The Information Superhighway is a compilation of Internet and commercial online services that provides access to a number of multimedia tools including the Net, e-mail, and the World Wide Web. Individuals and businesses alike are charging onto this maze we call cyberspace and finding a complex, unregulated, and potentially problem-filled virtual galaxy of information.

This article will highlight some areas of interest for employers taking their workspace onto the Information Superhighway, including privacy issues, proper use of e-mail, access to the Internet and a suggested policy to deal with some potential problems.

For many businesses, e-mail has become a preferred method of communication. it allows users to compose short writ-ten messages and instantly send them to any location. Responding to an e-mail message is simple and avoids the problem of having to connect with somebody in "real time." An e-mail message also can transmit digital information such as documents, spreadsheets, and even video clips. In addition, e-mail messages are easy to save.

Do employees using company provided equipment have a reasonable expectation of privacy in their e-mail and Internet use? As a technological matter, the answer is "no." Although it is difficult for an employer, Internet Service Provider ("ISP"), or hacker to intercept e-mail messages that go out over the Internet, monitoring in-house systems or sites that an employee visits is not that difficult. See Michael J. McCarthy, Now the Boss Knows Where You're Clicking, Wall Street Journal, B1, October 21, 1999. ("Advancing technology is rapidly extending, electronic-eavesdropping capability to every office that uses the Internet. There is a new set of Internet-surveillance systems.... Some can conduct desktop-to-lap-top sweeps.") As a legal matter, the question is much harder to answer. The Electronic Communications Privacy Act of 1986 ("ECPN"), 18 U.S.C. §§2510, 2701, its state law equivalents, and laws governing invasion of privacy all come to bear on the question. There is no clear answer, and the law on the point is evolving.

The type of system used has some bearing on the reasonableness of the employee's expectation of privacy. E-mail may be sent either on a secure in-house system or over the Internet. One feature of most employer-based computer systems is an e-mail network that allows employees to send messages to one another by typing a message onto the computer screen and directing the computer to deliver the message to another employee with a computer attached to the employer's computer network. Other systems use the Internet to get the e-mail messages from the sender to the recipient. Since there is no central Internet computer, and every computer on the Internet is linked to multiple computers, e-mail sent via Internet is stored in any number of computers on its way from the sender to the recipient.

To the extent that the average e-mail-using employee analogizes e-mail to anything, it is probably to the use of a telephone: "If I place the call to one person, that is the only person that I intend to receive the message--wiretapping is illegal, and it's nobody else's business. I intend the same when I send an e-mail message." To the employer, the matter is different: "I own the equipment, and it's there to help you do your job. It's just the nature of the equipment that lets me see how you're using it, and for what. So you don't have an expectation of privacy." (This tug-of-war can go on interminably. "Just because companies own bathrooms doesn't mean they have the right to install cameras and monitor whatever goes on in there." Marc Rotenberg, quoted in Michael J. McCarthy, Virtual Morality: A New Workplace Quandary, The Wall Street Journal, B1, 4, October 21,1999.) Some employers unintentionally undercut their own position by providing employees with passwords; still others permit their employees to select their own passwords. Of the latter employers, some require disclosure of the password to the employer, while others do not. The nature of the employer's e-mail system is likely to be crucial; the employees' expectation of privacy may arise in part from the kind of system used (in-house or external). But more important still is the policy that the employer sets and communicates to its workforce.

If an employer has any realistic hope of defeating its employees' expectation of privacy, it must take steps to announce the rules as soon as it permits access to the company e-mail system. These rules, in the form of an e-mail use policy, must limit and restrict employees' expectations of privacy in their electronic communications, but must do so consistently with laws that prohibit interceptions of electronic communications in transit and unauthorized accessing or disclosure of stored communications.

Except for narrowly prescribed circumstances, employers are prohibited from eavesdropping on employee telephone calls. However, there is as yet no specific prohibition against reviewing an employee's e-mail communications. This situation has resulted in litigation over how to balance two equally legitimate interests: the privacy rights of employees and the employer's need to maintain control over the workplace through means that might include monitoring employees' use of e-mail. This topic will be addressed in detail in the below.

Any employer hoping to engage in legal activity with respect to employee computer use, or to promulgate a valid computer-use policy must have an understanding of the laws governing communications privacy. Most states have laws that protect the privacy of electronic communications, and many of these are modeled on the ECPA. For purposes of this article, we will examine the provisions of the ECPA. Since most electronic communications cross state lines, the ECPA, should be considered the baseline of legal protection.

In the ECPA Congress recognized that laws previously on the books failed to-address adequately issues raised by new forms of communications. The ECPA was enacted in response to the eavesdropping and wiretapping circus that we know as Watergate. Originally, the statute was passed to limit the ability of the government to eavesdrop on telephone communications. In 1986, Congress amended the ECPA to regulate emerging forms of electronic communication.

The ECPA protects most electronic communications, including e-mail, from interception, attempted interception, disclosure, use, and unauthorized access. See 18 U.S.C. §§2510(12), 2510(17)(A), (B). The ECPA's reach extends beyond "common carriers" to include private communication systems operated or subscribed to by major companies. 18 U.S.C. §§2510(14), (15). Unfortunately, the ECPA is complicated. Its application depends upon the medium of the message, the system upon which the message is located, and the status of the message (whether in motion or standing still). Nevertheless, the statute prohibits both the interception of messages in transit and the unauthorized access of stored messages.

