Canadian employers should prepare themselves for laws that more closely resemble America’s lawsuit-inspiring regulations, according to the group behind a study of coporate e-mail policies.
Fourteen per cent of the 1,100 respondents to the 2002 E-Mail Survey said their organization’s
employee e-mail had been subpoenaed by a court or regulatory agency, up from nine per cent two years ago. The survey results were released from the American Management Association, secure-message software vendor Clearswift Ltd. and the ePolicy Institute,
Nancy Flynn, executive director of the Columbus, Ohio-based ePolicy Institute, a global e-policy lecturer and author of several books on the subject, said the thinking among cyberlaw experts on both sides of the border is that Canada is not far behind the U.S. on e-mail law and catching up fast.
“”I think it’s a safe assumption the findings (of the survey) are applicable to Canada as well,”” she said.
Flynn said e-mail correspondence can trigger a lawsuit or be its smoking gun. In the case of a lawsuit, it’s those email messages that have been retained or should have been retained that are going to be used to support or hurt a case, she said. The easiest way to control the risk is to control the written content.
According to Flynn, Canadian companies have essentially the same powers as their U.S. counterparts under that America’s federal Electronic Communications Privacy Act. The law””pretty much states the computer system is the property of the employer,”” said Flynn. “”The employer has the right to monitor and the employee has no reasonable expectation of privacy.”” This stands in sharp contrast to France, Flynn added, which does not allow any monitoring by employers of employee e-mail.
Despite these powers, Flynn said companies in the U.S. are not doing all they can to protect themselves from lawsuits and limit their vicarious liability, a principle which states employers are responsible for the actions of their employees.
Todd Hutchings, a program planner with the Ontario Hospital Association who organized a recent workshop with Flynn and OHA members agreed the issues of e-policy and email policy are becoming pressing.
“”It’s not as frontline here in Canada as in the U.S. but we’re starting to see some examples,”” he said, estimating Canada is one or two years behind U.S. when it comes to e-policy. “”I think where it will become an issue is where electronic health records come into play.””
A little more than half of survey respondents (52 per cent) said they practice some form of employee e-mail monitoring. While 75 per cent of organizations have written e-mail policies in place, only 48 per cent offer e-policy education to employees, and just 27 per cent feature e-mail retention/deletion training. Though the number of companies offering education has doubled since the 2001 survey, Flynn said this is still dangerously low, given that a combination of an established policy and training can serve as a defense in cases where an employee has used company resources to distribute e-mail that could, for example, constitute sexual harassment.
“”My observation through our research is that business has been very slow to learn the lessons of effective email management,”” Flynn said.
Perhaps the most startling statistic from the survey is that while 90 per cent of monitoring employers are using software to monitor incoming and outgoing e-mail, only 19 per cent are using this technology to monitor employees’ internal e-mail. Flynn said she understands the focus on incoming mail, given the increasing prevalence of spam but said companies are “”overlooking the fact that their biggest liability might be sitting right in front of them at the computer, typing messages. It’s extremely shortsighted to disregard your internal (outbound) e-mail.””
Flynn said this is partly the result of employers’ reluctance to be too intrusive, and notes that while Canadian companies have largely the same ability as those in the U.S. to monitor employees, they have shown themselves thus far to be more sensitive to employee privacy.
“”I do think employers are somewhat hesitant to take action that could be seen by employees as being too intrusive,”” she said. “”Employers are walking a fine line.””
John Young, president of Ottawa’s Nemx Software, which on Monday released an internal e-mail-monitoring option to its anti-spam software, said the reason Canadian companies have on the whole been slower than their American counterparts to address the issue of e-mail policy comes down to culture.
“”The States have this whole legal umbrella over everything they do; I don’t see this so much in Canada,”” he said, noting U.S. companies were the first to put disclaimers on their e-mail. “”Americans sue at the drop of a hat. Canadians are a little more reserved.””
However, Young does predict email policy and associated litigation will become a bigger issue in Canada, particularly in the health care and financial sectors, which have been the early adopters in the United States.
Flynn suggests employers on both sides of the border establish and distribute policies, which notes consequences for violations as well as the ownership of email data by employers so long as its creation or retrieval involves the employers’ resources, and ensure employees sign and date them.
“”Whether you’re in Canada or the US, I strongly urge employers to have written e-mail policies that are as comprehensive as possible,”” she said.