
The Brave New World Of e-Workplace Privacy Policies

By Robert D. Brownstone
August 30, 2010

Part One of this article, last month, examined the liability involved with social media and e-mail use. Part Two discusses implementing compliant and defensible workplace policies.

Introduction to Compliance

The Three Es: Establish, Then Educate, Then Enforce

Employers should consider the “Three Es” theory when developing a compliance policy regarding e-mails: First, establish written policies with clear goals. Second, once the policies are written, educate employees on the content of the policy. Third, enforce the policies. Taming the three-headed compliance monster is not easy. See, Darrell Dunn, “E-mail is Exhibit A,” Information Week (citing ePolicy Institute), May 8, 2006.

Establish

To minimize risks associated with electronic communications and maximize employee compliance, start by creating well-crafted written policies. Prophylactic rules can cut off future protracted litigation disputes. When employers consider acts that might arguably violate employee privacy, two key applicable principles are notice and reasonableness.

As to notice, employers gain a valuable measure of legal protection by giving clear and specific notice to employees of the employer's legitimate business interests and its policies regarding monitoring and investigating employees' conduct. First and foremost, a Technology Acceptable Use Policy (“TAUP”) can greatly diminish the privacy expectations of employees, perhaps enough to permit an employer to prevail in any subsequent pertinent dispute. The author and other commentators even go as far as to co-brand a TAUP as a “No-Expectation-of-Privacy-Policy” (“NEoPP”). See, Cecil Lynn, “Public ESI or Privileged? Enforcement of Workplace Computer Privacy Policies,” BNA Privacy & Security Law Report, Nov. 17, 2008.

Typically, U.S. Federal and state courts have found that adequate TAUP/NEoPP notification vitiates any reasonable employee expectation of privacy, thus removing an invasion of privacy claim's key element in any or all of the following causes of action: the federal Electronic Communications Privacy Act (“ECPA”), comprised of the Wiretap Act (“Title I”) and the Stored Communications Act (“Title II”); state ECPA counterparts; state law statutory intrusion; common law invasion; and, in the public sector, constitutional theories premised on the First Amendment, Fourth Amendment, and/or a state constitutional right to privacy. See, Robert D. Brownstone, Workplace Privacy Policies (Aug. 2009), (hereafter “Brownstone eWorkplace”), at 16-30 (.pdf at 24-36), available at www.fenwick.com/docstore/publications/EIM/eWorkplace_Policies_Materials_Public_Sector_EEO_8-28-09.pdf.

In the unique context of an employer's examination of an employee's information that was protected by attorney-client privilege but was stored on a computer owned by the employer, the employee's invasion of privacy claims have survived judicial scrutiny sometimes, and sometimes they have not. Id. at 22-24 (.pdf at 28-30). See, e.g., Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010); Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866, at 10-12 (D. Idaho Nov. 2, 2009); Fiber Materials, Inc. v. Subilia, 974 A.2d 918, 928 (Me. 2009) (containing conflicting opinions, each coming down on a different side of this issue). See generally, Anthony E. Davis, “Attorney-Client Privilege in Work E-mails,” N.Y.L.J. (Nov. 5, 2009).

In those situations, an employee contemplating suing the employer had communicated with the employee's lawyer over the Internet (e.g., via a private email account), unintentionally leaving a digital trail on the employer-owned machine. Case law is split in this arena, with half of the decisions finding that an employer's TAUP-notice arguments are trumped by public policy attorney-client privilege.

As to reasonableness, employers should establish a logical connection between the employer's legitimate business interests and any employee conduct the employer attempts to regulate. A TAUP should expressly address all information in all forms that is created, stored, received, or maintained on any employer-provided system or device. A TAUP should also warn that any supposedly personal information on a work machine or system is the employer's property and may even exist after the employee attempts to delete it.

Reasonableness does have an outer boundary. An employer should not engage in the illicit accessing of password-protected sites or accounts. Particularly in light of recent case law, an employer should not go as far as to actually log into and/or access a current or former employee's personal Web mail account. See, Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199 (9th Cir. 2009); Pietrylo v. Hillstone Rest. Group d/b/a Houston's, 2009 WL 3128420, at 6, 29 IER Cases 1438 (D.N.J. Sep. 25, 2009); Brahmana v. Lembo, 2009 WL 1424438, at 1, 3 (N.D. Cal. May 20, 2009). For older case law, see, Brownstone eWorkplace, supra, at 22-25 (.pdf at 28-31).

