal activities taking place. Even if the liability of an organization is limited for the acts of its employees, it still has to take into account other issues, such as its reputation and the way the press and media report adverse news.

There is always a fine dividing line between encouraging a high level of camaraderie between employees, the quality of which can be beneficial to every organization, and instances where individuals overstep the parameters of what is judged to be acceptable behaviour. Employees should be aware of these boundaries, and their conduct within the scope of their employment must reflect this awareness, especially where they hold a senior position within the organization, as demonstrated by Mike Soden, the Chief Executive of the Bank of Ireland and a director of the Post Office. In May 2004, he resigned from his posts after a regular internal audit of email traffic showed that he had broken the terms of the policy relating to the use of the Internet. It was reported that he might have accidentally visited a web site selling pornographic images as he was browsing through a series of escort agencies in Las Vegas before visiting the United States. Where an employee fails to observe this requirement, the organization must take action, because all organizations have reputations to uphold, and it is necessary to have appropriate systems in place to protect reputation and reduce risk.

The range of risks that an organization is exposed to when permitting employees to use email is wide and varied. The issues set out in the next section illustrate some of the risks, which in turn demonstrate the need for every organization to have a policy and to provide adequate training. Training should be more than merely sending a copy of the relevant policy to the employee and asking them to acknowledge receipt. The policy should be written in such a way that it covers the risks to both the employer and employee. This is because where an employee fails to adhere to the policy, they face the possibility of dismissal, and employees should be made fully aware of the risks they face if they fail to abide by the policy.

The email policy

It is crucial to have an appropriate policy in place with employees; otherwise, the employer will have difficulty in persuading a court that dismissing an employee for misuse of the email facilities, for instance, was fair. Employers must set the standards expected of employees. Failure to do so can mean the employee may have a case against the employer for wrongful dismissal.

The intention behind the development and implementation of a suitable policy is two-fold: to reduce risk to both the organization and the individual employee. It protects the righteous. The aim should be to reduce the wasted time and the costs of dealing with the misuse of the corporate email system by employees. Undoubtedly, some employees may consider that the imposition of such a policy illustrates a tendency by the employer to be over-protective towards its employees, or demonstrates the inability of the employer to trust its employees to be sensible when using the email system. Whilst it is correct to say that most employees can be trusted to use email sensibly, nevertheless the provision of rules and guidance, and linking the policy to the disciplinary code, is essential if employers are to control those employees that persist in acting recklessly.

Computer Fraud & Security December 2005

Email and compliance
Stephen Mason

Responsible use of email should be taken more seriously than it is. An employer is liable for the email uses of its employees. This liability means that it is essential that a corporate email policy is devised so that dismissal of an employee for email misuse can be proven in a tribunal. This article will discuss the many issues that an employer must be aware of to ensure email compliance.


Some reasons for having a policy

Breach of confidential information

The attributes of email make it very easy for employees to send trade secrets and other information of a confidential nature to third parties. Whilst it is possible for confidential information to be sent innocently, a significant risk is from disgruntled employees. Even before the organization is aware that an employee will leave their employment, it is probable that a dissatisfied employee will send information out of the company by way of email before they leave. Ideally, all employees will have confidentiality clauses in their employment contracts, although where there is no express contractual obligation of confidentiality, a duty may well arise as between employer and employees in certain circumstances.

The case of Winder v The Commissioners of Inland Revenue (Ashford employment tribunal, 20 April 1998, Case No 1101770/97/SM) illustrates that where an employer fears an employee has broken the contractual duty of confidentiality, action can be taken. Mr Winder was employed by the Inland Revenue as a Valuation Referencer. It came to the notice of his superiors that he had offered confidential information to the National Socialist Alliance. Mr Winder was subsequently dismissed, because it was considered that there had been a fundamental breakdown of confidence and trust between employer and employee, and that there was a risk that the rules of confidentiality would be broken if he remained in the employment of the Inland Revenue. The members of the tribunal considered that the Inland Revenue was reasonably entitled to take the view that the letter written by Mr Winder amounted to serious misconduct, and that dismissal was the appropriate penalty in the circumstances.