The ECPA does have loopholes, however. Section 2511 governs unlawful interception of communications. "Intercept" is a defined term under the ECPA. See 18 U.S.C. §2510(4). Broadly speaking, a message must be in transit to be "intercepted." U S. v. Moriarty, 962 F. Supp. 217 (D. Mass. 1997). Accessing someone else's mailbox and reading their stored e-mail messages does not constitute an "interception" for purposes of a criminal violation of section 2511. Section 2511 has eight exceptions set forth at sections 2511(2)(a) through (h). Of these exceptions, two appear to be directly applicable to business e-mail systems:

• A provider of electronic communications services may lawfully intercept electronic communications "while engaged in any activity which is a necessary incident to the rendition of his service" or to protect the provider's rights or property. 18 U.S.C. §2511(2)(a)(i); and
• It is not unlawful for a person to intercept a wire communication if that person is a party to the communication or if one of the parties to the communication has given consent to the interception. 18 U.S.C. §2511(2)(a)(i); and
• A provider of electronic communications services may lawfully intercept electronic communications "while engaged in any activity which is a necessary incident to the rendition of his service" or to protect the provider's rights or property. 18 U.S.C. §2511(2)(a)(i); and
• It is not unlawful for a person to intercept a wire communication if that person is a party to the communication or if one of the parties to the communication has given consent to the interception. 18 U.S.C. §2511(2)(d).

Most of the remaining exceptions deal with law enforcement and intelligence gathering. One, however, may be applicable to employee Internet use. Section 2511(2)(h)(ii) states that it is not an offense for an electronic communications service provider to "record the fact that" communications have been initiated or completed, if this is done to protect the provider or a user from "fraudulent, unlawful or abusive use of such service." But does this mean that the service provider can tell the employer (who is arguably the user) what sites the employee (the originator of the communication) has visited? Section 2511(3)(a) restricts the service provider's right to divulge the content of any communication while in transit except as provided in one of the exceptions stated in section 2511(3)(b). But none of the stated exceptions in section 2511(3) indicate that the provider can divulge the identities of the originator and the addressee once "the fact" of a communication was recorded. To some extent, the question of Web hits is inherently one of access to stored information, not interception of communications in transit.

Section 2701 et seq. governs stored communications. Section 2701(a) prohibits any person from intentionally and without authorization gaining access to an electronic communications facility and, in turn, gaining access to stored electronic communications. Section 2701(c) permits the provider of the electronic communication service to gain access to the stored communications. However, section 2702(a)(1) prohibits the provider from disclosing the information to any other person or entity except as permitted by section 2702(b). As with interception, the stored communication provision permits the provider to access the communication to perform acts necessary to the rendition of service or to protect its property. Thus, a company that provides its own service or owns its communication systems might be free to review and disclose stored employee e-mail, at least as far as the ECPA is concerned. There is no exception, however, that authorizes the systems administrator of a company that provides its own communications system to disclose the content of stored communications for some other purpose--such as providing it to managers who want to monitor an employee's e-mail. Nevertheless, at least on court has held that this is permissible. See Bohach v. City of Reno, 932 F Supp. 1232 (D. Nev. 1996), in the section below discussing the privacy rights of public employees.

An important exception to the ECPA deals with consent, both with regard to interception and access to stored communications. The consent exception applicable to interception is section 2511(2)(d); for access to stored communications, section 2702(b)(3). Both sections state that the consent of either the sender ("originator") or the recipient of the communication will suffice. The problem with this language from the point of view of the sender seeking to preserve privacy is that consent by the recipient will expose the sender's message to unwanted scrutiny on the recipient's end. The contract governing the e-mail user's use of the e-mail system may provide extensive privacy protection beyond that provided by the ECPA, or it may disclaim or eliminate all such privacy rights. Thus, an e-mail message which you send to a friend or colleague in a corporate setting may be subject to full protection (no consent to interception or access on either side), little protection (consent on one side), or no protection at all (consent on both sides).

Employee consent under the ECPA includes implied consent that may be achieved through prior notice. Note, however, that implied consent is not constructive consent. Consent will not be measured by what a reasonable employee should have realized or should have known, but only by what reasonable notice an aggrieved employee actually had. Again, a carefully crafted e-mail policy can provide the necessary notice to employees that e-mail is not private, and that by using the e-mail system, they are consenting to have their use monitored.

Employers should not take the ECPA lightly. Of the few cases that have raised ECPA allegations, most have concerned the interception of communications in a criminal context, either with respect to interception of communication in transit or accessing stored communications data. No court has yet held that an employer's interception or accessing of an employee's e-mail message is a criminal act. But in the workplace, the statute clearly has untested parameters and civil and criminal penalties exist for interception and accessing alike.

Interception that does not fall within one of the exceptions is subject to the criminal penalties stated in section 2511(4)(a). The criminal penalties include a maximum imprisonment of not more than five years, plus fines. 18 U.S.C. §2511(4)(a). Similarly, if the interception does not fall within one of the exceptions, section 2520 authorizes recovery of civil damages including preliminary and other equitable and declaratory relief, monetary damages, punitive damages, attorneys' fees and costs. 18 U.S.C. §2520(b).