Educate

Once written policies have been developed, employers should provide periodic training on the contents of such policies and of related protocols. In spite of the risks of data leakage, many employers fail to offer, let alone require, e-mail training for their employees. “Global Cisco Study Applies Reality Check to Corporate Security Policies, Draws Connection to Data Leakage Risk,” Oct. 28, 2008 (“Research Identifies Gap in Policy Awareness of Employees, Shows 1 in 4 Companies Lacks Security Policies”). The training should have a rules-of-law underpinning, as well as an information technology (“IT”) component. The training should be offered not only at the time of rollout of a new technology update but also periodically. Consequently, veteran employees can receive refresher training, and new employees can be educated as part of, or a follow-up to, their orientation.

Enforce

Intrusions into an employee's electronic activity should be thoughtfully and reasonably administered. Before drafting or revising, let alone rolling out a policy or protocol, an employer should have thought through what realistically will happen “in the trenches.” Then, once an employer cuts the ribbon on a new policy, it should enforce the policy as uniformly as possible.

Without both a clear-cut policy and essentially uniform enforcement of it in the trenches, the door can be open for employees to establish an expectation of privacy when using an employer's resources. In spite of the case's ultimate pro-management outcome, the recent U.S. Supreme Court decision in Quon v. Arch Wireless Op. Co., 130 S.Ct. 2619 (June 17, 2010) (obtaining and reviewing content of a government employee's text messages on employer-issued pager was reasonable search under the Fourth Amendment; available at www.supremecourt.gov/opinions/09pdf/08-1332.pdf) is a cautionary tale for 21st Century government and private sector employers alike. In the culmination of the type of multi-year litigation that is every employer's nightmare, the High Court in Quon purported to dodge creation of a modern employee-expectations standard. Yet, the majority opinion expressly and impliedly reminds of the importance of: 1) keeping policies up to date; and 2) avoiding statements and practices at variance with official written policies. (Contact the author to receive a copy of his “Top Ten Takeaways from Quon.”) [Editor's Note: See, "Navigating the Changing Technological Landscape" in this issue.]

If a TAUP includes an incidental or limited “personal use” exception, an employer must avoid discriminatory enforcement. Provable consistency can insulate against labor law claims and/or any other complaints about unfair implementation. See, e.g., Guard Publishing Co. d/b/a Register-Guard v. NLRB, 571 F.3d 53 (D.C. Cir. 2009); Dep't of Education v. Choudhri, OATH Index No. 722/06 (N.Y.C. Office Of Admin. Trials & Hearings Mar. 9, 2006). In general, the employer should be respectful of individuals' privacy when the underlying activity neither interferes with job performance nor entails any risk of corporate liability based on employee conduct. To avoid discrimination allegations, the employer should memorialize the details of the context each time it disallows a communication.

Moreover, computer technology should not be installed or rolled out in a vacuum. Its uses must be in lockstep with the establish and educate aspects of the compliance policies. In that way, technology can support enforcement rather than becoming the tail that wags the dog.

Some Key Privacy-Related Policies

Policies Eliminating Employee Privacy Expectations

An effective TAUP/NEoPP clearly sets forth that: 1) network resources and computers (and other company-issued and company-supported electronic devices) are the property of the employer; and 2) the employees waive their privacy rights when they use such machines or devices. (Note, though, that today's increasingly international economy requires many American employers to pay close attention to privacy rules in other countries, which may be stringent indeed. Some data rules regulate the entire European Union (“EU”) region, some are country-specific, and some apply at the province/state level. Generally, European laws are more protective of employees' privacy rights than U.S. laws.) In particular, the employer will want to delineate a broad scope, namely something to the effect that “the Company owns all information created, received, or stored” on any “system, network, computer, and mobile device provided or supported by the Company.”

Policy provisions governing employees' use of employer-provided networks and computers can trump employee arguments as to the reasonableness of a purported expectation of privacy. Thus, a TAUP can also take an educational tone, instructing employees that any given Web-posted content can have more permanence than is apparent. Technology, as evidenced by the WayBack Machine and Google's cached archive, enables content to live on even after the author thinks he or she has deleted such information.

