Click here to skip to main content.
scenic picture from Washington state
SUBJECTSIS › Municipal Policies on Internet Usage and E-Mail Document Retention by Isabel R. Safora
Municipal Policies on Internet Usage and E-Mail Document Retention

Municipal Policies on Internet Usage and E-Mail Document Retention

Reprinted with permission of author
by
Isabel R. Safora
Senior Port Counsel
Port of Seattle

From Legal Notes, MRSC Information Bulletin No. 497
April 1997

I. INTRODUCTION

Many of us rely on computer technology at the workplace, such as internal e-mail systems and Internet access. Unfortunately, our comfort with the technology has created new, fertile areas of litigation. Because legal precedents in this area are still evolving, there’s no clear understanding of liability. To protect against litigation, municipalities need to be proactive and develop policies for employee use of e-mail, the Internet and e-mail retention. Following are considerations for municipalities in developing such policies.

II. Overview

A. Ninety percent of all U.S. companies with more than 1,000 employees use e-mail, (internal or internal/Internet).

B. A 1994 survey of American business and industry conducted by MacWorld magazine suggests that approximately twenty million employees in the U.S. are subject to electronic monitoring through their on-the-job computers.

C. Over 40% of the companies responding to the MacWorld survey have engaged in some form of electronic monitoring. Yet only 19% ofsuch companies have a written policy on electronic monitoring.

D. Failure to have guidelines or policies in place for use of e-mail and the Internet can result in inappropriate use of the system by employees. Recent litigation in the areas of sexual harassment, race and religious discrimination, privacy rights, defamation and copyright violation are illustrative of the potential for employer liability.

E. Employer interest in monitoring employee e-mail for quality control, detection of illegal conduct, etc, must be weighed against potential liability for invading employees’ privacy rights.

F. Attorney-client communications over the Internet create inherent concerns regarding waiver of the attorney-client privilege.

III. Privacy Issues

A. Litigation in the privacy rights area arises in the context of employer monitoring of technology systems, particularly e-mail.

B. Under the Fourth Amendment to the U.S Constitution, public employees may be able to claim protection for privacy interest in e-mail messages. The employee must have a subjective expectation of privacy that is objectively reasonable under the test enunciated in Katz v. United States, 389 U.S. 347 (1967). Only the existence of a valid workplace regulation can defeat the employee’s otherwise reasonable expectation of workplace privacy. See: United States v. Taketa, 923 F. 2d 665 (9th Cir. 1991).

C. Chapter 9.73 RCW, Washington’s Privacy Act, may provide more protection for employees than the federal law.

  1. Chapter 9.73 RCW makes it "unlawful for any individual, partnership, corporation, association, or the State of Washington, its agencies, andpolitical subdivisions to intercept, or record any "[p]rivate communication[s] transmitted by telephone, telegraph, radio, or other device between two or more individuals between points within or without the state by any device electronic or otherwise designed to record and/or transmit said communication regardless how such device is powered or actuated, without first obtaining the consent of all the participants in the communication." RCW 9.73.030.

  2. Consent of all participants to a private communication is considered obtained "whenever one party has announced to all other parties engaged in the communication . . ., in any reasonably effective manner, that such communication . . . is about to be recorded or transmitted. RCW 9.73.030.

  3. RCW 9.73.060 provides for a private civil cause of action, for actual or liquidated damages, including mental pain and suffering and recovery of attorneys’ fees, for injury to a business, person, or person’s reputation.

  4. In addition to a civil cause of action, Chapter 9.73 RCW provides criminal penalties for violators ranging from misdemeanor to gross misdemeanor.

  5. No case in point has been decided as of this writing regarding the applicability of Chapter 9.73 RCW to e-mail. However, in holding that there is a reasonable expectation of privacy in cordless telephone conversations protected by Chapter 9.73 RCW, the court in State v. Faford, 128 Wn. 2d 476 (1996), noted that "the mere possibility that intrusion on otherwise private activities is technologically feasiblewill not strip citizens of their privacy rights," and "[t]he sustainability of our broad privacy act depends on its flexibility in the face of a constantly changing technological landscape." See: State v. Young, 123 Wn. 2d 173 (1994).

