Columnists

Office emails carry risk of employer liability

email

Work emails and emails sent from work computers carry an element of employer liability. FILE PHOTO | NMG

Last week the Data Privacy Act became law, ensuring our personal information isn’t touted around as a market asset, and giving us a little protection from the loss of account and preference information.

Yet there are areas where we have long assumed that privacy is ours where it really is not, with perhaps the top example being our workplace email and any workplace phone that gets assigned to us.

As workplace communication tools these are as open to interrogation and viewing as any letter we send on behalf of our employer, and yet they mimic private communication tools, leading many to move into personal communication.

The results can be shocking, but rarely more so than a case I saw last week, where an individual had used his work email address to sign up for a daily newsletter from an extreme pornography website.

That particular kind of porn is classed as criminal in most countries around the world. As illegal communication it also benefits from no security protocols or protection and is thus a prime vector for computer viruses and worms. The employee had clearly been alarmed last weekend to get additional emails to his company email advising the company’s operating system had become infected, sharing the virus alerts with his IT support to be investigated.

However, it was only his then sudden resignation without a handover that prompted his employer to look into his email for social media log ins. Many other IT desks would have looked at his email far sooner, most certainly on the forwarded viral alert. Some just read the staff’s inboxes for sport and for the fun of it, while ever more are monitoring company communications as a matter of compliance.

For the unexpected discovery raised a few difficult questions for that employer: if that newsletter had been found prior to the employee’s resignation, would it have prompted his dismissal? And what is the legal position for the company? If a company finds a member of its staff doing something illegal and chooses to do nothing about it, is the company then doing something illegal, in some way an accessory?

In fact, another relatively recent law for Kenya is the Computer and Cyber Crime Act, and this does cover areas of pornography distribution and of hacking. However, it is often vaguely worded and, as yet, largely untested in courts. Also, there is a large difference between being a recipient, and being the producer of illegal porn.

However, in many jurisdictions, receiving illegal porn is, itself, illegal. And, for sure, no company can afford to have any employee distributing or engaging in cybercrime from its own servers and domain names, pushing companies inexorably towards employee communication monitoring. This has anyway happened more in recent years, as companies have chased breaches. I have personally seen two completely unrelated companies pulling in security experts to deal with very similar breaches, suggesting these are remarkably widespread (for what are the chances of me seeing a nearly identical situation twice unless it is actually happening frequently).

In both cases, a disgruntled employee, or perhaps a would-be champion, had started pushing out information and claims regarding purported wrongful behaviour by top executives. These weren’t as reports to the boards of directors or other whistle blowing routes, but as information campaigns, in one case, making it onto blogs and the internet and in both cases being shared widely by email.

In fact, both cases saw an employee found and fired as the email starting point. It has always struck me as remarkably ironic that both were in marketing, one a marketing manager, the other a brand manager, perhaps, therefore, with the most innate understanding of reputation as a tool, but a concomitantly low understanding of technology and the risk they were creating for themselves.

For servers can reveal the contents of web-based emails too, where employees choose to send their emails from their work-based and connected computer. In all, the situation on privacy is a clear null. Work emails and emails sent from work computers carry an element of employer liability. Never assume they are private. They may only be unseen. They are never unseeable.