Special Issues Often Ignored: Voicemails, IMs, PDAs, and Smartphones

Retention policies, computer-use policies, and separation policies (regarding when or if to erase hard drive data and network data of departing employees) need to be broad in scope. Their coverage should include voicemails, instant messaging (“IM”) messages, personal digital assistants (“PDAs”), smartphones, and other employer-issued mobile devices. Laptops and smartphones can retain sensitive materials easily retrieved by hackers if data is not properly “hard-wiped” before disposal of the device.

Prohibitions and Restrictions on Social Networking

Determining an employer's official position on employee Web postings is a much harder task than it may appear at first glance. The spectrum of positions ranges from actively encouraging employees to create and maintain content by providing them with the tools necessary to do so, to providing guidance about proper posting of content, to flat out prohibiting such postings (that approach could be illegal in certain circumstances).

To determine where an employer should fall on this spectrum requires a risk/benefit analysis. Consider not only the legal implications, but also the practical impact that Web activity and the employer's Web philosophy can have on the employer's image and corporate culture. Not every employer needs a separate detailed policy on blogs, wikis, and social networking. Typically, though, at least amending pertinent parts of some of the following existing policies is in order: Code of Conduct and/or Ethics; Internet and Computer Use Policy (may be same as TAUP/NEoPP); Anti-Harassment and Equal Employment Opportunity Policies; Confidential and Trade Secret Information Policy; and/or Password Policy.

Some employers may decide to supplement their current policies with a full-fledged separate policy on blogs and social networking. This approach would be highly recommended for a company that decides to encourage and enable employees to blog/Twitter, either for personal or corporate reasons.

Whether part of another policy or on its own, a Web 2.0 protocol should address posting parameters as to both employer-sponsored and personal pages. Some crucial topics often include common sense; discretion; reflecting before posting; respect for others; confidentiality; intellectual property; ways to change default (lack-of) privacy settings on social networking sites; and limitations on many employees' authority to speak on behalf of the employer.

Risks of Strict Policies

An employer's right to monitor must be distinguished from a duty to monitor. If an employer actually filters and monitors communications (instead of just having employees acknowledge in writing that the employer reserves the right to do so), it should allocate enough resources to follow through and review the electronic activity and properly address any inappropriate conduct. At least in the harassment context, failure to do so may result in potential vicarious liability to employers based on actual or constructive knowledge of an employee's harmful activities coupled with the employer's failure to remedy the behavior.

An employer, however, should be cautious of having overbroad Web-surfing restrictions, especially if the employer plans to enforce such limits only selectively.

Periodic Training

Key subject areas for employee training should include email netiquette as well as privilege/confidentiality. Employees should be taught to be circumspect about what they put in writing, especially in email. The concept of “writing for multiple audiences” is crucial. The capacity for e-mail and Internet postings to proliferate and end up all over the world raises the stakes greatly. In this regard, the author's firm cautions clients' employees via a proprietary “Green Eggs and Ham” mantra: “Would you like to see it in the press? Would you like it on a competitor's desk? Would you like it in the government's hand? Would you like to read it on the witness stand?” See, www.constitutionconferences.com/L3/9W-DL#page=12 at Slide 9 (.pdf at 12). Examples of inappropriate e-mail content include sexual imagery, defamatory language, name-calling, and discussion of predatory acts.

A lawyer should train employees on best practices regarding written communications with attorneys. Some best practices in this arena include providing an e-mail message, and the accompanying attachment(s), if any, to counsel before circulating them to others (i.e., instead of counsel receiving the item as a “cc” when the message is sent to others); avoiding excessive forwardings, redistributions, and “replies to all”; and refraining from re-stating counsel's legal advice.

Information-Security: Some Compliance Considerations

Data leakages can occur in many different ways, including hacking of networks, loss or theft of mobile devices such as laptops and iPods, improper disposal that enables dumpster-diving, human error, employees' Internet activity, and phishing/whaling schemes. Yet IT processes tend to be insufficiently controlled.

