May 8, 1998
Lucien Capone III
University Counsel
University of North Carolina at Greensboro
The speed and convenience of e-mail(1) are quickly making it the communication medium of choice. It is often easier to e-mail someone than to play "phone-tag," or to invest the time and effort required to compose, print, address, and mail a memo or letter. This is especially true if the communication is designed to reach multiple addressees. However, the ease of using e-mail, and its attendant informality, has created several pitfalls, some of which harbor potentially serious legal consequences. These concerns include confidentiality, privacy, search and seizure of employees' e-mail, compliance with public records laws, and appropriate use of institutional resources. The importance of a well-written institutional policy to deal successfully with these issues and to protect the institution from liability for the abuse or misuse of its e-mail system cannot be overemphasized. This paper addresses three topics. First, the factors that should be considered when crafting an institutional e-mail policy are outlined. Second, the current state of the law establishing the parameters of each of the relevant factors is examined. Finally, model policies that may be adapted for use by your institution are presented.
Needless to say, an institution's investment of resources to establish and maintain an e-mail system is justified primarily, if not solely, by use of the system to conduct the institution's business. However, it is unrealistic to think that users will limit their messages to purely business content. At a minimum, the same type of pleasantries that are exchanged as a prelude to a business phone call are likely to be used in an e-mail message. At the other end of the spectrum, some users tend to think of their e-mail account as their own private "CB" radio or cell phone to be used for personal messaging or even to carry on money-making activities such as placing stock buy and sell orders. Striking a balance between the extremes is not just an academic exercise. Too strict a rule becomes one that is observed primarily in the breach and breeds disrespect for the institution's regulatory code. Too little restraint can result in overloading the system, declining productivity and possible institutional liability based on implied ratification of the activities of the employee. Additionally, a wide open policy regarding personal use of an e-mail account can adversely affect the institution's ability to examine the contents of an employee's e-mail account by creating a reasonable expectation of privacy in that account. This latter issue will be discussed in greater detail later in this paper.
Although it is not legally necessary to state that e-mail may not be used to violate law or institutional rules, a well-written e-mail policy serves a valuable educational function by helping remind users of considerations including copyright, defamation, harassment (racial and sexual), obscenity, pornography, fraud, confidentiality of student records, etc. Further, given the technical interpretation of conduct policies by some courts and governmental agencies (e.g. OAH), it may be wise to state clearly that use of e-mail for such illegal purposes may result in discipline up to and including dismissal.
There are myriad reasons why an institution may need to retrieve an employee's e-mail. These range from the innocuous examination by computer "techies" in order to determine if the system is operating properly, to highly intrusive monitoring to ensure compliance with appropriate use policies. The law, both statutory and court-made, is more highly evolved in this area than in most others related to e-mail. A well-crafted policy can profoundly influence the likely outcome of legal challenges to the institution's examination. The body of law applicable to this issue includes the Electronic Communications Privacy Act, Fourth Amendment search and seizure constraints, and common law privacy considerations.
One of the major pitfalls of e-mail is the ease of getting rid of it. In some cases, hitting the delete button will do the trick. In others, it may take a few more steps, or the system may be set either by default or on purpose to get rid of archived e-mail after a certain time period has elapsed. Whatever the design or settings of the system, the problem is the same: public records are improperly or even illegally destroyed. Employees are generally not conditioned to think of the content of their e-mail as a public record. But, if it is made or received in the course of the government's business, it almost certainly is a public record. Some of the important policy considerations are:
E-mail users tend either to assume that e-mail is more secure than it actually is, or they forget about the rules of confidentiality altogether. On the sending end, it is a common error to reply to an entire listserve(2) rather than the single individual who is the intended recipient. On the receiving end, it is very easy to forward e-mail without considering whether the addressee is authorized to receive the information. A good policy should remind users that student and personnel records, medical records, and trade secrets should not be sent over e-mail unless the recipient is clearly authorized to receive that material. The sender should also be careful to advise the recipient of the confidential nature of the material.
Conversion of state property for personal use is a criminal offense in North Carolina. N.C.Gen.Stat. § 14-91; 143-32; Flaherty v. Hunt, 82 N.C.App. 112, 345 S.E.2d 426, disc. rev. denied, 318 N.C. 505, 349 S.E.2d 859 (1986). However, in the author's experience, attempts to prosecute employees for occasional personal usage of state property (e.g. telephones) that does not abuse the system are usually unsuccessful (e.g. State v. Marsha Lilly). At the other end of the spectrum, using the institution's e-mail system for unlawful purposes ought to provide ample justification for discipline up to and including dismissal. Cf., Smyth v. The Pillsbury Company, 914 F.Supp. 97 (E.D.Pa. 1996)(Termination of at-will employee for transmitting inappropriate and unprofessional comments over employer's e-mail system did not violate public policy.)
It is important for an institution to take action against users who abuse the system or who use the system for unlawful purposes. Although service providers are not generally held liable for the content of messages sent over the system, Zeran v. America On Line, Inc, 129 F.3d 327 (4th Cir. 1997), where the service provider is also the employer, different rules may apply.
