White PapersThe starting point is that employers will generally be held responsible for the acts of their employees; the principle of vicarious liability. An employer is vicariously liable for the wrongful acts committed by employees in the course of their employment, and this principle may cover acts of the employee that are incidental to the employment.
The potentially wide scope of this is highlighted by the case of Mattis v Pollock (t/a Flamingos Nightclub) in which a nightclub doorman, angered by an incident that occurred while at work, went to his home nearby, armed himself with a knife and returned to the vicinity of the club. The doorman then stabbed an individual involved in the earlier incident, causing serious injuries. In the subsequent claim by the victim of the attack, the nightclub’s owner was held liable for the actions of the doorman. This is an obvious warning to employers as to how widely the courts will construe acts as being “incidental” to the employment.
The Legal Risks of Uncontrolled Web Use & Email Content A White Paper by Morgan Cole Solicitors for MessageLabs Untitled Document 2 Table of Contents The Problem 3 The Risks 3 Harassment 3 Obscenity 4 Defamation 4 Third Party Intellectual Property Rights ( IPR ) Infringement 4 Contract Formation 4 Confidentiality 5 Blogging 5 Dealing with the risks 5 Summary 6 Untitled Document 3 The Problem Email and Internet access is critical to many businesses. The ease of use and scale of information that can be obtained or distributed swiftly makes these business tools invaluable. However, the same attributes can also cause severe difficulties to employers if employee use is not controlled adequately. This short summary considers some of the main risks that employers face in dealing with employee use of email and the Internet. It is not a comprehensive study of the topic and detailed legal advice should always be sought in specific situations. The Risks The starting point is that employers will generally be held responsible for the acts of their employees; the principle of vicarious liability. An employer is vicariously liable for the wrongful acts committed by employees in the course of their employment, and this principle may cover acts of the employee that are incidental to the employment. The potentially wide scope of this is highlighted by the case of Mattis v Pollock (t/a Flamingos Nightclub) in which a nightclub doorman, angered by an incident that occurred while at work, went to his home nearby, armed himself with a knife and returned to the vicinity of the club. The doorman then stabbed an individual involved in the earlier incident, causing serious injuries. In the subsequent claim by the victim of the attack, the nightclub s owner was held liable for the actions of the doorman. This is an obvious warning to employers as to how widely the courts will construe acts as being incidental to the employment. Aside from the obvious risk that an employee who spends significant periods of the day engaged in personal email correspondence or Internet use may have a reduced level of productivity and drain IT resources, there are other, more subtle, risks. We consider some of these below. Harassment Despite many highly publicised cases, employees persist in accessing inappropriate material, such as pornography, through work PC s. On occasion such material is distributed around the workplace by attachments to emails. This may lead to claims that the employer has failed to provide a safe working environment and/or that the conduct of the employees concerned amounts to discrimination against other colleagues. Such activity may also cause any employees who feel harassed by such behaviour to resign and claim unfair constructive dismissal. Damages awards in discrimination claims are potentially unlimited. Relevant employment tribunal cases include a woman who was awarded 100,000 after succeeding in a sex discrimination claim against a major IT company, exposing what was described as a boys club culture. The woman was subjected to sexist emails and sexist behaviour from her male bosses and was demoted after she brought a formal complaint. Even if the inappropriate material is not specifically aimed at a particular employee, the case of Moonsar v- Fiveways Express Transport demonstrates that an employer can still be liable. In that case, the fact that pornographic material was being viewed by others in the room in which the employee had to work created a degrading and offensive environment for the employee, eventually leading to a successful claim of sex discrimination. The starting point is that employers will generally be held responsible for the acts of their employees. Untitled Document 4 Obscenity The publication by email of material that is likely to deprave and corrupt may constitute a criminal offence under the Obscene Publications Act. In addition, the police operations against child pornography, such as Operation Ore, have highlighted the fact that indecent photographs or pseudo-photographs of children have been stored on employers computer systems; demonstrating that employees have used their employer s computer systems to access material that constitutes a criminal offence. The consequences for an organisation could be serious, as computers may be seized and held by the police and criminal prosecutions may follow, resulting in severe negative publicity for the employer. Defamation While the legal definition of defamation contains rather antiquated language such as to lower a person in the estimation of right thinking members of society , the use of the modern application of email can lead to expensive claims for employers. A well known supermarket chain paid 10,000 in an out of court settlement to a police officer who claimed he had been libelled by the supermarket. While off-duty, the officer had received a refund after complaining about the quality of some produce he had purchased. Staff at the supermarket believed wrongly that the man was engaged in a scam and, via the internal email system, warned other branches to beware. The warning message gave a full physical description of the officer. While visiting a local store a few weeks later in his professional capacity, the officer was alerted to the existence of the email. The availability of email in this case meant that the libel was more widespread than it might otherwise have been, demonstrating the possible risk involved. The scale of the potential distribution of email, combined with its ease of use and informality of tone, can increase the danger. Third Party Intellectual Property Rights ( IPR ) Infringement Information on the web, created by others, is frequently downloaded from the Internet and may be attached to email communications. This could be in breach of the terms of the author of the material. Copyright protected material can be widely circulated by employees who are adept at cutting and pasting . Employers may then face breach of copyright actions, resulting in expensive litigation