Incidents of accessing or disclosure of stored electronic communications that do not fall within an exception are likewise subject to criminal and civil penalties. Section 2701(b) provides for fines or imprisonment up to six months. Section 2707 authorizes preliminary and equitable relief, monetary damages, punitive damages, attorneys' fees and costs.

The concern over electronic communication privacy will continue growing. An increasing percentage of the American workforce is made up of knowledgeable workers who rely extensively on electronic communication. Outside the work place, more and more Americans are going online. An expanding market of privacy tools has emerged, and public demand for greater online privacy--both inside and outside the workplace--has resulted in a flurry of legislative proposals at the state and federal levels. (For an idea of the pending privacy measures and tools available, visit the Electronic Privacy Information Center at www.epic.org.)

One day, employers also may be faced with legislation proposed by Congress that would limit an employer's right to monitor any e-mail system. The proposed Privacy for Consumers and Workers Act ("the PCWN') covers electronic monitoring of e-mail and would require employers to provide employees with individualized notice before actual monitoring. In addition, the proposed PCWA would place strict limits on an employer's right to monitor employee e-mail use, based upon an employee's years of service. The PCWA was introduced in Congress during the 1989-1990 term, but never has been passed into law. Employers should keep their eyes open for the passage of this Act.

Given the uncertainties in the potential application of the EPCA's penalties in the workplace, some employers may feel that it is just too dangerous to engage in monitoring at all. But this is an extremely unattractive option for most employers. The potential for abuse of Internet access and e-mail is obvious, and may range from a significant waste of what might otherwise have been productive time to illegal activity by the employee. The best alternative is for the employer to take steps to reduce the employee's expectation of privacy and gain explicit consent for monitoring.

The first step in crafting a strong electronic communications policy is to inform employees of the fact that the electronic mail system is owned by the employer, provided for business purposes, and may be monitored when the employer deems it necessary. The policy should begin with the simple premise: that a company's electronic communication system is a company resource and provided as a business tool.

Be careful that the notice itself does not carve out certain privacy expectations for areas outside the scope of the implied consent. For example, the use of passwords or certain security levels on e-mail may give an employee a legitimate belief that certain communications will be strictly private, and that only a limited degree of consent is implied in any notice. The capacity to delete files or purge messages similarly may supply a level of unwarranted comfort to employees who do not realize that certain deleted and purged files may actually remain on most computer systems. Again, a carefully worded policy can minimize the expectation of privacy.

Assuming that the ECPA either permits or does not prohibit an employer's accessing its employees' e-mail, it still is not clear when and in what circumstances an employer's actions may violate an employee's right to privacy. Indeed, many state courts have considered common law claims based on invasion of privacy and intentional infliction of emotional distress, brought against employers that have either monitored or accessed their employees' e-mail. However, no cases have yet found an employer liable for invading an employee's privacy by reading that employee's e-mail messages.

In Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996), the employee was terminated after sending his supervisor e-mails referring to sales management as "backstabbing bastards" and an upcoming holiday party as the "Jim Jones Koolaid affair." In the hope of finding a public policy exception to the strong at-will presumption of Pennsylvania law, the plaintiff asserted that the employer's accessing of his e-mail constituted a tortious invasion of privacy pursuant to Restatement (Second) of Torts §652b.

The court, in rejecting the plaintiff's claim that his employer had violated his right to privacy, held that the plaintiff did not have a reasonable expectation of privacy in his e-mail messages. The court reached this conclusion despite the fact that Pillsbury had assured all of its employees that private e-mail communications would be confidential and would not be intercepted. The court found that the employee had no reasonable expectation that his message would not be "intercepted" by management once he sent it to his supervisor. Although the court did not analyze the differences between various modes of communication or particular e-mail system configurations, it stated that, for the purposes of Restatement analysis, the plaintiff lost his expectation of privacy once he used an e-mail system "apparently utilized by the entire company" Id. at 101. The court held that "the employer's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighed any privacy interest the employee might have in those comments." Id.

The decision leaves a few questions unanswered. Would the employee have had a reasonable expectation of privacy if the message had been to a non-supervisory co-worker? Under such an analysis could any employee ever have a reasonable expectation of privacy in any e-mail system used by the whole company? Significantly the plaintiff's attempt to establish a public policy exception to the at-will presumption was not premised on the ECPA or its Pennsylvania equivalent, the Wiretapping and Electronic Surveillance Act, 18 Pa. C.S.A. §5701 et seq. Would the employee have had better success if he had taken this route?

In Restuccia v. Burk Technology, Civil Action No. 95-2125 (Mass. Super. Ct. 1996), two former employees claimed that, by reading their e-mail communications, their former employer unlawfully invaded their privacy and intercepted wire communications in violation of a state wiretapping statute. The plaintiffs claimed that their supervisor had violated their privacy rights by reading their e-mail communications and, subsequently, terminating them for the "excessive quantity" of their personal e-mail usage.

The court granted the employer's motion for summary judgment on the statutory claim, holding that an employer's interest in storing computer information in backup files was a permissible wire "interception" allowed by the statute. The court, however, found that there were questions of fact as to whether the plaintiffs had a reasonable expectation of privacy in their e mail messages and whether the employer's reading of their e-mail messages constituted an unreasonable, substantial, or serious interference with their right to privacy.