Employers of all sorts can improve their information-security practices by focusing on the CIA (Confidentiality, Integrity, and Availability) of electronic data. See, e.g., Chad Perrin, “The CIA Triad,” Tech Republic, June 30, 2008. Confidentiality's focus is the categorization of information and then using security measures to limit access to each subset of information to those with a need to know. Id. Integrity's key “is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that shouldn't have been made the damage can be undone.” Id. Availability's modus operandi is the implementation of measures such as “failover redundancy systems and rapid disaster recovery capabilities” to make sure that information is readily retrievable when someone searches or surfs for it. Id.

There are three major frameworks providing guidance for electronic information management: ISO (International Organization for Standardization), COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library). As for the risk of security breaches (and avoiding having to make the painful and costly notifications to those impacted), several day-to-day measures that can help plug security holes include encrypting laptops, employing metadata-scrubbing software, and generating an automatic warning prompt each time an employee clicks “reply to all” in an e-mail.

Conclusion

It behooves each 21st Century employer to marshal its legal, technological, and human-resources expertise to decide how intensely to scrutinize applicants and employees both inside and outside the e-Workplace's physical and virtual walls. Given that all the key parameters are ever-changing, it is impossible to develop a perfect approach. However, perfection is not required by the law or by expectations of customers or co-workers. Every employer of any shape or size can reap tremendous benefits from substantial compliance with a realistic set of policies and protocols.


Robert D. Brownstone, Esq. is the Law & Technology Director and Co-Chair of the Electronic Information Management (“EIM”) Group at Fenwick & West LLP, a 300-attorney Silicon Valley-based law firm. A nationwide adviser, speaker and writer on information security, privacy, electronic discovery and records retention, he is frequently quoted in the press as an expert on electronic information. His full bio and contact information are available at fenwick.com/attorneys/4.2.1.asp?aid=544. We welcome Mr. Brownstone to our Board of Editors with this issue. The author thanks his current colleagues Allen Kato and Vic Schachter, as well as his former colleagues John Fox, Juleen Konkel, Patrick Sherman, Shawna Swanson, and Mary Wang, for their contributions of prior content on which parts of this article are based.

Part One of this article, last month, examined the liability involved with social media and e-mail use. Part Two discusses implementing compliant and defensible workplace policies.

Introduction to Compliance

The Three Es ' Establish, Then Educate, Then Enforce

Employers should consider the “Three Es” theory when developing a compliance policy regarding e-mails: First, establish written policies with clear goals. Second, once the policies are written, educate employees on the content of the policy. Third, enforce the policies. Taming the three-headed compliance monster is not easy. See, Darrell Dunn, “E-mail is Exhibit A,” Information Week (citing ePolicy Institute), May 8, 2006.

Establish

To minimize risks associated with electronic communications and maximize employee compliance, start by creating well-crafted written policies. Prophylactic rules can cut off future protracted litigation disputes. When employers consider acts that might arguably violate employee privacy, two key applicable principles are notice and reasonableness.

As to notice, employers gain a valuable measure of legal protection by giving clear and specific notice to employees of the employer's legitimate business interests and its policies regarding monitoring and investigating employees' conduct. First and foremost, a Technology Acceptable Use Policy (“TAUP”) can greatly diminish the privacy expectations of employees, perhaps enough to permit an employer to prevail in any subsequent pertinent dispute. The author and other commentators even go as far as to co-brand a TAUP as a “No-Expectation-of-Privacy-Policy” (“NEoPP”). See, Cecil Lynn, “Public ESI or Privileged? Enforcement of Workplace Computer Privacy Policies,” BNA Privacy & Security Law Report, Nov. 17, 2008.

Typically, U.S. Federal and state courts have found that adequate TAUP/NEoPP notification vitiates any reasonable employee expectation of privacy, thus removing an invasion of privacy claim's key element in any or all of the following causes of action: the federal Electronic Communications Privacy Act (“ECPA”), comprised of the Wiretap Act (“Title I”) and the Stored Communications Act (Title II); state ECPA counterparts; state law statutory intrusion; common law invasion; and, in the public sector, constitutional theories premised on the First Amendment, Fourth Amendment, and/or a state constitutional right to privacy. See, Robert D. Brownstone, Workplace Privacy Policies (Aug. 2009), (hereafter “Brownstone eWorkplace“), at 16-30 (.pdf at 24-36), available at www.fenwick.com/docstore/publications/EIM/eWorkplace_Policies_Materials_Public_Sector_EEO_8-28-09.pdf.