  6. Based on the current state of the law, Washington state employers who monitor e-mail messages without a written policy, without notice and without consent of all participants, may risk potential liability under Chapter 9.73 RCW. In addition, municipalities must balance the potential for liability under the Privacy Act with the public records retention requirements under Chapter 40.14 RCW applicable to e-mail. (See Section VII). Appropriate policies clarifying the public ownership and nature of e-mail should go a long way towards reducing a municipality’s potential liability in the privacy rights area.

D. Several right to privacy cases have been brought in California, where the right to privacy statute expressly grants private sector employees the right to seek damages:

  1. Bourke v. Nissan Motor Co., CA. Super. Ct., Los Angeles County, 1991, Docket No. YC 003979, affirmed by California Court of Appeal, Second Appellate District in October 1993. In Bourke, two system administrators were eventually terminated after their supervisor monitored their e-mail and found it to contain inappropriate jokes and language. The employees brought an invasion of privacy action against Nissan alleging that their privacy had been violated when the supervisor read their e-mail. The California Superior Court found that the employee plaintiffs had no reasonable expectation of privacyin their e-mail messages and that, since Nissan owned the e-mail system, its management had a right to read anything created in it. The plaintiffs had signed a company certification explaining the company policy restricting use of company owned hardware and software to company business, and knew that their messages were being monitored.

  2. In Smyth v. The Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996), a Pennsylvania court held that an employee could not base a wrongful discharge claim on right to privacy because he had no reasonable expectation of privacy in e-mail communication over a company system.

E. The Electronics Communications Privacy Act ("ECPA"), 18 U.S.C. §2510 et. seq., was enacted by Congress in 1986 to protect electronic communications from interception by and disclosure to third parties.

  1. Section 2701 of the ECPA creates both civil and criminal liability for the intentional interception and disclosure of any wire, oral or electronic communication.

  2. As a federal statute, the ECPA applies to activities impacting interstate or foreign commerce. It applies to Internet communications, including e-mail, but probably does not apply to interception of internal e-mail systems.

  3. The ECPA defines a "person" subject to its prohibitions as " . . . any employee, or agent of the United States or any State or political subdivision thereof, and any individual, partnership, association, joint stock company, trust , or corporation." Whilethe ECPA’s prohibitions extend to public employees, they do not extend to municipalities or other governmental bodies. See: PBA Local No. 38 v. Woodridge Police Dept., 832 F. Supp. 808 (D.N.J. 1993); Amati v. City of Woodstock, Ill., 829 F. Supp. 998 (N.D.Ill. 1993).

Practice Tips:

  • Discuss appropriate e-mail use when training new employees on the e-mail system.

  • Develop e-mail policy notifying employees that system is property of the municipality and made available for business purposes, and employees should have no reasonable expectation of privacy in e-mail transmitted, received and stored on and/or through the municipality’s system.

  • Obtain employees’ signed acknowledgment of policy.

  • If you must monitor employee e-mail messages, don’t do it without a policy in place. Make sure policy indicates that the municipality reserves the right to monitor employee e-mail and, if possible, explain circumstances under which monitoring will take place (i.e. records retention/destruction; investigation of illegal activity).

IV. Employee Misuse

A. Employee misuse of the Internet ranging from downloading of pornography to sending e-mails including racist remarks or sexual remarks can present serious liability concerns for municipalities in the areas of sexual harassment and race discrimination. Liability is attributed to the municipality for "allowing" the behavior. Two recent incidents are illustrative.

  1. Six employees of the New York brokerage firm, Morgan Stanley, were disciplined for distributing racist jokes over the company’s Internet network. Morgan Stanley was subsequently sued for thirty million dollars. See: Greg B. Smith, "A Mess-age on Wall St. Blacks’ Suit Charges Racist E-Mail at Firm." Daily News, Jan. 13, 1997 at 19.

  2. Compaq Computer fired twenty employees for distributing pornographic images downloaded from the Internet through the company’s e-mail system. See: Stuart Rosove, "Employee Internet Use: Big Brother Gets Involved." The New York Law Journal, March 17, 1997 (www.ljx.com/internet/index.html).

