Internet Newsletter for Lawyers, September/October 2002, by Delia Venables

Internet Newsletter for Lawyers September/October 2002, by Delia Venables

Harnessing Internet and Email
by Dominic Watson
Being aware of the risks is good, provided that this knowledge is used positively. However, introduction of the improvements that email and the web can bring are being stifled through fear of undefined, potential breaches of security and abuse that can be tackled if clearly understood. Here we outline some positive steps other firms have taken, that you might consider too.
The Problem

Fears about use of the web and email inhibit lawyers from harnessing their full potential and there is some justification for these concerns. However, email is not that different from hard copy letters or the telephone. If commercial enterprises have learned to cope with it and the powerful combination of email and online services have made big improvements in productivity and quality of service, every firm of solicitors should be tackling this now too.
The two big fears are:
Potential breaches of security (confidentiality, copyright, viruses, hackers etc.); and,
Abuse of the system (productivity, pornography, harassment of fellow employees etc.)
Difficulties arise because some of the risk management involved here involves new ways of working and use of technology itself (which many lawyers do not trust or fully understand) to monitor and police the situation.
However, it's not really that different from the old world. Even now, an employee could write anything on your letterhead and make an attempt at forging your signature, or they can even steal the keys to your office if they really want to. But there do need to be some new ground rules and new ways of working that have to be monitored constantly and enforced rigorously.
In reality, no employer ever has complete control over every employee's every word or act. Employing anyone always carries risks that need to be actively and realistically managed to deliver acceptable commercial results. If employees get it wrong, they should be disciplined which could lead to dismissal; but you need grounds to justify dismissal and you need to make it as difficult as possible for them to cause any serious damage.
Where to Begin

Begin by identifying the risks, defining the ground rules, communicating them, monitoring and enforcing them. If there are no defined rules or if they are not communicated effectively, enforcement becomes impossible.
Step 1
Establish a sound method of operation which will counter the risks of security and abuse of email in and out and use of the web and define these in a policy statement; maybe along the lines of the example provided here (Microsft Word document). However, this is just a sample to give you a feel for how your policy might look and some issues you might address. To copy and adopt this is not the solution for you, but you have our permission to adopt this framework for your own statement of policy. More thought and internal discussion is needed to tailor your own approach and make sure you really understand and can implement it.
Issues you should address and safeguards you should build into your systems and policy could include:
a) Who owns the email accounts; the employee or the firm? Make it a priority to tell your employees that the company owns all email and that the firm reserves the right to monitor any email.
b) Employees should be told that the e-mail account is for business use. Their email correspondence should not embarrass the company or make it liable for any fines.
c) You can forbid or limit personal emails and access to the Internet, then monitor use to eliminate abuse. However, be wary of the provisions of the Data Protection Act, which can restrict your ability to pry too far into the content of personal emails and the like.
d) You should reserve the right to go into defined email accounts, monitor them and take disciplinary action, including termination of their employment when appropriate. Even if you cannot read the content, you can see where emails are coming from and going to.
e) You can adopt "mailsweeper" software to filter out incoming email that looks potentially hazardous before it comes in or is sent out - perhaps all with image, sound or executable (.exe files) attachments for starters.
f) Define who is authorised to use the email account and how email in and out will be processed. You could perhaps appoint a "postmaster" account managed by an administrator to filter out spam in the early days and probably beyond. This can enable you to identify or eliminate emails to personalised or rogue addresses.
g) Install virus checking on emails in and out, with automatic update facilities.
h) Reserve the right to monitor compliance with defined policies.
i) Install a firewall to restrict access to your browsers to specified sites and track visits to others. You will also use the firewall to restrict incoming traffic onto your system.
j) You can filter emails for content e.g. to identify swear words, stop or quarantine any emails containing them the email and notify this abuse to an administrator.
k) You could consider encryption or stop FTP (file transfer by employees).
....and there are many more options available to you.
Step 2
Write down your policy, then talk to your people about what it means. Don't just send them a piece of paper (or an email!) but do also give them a piece of paper explaining the policy, and make sure every employee signs off their acceptance of it. This ensures that they know about the policy, understand it and are bound by it.
Step 3
Monitor compliance. It is critical that you act when there is a breach to enforce the rules. Reports and rejections from mailsweepers, firewalls and the mailserver itself should be reviewed regularly and acted upon where there has been any breach.
For more information, contact Dominic Watson at Practical Solutions on 0161 929 8355 or dwatson@inpractice.co.uk. Practical Solutions's web site is at www.inpractice.co.uk.
The draft policy is at here (Microsoft Word document).
Back to Contents.