Addressing the risks of the new legal landscape
New technology breeds new legal issues. Recoding computers for Y2K, widespread use of E-mail systems and the Internet, and electronic records storage all create new legal risks that require cautious maneuvers.
Almost without exception, every large corporation has embraced the notion that increasing lines of communication enhances efficiency and helps companies meet their business objectives. However, organizations need to manage and establish clear policies to minimize risk related to the explosive use of the Internet and intranets by employees and customers.
In a recent case, a court held both the corporation and its owner liable for copyright infringement because it sold a product on its Web site in violation of a copyright. Because the actions of the owner were so egregious, the court punished him personally for his indifferent attitude.
Similarly, a line of cases holds Web site owners responsible for the actions of independent third parties. Courts have held otherwise innocent Web site owners liable for copyright violation for failing to purge material attached to their site without the copyright owner’s permission. If the company Web site allows attachment of articles or pictures to the site by employees or outsiders, the site should contain a written prohibition regarding attachment of any work without permission from its author or owner. Further, management should review the Web site and contents to rid them of all questionable material, attachments or postings.
Another issue increasingly addressed by the courts is unauthorized linking to Web sites. Web site owners have successfully sued for the use of their information, pictures and articles (accessed by some direct and some surreptitious means) without permission (sometimes referred to as spoofing, mirroring, framing, linking). Before links are created, written permission should be obtained.
Services or products offered for sale or advertised on the Internet may satisfy personal jurisdiction and force an unsuspecting defendant into court far from home. Web site owners should be clear about the purpose of the Web site and understand the potential effect of its content. That is particularly significant in the Internet context where the corporate Web site might be viewed anywhere in the world.
That precise issue was recently addressed by a court, which held that merely accessing a Web site advertisement was a sufficient legal basis to force someone to defend a lawsuit in a particular location. In other words, an advertisement may be enough to force a party to a dispute into a court where the Web surfer accessed the site or where the Web site owner is located.
Material on the Web site should be reviewed to determine the legal impact the Web content may have. Further, Web visitors or customers should agree to the law to govern any disputes and the place the matter will be litigated before an electronic transaction is consummated or relationship formalized.
Technology meets tort
When and how to computerize company records and how long they should be kept are questions of import and complexity. If an electronic message replaces a paper memorandum, the record must be dealt with by its content, not by the medium in which it is created or the system through which it passes. If an E-mail message has business significance, it needs to be retained like all company records on the same topic. Failure to retain electronic records for the same retention period as the paper memo on the same topic undermines the overall legitimacy of the records program and can subject the company to claims for destruction of evidence (spoliation). Recycling storage tapes without regard to content has been held to violate the Federal Records Act (which is applicable to federal agencies). Recycling storage media without knowing the content might be problematic for the private sector as well.
In a recent case, the court held that a company had "destroyed" records by simply reusing computer storage tapes containing otherwise relevant information. While some have interpreted the case as attacking the short retention period for the electronic records at issue, others have concluded that the court allowed the claim for spoliation because the company failed to have procedures to preserve relevant records and information for litigation.
To obviate that risk, company retention schedules should be media independent, and procedures must be in place that suspend destruction of records when faced with litigation or audit.
Technology obsolescence is another daunting technology issue ripe for the application of the expanding definition of spoliation. While originally spoliation was only applied to intentional destruction of records, more recently courts have been entertaining claims for negligent or mistaken conduct. For example, one court noted that "utilizing a system of record keeping which conceals rather than discloses or makes it unduly difficult to identify or locate them" was the functional equivalent of destroying records. As corporations implement new technology, change operating systems and use new storage mediums, a plan should be developed to ensure continued access to the records stored on older technologies. Failure to take action could mean that records simply cease to be accessible over time.
Without regularly migrating information to currently accessible technology, vast quantities of information might be trapped on old computers or storage devices, potentially giving rise to the next generation of claims for spoliation.
Further, even when information is systematically migrated, problems can arise. For example, a federal government agency recently learned that after migrating information from one computer environment to another, numbers were incorrect by as many as eight digits. In the private sector, such a lack of record integrity or trustworthiness could make the records unusable and a liability.
Controlling risk with procedures
Increasingly companies are storing records on optical storage and imaging systems. With computer output to laser disc (COLD) storage, records are created without an "original" document ever being created until the record is retrieved and printed to paper. However, relying on such records requires confidence that they will be acceptable to governmental agencies and/or courts. While laws regarding the acceptability of "good" optically stored records are more common (although there still are federal and state agencies that require paper records), such laws do not ensure that records will be allowed into evidence.
For example, federal agencies (such as the IRS and the Securities and Exchange Commission) make clear that for optically stored records to be acceptable, they need to be created with procedures and policies that ensure record accuracy, integrity and completeness. That has little to do with adequate hardware, which is assumed to be acceptable. Usable imaged records will depend on whether the process by which they were created ensures complete image capture, record quality and accuracy, and thorough indexing, among other things.
If an optically stored record is successfully challenged, all other records similarly captured are vulnerable to attack.
Controlling liability through policies
By now you have heard about the numerous high-profile discrimination lawsuits based in part on inappropriate E-mail messages sent through the company system.
The liability and negative public relations exposure exacted on companies when they fail to stop the transmittal of inappropriate jokes or pictures is huge. Policies must be drafted and strictly enforced to limit use of E-mail to business purposes, with specific prohibitions. Thereafter, the system should be audited for compliance, and all violations of the policy should be uniformly punished.
While policy development might seem like an easy fix, there may be reluctance to take the prescribed action because of concerns regarding the legal authority to monitor employee communications or reluctance to confront the current culture of employee privacy. There appears to be greater support in recent court decisions for implementing more aggressive policies, which could raise eyebrows in the short run but have substantial benefits in the long run.
In a federal court case in Pennsylvania, an ex-employee sued his former employer for invasion of privacy because the company violated its own policy, which stated that E-mail would remain confidential and would not be intercepted or used against employees as grounds for termination. The employee sued after his E-mail was intercepted and he was fired.
In refusing to recognize the invasion of privacy claim, the court stated, "We do not find a reasonable expectation of privacy in E-mail communications voluntarily made by an employee to his supervisor over the company E-mail system notwithstanding the assurances that such communication would not be intercepted by management."
New and increasingly complex technical and legal issues are created by the storage and reproduction of the corporate memory in electronic form. Failure to recognize and proactively address the various issues can be costly in money, time and reputation.
Bringing together a multidisciplinary team including lawyers, technology, information systems, and records personnel is needed to accommodate the differing perspectives and to provide the best solution to reduce risk and legal exposure.