B. Discovery of employee misuse of the Internet or e-mail, inevitably leads to employer disciplinary measures. Municipalities need to consider how such infractions will be treated under existing disciplinary policies and make necessary policy changes to avoid future legal challenges.

  1. A more proactive approach could include a written policy describing process for monitoring actual Internet usage, such as tracking Web sites visited and amount of time spent at each site using software available for such purposes.

V. Attorney - Client Privilege

A. The Internet consists of a series of connected networks or servers ("intersections") transferring communications throughout the world. Attorney - client communications over the Internet typically pass through several of these "intersections" before reaching the intended recipient. In addition, messages over the Internet may be subject to review by those maintaining or monitoring the system. Unless encrypted, such communications risk intentional or inadvertent interference at each of the intersections. As a result, there’s an on-going debate over whether unencrypted e-mail on the Internet is sufficiently secure to preserve the privilege.

B. Many argue that, realistically, the majority of e-mail messages sent over the Internet are not intercepted and, therefore, the privilege is not waived unless the presence of an unintended recipient is known.

C. Others point out that interception of e-mail messages over the Internet is a criminal violation under the ECPA (See: Section III above). Section 2517(4) of the ECPA provides that "[n]o otherwise privileged wire, oral or electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character." Under this analysis, interception of attorney - client communications over the Internet should not result in waiver of the privilege. [ Informative articles on attorney - client e-mail communications are available on the Internet. Several are included at the end of this document. ]

D. Encrypted e-mail between attorney -client is probably secure enough to preserve the privilege. However, both the sender andthe recipient must have encryption software, such as PGP, in order for the communication to go through. In addition, encryption programs are still somewhat cumbersome and complicated to use.

E. Whether using the Internet or internal e-mail systems, attorney - client e-mail communications may also be subject to loss of the privilege if disseminated beyond those employees that "need to know" the information.

F. In-house attorney communications may not be privileged if the attorney is performing a business function, rather than acting in the capacity of a legal advisor. See: National Employment Service Corporation v. Liberty Mutual Insurance Co., 3 Mass. L. Rptr. 221 (1994).

G. The value of adding disclaimer/confidentiality notices to your Internet template in an attempt to secure the communication and preserve the privilege is somewhat questionable. Since interception on the Internet is a crime under the ECPA, it is doubtful that such notices would deter potential interception not deterred by the prospect of criminal sanctions. Others argue that, in the event of litigation arising from the interception, the use of disclaimer/confidentiality notices may impute knowledge on the creator of the notice that the system was not secure, and that the use of the notice was an ineffectual method to improve security.

Practice Tips:

  • If you must send substantive e-mail communications to your clients, use good judgment when deciding what to send, emphasize the legal nature of the communication (contains your mental impressions, conclusions, opinions and legal theories), avoid any appearance ofroutine business communications and take care not to misdirect e-mail.

  • Attorneys should explain to their clients the risk of interception in the Internet, discuss the potential for waiver of the privilege, and recommend other means of communicating sensitive information.

VI. Public Disclosure and E-Mail

A. The Washington State Public Disclosure Act, Chapter 42.17 RCW applies to electronic records.

B. In responding to requests for disclosure of public records, municipalities must determine whether e-mail associated with the request constitutes a "public record." Inquiry is whether the e-mail relates to the transaction of agency business. If the e-mail is informational, i.e. meeting notice, it is probably not a public record subject to disclosure.

C. To avoid potential liability for failure to disclose electronic public records, municipalities must train employees thoroughly on all aspects of the e-mail system, i.e., storage, deletion, retention/destruction.

D. E-mail previously deleted can generally be retrieved by computer forensic experts.

  1. Computer data consists of three types: active, backup/archival and residual.

      (i) Active files are readily seen and available to the user and reside on disk drives, PCs, Local Area Networks ("LANs"), etc.

      (ii) Backup files are copied to diskettes, tapes, etc., and generally created to preserve files in the event active files are destroyed. Archival files aregenerally used to free up computer space and preserve files no longer in use.

