Bermuda: You´ve Got Mail Bombs

Advances in technology, especially over the last decade, have made communication with business peers, friends or even strangers as easy, literally, as the push of a button. But this convergence of computers and telecommunications technology has not been without its drawbacks. Businesses worldwide are quickly discovering that ease of communication is only beneficial if the messages being sent don’t come back to haunt them.

Microsoft founder Bill Gates, widely considered the father of the information age, discovered that home truth when mail sent electronically by him and other members of his organisation was introduced as evidence in the recent suit brought by the United States Justice Department. The messages in those e-mails went some way toward assisting the Justice Department to make its case in the Microsoft anti trust litigation that the company’s Internet Explorer web browser is so integrally built into the Windows operating system that it can’t be removed.

Business leaders worldwide should have been aghast at the prospect of Microsoft’s e-mail communications being used to make a case against the Seattle-based computer software giant. The reason is simple - if it can happen to Bill Gates and Microsoft, it can happen to anyone.

The hapless Mr. Gates isn’t alone, of course. In legal circles worldwide, the newest buzzword is "cyberliability", which covers liability for any internet, e-mail or e-commerce issues. The potential liabilities - defamation, sexual or racial harassment, copyright infringement and breach of confidentiality, for example - are not new. But what is new is the ease by which liability can occur.

It is becoming increasingly clear that many computer users simply do not appreciate the dangers fraught with the use of e-mail, the downloading of material from the internet, or the posting of material on the same medium. A letter that is sent in the post to another person is not likely to be photocopied and sent to hundreds or even thousands of other people. But e-mails are routinely passed along various electronic mailing lists. As an example, we have probably all sent a message - perhaps a joke - via the internet locally, only to have someone in say, Vancouver, send it back to us a week or two later, not aware that we started the message on its intercontinental path.

Most computer users now understand that even when the ‘delete’ button is pressed, that does not mean that the message has been deleted. But fewer appreciate that even deleting the ‘delete box’ does not permanently remove evidence of e-mail or its attached document. Similarly, e-commerce - a method of doing business that is ideally suited to benefit Bermuda - is fraught with danger.

The most common danger for businesses involves the prospect of an employee acting in a way that attracts liability, thereby dragging the employer into court as being vicariously liable for the actions of its employee. Traditional causes of action - liability for a negligent misstatement, for example - can be based on information contained on a web site. And there is also the danger that an employee may contract on-line on behalf of his employer.

Below, I summarise some of the dangers to businesses posed by the widespread use of computers in the telecommunications age.

Because the use of e-mail is spontaneous and informal, users rarely consider before pressing the ‘send’ button whether anything contained in the message is defamatory or may cause offence. That same user, when speaking with someone or writing a letter or memorandum, would no doubt think twice before saying or writing anything that might be defaming or false. But ease of communication, to friends and to business peers, to strangers in interactive forum discussions and bulletin boards on the internet, and to co-workers on an organisation’s intranet, has increased the likelihood of defamatory or false statements being made.

Defamation, at law, is a statement published to a third party that would make ordinary people think worse of the person being discussed. The statement need not be explicit - it may have an implied meaning that is defamatory. The Court will consider whether a reasonable person would think that the words referred to the victim. Whereas only authors, and publishers of the printed word, once feared a defamation action, "publication" today includes transmission by e-mail, inclusion on a web site or posting to a news group/bulletin board.

Liability for such an "internet libel" could be far-reaching. The author (employee) could be liable, of course, but the publisher (employer) might also be liable if the statement was made during the course of the employee’s business on an internet and e-mail system, which was provided by the employer. Further, the internet service provider, the web site host, the content provider, the access provider and the web site lessee may also be liable for any defamatory statements made by the author (employee).

Of course, there is also the issue of where the publication occurred. Where the internet is concerned, publication can occur simultaneously in many jurisdictions. It is open to the victim to commence proceedings in any of those jurisdictions, but ultimately he may prefer to issue proceedings in the jurisdiction in which the author or other defendant has assets. An e-mail sent to Texas or California may, if found by a court to be defamatory, result in a huge damages award.

Executives at English insurance giants Norwich Union discovered to their detriment the danger of sending an internal e-mail that contained false and defamatory information that a rival organisation was in severe financial difficulties and was being investigated by UK Government authorities. The rival, Western Provident Association, which had built a client base of some 500,000 policy holders since its inception in 1901, noted a significant drop in business after the e-mail was sent, and also received telephone calls from business associates who asked whether the rumours on the street were true.

