Strange things happen when you put an attorney together with a self proclaimed computer nerd, especially when that computer nerd finds himself working in eDiscovery. I’m not sure when this scenario started formulating in my head. I was expecting those around me in the legal field to punch holes in this but instead I got possible validation with case law. Even stranger still, I heard there may already be an existing case pending.
My scenario stems from the general corporate monitoring of email and ends in a lawsuit worth $100 of millions. The case has nothing to do with product liability and everything to do with wrongful death. It’s simply a case of murder. And again, this is a work of fiction.
Setting the Stage
I think this can only happen in the United States. As those of us employed in major company, and growingly in the mid-tier now, employers routinely monitor employee email. The Electronic Communications Privacy Act made it federally legal for companies to monitor emails. I will not debate the legitimacy of this, for it is the law. Nor will I attempt to interpret this. With monitoring, companies have growingly focused on these emails.
Of course those of you reading this in some countries you know there are no issues here. In many countries, such as Scandinavian countries, email is private communications between to individuals, like phone conversations. Monitoring those communications requires cause, due process, and an order.
Reports from over four years ago, indicate that over 50% of companies monitor employee emails. Today I believe that number to be over 80%. Many companies simply monitor all employee emails. Some, instead of looking for items of material nature, monitor all emails, for instance job hunting. In extreme cases, some employers are even known to monitor voice mails. It is here where my story begins.
The Story Begins
The story begins with an elicit affair between two employees. The two have an affair for over a year communicating, on occasion, through the company email and voicemail systems. The company, ignores this because both are managers and work in different departments.
After a year, the mistress catches the man with another woman, not his wife, but a new younger mistress. This infuriates female employee. The fuse is further lit after a confrontation and a liaise faire attitude to the situation. The woman decides to teach him a lesson.
The woman begins researching hiring a hit man using the company’s laptop, as she has no PC of her own. In time she finds someone through the Internet and starts an email thread with them. No NBC Dateline story here. The woman is able to hire a hitman. Unfortunately for her, she gets caught and spends the rest of her life in prison. But the story does not end here.
The Corporate Spin
Losing her husband, the wife decides to open a civil suit, against her husbands employer. The claim? negligence. It is known that her husband’s employer monitors all employee emails. In court, it came up that that the mistress has used her company laptop and email account to hire the hitman.
The wife’s attorney argues that the company should have discovered the emails and warned her husband and more appropriately the police of the mistress’ actions. The attorney further stipulates that had the employer acted on the information gathered in their monitoring, the man would still be alive. Having been killed at age 40, the cases asks for damages equal to his salary through his planed retirement and punitive damages.
The company alleges that they are not able to monitor the emails for such matters. Yet during the trial a review of the email archive shows the email threads between the mistress and the hitman. Further still, it is shown that the company was able to support several discovery matters involving emails and had also taken action on company matters that were discovered through email monitoring. The company continued to state that this was not their responsibility.
In the end the case went to the plaintiff and the company was ordered to pay damages and significant punitive damages.
Coming Up With My Fictional Verdict
Some will say that hey this can’t happen. But here’s the thing. There is case law that shows the exact case to be true.
The first area of case law is around restaurant’s liability for serving alcohol. We have heard of cases where a restaurant was sued for serving drinks to a patron later caused an accident. The restaurant and the servers can be held liable for serving those drinks. Further still, a restaurant can not argue that they had too many patrons to monitor all of them. Restaurant have been found liable for their patron’s actions.
This goes even further when you look at negligent retention, where a company retains an employee even though they have knowledge of the potential criminal acts. This is found under the doctrine of “respondeat superior” where an employer is responsible for the actions of its employees during the performance of their tasks. My favorite example is that of the pizza delivery driver causing an accident while trying to meet a delivery guarantee.
It is through these case laws and doctrines that I come up with the hypothesis that some day in the not so distant future an employer will be sued for the criminal acts of an employee that were made visible to the employer through their monitoring of employee emails.
Great Story But What Does This Mean?