      (iii) Residual files are those deleted files that have not been overwritten by other saved files, or open file space that has not been wiped out by special programs. These files can be found on the disk surface. Some systems first look for empty disk surface before overwriting deleted files. LANs with heavy traffic will overwrite open space left by deleted files with greater frequency, thus making it more difficult to find residual files.

Practice Tip:

  • Develop system to facilitate accessing e-mail when responding to disclosure requests. One mechanism would be to include hard copy of e-mail that constitutes public record in appropriate file, or save it as a word processing document.

VII. Retention of E-Mail

A. Electronic records, including e-mail, are subject to the public records retention requirements of Chapter 40.14 RCW. Chapter 434-610 WAC implements Chapter 40.14 RCW and defines public records as ". . . any paper, correspondence, completed form, record book, photograph, map, or drawing, regardless of physical form or characteristics, and including records stored on magnetic, electronic, or optical media, and including all copies thereof, that have been made by any agency or received by it in connection with the transaction of public business. And includes any writing containing information relating to the conduct of government or theperformance of government or proprietary function prepared, owned, used, or retained by the . . . local agency regardless of physical form or characteristics." WAC 434-610-020.

B. Based on current law:

  1. E-mail messages that contain significant information relating to the transaction of business by the municipality are public records subject to the records retention requirements.

  2. E-mail messages that are informational (i.e. meeting schedules, phone messages) are probably not public records.

C. E-mail messages that are public records can be included in a municipality’s request to the Local Records Committee ("LRC") of the State Archivist’s Office for approval of the destruction of public records, pursuant to one of the following procedures:

  1. Submit request to destroy noncurrent public records having no further administrative or legal value; or
  2. Establish a records control program based on recurring disposition schedules recommended by the municipality for approval by the LRC. RCW 40.14.070.

Practice Tips:

  • Municipalities should submit for LRC approval a retention schedule that includes and defines e-mail messages that are public records. • Informational e-mail messages, i.e. not public records, should be deleted when no longer needed.

VIII. Copyright Issues

A. The major trap resulting in copyright infringement is in the downloading of illegal software and copyrighted information from the Internet.

B. Copyright laws do not exempt violations occurring on-line. See: Alan J. Hartnick, Copyright & Trademark on the Internet, www.ljx.com/internet/02cptmint.html.C. In Religious Technology Center v. Netcom On-Line Comm. Servs., Inc., 923 F. Supp. 1231 (N.D. Cal. 1995), the court granted a preliminary injunction to copyright holders of works by L. Ron Hubbard (late founder of Church of Scientology), against a private citizen that had been downloading and posting portions of Hubbard’s works on an electronic bulletin board. Notice of the infringing postings allowed plaintiffs to proceed against Netcom on a contributory infringement claim. The case was ultimately settled.

Practice Tips:

  • Internet policy should include procedures for handling information downloaded from the Internet, and should caution against or prohibit the downloading and distribution of substantial portions of copyrighted works.

  • Employees with access to the Internet should receive training in appropriate use of copyrighted materials.

VIIII. Guidelines for Municipal Policies

The following guidelines are recommended as important components of a municipality’s policies on e-mail, the Internet and e-mail retention. For greater protection, these policies should be given to new employees at orientation and before training on use of the system. Municipalities should periodically circulate a memorandum or e-mail reminding employees of policy requirements.

A. E-mail Policy:

  • Indicate policy is applicable to internal and Internet e-mail.
  • Explain e-mail system and all e-mail documents are the property of themunicipality and not private employee communications (whether created or received).• Indicate that the municipality reserves the right to monitor e-mail messages, explain circumstances under which monitoring will occur and for what purpose.
  • Prohibit employees from sending discriminatory, harassing, or offensive e-mail messages.
  • Prohibit use of e-mail for religious or political activities, personal gain, solicitation, or in support of illegal activities.
  • Define the type of e-mails that should be considered public records, or indicate that e-mails are public records.
  • Remind employees that e-mails that are public records are subject to disclosure laws and records retention requirements.
  • Require that employees print e-mails that are public records and include them in the subject file, or retain them as word processing documents.
  • Instruct employees to delete e-mails that are not public records as soon as their administrative purpose has been served.
  • Explain that e-mail is subject to discovery in litigation, that deleting an e-mail does not guarantee it has been erased from the system. Recommend that employees use good judgment when creating e-mail and always assume that it is discoverable.
  • Prohibit employees from sending e-mails containing confidential information.
  • Remind employees that they should use good judgment when sending e-mail, that they are creating records, andthat e-mail should not be used as a substitute for face to face gossip.
  • Explain that e-mail is not a good form of communication with legal counsel when seeking legal advice or transmitting information concerning matters in litigation or disputes which are likely to result in litigation. Indicate that inadvertent disclosure or dissemination of the communication could waive the attorney-client privilege.
  • Indicate procedure for employees to report inappropriate e-mails. For reporting purposes, a specific individual or position title should be named in the policy.

