Indecent images on email? Offensive or distasteful websites? The rise of social networking and blogging? Just some of the challenges facing IT Managers today, but what action should you take to ensure safe internet and email use by employees?
Legal Risks: Employee Use of the Internet and Email

Whitepaper
www.messagelabs.com firstname.lastname@example.org

About the Author

Jonathan Naylor is an employed barrister who handles both contentious and non-contentious employment issues, ranging from advising clients on actual and potential claims to representing them at tribunal hearings. Jonathan also advises clients on all aspects of the employment relationship including contracts of employment, transfers of undertakings, equality and discrimination law and termination of employment. Another aspect of Jonathan's role is to present training for clients, which he does on a regular basis. Recent topics for training have included the statutory disciplinary and grievance procedures, managing sickness absence, avoiding tribunal claims and the legal issues involved in monitoring employee use of email and the Internet.

The Issue

Access to email and the Internet is a business critical application for most organisations, but the attributes that make such resources so essential inevitably generate significant risks for employers. This short summary considers some of the main risks, but it should be noted that this is not a comprehensive study of the topic and detailed legal advice should always be sought in specific situations.

The Legal Context

The principle that underpins this area is a legal concept known as 'vicarious liability'. In short, this means that an employer will usually be liable for the wrongful acts committed by their employees in the course of their employment; a principle that may also cover the acts of an employee that are incidental to their employment.
There are strong policy reasons why courts generally wish to find an employer liable for the acts of any employee (the most obvious being that someone who has been injured by an employee may not be able to recover adequate financial compensation if their only claim is against an individual rather than an organisation). In recent case law, such as Mattis v. Pollock (t/a Flamingos Nightclub), courts have been willing to extend the boundaries of this principle. In Mattis, a nightclub doorman who had been angered by an incident that occurred while at work, left the nightclub, went to his home which was nearby, took a knife and returned to the club, later stabbing an individual who had been involved in the earlier incident and causing the victim serious injuries. Dismissing the nightclub's arguments that the doorman had acted entirely independently of his usual employed role, the Court held that the owner of the nightclub was liable for the attack. This type of case demonstrates that, with a sufficient link to the employment (even if indirect), employers may be liable even for extreme acts committed by employees.

Key Areas of Risk

All employers will be well aware that there is a risk of cyber slacking whenever an employee has access to email or to the Internet, but there are other risks which are perhaps less obvious. Some of these are considered below.

Blogging: In recent years many employers have developed either specific blogging policies, or alternatively dedicated sections of Acceptable Use Policies (AUPs) to set down guidance as to what is acceptable in this area. There are examples of employees of companies such as Waterstones and Delta Airlines being dismissed in relation to material on their blogs which the employers viewed as bringing the companies into disrepute.
The trend for a growing number of employees to produce similar blogs seems set to continue, meaning that similar challenges will be faced by other employers.

Social networking sites: Comments made by employees on social networking sites can have a significant impact on their employers, particularly as the line between work and home life becomes increasingly blurred. A recent example was a senior police officer with the British Transport Police who posted personal information about his gay lifestyle on the social networking website, Facebook, and (crucially in this case) added photographs of him posing in his police uniform outside a London Underground station. These pictures, alongside explicit comments about his lifestyle, caused his employers to take disciplinary action against him and meant that he was denied a promotion to Chief Inspector.

Harassment: Barely a month seems to go by without a further example of employees accessing inappropriate material, such as pornography, through work computers, leading to disciplinary action by the employer (possibly including dismissal). Employers also need to be aware of the potential for claims from other employees not involved in accessing or distributing such material, but who nevertheless may take action based around the employer's failure to provide a safe working environment or perhaps that the conduct of the other employees amounts to discrimination. Such behaviour may lead to claims of unfair (constructive) dismissal and/or complaints such as sex discrimination. One example of such conduct occurred when the IT company, Oracle, found itself on the wrong end of a claim brought by a Miss Carlucci, who received 100,000 after succeeding in her sex discrimination complaint. The Tribunal accepted that she had been subjected to sexist emails and behaviour from her male bosses and that she was demoted after she brought a formal complaint.
Employers should be particularly wary of discrimination complaints as there is no limit on the possible awards of compensation that may be made. Employers should also be aware that it is no defence to suggest that the inappropriate material or behaviour is not aimed specifically at the employee who brings a complaint. In Moonsar v. Fiveways Express Transport, the fact that pornographic material was being circulated amongst a predominantly male team and that a female member of the team was aware of this behaviour, was held by a tribunal to have created an atmosphere of obscenity following which the employee was ultimately successful in her claim for sex discrimination.

Obscenity: Material that is likely to 'deprave and corrupt', if published, may constitute a criminal offence under the Obscene Publications Act. Police investigations reveal that, unbelievably, employees may choose to use work computers in order to store material that goes beyond merely inappropriate material and may involve the commission of a criminal offence. Even if the employer was not prosecuted, the resulting negative publicity in being associated with an offence committed by an employee could be substantial.