In the unique context of an employer's examination of an employee's information that was protected by attorney-client privilege but was stored on a computer owned by the employer, the employee's invasion of privacy claims have survived judicial scrutiny sometimes, and sometimes they have not. Id. at 22-24 (.pdf at 28-30). See, e.g. , Stengart v. Loving Care Agency, Inc. , 990 A.2d 650 (N.J. 2010); Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866, at 10-12 (D. Idaho Nov. 2, 2009); Fiber Materials, Inc. v. Subilia , 974 A.2d 918, 928 (Me. 2009) (containing conflicting opinions, each coming down on a different side of this issue). See generally, Anthony E. Davis, “Attorney-Client Privilege in Work E-mails“, N.Y.L.J. (Nov. 5, 2009).

In those situations, an employee contemplating suing the employer had communicated with the employee's lawyer over the Internet (e.g., via a private email account), unintentionally leaving a digital trail on the employer-owned machine. Case law is split in this arena, with half of the decisions finding that an employer's TAUP-notice arguments are trumped by public policy attorney-client privilege.

As to reasonableness, employers should establish a logical connection between the employer's legitimate business interests and any employee conduct the employer attempts to regulate. A TAUP should expressly address all information in all forms that is created, stored, received, or maintained on any employer-provided system or device. A TAUP should also warn that any supposedly personal information on a work machine or system is the employer's property and may even exist after the employee attempts to delete it.

Reasonableness does have an outer boundary. An employer should not engage in the illicit accessing of password-protected sites or accounts. Particularly in light of recent case law, an employer should not go as far as to actually log into and/or access a current or former employee's personal Web mail account. See , Van Alstyne v. Electronic Scriptorium, Ltd. , 560 F.3d 199 (9th Cir. 2009); Pietrylo v. Hillstone Rest. Group d/b/a Houston's, 2009 WL 3128420, at 6, 29 IER Cases 1438 (D.N.J. Sep. 25, 2009); Brahmana v. Lembo, 2009 WL 1424438, at 1, 3 (N.D. Cal. May 20, 2009). For older case law, see, Brownstone eWorkplace, supra, at 22-25 (.pdf at 28-31).

Educate

Once written policies have been developed, employers should provide periodic training on the contents of such policies and of related protocols. In spite of the risks of data leakage, many employers fail to offer, let alone require, e-mail training for their employees. “Global Cisco Study Applies Reality Check to Corporate Security Policies, Draws Connection to Data Leakage Risk,” Oct. 28, 2008 (“Research Identifies Gap in Policy Awareness of Employees, Shows 1 in 4 Companies Lacks Security Policies”). The training should have a rules-of-law underpinning, as well as an information technology (“IT”) component. The training should be offered not only at the time of rollout of a new technology update but also periodically. Consequently, veteran employees can receive refresher training, and new employees can be educated as part of, or a follow-up to, their orientation.

Enforce

Intrusions into an employee's electronic activity should be thoughtfully and reasonably administered. Before drafting or revising, let alone rolling out a policy or protocol, an employer should have thought through what realistically will happen “in the trenches.” Then, once an employer cuts the ribbon on a new policy, it should enforce the policy as uniformly as possible.

Without both a clear-cut policy and essentially uniform enforcement of it in the trenches, the door can be open for employees to establish an expectation of privacy when using an employer's resources. In spite of the case's ultimate pro-management outcome, the recent U.S. Supreme Court decision in Quon v. Arch Wireless Op. Co. , 130 S.Ct. 2619 (June 17, 2010) (obtaining and reviewing content of a government employee's text messages on employer-issued pager was reasonable search under the Fouth Amendment; available at www.supremecourt.gov/opinions/09pdf/08-1332.pdf ) is a cautionary tale for 21st Century government and private sector employers alike. In the culmination of the type of multi-year litigation that is every employer's nightmare, the High Court in Quon purported to dodge creation of a modern emplyee-expectations standard. Yet, the majority opinion expressly and impliedly reminds of the importance of: 1) keeping polices up to date; and 2) avoiding statements and practices at variance with official written policies. (Contact the author to receive a copy of his “Top Ten Takeaways from Quon.”) [Editor's Note: See, "Navigating the Changing Technological Landscape" in this issue.]

