Liability Issues and the Internet Part 1: Electronic Mail

Scott F. Uhler, Philippe R. Weiss and Michele M. McGee

As a medium of mass communication, the Internet is relatively new, with virtually no statutes and precious few cases dealing with it. There are, however, present library-related and general uses of the Internet that often seem identical to the traditional format of transactions and occurrences that are subject to existing federal and state rules. As legislatures and courts come to deal with the legal issues of Internet transactions, both in and outside libraries, the ubiquitousness of Internet communications and the requirements of new technologies, they may well amend the traditional legal approaches and create specialized rules and principles for the Internet.

The Internet's technical requirements make it different from existing communication technologies. The Internet is not itself an entity or a process, and no single government, company or individual controls it. Further, information placed on the Internet is accessible to all other Internet users, and the person who places the information on the Internet generally cannot control who obtains that information. Likewise, no one controls the routing of Internet information from its place of origin to its destination: the exact path of Internet transmissions are controlled by Internet equipment and software. Indeed, one of the major aspects of the Internet is its global scope, and questions of "jurisdiction," as well as issues of enforceability, arise when pornography originating in Papua is received in Peoria.

I. Electronic Mail

With the increased use of electronic mail ("E-mail"), a variety of legal questions and issues have come to light. It is anticipated that by the year 2000, 40 million individuals will be using electronic mail and sending 60 billion messages annually. Lee, Laurie Thomas. Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Law in the Age of the Electronic Sweatshop, 28 John Marshall Law Review 137, 140 (1994). Because E-mail has become a common communicative tool, libraries should consider the following legal issues in determining the scope of E-mail use among staff and/or patrons.

A. Confidentiality and Employer Review

E-mail is often used for both professional and casual/personal purposes. For example, it is simple for an employee to E-mail another employee on a different floor or in a different building to arrange luncheon plans. Depending upon the type of E-mail system, it may be possible for employees (and library patrons) to receive E-mail letters from friends and family in far away cities. What degree of privacy do employees have in their E-mail messages? In recent years, the content of E-mail messages has been used to prosecute crimes. United States v. Baker, 890 F.Supp. 1375 (E.D.Mich. 1995) (threats to injure or kidnap). People v. Eubanks, 44 Cal.2d 846 (6th Dist. 1995), cert. granted 1995 WL 783028 (1995), (theft of trade secrets), and pursue civil actions. Id. at 849. In fact, Los Angeles Police Officer Powell, who was accused of beating Rodney King, sent an E-mail message over the Los Angeles Police Department system stating, "Oops, I haven't beaten anyone so bad in a long time." John K. Keitt, Jr. and Cynthia L. Kahn, Cyberspace Snooping, Legal Times, May 2, 1994, 24. Employers are reading employee E-mail with increased frequency. In fact, in 1993, nearly 22 percent of employers surveyed responded that they review employee E-mail. Charles Piller, Bosses With X-Ray Eyes, MacWorld, July 1993, 188. With this in mind, it is important for libraries and library districts to evaluate the possible liability involved in reviewing employees' E-mail.

66

1. Federal Constitutional and Statutory Limitations

To date, no federal laws specifically address employer review of employee E-mail, but a number of statutes and constitutional provisions affect reviewing employers. Public entity employees, including library employees, have a right to be free from unreasonable searches. U.S. Const. Amend. IV. If the library or library district invades or intrudes upon an area where an employee has a reasonable expectation of privacy without that employee's consent or a warrant, a search occurs. Whether a reasonable expectation of privacy exists depends upon a number of factors. In general, a reasonable expectation of privacy exists when society at large would recognized that it is reasonable for an employee to expect the area to be private.