In states such as California, where the right to privacy is included in the state constitution, an employee's right to privacy is heightened. Ten state constitutions explicitly guarantee their citizens a right to privacy:

• Alaska;
• Arizona;
• California;
• Florida;
• Hawaii;
• Illinois;
• Louisiana;
• Montana;
• South Carolina; and
• Washington.

However, not all states have interpreted this constitutional protection to extend to private action. See Luedtke v. Nabors Alaska Drilling Corp., 768 P.2d 1123 (Alaska 1989) (interpreting the provision in Alaska's constitution guaranteeing the "right of the people to privacy" as prohibiting only state action).

Thus, employers in these states must take special precautions to minimize the employee's expectation of privacy in e-mail communications. Although California courts have not applied a right to privacy analysis to e-mail, the right has been recognized in the cases involving drug testing and employee searches, and may be applied to e-mail invasion of privacy cases in the future. (Note that the court in Pillsbury rejected a drug-testing analogy, because the information was not sufficiently "personal.") The analysis used in the drug testing cases provides some guidance on how the courts in states with privacy protection in their constitutions may apply the law to claims of invasion of privacy relating to e-mail communications.

Courts consider the following factors when determining whether an employee's right to privacy has been violated:

• The employees' reasonable expectations of privacy;
• The employer's special interests; and
• The interest of the public in the particular setting.

When this analysis is applied to e-mail transmissions and Internet access, it is clear that an employer's best shield against a suit for invasion of privacy is a clearly articulated e-mail and Internet policy. A well-worded policy will decrease employees' expectations of privacy in their e-mail communications and Internet exploration. The lower the employee's expectation of privacy, the less likely the employee can succeed on a claim of invasion of privacy. A strongly worded policy also may serve to decrease e-mail abuse by alerting employees that their messages may be monitored.

Public employees are entitled to additional privacy safeguards based on the fourth amendment to the United States Constitution, as well as state constitutional provisions. The Supreme Court has held that the fourth amendment's protection against "unreasonable searches and seizures" applies to invasions of privacy that take place in the work place. See, e.g. O'Connor v. Ortega, 480 U.S. 709 (1987). The fourth amendment, however, only protects against searches that a court would deem "unreasonable." U.S. Const. Amend. IV.

Courts generally have held that searches will be deemed "unreasonable" when the employee had a "reasonable expectation of privacy." Whether an employee has a privacy expectation will depend on many factors, including whether:

• The employer has a policy that puts the employee on notice of diminished privacy expectations;
• The system used is completely in-house or routed through an outside server;
• E-mail access is password-protected;
• The employer requires a signed acknowledgment of the company e-mail policy; and
• The employee has taken affirmative steps to protect his or her privacy.

Thus, when an employer has a policy in place that notifies employees that their e-mail will be monitored and the employer has a legitimate reason to search, courts will rarely deem monitoring to be unreasonable and a fourth amendment violation.

In Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996), for example, two police officers alleged that their department violated the ECPA by accessing messages stored on their electronic pagers. The court held that the officers had no reasonable expectation of privacy because they were warned that the messages on their pagers would be put on a department network for viewing by anyone with access. The court also concluded that the City of Reno was a "service provider" within the meaning of section 271(c)(1) of the ECPA, thereby allowing the police department to access the stored messages as it saw fit. Bohach, 932 F. Supp. at 1237.

The constitutional protection provided by the fourth amendment applies only to searches deemed "governmental intrusions." For an employee of a private employer to plead a violation of the fourth amendment, some level of "state action" must, be shown. Schowengerdt v. General Dynamics Corp., 823 F.2d 1328,1332 n.3 (9th Cir. 1987).

• From an employer's perspective, a major risk of allowing e-mail, Internet, and Intranet access in the workplace is the danger of sexual harassment or discrimination. Since the Communications Decency Act was struck down on first amendment grounds, the Internet will continue to grow with communications inappropriate for the working environment.

Hostile environment harassment occurs when unwelcome verbal, visual, or physical conduct of a sexual or discriminatory nature unreasonably interferes with an employee's work or creates a hostile or offensive working environment. Meritor Savings Bank v. Vinson, 477 U.S. 51, 64 (1986). Under federal employment statutes, an employer is liable for hostile environment harassment if the employer either creates such an environment or knowingly tolerates it. Thus, courts have held employers liable when the employer allowed or knew that employees read or displayed explicit magazines in the office. Similarly, liability against an employer has been based on knowledge of workers posting pornographic pictures or cartoons or telling off-color, sexual or sexist jokes. See Robinson v. Jacksonville Shipyards Inc., 769 E Supp. 1486, (M.D. Fla. 1991).

The emergence of Internet use in the workplace poses new risks for employers. Employees who may not purchase pornographic magazines may, nevertheless, download pornographic pictures, using them as screen savers or printing them at a printer located in the common area. Similarly, although an employee may not be inclined to tell an off-color joke, that same employee may pass on an offensive joke through the e-mail system without much thought. Employees also may "search" the vast number of sexually related sites on the Internet and World Wide Web. If a computer monitor is visible to passersby, such activities may create a hostile environment. Moreover, because these online activities may be transient or difficult to detect by an employer, some employers have made no effort to prohibit them.