The rumours were traced to Norwich Union’s e-mail system, and the plaintiffs secured a search and preservation injunction order in respect of the defendants’ computer records. Those records offered conclusive proof that Norwich Union had been the source of the rumour and defamation, and that publication had occurred numerous times by the copying and re-sending of the defamatory messages throughout the organisation.

After two years of litigation, Norwich Union agreed to settle the matter by making a public apology in court and paying damages and costs to Western Provident in the amount of £450,000 (about $738,000). Executives of the plaintiff later said that there was no certain way to evaluate the losses that the company suffered as a result of being defamed. The losses to Norwich Union were far greater than the amount of the settlement, however. Sources close to the case estimate that the defendants spent more than £750,000 (about $1.23 million) on the matter, much of it in lost management time when the Court made an injunction order requiring Norwich Union to produce, in a short period of time, documents relevant to the case. The defendants, to comply with the order, spent more than 79 man-hour days. To that cost must be added the typical forensic computer scientist’s fee to retrieve the information on an urgent basis, which can be up to $200,000. Finally, lawyer’s fees must be added. Of course, Norwich Union doubtless suffered a loss of reputation as well.

I spoke with Julian Stainton, the chief executive and managing director of Western Provident Association, at a recent conference in London. He identified some early warning and identification processes that any organisation can adopt in an attempt to stop the spread of false and/or defamatory rumours and to minimise the damage caused thereby. They include:

• Stay in constant communication with the organisation’s customers;
• Discount no information, however seemingly trivial;
• Know your business intimately and be aware of the risk of attack from competitors and others at all times;
• Be aware of the technology and use your own networks to full capacity;
• Always be on your guard; and
• Enlist top advisors.

Prudent organisations will also have in place a proper and effective e-mail policy - and will make its staff aware of the importance of proper e-mail etiquette. There must be consequences to the employees for non-compliance with the policy, and the employees must be made to understand that the policy is in place for the benefit of the employees as well as the organisation concerned. No employee would wish to be caught up in litigation, even in instances where the employer would ultimately indemnify that employee for any loss or damage that may be found against him. Similarly, no employee would wish to be dismissed for violation of company policy.

On a happier note, there are defences to claims based on defamation.

For example, if the statement was true and can be proven so. Other defences are that the statement was fair comment on a matter of public interest, or that the dissemination was innocent, that the statement was privileged (i.e. in Parliament or in a privileged situation where there is common and corresponding interest) or that the statement was made with the consent of the victim.

In some jurisdictions, there has arisen an "internet defence" that is available provided that the defendant was not the author, editor or commercial publisher of the defamation and took reasonable care and did not know (and had no reason to believe) that his actions caused or contributed to the publication of a defamatory statement. This provision is not available in Bermuda.

Misuse of e-mail or the internet can give rise to a suit for damages for either sexual or racial harassment. Bermuda’s Human Rights Act 1981 defines sexual harassment as "…a course of sexual comment or sexual conduct towards [another] which is vexatious and which he knows, or ought reasonably to know, is unwelcome". That is very much a subjective test and can include verbal and non-verbal conduct by an offender.

Racial harassment is not specifically defined in the Act but an amendment made in 1995 in the form of Section 6B states "No person who is an employee shall be harassed in the work place by the employer or agent of the employer or by another employee, whether such harassment is based on race, colour, ancestry or place of origin." Section 9 of the Act makes it unlawful for an employer to sexually harass employees or to prevent freedom from sexual harassment in the workplace.

Sexual harassment, which can be defined as the unwanted conduct of a sexual nature that is unacceptable, unreasonable and offensive to the victim, can be perpetrated with the use of a computer. Harassing e-mail would fit the definition, as would indirectly creating a hostile workplace from the victim’s perspective by the distribution of lurid material or the downloading and distribution of sexually explicit material. If the offending items are sent by computer, it is easy for the prospective plaintiff to prove the sexual harassment by printing off the offending message or obtaining a court order allowing the plaintiff to search the computer system for the offending messages.

The employer will be liable for the vicarious discriminatory acts of employees and may also be liable for the acts of contractors if the contractor is within the employer’s control. The employer may be able to mitigate its liability by proving that he took reasonable and practical steps to prevent the employee or contractor from committing the harassment or if the employer can show that it attempted to prevent the particular act or that kind of act in general. The existence of an e-mail policy will minimise the level of damage, if not in court, then by reducing the potential for harassment in the workplace.