If a TAUP includes an incidental or limited “personal use” exception, an employer must avoid discriminatory enforcement. Provable consistency can insulate against labor law claims and/or any other complaints about unfair implementation. See , e.g. , Guard Publishing Co. d/b/a Register-Guard v. NLRB , 571 F.3d 53 (D.C. Cir. 2009); Dep't of Education v. Choudhri, OATH Index No. 722/06 (N.Y.C. Office Of Admin. Trials & Hearings Mar. 9, 2006). In general, the employer should be respectful of individuals' privacy when the underlying activity neither interferes with job performance nor entails any risk of corporate liability based on employee conduct. To avoid discrimination allegations, the employer should memorialize the details of the context each time it disallows a communication.

Moreover, computer technology should not be installed or rolled out in a vacuum. Its uses must be in lockstep with the establish and educate aspects of the compliance policies. In that way, technology can support enforcement rather than becoming the tail that wags the dog.

Some Key Privacy-Related Policies

Policies Eliminating Employee Privacy Expectations

An effective TAUP/NEoPP clearly sets forth that: 1) network resources and computers (and other company-issued and company-supported electronic devices) are the property of the employer; and 2) the employees waive their privacy rights when they use such machines or devices. (Note, though, that today's increasingly international economy requires many American employers to pay close attention to privacy rules in other countries, which may be stringent indeed. Some data rules regulate the entire European Union (“EU”) region, some are country-specific, and some apply at the province/state level. Generally, European laws are more protective of employees' privacy rights than U.S. laws.) In particular, the employer will want to delineate a broad scope, namely something to the effect that “the Company owns all information created, received, or stored” on any “system, network, computer, and mobile device provided or supported by the Company.”

Policy provisions governing employees' use of employer-provided networks and computers can trump employee arguments as to the reasonableness of a purported expectation of privacy. Thus, a TAUP can also take an educational tone, instructing employees that any given Web-posted content can have more permanence than is apparent. Technology, as evidenced by the WayBack Machine and Google's cached archive, enables content to live on even after the author thinks he or she has deleted such information.

Special Issues Often Ignored: Voicemails, IMs, PDAs, and Smartphones

Retention policies, computer-use policies, and separation policies (regarding when or if to erase hard drive data and network data of departing employees) need to be broad in scope. Their coverage should include voicemails, instant messaging (“IM”) messages, personal digital assistants (“PDAs”), smartphones, and other employer-issued mobile devices. Laptops and smartphones can retain sensitive materials easily retrieved by hackers if data is not properly “hard-wiped” before disposal of the device.

Prohibitions and Restrictions on Social Networking

Determining an employer's official position on employee Web postings is a much harder task than it may appear at first glance. The spectrum of positions ranges from actively encouraging employees to create and maintain content by providing them with the tools necessary to do so, to providing guidance about proper posting of content, to flat out prohibiting such postings (that approach could be illegal in certain circumstances).

To determine where an employer should fall on this spectrum requires a risk/benefit analysis. Consider not only the legal implications, but also the practical impact that Web activity and the employer's Web philosophy can have on the employer's image and corporate culture. Not every employer needs a separate detailed policy on blogs, wikis, and social networking. Typically, though, at least amending pertinent parts of some of the following existing policies is in order: Code of Conduct and/or Ethics Internet and Computer Use Policy (may be same as TAUP/NEoPP); Anti-Harassment and Equal Employment Opportunity Policies; and Confidential and Trade Secret Information Policy; and/or Password Policy.

Some employers may decide to supplement their current policies with a full-fledged separate policy on blogs and social networking. This approach would be highly recommended for a company that decides to encourage and enable employees to blog/Twitter, either for personal or corporate reasons.

Whether part of another policy or on its own, a Web 2.0 protocol should address posting parameters as to both employer-sponsored and personal pages. Some crucial topics often include common sense; discretion; reflecting before posting; respect for others; confidentiality; intellectual property; ways to change default (lack-of) privacy settings on social networking sites; and limitations on many employees' authority to speak on behalf of the employer.

