Private words for global audience - the ill-advised email

By VICKI JAYNE

How secure and confidential is your email system and database? If a disgruntled employee or unhappy customer airs a grievance online, it has the potential to sweep the globe within an hour. The damage to reputations can be huge.

When British Secretary of Transport Stephen Byers fell on his sword last month, his demise was quickly traced to what was, by then, an infamous September 11 email from his spin doctor, Jo Moore.

Her advice to Byers - that the day the twin towers fell was "a good day to bury bad news" - was revealed publicly.

Byers initially stood by her, but eventually the damage to both their reputations proved terminal.

Byers' departure is the latest in a lengthening line of email-fuelled crises.

One of the first British companies to feel the liability backlash of email misuse was Norwich Union.

It had to pay £750,000 ($2.24 million) in damages to health insurer Western Provident Association in 1997 after its staff had circulated libellous comments about the insurer on internal email.

That companies are vicariously liable for information disseminated via their email systems is just one risk. Email comments intended for internal consumption can quickly knock share value or undermine business reputation once they escape and proliferate.

British legal firm Norton Rose, which specialises in e-commerce and employment law, found the wrong sort of publicity when a saucy email exchange about oral sex between one of its lawyers, Bradley Chait, and his lover, Claire Swire, went swiftly global.

The message is still posted in various places on the internet, and reactions are split between amusement and horror at the embarrassment Swires was to suffer. Chait and Swires were disciplined, but kept their jobs.

The paradox is that although email seems as intimate and ephemeral as a phone call, it carries the same legal liability as any published document.

It is hard to contain and very difficult to erase.

All of which should cause people to think twice before hitting the send button, says Graeme Sinclair, partner in charge of information risk management at KPMG.

"The trouble with email is that you don't know where it will end up," he says.

Once written, it is also extraordinarily hard to get rid of.

"Deleting an email doesn't erase it. It only means the space has been released to be overwritten. The original is still there and can be recovered.

"Given that we in the risk-management business encourage IT folk to back up everything, then it's also likely to be duplicated somewhere in the system, anyway."

And email does leave traceable electronic tracks - as one disgruntled employee in Britain discovered.

He thought he was being smart when he sent abusive and defamatory emails to his former employer under a pseudonym through a Hotmail account.

But despite protestations of innocence, he ended up paying £26,000 ($77,000) in damages plus £100,000 ($299,000) in legal costs when the messages were traced back to him.

The past couple of years have brought a rash of dismissals relating to email misuse.

In 1999, 23 staff at the New York Times lost their jobs after disseminating smutty email, including jokes about their bosses.

More recently, Royal & SunAlliance sacked 10 employees at its Liverpool branch after doctored pictures depicting TV character Bart Simpson and others in sexual clinches did the email rounds.

Employees are fighting back with claims that such cyber-sackings represent unfair dismissal.

Already rife in the United States, email abuse cases are also starting to appear in New Zealand case law, says Lisa Shadgett, a solicitor with Russell McVeagh's technology group.

The courts backed Methanex and the former New Zealand Employment Service after they sacked staff for offensive use of company email.

One company successfully took out an injunction against a former employee who sent emails highly critical of the company to its customers.

"If anyone sends out a defamatory email, then the usual laws of defamation apply," says Shadgett.

"All you need is evidence of publication, and you can claim for each instance of publication."

The former chief executive on internet registry Domainz, Patrick O'Brien, got $42,000 in damages from Alan Brown, who made defamatory remarks to a newsgroup, an email list and a website.

Given that the email genie is already loose, how can its potential for damage be contained or controlled?

Encryption technology is available, but it makes email a clunky tool because all regular contacts in and outside a company need the decoding software. And Big Brother-style email monitoring raises a raft of legal issues around privacy.

What companies need, says Sinclair, is a strategy around email use and policies that help protect risks to reputation and damage to business.

His five-step process to managing email risk is:

* Establish an email strategy to identify its purpose within the organisation;

* Identify risks to the business arising from this and amend the strategy if the risk cannot be managed to an acceptable level;

* Prepare policies and procedures defining what is acceptable use of email within the business;

* Educate employees to be aware of email risks and understand the need for policies and procedures;

* Monitor compliance through peers - encourage each employee to look out for the welfare of the whole organisation by monitoring team members' compliance.

* vjayne@iconz.co.nz