In Knox v. State of Indiana, 93 F.3d 1327 (7th Cir. 1996), a female correctional officer sued the State of Indiana for sexual harassment and retaliation. The plaintiff alleged that she received numerous e-mails from her supervisor asking her to have sex with him. She complained to her employer and her supervisor was disciplined and demoted. The court found that the state was not liable since it had taken prompt and remedial action. However, the court made it clear that an employer could be found liable under Title VII for sexual harassment if an employee is being harassed (which can include offensive or sexist e-mail), the employer has actual or constructive knowledge of the harassment, and does not take prompt and remedial action. (See Burlington Industries, Inc. v. Ellerth, 118 S. Ct. 2257 and Faragher v. City of Boca Raton, 118 S.Ct. 2275 (1998).)

Recently, in Owens & Hutton v. Morgan Stanley, 1997 WL 403454, No. 96 Civ. 9747 (S.D.N.Y July 17, 1997), two African-American employees sued Morgan Stanley for racial discrimination. One of the allegations included charges that a white employee authored and sent an e-mail that contained racist jokes, using the identification password of a black employee. The court dismissed the hostile work environment claim, holding that a single e-mail communication cannot create a hostile work environment. However, the court did not say that a racist or sexist e-mail communication could never be the basis of a sexual or racial discrimination charge.

To minimize the possibility of a hostile work environment and the potential legal liability resulting therefrom, employers have several options:

• First, every employer should implement and enforce an e-mail policy. A copy of the policy should be signed by each employee before he or she is allowed Internet and/or e-mail access. The policy should include a clear statement that derogatory, obscene, defamatory and/or harassing communications are prohibited and will lead to disciplinary action up to and including termination. (For more information regarding the contents of an effective e-mail policy, please see the sample policy that appears as Appendix 2 to this article);
• Second, employers can purchase the same software sold to parents who wish to block children's access to sex-related Internet sites. Some Web browsers even have settings built in that will permit the employer to do this. (The employer's failure to take advantage of such a feature can give employees a colorable argument about the employer's acquiescence to unrestricted use);
• Third, employers can purchase computer programs which track access to the Internet. Although these programs do not block access to sex-related material, they create a record of activity by employees on the Internet. If you implement such a program, employees should be advised, in order to limit their expectation of privacy. Also, a warning that "we know who you are and where you have been," may persuade some employees to avoid accessing sex-related Internet sites. Do these programs work in a way that amounts to "interception" or "access" to stored information for purposes of the ECPA or similar state statutes? No one knows yet;
• Fourth, employers can state that and misuse of e-mail and Internet are violations of the company harassment/discrimination policy. Specifically, employers should institute and enforce uniformly policies that prohibit use of company equipment to access, possess, or forward offending material, regardless of sexual content. Although it is not often possible to maintain a sexual harassment action based on the mere presence of undisplayed, sexually explicit material in the work place (lack of pervasiveness), the employer can state that such activity violates its sexual harassment policy. The same analysis can be used with respect to other material which is suspect under Title VII. Employers should warn employees that a violation of this policy may result in termination;
• Fifth, employers should engage in consensual monitoring of e-mail messages on a regular basis. Proper auditing and monitoring of e-mail files may assist employers in identifying problem areas before legal action is started and they are forced to produce damaging material. . Employers should develop an auditing program that will be effective and efficient. An audit of all company e-mail is too burdensome. Rather, an employer should use more focused methods. This may include random monitoring of e-mail files and checking the hard copy printed off the terminal to determine compliance with corporate record retention policies. Some employers may choose to have all employees with computer access sign an annual statement that they have followed the corporate policy with respect to e-mail use. Some employers even install programs that bring up a consent statement every time the computer is started, and require the employee to press an "I agree" button to proceed. A sample is provided as Appendix 1 at the end of this article.

In sum, by implementing and enforcing a sound e-mail policy, an employer can ensure that its e-mail system and access to cyberspace do not create a hostile working environment for employees.

The attorney-client privilege is one of the oldest recognized privileges for confidential communications. "The privilege is intended to encourage 'full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and the administration of justice.' " Swidler & Berlin v. United States, 524 US. 399, (1998) (citing Upjohn Co. v. United States, 449 US. 383, 389 (1981)). The attorney-client privilege protects clients and their attorneys from any disclosure of communications made in confidence unless there has been a waiver of the privilege. See United States v. Workman, 138 F.3d 1261, 1263 (8th Cir. 1998); In re Sealed Case, 877 F.2d 976, 980 (D.C. Cir. 1989).

The problem comes, however, in determining what constitutes a "waiver." In general, if either the attorney or the client errs and fails to take reasonable precautions to maintain the confidentiality of a communication, the communication is not protected. See United States v. Gangi, 1 F. Supp.2d 256 (S.D. N.Y. 1998); Bank of Brussels Lambert v. Credit-Lyonnaise, 160 F.R.D. 437 (S.D. N.Y. 1995). In Gangi, the court held that four factors should be considered in determining whether a party has taken sufficient steps to protect the confidentiality of documents being requested for production:

• The extent to which reasonable precautions were taken to avoid disclosure of privileged documents;
• The scope of discovery as compared to the amount of privileged material disclosed;
• The amount of time taken to correct the error; and
• The issue of overall fairness.