Much like the early days of the internet, today there is little corporate governance in archiving. It is shocking what different and adamant beliefs companies have to archiving, especially email. Some say they keep everything. Other keep nothing. I even had a case where I was told a company was going to strip all metadata so it isn’t easy to find a message during discovery.
Let get the first issue out of the way. Ralph Losely said it best. “If you’re doing things right you have nothing to hide.” Do accounting classes teach you how to keep two sets of books? Start with good governance process that ensure what needs to be kept is being kept. eDiscovery is about documenting that you did things right not hiding things you do wrong. What are those documentation requirements? Every company is different. There is no one size fits all governance process. I’ll touch on some in later articles.
But in my example the company itself did nothing wrong. By monitoring every email a company sets itself to be privy to individual conversations. Even a psychiatrist must break doctor patient confidentiality if they believe someone is in imminent harm. Search filters can track which emails need to be maintained. But the real question is does a company need to read every employee’s every email?
Choosing to monitor all employee communication comes at a cost that is not just financial in implementation. The hidden cost is that while you reduce the risk in one area, you still create it in another. Approaching eDiscovery in an uninformed, save and monitor everything approach could create a bigger problem than the one you sought to solve. All of that information locked away just waiting for the right set of circumstances to unleash its destructive power
Pandora’s Box was presented to corporate world with the Electronic Communications Privacy Act. Whether a company opens the box and monitors evry employee email is a question of archival governance.
Not a lawyer as you well know, but I think that if they search for set terms for retention, and behavior, they may be found free of negligence. If none of their filters catch the email thread and bring it to someone’s attention, then they should be okay. You can’t setup searches to handle all of your employees actions.
Mind you, if the ones setup DO catch those emails, then I would assume negligence could apply as long as the filter does more than just store the emails for a time and people look at numbers as to why emails are caught.
It is tricky and not something to be handled just by techies.
-Pie
Pie
Well an argument can be made that if a company is monitoring emails and they have made this part of their duties, then a company cannot be choosy of what it decides to report on. Can a company choose to monitor for some elicit acts and not others? That is what negligent retention is about.
And your second point is one of my real concerns. If a company keeps ALL emails does it put them at additional risk.
Marko
Hi Marko,
Interesting post. I like your analogies; however, I’m not sure they way you describe them mimics the challenges with eDiscovery.
For your restaurant analogy, I think a more appropriate analogy would be if a restaurant was responsible for serving a drink to a customer who was allergic to particular ingredient in the mix drink. A restaurant should be able to monitor how many drinks it serves each customer, but it should not be liable for unforeseen issues like allergies. This is just like a company should monitor email for specific topics (eg threats on life), but not everything in the world.
For you the negligent retention, if a company does not explicitly state that an employee will be terminated immediately for their actions (ie zero tolerance), then I can see an employee sue the company for wrongful termination (without due process). I think if the pizza delivery guy never had an accident before AND the company had him go through some safety training, the company should not be liable. I believe the same should apply to emails (although I’m no lawyer as well). If a company is actively monitoring email AND it demonstrates that it has implemented procedures to act on “questionable” emails, then its hard to say that the company was acting negligent.
Pandora’s Box may be open, but I’m not sure that pestilence is abound. My question is whether we are doing more harm than good.
-Johnny
Johnny,
Those are not analogies. Those were the summaries of real case law. Restaurants have lost cases where they have served someone alcohol and later caused an accident. A pizza company lost a case where the driver caused an accident during delivery.
More in my reply to Pie.
– Marko
Johnny – that is the question indeed. Is it more harm than good. Companies have to manage email and they have to monitor it. The problem is if they do not define what they are doing in legally defensible ways then the mitigation of risk from monitoring could (and probably will) be undone by the greater exposure from doing too much.
Gone are the days when legal departments can get away with not addressing policies in this area by cavalierly saying “keep everything” or “dispose of everything.” Some in corporate legal and risk management have to become techie enough to develop informed legal positions appropriate for their company. I don’t think consultant generated, IT oriented “best practices” will cut it in this arena for the long term.
Marko,
The analogy reference wasnt about your real world examples, it was how you referenced those examples as comparisons to your email scenario. Not exactly apples to apples.