E-Mail and the Internet
E-mail has become an increasingly important factor in litigation--as Bill Gates, Oliver
North and others have found out to their sorrow in the past few years. With e-mail
becoming more and more prevalent as a primary means of transmitting information and
documents, what are the real dangers in using e-mail and how can you protect your firm
against them? Some small firms are avoiding e-mail altogether because of the perceived
problems: does this make sense?
E-mail has become a basic business component. Employees, and certainly young attorneys
fresh out of law school where they have been accustomed to using e-mail and high-speed
Internet access, view e-mail on a par with the fax machine and telephone. Firms who try to
ignore e-mail do so at the peril of becoming non-competitive. It is not just large
corporate clients who are requiring e-mail: individual clients may choose a firm with
e-mail capabilities over one without for a variety of reasons (e.g., clients who
are deaf or have other disabilities).
Potential Dangers of E-mail
Courts currently view e-mail as discoverable in litigation--ranging from the Department
of Justice's investigation of Microsoft to discrimination and sexual harassment suits.
This can go as far as evidentiary seizure of entire computer systems (the FBI showed up on
the doorstep of one client demanding the hard drive of their server, which would have
prevented the entire firm from doing any work at all!).
The problem with e-mail is that people regard it on a par with the spoken word, not the
written word. They feel free to make comments or statements in an e-mail that would
certainly be revised or excised entirely if they were drafting a printed memo. When
portrayed in court as "policy," such casual formulations can be very damning and
literally cost a company millions of dollars.
Create a Company Policy
While a variety of admonitions concerning the use of e-mail are possible and necessary,
their effectiveness is likely to be about nil. At one firm, for example, despite
admonitions concerning personal e-mail, disk space on the server dwindled alarmingly just
before Christmas due to a large number of 10Mb files with names such as
"tree.exe." Some firms are adding legal disclaimers to every e-mail that goes
out akin to the ubiquitous disclaimers on faxes (see box, over). The legal efficacy of
such disclaimers has yet to be fully tested in the courts.
As a first line of defense, it is important to have a clearly stated firm and company
policy concerning the acceptable use of e-mail. Insist that all employees sign the e-mail
policy statement before being allowed to use it (see box, right).
The second line of protection is to limit the retention of e-mail. This has the
advantage of reducing storage requirements for e-mail (which can be substantial: 10-15 Mb
per user or more) as well as limiting the time period during which e-mail is exposed to
discovery in litigation. Many firms limit the retention of e-mail to 30-60 days.
A third, more drastic, option is to not back up any e-mail at all. This means that if
you have an unrecoverable server crash, all e-mail will be destroyed. However, if
you do back up e-mail and have, say, a 30-day e-mail retention policy and keep 6
months of backups, then the time-frame of your exposure to discovery demands is 6 months
plus 30 days, not just 30 days. In addition, the process of producing e-mail that has been
backed up for a significant amount of time will be extremely time-consuming and expensive.
What about the danger of someone stealing your information? There are two levels to
this concern: targeted attacks and random hackers.
Realistically, the likelihood that e-mail will be hi-jacked in a targeted fashion is
very small, with the possible exception of transactions involving very large dollar
amounts. However, the possibility that some random hacker will discover a potentially
"juicy" morsel and circulate it to the world at large should not be dismissed
(think of the IBM TV ad of the hacker e-mailing the salary structure for an entire company
to all employees).
On a small scale, the only way to protect against this is to use encryption software.
There are several products available and they are getting easier to use (at least in the
most recent versions of e-mail software). However, as with any type of security, the more
security you require, the more you inconvenience users. Encryption is still fairly clumsy,
and requires that the recipient use it as well as the sender.
On a larger scale, there are a variety of Virtual Private Networks services that
provide enhanced security for both small and larger companies. Again, these require both
recipient and sender to subscribe.
Lastly, there are a variety of programs that will analyze your e-mail and can be used
to spot potential problems. While these are not inexpensive, they can be a useful adjunct
as part of an overall e-mail security program. Mimesweeper is one of the best known of
these programs (www.mimesweeper.com).
Viruses are a major concern for many, especially for Word users ( WordPerfect is much
less susceptible to attack than is Word). However, aggressive use of anti-virus software
and end-user education can reduce this risk to acceptable levels.
Do You Need E-Mail At All?
With all the potential problems, a small firm with primarily individual clients might
ask: do we need e-mail at all? One answer to this question is that having e-mail is
becoming part of the basic requirements and cost of doing business, like fax machines and
photocopiers. There really isn't any choice in the matter if a firm is to remain
The better answer is that selective implementation of technology options such as e-mail
enables a small firm to compete successfully with much larger firms. E-mail levels the
playing field and gives smaller firms competitive equality or even an advantage. While
America On Line and other small ISP's appear amateurish and are a telltale sign of very
limited resources, there is no way for anyone to guess the size of a firm with its own
domain name: "myfirm.com."
Furthermore, there are several vendors who offer e-mail services aimed at smaller firms
such that a firm can offer all employees e-mail for a minimal cost. Services such as
DotOne (www.dotone.com) or AllegroNet (www.allegronet.com) integrate Internet e-mail with
your regular in-house e-mail system. This allows you to extend to the Internet without
necessarily providing Internet browsing to the entire firm and without the sometimes
substantial costs of Internet infrastructure (firewalls, anti-virus scanning, etc.). An
additional advantage of separating e-mail from Web browsing is that it tends to
substantially reduce spam and unwanted solicitations, since you are using e-mail mainly
for business purposes. The web browsing ID (spam is typically based on this ID) is totally
separate from your e-mail ID.
There is, however, one caveat. E-mail is not like a fax, where when you feed it
through the fax machine it is already being delivered at the other end. E-mails can be
delayed or even lost, and there is no way to predict when that will happen. Further, it is
very difficult to obtain proof of delivery for e-mail. Therefore, e-mail should not be
used to send time-sensitive materials or anything requiring proof of delivery.
E-mail allows you to communicate with clients, other firms, etc. with even greater ease
than voice mail (there is no such thing as "e-mail tag"). It can cut down
turnaround time and improve communication with clients. It makes it easier for clients and
others to do business with you. You may not need a Web Site yet, but you definitely need
Sample E-mail Policy
You will want to include:
- Explicit statement that the computer and e-mail system belong to the company, not the
employee, who can use it only for authorized purposes.
- Explicit statement that employees can expect no e-mail privacy.
- The firm has the right (not a duty) to monitor e-mail.
- A warning to exercise care in drafting e-mail, as the firm may be liable for the content
under the Electronic Communications Privacy Act.
- An explanation of what content is impermissible.
- A requirement that the employee sign the policy statement in order to use e-mail, and
that the employee understands that disciplinary action, including termination, may result
from infraction of the e-mail policy.
No Attorney/Client Privilege
This message is not intended as legal advice. Therefore no Attorney/Client relationship
is intended, implied, or created by this message.
This electronic mail from _______ may contain information or advice which is
confidential or privileged and is solely for the use of the intended recipient. All
proprietary rights, including copyright, are specifically reserved. If you are not the
intended recipient, be aware that any disclosure, copying, distribution, or other use of
the contents of this message is prohibited. If you have received this in error, please
notify us immediately by phone or email at __________.