E-MAIL CAN GET COMPANIES INTO TROUBLE, SAYS SA’S DELOITTE
Email may be an easy way to keep in touch but it's also an easy way to get into trouble -- especially at work. Recent scandals -- such as the hoax e-mail saga that implicated senior African National Congress members in a supposed conspiracy against the party's deputy president, Jacob Zuma, and its secretary-general, Kgalema Motlanthe -- and fraud such as that experienced by clients of some of SA's major banks such as Standard Bank and Absa Bank, have caused businesses to take a good hard look at their e-mail policies.
Kris Budnick, a director at Deloitte enterprise risk services, says the bank clients were the victims of what is known as "phishing attacks". Phishing is the term used when fraudsters claim to be from a bank and send clients e-mails to trick them into disclosing personal information, such as passwords and PINs (personal identification numbers) to steal their identity.
"There is so much risk associated with e-mail," says Budnick. "E-mail is one of the least secure systems, and is open to much abuse."
Johannesburg-based lawyer Michael Judin, of Goldman Judin, says many employees abuse the company's e-mail system by sending private jokes and pornographic material to each other. "It is a waste of company resources and time." Judin says employees also send letters to third parties, which can potentially bind the company to contracts.
Budnick says the message to employees is "don't put anything in an e-mail that you wouldn't want the whole world to read". And he urges employees to abide by their company's policy for acceptable e-mail use. "Employees need to stop and think about the trouble they could get into if their e-mails get into the wrong hands," he says.
Budnick says the IT department of a company tends to spend too much time on the hazards of inbound e-mail threats such as viruses, spam and Trojans. He says companies should rather make compliance with a policy when sending out e-mail their priority.
Outbound e-mails can ruin the reputation of a company, he says. This can cost the company hundreds of thousands of rands. Furthermore, the trademark of the company is diluted. For instance, if an employee sends out an e-mail containing offensive material, it weakens the trademark of the entity, says Budnick.
"While the majority of employees are generally aware that sending inappropriate e-mails could be dangerous to their company, abuse of a company's e-mail continues on a daily basis because too many firms do not make their staff aware of what is and isn't acceptable use. Staff continue to cross the boundary lines. Employees do not even understand the guidelines."
Budnick says employees don't even know if an employer has the right to monitor and intercept their communications, such as their e-mails and phone calls.
Although no one has yet been sued under the Monitoring Act, cases have been heard in dispute resolution forums, such as the Commission for Conciliation, Mediation and Arbitration and arbitration tribunals.
However, Judin says times are changing and it will not be long before the first test case takes place in the high court. "We are moving into an era of class action, shareholder activism, and company damages."
He says it is possible that an e-mail may land on someone's desk which will lead to the MD of a listed company being taken to court. " This could cause huge embarrassment and cost for the company," he says. Budnick says e-mail is "a grey area that is causing companies enormous problems -- their employees are bringing their social lives into the workplace".
There are certain exceptions under the Regulation of Interception of Communications and Provision of Communication Related Information Act, 2002 (the new "Monitoring Act"), which was passed into law in 2004, whereby an employer may intercept and monitor an employee's communications, such as e-mail and phone calls, provided a company fulfil s the criteria of the so-called business monitoring test.
The communications must have been carried out during the course of that business; must be related to that business; or must have taken place in the course of carrying on that business.
However, the act empowers only certain individuals within the organisation to intercept such communications, such as a financial director or CEO. IT staff are by virtue of their role empowered under certain circumstances to do so, Budnick says.
An employee's communications may be intercepted to protect the company's interests, for instance to prevent fraud or embarrassment and exposure, Budnick says. He says it is still open to debate as to whether a business may monitor an employee's private e-mail. No doubt the debate will continue until the high court rules on the matter. Judin says that employers must exercise caution under the act. There is a lot of debate around where an employee's right to privacy ends and where the company's right to monitor communications begins.
The Monitoring Act contains a general prohibition on the monitoring of an employee's communications, such as e-mails, phone calls and faxes, and carries heavy penalties, including a fine of up to R2m or imprisonment for not more than 10 years.
Judin says the act contains a number of exceptions -- where the parties have given written consent to the interception; where a person is a party to the communication; and where a law enforcement officer obtains a directive from a judicial officer because of suspicion that a serious crime has been, or is about to be, committed.
A clear, well-communicated e-mail policy backed up by the right processes and systems will ensure companies and individuals remain on the right side of the law, Judin says. "Companies must ensure that they are legally covered by explaining the policy to every employee and having every employee signing the policy on an annual basis."