Formation of contract

It is very easy for two parties to enter a contract. It only takes employees of two organizations to exchange emails with each other to commit each organization to duties and obligations under a contract. It will not always follow that the employees entered the contract without authority. The point is, where an employee is using the employer's email system, it is probably reasonable for the recipient to assume that the employee has the authority to enter a contract on behalf of their employer. It is perfectly possible for two parties to agree the terms of a commercial arrangement by way of an exchange of emails. Even if they intend to enter into a legally binding contract, it does not follow that a contract exists. This could be because the exact terms of the contract have not been agreed, or one or both parties intended the exchange of emails to settle the terms of the contract before entering into a separate, written agreement, as in the case of Pretty Pictures Sarl v Quixote Films Ltd [2003] All ER (D) 303 (Jan). In this instance, James Velaise, through his company, Pretty Pictures Sarl, wanted the rights to distribute a film, the rights to which were held by Quixote Films, in French-speaking countries. Quixote Films appointed Rosa Bosch to conduct the negotiations for the distribution of the film in France. During February and April 2002, Mr Velaise and Rosa Bosch conducted negotiations, mainly by email. After a number of emails had passed between them, Mr Velaise sent the following text to Rosa Bosch on 26 April 2002:

“Dear Rosa, Further to our today's conversation, here is my revised offer. Licence fee: MG 80,000 Euros; 20,000 upon signature, 80,000 upon delivery. Term: 15 years. Territory: France, French speaking Switzerland, video and paid TV only, Monaco, Domtom, Mauritius, ex-French speaking African colonies. Rights: All rights, all cinema, all video, all TV. Split cinema 50:50, cost off top. Video, 70 us 30 you; TV, 70 us 30 you. All rights crossed. MG deducted from your share.”

He ended the email: “I hope we now have a deal, and I look forward to your confirmation and receiving a deal memo by fax.”

A number of further emails passed between the two, discussing the finer points of the deal. In each of his emails, Mr Velaise continued to refer to the “deal memo”, which he expected would be exchanged and signed between the parties to confirm the contract. Finally, on 7 May 2002, Rosa Bosch sent an email as follows:

“The deal is approved. Apologies for the delay. You will be receiving the contract by before commence tomorrow.”

A contract was never signed between the parties, and it was claimed by Mr Velaise that this final email sent by Rosa Bosch constituted an unconditional acceptance of his earlier offer. Newman J held that the exchange of emails did not show there was a binding contract between the parties. While the exchange of emails helped to formulate the basis for an agreement, nevertheless it was abundantly clear that both parties anticipated that a legally binding contract would only be formed once a formal document was signed between them.

Every organization should pay particular attention to ensuring employees are trained in the formation of contracts, and that internal procedures are adopted to prevent employees from entering contracts unwittingly. For instance, internal emails between employees and relevant line supervisors can lead to a variation of an employment contract, as demonstrated in the case of Hall v Cognos Limited (Hull industrial tribunal, 10 December 1997, Case No 1803325/97), which also illustrates the use of an electronic signature, because typing a name into an email is a form of electronic signature. In this case, Cognos Limited employed Mr Hall as a sales executive, and he was reimbursed for all reasonable expenses in accordance with the relevant policy. The policy stated that all expenses over six months old would not be paid. Mr Hall failed to submit any travel expenses between 1 December 1995 and 3 June 1996. By January 1997 Mr Hall wanted his expenses paying. A series of emails were exchanged on 15 January between Mr Hall, Sarah McGoun and Keith Schroeder, Mr Hall's line manager. Mr Hall asked if the late submission was “OK with you?” and his line manager said, “Yes, it is OK.” Mr Hall subsequently submitted an inflated claim, as a result of which his employers refused to make any payment. It was held that the exchange of emails between Mr Hall and his line manager varied the contract of employment. The chairman of the tribunal accepted that the printed copies of the emails were in writing and signed (the emails were signed “Sarah” and “Keith”). As a result, the employer was required to pay Mr Hall his reasonable expenses.