Risks of Strict Policies

An employer's right to monitor must be distinguished from a duty to monitor. If an employer actually filters and monitors communications (instead of just having employees acknowledge in writing that the employer reserves the right to do so), it should allocate enough resources to follow through and review the electronic activity and properly address any inappropriate conduct. At least in the harassment context, failure to do so may result in potential vicarious liability to employers based on actual or constructive knowledge of an employee's harmful activities coupled with the employer's failure to remedy the behavior.

An employer, however, should be cautious of having overbroad Web-surfing restrictions, especially if the employer plans to enforce such limits only selectively.

Periodic Training

Key subject areas for employee training should include email netiquette as well as privilege/confidentiality. Employees should be taught to be circumspect about what they put in writing, especially in email. The concept of “writing for multiple audiences” is crucial. The capacity for e-mail and Internet postings to proliferate and end up all over the world raises the stakes greatly. In this regard, the author's firm cautions clients' employees via a proprietary “Green Eggs and Ham” mantra: “Would you like to see it in the press? Would you like it on a competitor's desk? Would you like it in the government's hand? Would you like to read it on the witness stand?” See, www.constitutionconferences.com/L3/9W-DL#page=12 at Slide 9 (.pdf at 12). Examples of inappropriate e-mail content include sexual imagery, defamatory language, name-calling, and discussion of predatory acts.

A lawyer should train employees on best practices regarding written communications with attorneys. Some best practices in this arena include providing an e-mail message (and the accompanying attachment(s), if any) to counsel before circulating them to others (i.e., instead of counsel receiving the item as a “cc” when the message is sent to others); avoiding excessive forwardings, redistributions, and “replies to all”; and refraining from re-stating counsel's legal advice.

Information-Security: Some Compliance Considerations

Data leakages can occur in many different ways, including hacking of networks, loss or theft of mobile devices such as laptops and iPods, improper disposal that enables dumpster-diving, human error, employees' Internet activity, and phishing/whaling schemes. Yet IT processes tend to be insufficiently controlled.

Employers of all sorts can improve their information-security practices by focusing on the CIA (Confidentiality, Integrity, and Availability) of electronic data. See, e.g., Chad Perrin, “The CIA Triad,” Tech Republic, June 30, 2008. Confidentiality's focus is the categorization of information and then using security measures to limit access to each subset of information to those with a need to know. Id. Integrity's key “is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes that shouldn't have been made the damage can be undone.” Id. Availability's modus operandi is the implementation of measures such as “failover redundancy systems and rapid disaster recovery capabilities” to make sure that information is readily retrievable when someone searches or surfs for it. Id.

There are three major frameworks providing guidance for electronic information management: ISO (International Organization for Standardization), COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library). As for the risk of security breaches (and avoiding having to make the painful and costly notifications to those impacted), several day-to-day measures that can help plug security holes include encrypting laptops, employing metadata-scrubbing software, and generating an automatic warning prompt each time an employee clicks “reply to all” in an e-mail.

Conclusion

It behooves each 21st Century employer to marshal its legal, technological, and human-resources expertise to decide how intensely to scrutinize applicants and employees both inside and outside the e-Workplace's physical and virtual walls. Given that all the key parameters are ever-changing, it is impossible to develop a perfect approach. However, perfection is not required by the law or by expectations of customers or co-workers. Every employer of any shape or size can reap tremendous benefits from substantial compliance with a realistic set of policies and protocols.


Robert D. Brownstone, Esq. is the Law & Technology Director and Co-Chair of the Electronic Information Management (“EIM”) Group at Fenwick & West LLP, a 300-attorney Silicon Valley-based law firm. A nationwide adviser, speaker and writer on information security, privacy, electronic discovery and records retention, he is frequently quoted in the press as an expert on electronic information. His full bio and contact information are available at fenwick.com/attorneys/4.2.1.asp?aid=544. We welcome Mr. Brownstone to our Board of Editors with this issue. The author thanks his current colleagues Allen Kato and Vic Schachter, as well as his former colleagues John Fox, Juleen Konkel, Patrick Sherman, Shawna Swanson, and Mary Wang, for their contributions of prior content on which parts of this article are based.