and damaging publicity. Contract Formation Employers are often under the misapprehension that, for a contract to be legally binding, many formal requirements or procedures need to be met or followed. In fact, English law requires very little for the formation of a valid and binding contract. The briefest of emails, written informally and in haste, has been held to constitute a valid variation of a detailed contract. An example of this was the case of Hall v- Cognos Ltd where an employee had missed the deadline to claim expenses as specified in the company policy. He emailed his manager, requesting permission to enter a late claim. The manager replied via email stating yes, it is okay . The employee then submitted a late claim but his employers refused to pay it. A clause in the employee s contract stated that any amendment or modification of this contract will be in writing and signed by the parties or it will have no effect . Due to the line manager s position of authority it was The use of the modern application of email can lead to expensive claims for employers. Untitled Document 5 held that he had apparent authority to authorise a variation of the terms. It was held that the email was in a written form and signed by the parties as each message contained the printed name of the sender. The employers were therefore bound by the variation sanctioned by the email. A further problem can be that the disposable quality of email frequently means that important documents may be destroyed, making it hard to establish exactly what the terms of any contract were in the event of a dispute. Confidentiality Email can be used as a tool to send confidential data outside of the organisation, particularly in the case of a disgruntled employee, or one who intends to leave to set up a competing business. This can be highly damaging to an employer, as it may lose sensitive and commercially important information. Aside from the commercial impact, there is also the risk of a potential breach of contract or Data Protection Act claim in the event that the information refers to a third party. Blogging The phenomenon of blogging continues to develop and demonstrates neatly how increased employee access to the Internet can cause employers embarrassment. In recent years, employees at companies such as Waterstones and Delta Airlines have been dismissed for material on their blogs that the respective employers felt brought the companies into disrepute. Dealing with the risks The Regulation of Investigatory Powers Act does not allow the interception of communications by an employer unless the employer has lawful authority . The Lawful Business Practice Regulations authorise monitoring for a number of purposes, including establishing the existence of facts, investigating unauthorised use of the system and ensuring the effective operation of the system. The employer must make all reasonable efforts to inform employees that communications may be intercepted. It is therefore crucial that an employer develops and distributes an Acceptable Use Policy ( AUP ) so that all workers are aware of the employer s policy. The employer should consider what risks it is trying to avoid and assess what impact any monitoring may have on its employees. The employer should adopt the least intrusive method of monitoring possible to achieve its legitimate aims. For example, if the problem is excessive use of email or the Internet by staff, monitoring the level of email traffic or the level of web use by individual users, rather than monitoring of the content of emails or the specific sites visited, may be sufficient to address the issue. Clear communication to employees and the protection of a good AUP is vital to reducing the risk of claims by employees. An employee succeeded in a claim of unfair dismissal against the Royal Bank of Scotland (Goudie v Royal Bank of Scotland plc) after his employment was terminated for a breach of the bank s AUP. It was held that the bank s failure to explain to the employee, as part of the disciplinary process, how the bank graded the offensive nature of the material involved and what sanctions would apply to each grade rendered the dismissal unfair. The employer must make all reasonable efforts to inform employees that communications may be intercepted. Untitled Document 6 Further guidance on the issue of monitoring can be obtained from the Information Commissioner s Code on monitoring at work. This advises that employers should not rely simply on an employee s consent to a particular AUP, but should be able to justify the level of monitoring by way of an impact assessment , to demonstrate that the employer has balanced the risk of intrusion caused by the monitoring of employees against the risk of not monitoring at all. The employer should also have considered possible alternatives to the monitoring proposed. Employers should use automated monitoring wherever possible as this is less intrusive to the employee, but the Commissioner warns that while an employer may use technical solutions, the ultimate responsibility for ensuring compliance rests with the employer, not the supplier of any technical solution. Summary All employers should have a clear AUP covering employee use of email and the web and ensure that the policy is enforced consistently. The AUP should explain the risks, indicate what monitoring is to be conducted and why, offer alternatives to employees if they do not wish to use email communication and set out penalties for any breach of the AUP, linking this to the employer s disciplinary policy. The AUP can be supported by appropriate technical solutions, but the employer must ensure that the level of monitoring is proportionate to the risks involved. Untitled Document 7 www.messagelabs.com info@messagelabs.com Freephone UK 0800 917 7733 Toll free US 1-866-460-0000 Europe HEADQUARTERS 1270 Lansdowne Court Gloucester Business Park Gloucester, GL3 4AB United Kingdom T +44 (0) 1452 627 627 F +44 (0) 1452 627 628 LONDON 3rd Floor 40 Whitfield Street London, W1T 2RH United Kingdom T +44 (0) 207 291 1960 F +44 (0) 207 291 1937 NETHERLANDS Teleport Towers Kingsfordweg 151 1043 GR Amsterdam Netherlands T +31 (0) 20 491 9600 F +31 (0) 20 491 7354 BELGIUM / LUXEMBOURG Cullinganlaan 1B B-1831 Diegem Belgium T +32 (0) 2 403 12 61 F +32 (0) 2 403 12 12 DACH Feringastra e 9 85774 Unterf hring Munich Germany T +49 (0) 89 189 43 990 F +49 (0) 89 189 43 999 MessageLabs 2006 All rights reserved Americas AMERICAS HEADQUARTERS 512 Seventh Avenue 6th Floor New York, NY 10018 USA T +1 646 519 8100 F +1 646 452 6570 CENTRAL REGION 7760 France Avenue South Suite 1100 Bloomington, MN 55435 USA T +1 952 886 7541 F +1 952 886 7498 Asia Pacific HONG KONG 1601 Tower II 89 Queensway Admiralty Hong Kong T +852 2111 3650 F +852 2111 9061 AUSTRALIA Level 6 107 Mount Street, North Sydney NSW 2060 Australia T +61 2 8208 7100 F +61 2 9954 9500 SINGAPORE Level 14 Prudential Tower 30 Cecil Street Singapore 049712 T +65 62 32 2855 F +65 6232 2300
