---

Cyberliability: New Exposures to Old Risks

By Russell Beck
rbeck@ebglaw.com

The term cyberliability is sending shivers through companies that provide Internet and e-mail access to their employees. The driving force of the trepidation is not so much the actual risks suddenly thrust to the fore, but rather the foreboding incorporation of the term liability.

Cyberliability does not actually involve any new theories of liability. It simply involves the application of existing traditional legal doctrine to a relatively new medium: computers. As Internet and e-mail usage skyrockets, more claims involving computer conduct have arisen. Once the liability risks are understood and put in context, however, a company can easily limit its exposure to such liability.

Cyberliability claims that have been made and likely will continue to be made include privacy violations, workplace discrimination and harassment, defamation (i.e. libel), contract-related claims, trespasses, and intellectual property violations. The most prevalent cyberliability privacy violation involves a claim by an employee that an employer wrongfully reviewed the employee’s e-mails or personal files. In such a case, a court generally will first determine whether the employee had a reasonable expectation of privacy, and, if so, whether the employer’s intrusion into that privacy was warranted. Valid and enforceable consent from the employee, however, will effectively remove any meaningful privacy claim. Such consent can, and should, be obtained by the employer before the intrusion.

Discrimination and harassment claims typically involve so-called hostile workplace claims, in which an employee claims that unwelcome verbal, visual, or physical conduct of a sexual or discriminatory nature has unreasonably interfered with his or her work. Given the proliferation of e-mails containing sexist and racist jokes, the risk of such claims has increased exponentially.

Some liability risks involve the employer’s direct property losses. For example, there is the risk of a disgruntled or defecting employee misappropriating an employer’s trade secrets through e-mail, posting them on a bulletin board on the Internet, or deleting them from the employer’s computers.

Similarly, intellectual property claims involve misappropriation of trade secrets as well as trademark, copyright, and patent infringement. Such violations are likely to increase as it becomes easier to infringe on the intellectual property rights of others. For example, although trade secrets were once cumbersome to steal, e-mail allows a thief to steal secrets without leaving behind physical evidence.

One of the greatest risks arising from the use of workplace technology is the risk that evidence will inadvertently be created and then used in support of some substantive claim against the company. Virtually every new case of any complexity involves documents in the form of e-mail or other computer-generated information. Many employees think that e-mails do not leave permanent records if they are deleted from the sender’s or recipient’s computer. In reality, even if an e-mail is fully removed from all of the company’s computers, it may continue to exist on the computers of any third parties that received or sent the e-mail. Making matters worse, e-mails are treated far too casually. Given their potential permanence and wide dissemination, they should be treated with all the care that would be given to any other important correspondence.

Likewise, each time a Web site is viewed, a record is made of the visit. It has recently been reported, for example, that Penthouse Magazine’s Web site was visited almost 13,000 times in one month by employees of three large companies. Information of this type would not help a company defending against a hostile work environment claim.

An employer cannot assume that it is immune from liability or other risks of which it can be aware at minimal expense. Fortunately, many of the risks associated with cyberliability can easily be minimized.

Companies should integrate enforceable Internet and e-mail policies into their document retention policies. Without proper and consistent enforcement, however, these policies will likely be disregarded or, worse, considered as evidence of wrongdoing on the employer’s part if enforced only selectively.

Companies should consider installing e-mail monitoring and Internet usage software to detect improper employee conduct. Such software enables a computer to scan for inappropriate e-mails and impermissible Internet usage, thereby striking some balance between the privacy interests of employees and third parties and the company's need to protect its employees from harassment and insulate itself from liability. The failure to implement such screening software may result in a company’s liability.

Finally, when all else fails, there is insurance. Although the preference certainly is to avoid liability, this third line of defense should not be overlooked.