B. Internet Policy:

  • Unless all employees will have access to the Internet, explain job qualifications that justify Internet installation.
  • Outline appropriate usage of Internet in workplace, or prohibit its use for other than work related purposes.
  • Reserve right to occasionally monitor Internet transactions.
  • Explain applicability of copyright laws to material downloaded from the Internet. Prohibit excessive downloading and distribution of substantial portions of copyrighted works without the author’s permission.
  • Prohibit use of the Internet for unlawful purposes or solicitations

C. Retention Policy:

  • Define type of e-mails that should be considered public records.
  • Indicate e-mails are subject to records retention requirements under Chapter 40.14 RCW.
  • Describe your system of e-mail back-up, archival, etc., and explain that as a result of the schedule e-mail can remain on the system for X period of time after deletion by the user.
  • Indicate your e-mail retention schedule as approved by the LRC.

Additional Cases of Interest

  1. Sex Discrimination, Sexual Harassment

    • Strauss v. Microsoft Corp., 1995 WL 326492 (SDNY June 1, 1995); No. 91 Civ. 5928 (SWK).
    • Petersen v. Minneapolis Community Development Agency, 1994 WL 455699 (Minn. App. Aug. 23, 1994); No. C7-94-510.
    • Knox v. Indiana, 93 F. 3d 1327 (7th Cir. 1996); Nos. 95-1858, 95-1902.

  2. Race Discrimination

    • Donley v. Ameritech Services Inc., 1992 WL 678509 (E.D. Mich. Nov.16, 1992); No. 92-72236.

  3. Religious Discrimination

    • Sattar v. Motorola Inc., 1996 WL 432403 (N.D. Ill., July 26, 1996); No. 94 C 5341.

  4. Defamation

    • Meloff v. New York Life Insurance Co., 51 F.3d 372 (2d Cir. 1995).

  5. Privacy/Employment

    • Plymouth Police Brotherhood v. Labor Relations Commission, 630 N.E. 2d 599 (Mass. 1994).
    • In re Conneaut School District & Conneaut Education Association, 104 Lab. Arb. (BNA) 909 (Aug. 26, 1995).
    • Casey v. Zeneca Inc., 1995 WL 250429 (D.Del. Mar. 31, 1995); No. 93-514.

  6. Discovery/Public Disclosure

    • Brand Name Prescription Drugs Antitrust Litigation, 1995 WL 376682 (N.D. Ill. June 15, 1995); 94 C 897.
    • Star Publishing Co, v. Pima County Attorneys Office, 181 Ariz. 432, 891 P.2d 899 (1994).

  7. Records Retention

    • Armstrong v. Executive Office of the President, 810 F. Supp. 335 (D.D.C. 1993); 1 F. 3d 1274 (D.C. Cir. 1993).

Articles Available on the Internet

  1. ABA/BNA Lawyers Manual on Professional Conduct, March 6, 1996 issue, Joan C. Rogers, Legal Editor: http://www.bna.com/hub/bna/legal/adnew2.htm
  2. Robert L. Jones, Client Confidentiality: A Lawyer’s Duties with Regard to Internet E-Mail: http://www.kuesterlaw.com/netethics/bjones.htm
  3. Albert Gidari, Perkins Coie, Seattle, Privilege & Confidentiality in Cyberspace: http://www.perkinscoie.com/pracarea/internet/priv.htm

    For additional articles see the following Internet sites:

    • www.legalethics.com
    • www.ljx.com/internet/index.html