It is important to ensure that employees understand the basic elements of entering a contract, especially whose terms apply to the contract and what, if any, misrepresentations were made in emails before the contract was concluded. If suitable training for all members of staff is not considered necessary, this issue should be addressed by establishing a method by which only certain employees have the authority to enter a contract.

Criminal offences

In all probability, criminal offences were committed by way of email as soon as the facility became available. However, examples that exist in the public domain of such activity are rare, because organizations tend to deal with such matters in confidence without reporting the offence. In the case of Miseroy v Barclays Bank plc (Bedford employment tribunal, 18 March 2003, Case No 1201894/2002), there is no record of the police taking any action against the employee concerned. However, the case illustrates how employees can misuse email. In this case, Mr Hilary Miseroy was employed by Barclaycard in the Fraud Prevention Department. It transpired that an individual appeared to be receiving a disproportionate number of emails during the day. A formal investigation was subsequently initiated, and an audit indicated that Mr Miseroy had sent a significant number of emails. After a series of investigatory meetings, it was concluded that Mr Miseroy had abused the email facilities by selling cannabis, amongst other improper actions. For instance, in an email dated 15 February, Mr Miseroy wrote to a manager: “I've brought it in with me. Fag-break about 10.30?”, and in a further email sent on 18 February, Mr Miseroy asked “quality ok?” The members of the tribunal accepted that the dismissal of Mr Miseroy was within the range of reasonable responses of a reasonable employer in relation to the circumstances of the case.

Monitoring email

The privacy aspects of monitoring networked communications in the European Union are partly governed by Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (23.11.95 OJ L281/31). In the United Kingdom, it can be stated with a reasonable degree of certainty that it is generally unlawful for communications to be intercepted. The Regulation of Investigatory Powers Act 2000 makes it unlawful for communications to be intercepted, unless:

• A warrant has been authorized by an approved authority.

• An existing statutory power is used to obtain stored communications.

• The reason is governed by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (S.I. 2000 No. 2699).

• Both the sender and recipient (or the intended recipient) explicitly consent to the interception.

“Communications” include telephones, email, Internet and instant messaging facilities in the workplace, provided they are connected to the public telecommunications system. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which came into force on 24 October 2000, permit employers to intercept communications on their telecoms systems. However, if an employer decides to monitor or record communications, it must do so in line with the requirements of the regulations. To monitor communications, users must be informed, and there must be a business purpose. It is necessary to ensure the employee is aware of the employer's monitoring activity, because an employee could have a right to object under the provisions of the European Convention on Human Rights and the Human Rights Act 1998. In the United Kingdom, the Information Commissioner has set out good practice recommendations that are expected to be enforced in relation to the monitoring of networked communications.

Retention and disposal of documents

It has not taken long for email to become the most prominent form of communication. However, failing to provide for the proper retention and disposal of appropriate emails can cause added expense to the organization, to such an extent that the cost of resolving problems may be significantly more than the savings of using email. The case of Rolah Ann McCabe v British American Tobacco Australia Services Ltd [2002] VSC 73; British American Tobacco Australia Services Ltd v Roxanne Joy Cowell, as representing the estate of Rolah Ann McCabe deceased [2002] VSCA 197, illustrates that even when the organization has an appropriate document retention and disposal policy in place, defending the terms of the policy in legal proceedings may well prove to be an expensive exercise. British American was reluctant to deliver up certain documents to the other side at the trial stage of this case. As a result, the lawyers for Mrs McCabe applied to the judge for British American's defence to be struck out and judgment to be entered for her, because it was argued that there was no possibility of a fair trial taking place. Having heard the evidence, the judge concluded that British American had subverted the process of discovery with the deliberate intention of denying a fair trial to Mrs McCabe, in that most of the relevant documents were no longer available, because they had been destroyed as part of the retention and disposal policy. He ordered their defence to be struck out, and judgment was entered for Mrs McCabe. Damages were later assessed at A$700,000.