Gangi, I F. Supp. 2d at 264 (citing Lois Sportswear, U.S.A. Inc. v. Levi Strauss & Co., 104 F.R.D. 103, 105 (S.D. N.Y. 1985).

The potential problem when an attorney communicates with a client over e-mail or the Internet is whether the fact that the message is transported over an insecure medium affects the confidentiality of the message.

Formal Opinion 99-413) specifically addressed the confidentiality of unencrypted e-mail. The opinion stated that it '"uniformly is accepted that lawyer's reliance on land-line telephone, fax machine, and mail to communicate with clients does not violate the duty of confidentiality because in the use of each medium, the lawyer is presumed to have a reasonable expectation of privacy." The opinion examined the lawyer's expectation privacy with regard to:

• "Direct" e-mail;
• "Private system" e-mail;
• Online service providers; and
• Internet e-mail.

Stating that "[t]he reasonableness of a lawyer's use of any medium to communicate with or about clients depends on both the objective level of security it affords and the existence of laws intended to protect the privacy of the information communicated," the opinion found that lawyers have a reasonable expectation of privacy in all of the above.

Direct e-mail permits a lawyer to e-mail clients by programming the lawyer's computer modem to dial the client's modem. This, in the opinion's view, is "virtually indistinguishable from the process of sending a fax." Since this information is transmitted in digital form, it is much more difficult to intercept than a telephone call.

Private system c-mail configurations permit one in-house system to communicate directly with another. The opinion noted that such systems pose a greater risk of misdirected messages than direct e-mail systems. However, since such systems do not use "publicly accessible" networks, the opinion concluded that they are as secure as direct e-mail systems or faxes.

The typical online service provides a subscriber to its e-mail with a "mailbox" and a password to get into it. The service provider will typically have a privacy policy and will take steps to preserve the privacy of subscriber e-mail consistent with that policy. The existence of password protection and the stringency of such policies determine the reasonableness of the expectation of privacy.

Of particular interest, the opinion addressed the question of interception of such messages:

"Moreover, federal law imposes limits on the ability of OSP [online service provider] administrators to inspect user e-mail, irrespective of the Sop's formal policy. Inspection is limited by the ECPA to purposes 'necessary to the rendition of services' or to the protection of 'rights or property.' Further, even if an OSP administrator lawfully inspects user e-mail within the narrow limits defined by the ECPA, the disclosure of those communications for purposes other than those provided by the statute is prohibited."

Accordingly, the opinion concluded that lawyers have a reasonable expectation of privacy in the use of private system e-mail.

The opinion stated that there is in fact a reasonable expectation of privacy in the Internet e-mails that attorneys send to clients. The opinion acknowledged that messages in transit between a sender and recipient are stored along the way and could be viewed by ISPs or hackers. But the opinion took note of the realities of Internet traffic: An enormous volume of electronic data passes through ISPs every hour, and messages are split into packets, making it extremely unlikely that an ISP monitor or a hacker could see the entire message. According to the opinion, these realities underscored the reasonableness of the expectation of privacy in the communication.

The opinion also analogized the use of Internet e-mail to the use of a telephone:

"The fact that ISP administrators or hackers are capable of intercepting Internet e-mail–albeit with great difficulty and in violation of federal law–should not render the expectation of privacy in this medium any less reasonable, just as the risk of illegal telephone taps does not erode the reasonable expectation of privacy in a telephone call."

The fact that the messages could be intercepted on their way from the sender to the recipient did not destroy the reasonableness of the sending attorney's expectation of privacy. The opinion thus acknowledged that the expectation was to some extent intertwined with the sender's intent. Footnote 32, in the section addressing, private system e-mail, is of particular interest in understanding the expectation of privacy in the face of possible interception:

"The qualified right of interception of OSP's cannot be argued to create unique risks to the confidentiality of e-mail communications because phone companies (and other providers of wire or electronic communication services) are given identical rights under 18 U.S.C. §2511(2)(a)(i). Moreover, many commercial mail services reserve the right to inspect all packages and letters handled, yet no one suggests this diminishes the user's expectation of privacy."

Before ABA formal opinion 99-413, states took different positions on the expectation of privacy in unencrypted e-mail. Footnote 40 of the ABA opinion lists many of them. The careful practitioner should be sure to check the ethics opinion of the relevant jurisdiction to determine if additional steps to assure privacy are in order.

Other than using a private e-mail system, there are a few pre-cautions e-mail users should take to ensure confidentiality of communications. First, the user should add a disclaimer at the beginning of all e-mail messages, marking them as private and confidential, similar to the wording on a facsimile cover sheet. Second, the user may consider encryption. An encrypted message is one that is scrambled so that it is unreadable to everyone except the intended recipient, who must in turn de-crypt the message in order to read it. Commercial software, such as "PGP," which uses a system, of electronic "keys", is available to encrypt messages. Both the sender and the recipient receive a key that allows them to encode and decode e-mail messages sent over the Internet. A fairly new Internet e-mail service called "Ziplip" allows a user to send encrypted e-mail that self-destructs in 24 hours. Passwords are optional with Ziplip, and the service is both free and easy to use. Ziplip is available at www.ziplip. com.