In recent years, courts have found that employees have no reasonable expectation of privacy in their desks or lockers. Schowengerdt v. United States, 944 F.2d 483 (9th Cir. 1991), American Postal Workers Union v. United States Postal Service, 871 F.2d 556 (6th Cir. 1989). If an employee is aware that the E-mail system administrator and/or another library employee has the capability of reviewing E-mail messages, it is unlikely that any reasonable expectation of privacy exists. While it is generally well known that a systems administrator can access all users' E-mail, it is good practice to openly advise employees of this and, if applicable, make access available to other employees/supervisors. Such disclosure limits an employee's expectations that her E-mail messages were to remain private.

Some federal statutes may also affect a library or library district's ability to review employees' E-mail. Because this is a relatively new area of law, very few courts have addressed the subject. In fact, because E-mail tends to be a hybrid form of communication, combining written mail and electronic/wire communication, it is uncertain whether mail privacy or wire privacy statutes or both will be applied by courts.

The federal Electronic Communications Privacy Act, 18 U.S.C. §2510 et seq. (1995), prohibiting electronic monitoring, specifically applies to E-mail communications. See, e.g., Steve Jackson Games v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994). In this case, the seizure of a computer by the Secret Service with unread E-mail was held to be a violation of the federal wiretap act. This Act was amended in 1986 to include E-mail and other computer transmissions. However, the Electronic Communications Privacy Act contains several key exceptions to the prohibition against access to stored electronic communication. The first is an exception for monitoring after receiving the consent of one party to the communication. Second, disclosures in the ordinary course of business are exempt. Last, certain disclosures to government are excepted. In light of the exceptions, avoiding liability under this statute may be as simple as obtaining the explicit or implicit consent of your library or library district employees to monitor their E-mail.

Various pieces of legislation have been proposed to regulate E-mail monitoring. Each legislative attempt has a different approach, but includes such techniques as mandatory disclosure of monitoring policy, notice requirements, limitation of random monitoring of long-term employees, or permission to monitor in the course of business. To date, these bills have been unsuccessful in part because of the strong corporate and business lobby in Washington. It is likely, however, that some guidance regarding the monitoring of employee E-mail will eventually be forthcoming from the federal government and, possibly, the state legislature.

Arguably, the mere use of an E-mail system gives implied consent to intercept messages if the user is aware of the library's ability to review such messages. Moreover, it is likely all monitoring will occur in the ordinary course of business because the purpose of monitoring is to prevent personal use, crime or inappropriate use of the system. Violations of the Electronic Communications Privacy Act could result in civil damages, attorneys fees and costs. However, it is unlikely that a library that notifies employees of the monitoring requires consent to such monitoring before using the system, and monitors only in the course of library business will be liable under this Act.

2. Illinois State Constitution and Statutes

Similar to the United States Constitution, the Illinois Constitution protects individuals from searches, seizures or other invasions of privacy. Ill.Const. Art. I §6. However, unlike the federal eavesdropping statute, the Illinois Eavesdropping Act does not explicitly include electronic mail as a protected communication. 720 ILCS 5/14-1 et. seq. (1995). Even if the Act did contain such protections, the Illinois Legislature during this past legislative session exempted a company's use of an employee monitoring system if such monitoring is conducted with the intent to control service quality or with educational, training or research purposes. 720 ILCS 5/14-3(j) (1995). Essentially, a limited business use exception for monitoring of employees who use the telephone as a primary tool to perform their job duties was created. If E-mail is deemed protected by the Illinois Eavesdropping Act, this exception would apply in certain situations.

67

3. Invasion of Privacy

In addition to specific state and federal statutory protections, libraries and library districts could be liable for the tort of invasion of privacy. If an employee has a reasonable expectation of privacy in her E-mail, it may be possible for the employee to recover civil damages for invasions of privacy by E-mail monitoring. The following are several factors a court evaluates when this tort is alleged: (1) whether the intrusion was intentional; (2) the location and private nature of the activity involved; (3) whether the intrusion is highly offensive to the reasonable person and (4) whether a legitimate purpose existed for the infringement.