The same principles apply to harassment based on race.

Two recent American decisions demonstrate the danger to employers of employees who engage in such harassment. In 1995 Chevron Corporation paid an out-of-court settlement of $2.2 million in damages to four female employees who brought a sexual harassment suit after receiving abusive e-mails from other Chevron employees.

In 1997 Citibank faced a class action in the Second District of New York, later dismissed on technical grounds, that was launched on behalf of its African-American employees on the grounds of sexual and racial discrimination. Those employees claimed that Citibank allowed a hostile work environment to exist, based on a number of racially and sexually offensive e-mails that were distributed amongst Citibank employees.

Copyright protects the fruits of our creative ideas once they are produced in the form of music, art, literature or drama. Protection is also afforded to published editions of works, sound recordings, films and broadcasts.

If an employee downloads from the internet or prints without permission, any music, computer games or non-executable material from internet web sites, he may be liable for copyright infringement. His employer, meanwhile, may be directly or vicariously liable as well.

Aside from the dangers that arise when such offending material is published on an employer’s web site - in effect, advertising that such an infringement has taken place - there are other dangers. An employee authorised to download or transfer programmes from another web site may inadvertently allow a virus to infect an employer’s computer system. In addition to the loss of revenue and management time caused by a business interruption, an organisation may be liable if it passes the virus onto another organisation, particularly if it has not taken sufficient care to ensure that such transmissions are virus-free.

The ease of electronic communication has increased the risk that an employee will expose the employer to a loss of his confidential information or trade secrets. This can be done inadvertently, for example by mistakenly sending what is intended to be a ‘draft’ message or by forwarding an e-mail intended only for internal use to someone who should not have been included in the ‘forwarding’ list. Or it may be done intentionally by a disgruntled employee who uses his own organisation’s e-mail system to send trade- sensitive information outside the organisation.

The disclosure of trade secrets - a category of confidential information that protects, for example, the recipe for Coca-Cola - would be damaging to any organisation. But the dissemination of straightforward confidential information, such as an organisation’s client or marketing database or even personal information, can be damaging as well. The consequences to an organisation of these types of breaches can be far-reaching. They include loss of unique position in the marketplace, loss of revenue, and perhaps an action for breach of confidence if the information disclosed was held for a third party (i.e. in the case of lawyer and client, doctor and patient, or even insurer and insured).

An organisation can guard against exposure to such liability, of course. Of foremost importance is the education of staff, who must be told clearly what information is confidential, and the consequences to the company and to the employee of disclosure. Encryption of any sensitive and confidential information to ensure that any information sent by e-mail or the internet is sent in a scrambled form is another pro-active step. Finally, the addition of a confidentiality notice to a transmission may assist, although merely adding such a notice is insufficient to prevent further dissemination.

Organisations facing an action for wrongful disclosure and breach of confidence have few defences. The organisation may plead that the disclosure was in the national interest - for example, furthering the cause of national security - or the exposure of a fraud. Or the organisation may plead ‘just cause or excuse’ - the organisation was blowing the whistle on certain unethical practices. But the best defence, no doubt, is to take pro-active steps so that the necessity of a legal defence is unwarranted.

The perils attached to the speed of communication in today’s business world make it imperative that organisations educate their employees about the risks involved in electronic communication. Surveys undertaken by software houses make it clear that employees do not understand what defamation is, or what the legal liabilities are for the misuse of e-mail. So organisations must undertake education programmes themselves, and additionally must draw up computer usage policy guidelines that include very clear disciplinary sanctions for breaches of the policy. The prudent organisation will monitor the e-mails and systems use of its employees after first advising its workers that it plans to do so.

The wise organisation will also review its back-up and wiping procedures. It should also review its technical and legal audits on a regular basis, as well as the provision of notices and disclaimers, warranties and indemnities. Finally, because libel is a strict liability offence, the prudent organisation will consider libel insurance and/or a policy of insurance that would afford some protection if any of the cyberliabilities should come home to roost. At the very least, the purchase of business interruption insurance should be considered.

For, while advances in technology have helped many a business to prosper, danger lurks ahead for any organisation that doesn’t realise that business benefits worth enjoying do not come without a price.