Rule 34 of the Federal Rules of Civil Procedure provides for discovery of electronic records such as e-mail, thereby creating a large amount of potentially discoverable information in lawsuits. Thus, it now is commonplace for a party to demand production of e-mail in discovery proceedings. The employee who never would include a racist or sexist joke in a "formal" memorandum, will send such information through an "informal" e-mail communication without much thought. Thus, plaintiff's attorneys have learned that the "smoking gun" they need to win the case may be stored in the company's e-mail system. For example, in New York, a federal court held that a supervisor's e-mail message to an employee about Finland's proposal to create a "sex holiday" was evidence of sex discrimination. Strauss v. Microsoft Corp., 1995 U.S. Dist. LEXIS 7433, at * 11 (S.D. N.Y. 1995). As another example, the e-mail comments of Los Angeles Police Officer Lawrence Powell–"Oops, I haven't beaten anyone so bad in a long time"–were introduced in his criminal trial for the beating of Rodney King.

Electronic communications are considered "documents" for purposes of federal litigation and must be produced when requested. Thus, employees must be aware of the fact that, by sending an e-mail message, they are creating a company document that may be viewed by individuals other than the intended recipient, including people outside of the company.

Unfortunately, the cost for retrieving an employer's e-mail files, which often includes bringing in computer experts or running a special program, will be billed to the employer. Courts often view the cost of producing these e-mail messages as a foreseeable cost of doing business. See In re Brand Name Prescription Drugs Antitrust Litig., 1995 WL 360526 (N.D. 111. June 15, 1995) (requiring the defendant drug manufacturer to produce over 30 million pages of e-mail at its own cost of $50,000 to $70,000).

It is important to realize that, even though an e-mail message has been "deleted" from the system, it often still is retrievable. Most systems will keep a backup of some sort for anywhere from six months to one year. Fortunately, there are programs which can "shred" these files from the system. However, it is important to note that, once an employer is on notice of a formal investigation or litigation, the employer is under an obligation to preserve any and all electronic records. See Turner v. Hudson Transit Lines, Inc., 142 F.R..D. 68,72-73 (S.D. N.Y. 1991) (finding service of complaint to be sufficient to put employer on notice of litigation and its obligation to preserve all electronic information).

Employers can take several steps to reduce the potential liability resulting from e-mail communications:

• First, employers and employees must understand that e-mail messages do not disappear when they are deleted. Deleted e-mail messages may remain in the system, in "trash," for example, and can be retrieved at a later time. Thus, employees should not write anything in an e-mail message that they would not put in a company memorandum;
• Second, a company should adopt a document retention/destruction system that permanently deletes all e-mail files, including trash, on a regular basis. This retention policy should take into account the types of files to be saved, and must comply with state and/or federal regulations that require employers to ke0ep documents on file for a specified period of time; and
• Finally, the company should adopt and implement an e-mail policy. Employees must be warned that their e-mail messages are not private, that by using the system the employees consent to allowing the company to read any messages on the system and that c-mail messages can be retrieved even after they are "deleted."

Employers must limit the privacy expectations of their employees from the beginnings of the process by implementing and enforcing an effective e-mail policy. We suggest that each employee sign an acknowledgment of the policy before being granted access to the company e-mail system or the Internet. The policy should state that:

• The use of corporate property for personal or inappropriate uses may result in discipline up to and including termination from employment;
• E-mail transmissions sent or received may be monitored by authorized personnel to ensure the employer's legitimate business interest in the proper utilization of its property;
• The use of corporate property for personal or inappropriate uses may result in discipline up to and including termination from employment;
• Employees' electronic communications over company equipment are not considered private and that by using the employer's equipment, the employees are consenting to have such use monitored by authorized company personnel, at its discretion;
• Employees shall not use a code, access a file, or retrieve any stored communication, other than as authorized; and
• All computer pass codes must be provided to supervisors, and that no pass code may be used which is unknown to the employer.

Employers also should incorporate a policy on e-mail access into their employee handbooks and corporate policies and procedures manuals. Additionally, employers should have each employee sign a form acknowledging the employer's right to access e-mail and stored e-mail information. To prevent disclosure of important documents and maintain the attorney-client privilege, only allow authorized personnel to gain access to them. Finally, employers should incorporate an e-mail retention policy that retains e-mail files for a set period of time, then deletes them on a systematic and timely basis.

All electronic communication systems and all communications and stored information transmitted, received, or contained in the Employer's Information Systems are the property of the Employer and, as such, are to be used solely for job-related purposes. Additionally, the employee's use of such equipment and software for private purposes is strictly prohibited. Employees using these systems, equipment and software for personal purposes do so at their own risk. Further, employees shall not use a code, access a file or retrieve any stored communication, other than where authorized, unless there has been prior clearance by an authorized Company representative.

Violators of this policy are subject to disciplinary action, up to and including discharge from employment. To ensure that the use of the Employer's Information Systems, equipment and software, and other electronic communications systems is consistent with the Employer's legitimate business interests, authorized representatives of the Employer may monitor the use of the Systems, equipment, and software from time to time. Use of these S stems constitutes consent to monitoring as stated above.

All electronic and telephonic communication systems and all communications and information transmitted by, received from, or stored in these systems are the property of XYZ Corporation and as such are to be used solely for job-related purposes. The use of any software or business equipment, including but not limited to facsimile machines, telecopiers, computers, the Company's e-mail system, the Internet, and copy machines for personal purposes is strictly prohibited.