British American appealed, and the members of the court of appeal concluded that the evidence did not support the view of the trial judge that the document retention and disposal policy represented a deliberate attempt to destroy documents. Every effort had been made to devise a policy that was appropriate. Also, there was no evidence to show that the destruction of documents was carried out in the knowledge that legal action might be taken against British American Tobacco at some time in the future. Proper enquiries were made before disposing of documents. It was held that striking out the defence was out of proportion to the issues brought before the judge. The members of the Court of Appeal allowed the appeal by British American Tobacco. The order striking out the defence was set aside, and the judgment given for damages was also set aside. The proceedings as a whole were remitted for a new trial. This case illustrates the need to ensure the organization can justify its retention and disposal policy. Whilst the policy will take shape around operational needs, the various legal requirements must be taken into account to ensure the policy is reasonable, measured and appropriate.

It is neither practical nor necessary to keep every document created in the course of running the business. With the introduction of electronic storage methods, it is possible to retain bulky documents in a fraction of the space that hard copies will occupy. However, now that documents are created in electronic format, it is important to ensure the document retention and disposal policy reflects the way in which employees create, alter and manipulate electronic documents. It must be emphasised that any communication in electronic format, whatever form it takes, is considered to be a document and must be retained in accordance with the laws and regulations that apply to the particular document.

The types of document that have to be retained, and how long they need to be retained for, will partly depend on the nature of the business. Some documents created during the course of a business are common to all organizations, and provisions are made in the relevant legislation for the retention of such documents. Further, public finance initiatives often have contracts that require the organization to retain all documents for the length of the contract (say 30 years) plus seven years after the contract expires.

From the legal point of view, the content of the email serves to determine its category as a document, the importance of which is relevant for the length of time an email should be retained. For instance:

• An email discussing official business between employees internally is an internal memorandum.

• A similar email sent out to a third party relating to official business is an external communication, and should be treated as official stationery, by being sent with the same corporate information that is contained on the stationery.

• An extension of a telephone conversation, confirming something, for instance, is a note to be added to a file, whether it is sent to people within the organization or to external addressees, or a mix of internal and external addressees.

• A note to a friend to say you enjoyed the party last night is an item of private correspondence using the organization's resources. The use of email for this purpose may or may not be authorized by the organization.

In essence, document retention periods are set against different criteria:

• Retention periods prescribed by law.
• Rules issued by regulatory bodies.
• Best practice.

It should be noted that some legislation also creates an offence of destroying documents before the time laid down has elapsed, and some industries (such as finance, for instance) are subject to fairly stringent rules determined by a regulator. As an example, consider the use of email for matters relating to health and safety. It appears that emails were exchanged between employees at NASA a few days before the Columbia space shuttle disintegrated in the sky in February 2003. The text of the emails included references to safety matters, which serves to illustrate the uses to which email is put within the organization (see http://www.jsc.nasa.gov/news/columbia/index.html).

Email and evidence

Documents in electronic format can be adduced as evidence in court. As soon as legal proceedings begin, or the organization is put on notice that legal proceedings are contemplated, the organization has a duty to the court to preserve every document that is relevant to the claim. The obligation includes documents upon which the organization may rely and any documents that adversely affect its case. Where one party fears the other party may delete relevant communications, they can make an application to a judge for an order that all electronic records, including correspondence conducted by email and instant messaging, be preserved and copies be handed over to the other side.

Should an organization inadvertently destroy any document (whether electronic or otherwise), such an act may adversely affect its legal position. Where documents are deliberately destroyed, proceedings can be taken for contempt of court.

Conclusion

Most IT departments are struggling to cope with the storage of the vast quantities of email generated every day. However, few have been given any guidance about which emails should be retained and how long they should be retained for. It is pertinent to note that the IT department is only the custodian of the records. The responsibility for dealing with the records lies with the company secretary or chief executive. Care should be taken to establish why email communications have to be retained before any long-term solution is chosen; only then can the organization begin to plan one.

© Stephen Mason, 2005

About the author

Stephen Mason is the author of Networked communications and compliance with the law (xpl publishing, 5th edn, 2005), Electronic Signatures in Law (LexisNexis Butterworths, 2003) and editor of the e-Signature Law Journal (www.e-signaturelawjournal.co.uk).

Contact the author: [email protected]