Defamation: Employers should not fall into the trap of assuming that defamation is the preserve of celebrities and national newspapers. A well known supermarket chain paid 10,000 as part of an out of court settlement to a police officer who had alleged a libel. This had arisen because supermarket staff had accused the police officer of being involved in a scam to defraud the supermarket and had circulated a warning email to other branches. The ease and speed of distribution of email meant that the libel was more widespread in this case than it might otherwise have been and this highlights both the strength and weakness of email as a method of communication.
Formation of contracts: The law in the UK requires very little formality in order to create a binding contract and there is no reason that a relatively brief email may not have this effect. An Employment Tribunal case, Hall v. Cognos Limited, demonstrated that a brief email from a line manager to an employee was enough to vary the contract of employment; the email clearly identifying the parties and carrying a signature by way of the name of the sender and recipient being visible from the email. Such legal liability stemming from a relatively brief and informal communication can cause difficulty for employers, particularly if involved in commercial transactions. For example, an employee without authority might commit a company to a particular payment without fully appreciating what they had done. A further problem is often the difficulty of establishing an audit trail to determine the terms of any contract if any emails that would assist an organisation in this respect have been destroyed or deleted.

Copyright infringement: The author of any particular material generally has copyright in the content. The ease with which information can be obtained from the Internet and distributed by employees increases the risk of a breach of such intellectual property rights.

Confidentiality: Confidential information can be the life blood of a business and yet it may be very easy for employees to access it. If an employee is disgruntled or intends to leave the employment in the near future, they may seek to use the email system to remove confidential information from the business to be used for their own purposes at a later date.

The Legal Framework

This is an area in which the law has traditionally lagged behind developments in technology and has attempted to catch up over the last decade.
As such, there is now a framework of legislation such as the Human Rights Act, the Data Protection Act, the Regulation of Investigatory Powers Act and the Lawful Business Practice Regulations which all impinge on what an employer should and should not do in terms of monitoring their employees' use of email and Internet systems. In summary, an employer needs to have lawful authority to undertake monitoring of employees. The Lawful Business Practice Regulations provide for such lawful authority as long as the monitoring is for a number of specific purposes and the employer has made all reasonable efforts to inform the employees concerned that their communications may be intercepted.

The starting point for any employer grappling with this area is therefore to ensure that their AUP is clear and covers all of the areas required by the employer. As advised by the Information Commissioner in his Employment Practices Code (which is not law but which is useful guidance and will be followed by Courts and tribunals in dealing with this area), the employer should conduct an impact assessment to demonstrate that the organisation has identified the goal that it is trying to achieve and that it is implementing the least intrusive method of monitoring required in order to meet that goal. For example, if you are concerned about excessive Internet usage by a particular employee, you may be able to deal with the problem simply by monitoring the overall time that the employee spends on the Internet rather than identifying the specific websites which the employee is visiting.

The AUP must be linked to the employer's disciplinary policy in order to ensure that the employer can take adequate disciplinary action when required. The importance of communicating the AUP to employees was highlighted by the case of Copland v.
United Kingdom (2007), when an employee successfully argued that their human rights had been infringed by their employer covertly monitoring their telephone, email and Internet usage. While this case predated the introduction of the Regulation of Investigatory Powers Act, the employer's lack of any relevant policy or procedure clearly undermined their defence to the claim.

Where possible, automated monitoring should be used as this is less intrusive to the employee, but all employers must remember that it is their responsibility to implement the appropriate level of monitoring and advise their employees accordingly. Third party service providers can help but, ultimately, any claim would inevitably be brought against the employer.

Conclusion

Most employers will have implemented an AUP some time ago, but this should be regularly reviewed and updated to meet any new threats. Such reviews can ensure that the policy remains relevant to what the employer is trying to do and the risks that they are facing. The AUP should set out why the employer is monitoring (and partially this will be to protect the employee themselves against risks that might occur in the event of any misuse) and also set out penalties for any breach of the AUP, linking this to the disciplinary policy. Clarity of thought is absolutely essential. The employer must have identified what they are trying to do and why and then frame the AUP and the monitoring that takes place in support of that policy to meet its specific needs.

About Symantec Hosted Services

MessageLabs, now Symantec Hosted Services, is a leading provider of hosted messaging and web security services, with over 29,000 clients ranging from small businesses to the Fortune 500, located in 99 countries. Symantec Hosted Services protect, control, encrypt and archive communications across email, web and instant messaging.
These services are delivered by a globally distributed infrastructure and supported 24/7 by our security experts. This gives a convenient and cost-effective solution for managing and reducing risk and providing certainty in the exchange of business information. For more information or to request a free trial of Symantec Hosted Services, please visit www.messagelabs.co.uk/solutions