Obviously, most employee monitoring will be intentional. It could be argued that the location is not private in light of cases that hold that an employee's desk or locker is not private; however, depending upon the design of the library or library district's network, the security of an employee's E-mail may be greater than that of a desk or locker in situations when only the system administrator and the employee have access. The degree of privacy afforded, therefore, will depend upon the library or library district's policy and the design of the system. It is unlikely, however, that E-mail monitoring will be found highly offensive to the reasonable person, and there is an obvious legitimate library or library district's purpose involved justifying the infringement. As such, a library should not be civilly liable for such actions.

Recommendations:

Libraries and library districts can help protect themselves from liability under state and federal law by engaging in a few simple procedures. One important step is to create and publicize an E-mail policy or appropriate guidelines. In creating such a policy or guidelines, the library or library district should consider the degree of monitoring required, permitted uses of the system, treatment of personal vs. business messages, and backup/deletion capabilities of the system. In addition to informing employees of the policy, the library or library district may want to have employees sign waivers or consent forms.

B. Freedom of Information Act

Because libraries are public bodies under the Illinois Freedom of Information Act (FOIA), libraries should consider the FOIA implications of an E-mail system. Under FOIA, libraries and library districts must make numerous categories of designated records available to members of the public. 5 ILCS 140/3 (1995). Such records may include information stored on computer disk, cd-rom, tape or other electronic method. 5 ILCS 140/2(c) (1995), AFSCME v. County of Cook, 136 111. 2d 334 (1990) (the court in AFSCME viewed public records as including computer tapes. As such, it is important to consider the implications of FOIA when creating E-mail files. See Star Publishing Co. v. Pima County Attorney's Office, 181 Arz. 432 (1995) In Star Publication, the court held that the defendant county was required to release computer back up tapes containing public records and non-public records because the county did not prove the tapes contained non-public records.

Recommendations:

Since libraries and library districts must maintain and make available certain public records, libraries and library districts should create a policy or guidelines regarding creation and deletion of E-mail messages constituting a public record. In designing an E-mail system, libraries and library districts may wish to include options to designate appropriate messages as public records upon creation of the message and then have those records saved separately from non-public records. Such a system should also take into consideration saving and destroying back-up tapes. Generally, back-up tapes are kept for a limited period of time. If an employee deletes an E-mail message that is public record and the only copy of the message is on a backup tape that is deleted within a short period of time, the public record is destroyed. If public records are separated in the system from the beginning and never stored along with non-public records, it will be easier to answer an FOIA request and make decisions regarding destruction of records.

Libraries and library districts should also consider separate storage of public and non-public records in light of technology that allows undeleting or unerasing of records. If a computer tape or disk that once contained deleted non-public records is given to a requester of information, the requester may be able to undelete or unerase the record. That being the case, the requester not only has the requested public record, but various non-public records as well. For example, during the Iran-Contra investigation, it was determined that back-up tapes existed that contained deleted E-mail messages between Oliver North and John Poindexter. The tapes were used as evidence by the prosecution, and a judge later ruled that the records were official and could not be destroyed.

It is important for libraries and library districts to recognize that computer documents such as E-mail

68

constitute a public record under FOIA. Unlike many other documents generated by a library or library district, E-mail messages are rarely printed on paper. As such, a procedure and policy for identifying which messages are public records and archiving such records should be considered by every library or library district with E-mail capability.

The laws governing Internet use are clearly in the formative process. Until legislatures and courts address the issues involved in this new communication technology, we can only look to the laws presently governing similar issues. As the number of Internet users increases, we can expect to see a more comprehensive response by both legislatures and courts.

* Scott F. Uhler is a partner and Philippe R. Weiss is an associate with the firm of Klein, Thorpe and Jenkins, Ltd. Both attorneys represent library clients with offices in Orland Park and Chicago. Michele M. McGee is an associate with the firm whose practice includes telecommunications matters. This article is the first part of a three part series. Parts 2 and 3 will address issues of screening Internet access, copyright defamation and other related matters.

69