Employees using this equipment for personal purposes do so at their own risk. Further, employees are not permitted to use a code, access a file, or retrieve any stored communication unless authorized to do so or unless they have received prior clearance from an authorized XYZ representative. All pass codes are the property of XYZ. No employee may use a pass code or voice-mail access code that has not been issued to that employee or that is unknown to XYZ. Moreover, improper use of the e-mail system (e.g., sending offensive jokes or remarks, including over the Internet) will not be tolerated.

To ensure that the use of electronic and telephonic communications systems and business equipment is consistent with XYZ's legitimate business interests, authorized representatives of XYZ may monitor the use of such equipment from time to time. This includes monitoring Internet usage of any kind. This may also include listening to stored voice-mail messages.

XYZ provides access to the Internet. The Internet represents a useful tool for the Company in conducting its business, but like any other tool, it must be used properly. For purposes of this policy, "Internet" includes any public electronic data communications network.

Internet e-mail offers broadly similar capabilities to other Company e-mail systems, except that the correspondence is external to XYZ. External e-mail messages may carry one or more attachments. An attachment may be any kind of computer file, such as a word processing document, spreadsheet, software program, or graphic image.

Just as XYZ has an official Internet Web site, so do other organizations. Most public Web sites are "read only," meaning that they permit a person who visits the site to read material posted on the Web site but not to leave a message. Other Web sites permit visitors to establish continuing contact by leaving a message (the electronic equivalent of leaving your business card or a telephone message). The owner or operator of a Web site may record the information that a connection was made from XYZ Company.

As a general rule, employees may not forward, distribute, or incorporate into another work material retrieved from a Web site or other external system. Very limited or "fair use" may be permitted in certain circumstances. Any employee desiring to reproduce or store the contents of a screen or Web site should contact the legal department to ascertain whether the intended use is permissible.

Common sense and an absolute commitment to maintaining client confidences are keys to using electronic communications safely and effectively. This memorandum must be signed and returned to get Internet e-mail connectivity. The following guidelines are intended to help you make the best possible decisions regarding the use of e-mail and the Internet.

Client confidentiality/liability–NO CONFIDENTIAL MATERIAL MAY BE SENT VIA THE INTERNET. Absent express client consent, the Internet should not be used for any client communication purposes. With client consent, only employees specifically requested to communicate electronically with clients should do so. By definition, any message sent via the Internet is unsecured. We can and will set up secure electronic communications with clients.

Privacy—On the Internet: There is no such thing as privacy on the Internet. Be advised: The privacy of any electronic item sent via the Internet is analogous to that of a postcard. Never send anything over the Internet that you would not feel comfortable sending on a postcard.

Within the Company: The use of Internet and Internet e-mail is subject to the Company's e-mail policy as stated or amended. ALL INBOUND AND OUTBOUND INTERNET E-MAIL IS AUTOMATICALLY TRACKED BY SENDER NAME, RECEIVER NAME AND SUBJECT LINE. THIS INFORMATION IS MAINTAINED AND CONSIDERED PUBLIC INFORMATION TO FIRM MANAGEMENT. While we make every effort to maintain the confidentiality of our internal there e-mail system, and we ask that everyone respect that confidentiality, there may be circumstances in which it might be necessary for firm management to read or copy e-mail messages (or any other electronically stored file). These circumstances would be extraordinary and might be required to comply with the law, meet our professional responsibilities, or deal with serious management or personnel issues.

Business purposes–The firm provides Internet access and Internet e-mail for business purposes. This is the same principle that applies to all our facilities: phone, fax, postage, etc.

Internet and e-mail functionality–The Internet and Internet e-mail are not 100 percent reliable. This is a function of the Internet, not our particular implementation. Our tracking ability ends once the message has been transferred from our internal e-mail system to the Internet. At that point, we can no longer track its whereabouts or if it has arrived at its destination. We also cannot determine how long it will take to reach its destination. Delivery times from several minutes to several days have been noted. In addition, we cannot certify the integrity of a file attached to an Internet e-mail message. File attachments to Internet e-mail messages are often corrupted in transit, therefore, there is no way to guarantee that a file attachment will be received intact. Although we have a fully compatible Internet gateway supporting file transfer, successful transmission depends on the receiving gateway (and every gateway in between) also having up-to-date, compatible gateway software. If this is not the case, the file attachment may well become corrupted.

Reliability–Remember the Internet is an unregulated web of computers that transmits information in what is essentially an electronic game of "hot potato." Your e-mail message may get to its recipient in Ohio by way of Russia. There's no way to know what route it will take, or how long it will take, or if it will get there at all. A good rule of thumb is to ask the recipient to send a reply message upon receipt, or let you know by phone.

More than just common sense–There is a tremendous amount of sexually explicit material on the Internet. Our system should not be used at any time to access it, download it, display it, or to transmit or receive tasteless humor. The firm does not tolerate actions that may create a hostile environment.

This document should be viewed as a jumping-off place concerning online etiquette. As we gain more experience with external electronic communications, we expect to expand and revise our policy. If you have any questions or suggestions, please contact.

Please sign and return a copy of this memo. Internet e-mail connectivity will be made available through your account and instructions will be sent to you.

I understand this policy memorandum and agree to abide by it.

Printed Name Date