In Zeran, the plaintiff sued America On Line (AOL) for unreasonably delaying removal of defamatory statements which had been posted on the system by a third party subscriber, and for failing to pre-screen that party's subsequent postings. The Fourth Circuit Court of Appeals rejected that claim holding that section 403 of the Communications Decency Act, 47 U.S.C. § 230(c)(1) creates a federal immunity from claims seeking to hold an internet service provider liable for content originating from a third party user of the service. Specifically, § 230 exempts service providers from publisher liability.(3) Congress' purpose for creating this immunity was in recognition of the fact that,
The amount of information communicated via interactive computer services is staggering. The specter of tort liability in an area of such prolific speech would have an obvious chilling effect. It would be impossible for service providers to screen each of their millions of postings for possible problems. Faced with potential liability for each message republished by their services, interactive computer service providers might choose to severely restrict the number and type of messages posted. 129 F.3d at 331
Additionally, Congress sought to encourage service providers to self-regulate by removing the danger that self-regulation would cast them in the role of a publisher. See, Stratton Oakmont, Inc. v. Prodigy Services Co., 1995 WL 323710 (N.Y.Sup.Ct. May 24, 1995), and Cubby, Inc. v. CompuServe Inc., 776 F.Supp. 135 (S.D.N.Y.1991).
However, the fact that service providers have immunity does not mean that institutions are free to let their employees or agents say and do whatever they please over the institution's e-mail system. An institution whose supervisory personnel use e-mail to demand sex from subordinates is likely to be held just as liable for quid pro quo sexual harassment as in the case of a supervisor who uses the company's phone or lunch room for the same purpose. Failure to act in such cases may be held as ratification of the employee's or user's unlawful activities.
A system provider's right to access a user's e-mail account is potentially subject to scrutiny under both the Fourth Amendment to the U.S. Constitution and the Electronic Communications Privacy Act of 1986 (ECPA).
The retrieval of a user's e-mail from the user's computer files for an investigatory purpose is likely to be considered a search and seizure subject to the Fourth Amendment. A person may challenge the validity of a search only by asserting a "subjective expectation of privacy which is objectively reasonable" in the place or thing to be searched. Minnesota v. Olson, 495 U.S. 91, 95, 110 S.Ct. 1684, 1687, 109 L.Ed.2d 85 (1990). The person claiming a right of privacy under the Fourth Amendment has the burden of proof. Smith v. Maryland, 442 U.S. 735, 740, 99 S.Ct. 2577, 2580, 61 L.Ed.2d 220 (1979). Courts that have examined this question in the context of e-mail have generally found a limited expectation of privacy in e-mail until such time as another person receives the e-mail. After that, the sender no longer controls the destiny of the message and can have no objectively reasonable expectation of privacy in it. See, e.g., United States v. Maxwell, 45 M.J. 406 (C.A.A.F. 1996); United States v. Charbonneau, 979 F.Supp. 1177, 1184 (S.D.Oh. 1997); Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev. 1996). However, searches of system files may reveal messages that were never sent or received for any number of technical reasons. The case most likely to be cited as authority in such cases is O'Connor v. Ortega, 480 U.S. 709, 107 S.Ct. 1492, 94 L.Ed.2d 714 (1987), in which the Court defined the extent of a government employee's right to privacy in the work place. Although O'Connor dealt with a search of a public hospital employee's desk and file cabinets, the principles enunciated by the court would seem to be applicable to e-mail stored in computer hard drives. The Court began by rejecting the contention that public employees can never have a reasonable expectation of privacy in their workplace. That expectation can be reduced or even eliminated by actual office practices, procedures or regulations. 
However, in O'Connor, the Court found that the employee did have a reasonable expectation of privacy in his desk and file cabinets because he did not share them with other employees and had kept personal items in those places throughout his seventeen years of employment at the hospital. Further, the Court noted that there was no evidence that the hospital had adopted any policy discouraging employees from storing personal items in their desk or file cabinets.
Having found a reasonable expectation of privacy, the Court concluded that the employee's expectation was, nevertheless, outweighed by the government's need for supervision, control and the efficient operation of the workplace. In this case, that need was the hospital's legitimate concern about possible improprieties in Dr. Ortega's management of the residency program. In such cases, the search must be justified at its inception by reasonable grounds for suspecting that the search will turn up evidence that the employee is guilty of work-related misconduct or that the search is necessary for noninvestigatory work-related purposes such as to retrieve a needed file. Additionally, the search must be limited in scope to achieve the employer's legitimate objectives.(5)
Despite the fact that the courts are finding a diminished expectation of privacy in e-mail, the prudent course of action would be to remove all doubt by expressly stating in the institution's policy that employees should expect no privacy in e-mail created or sent over the institution's system.
North Carolina recognizes the common law tort of invasion of privacy in some circumstances, but not others. Specifically, the courts recognize claims for unauthorized appropriation of a person's likeness, and for intrusion, physically or otherwise, upon an individual's seclusion or solitude or upon his private affairs or concerns. Miller v. Brooks, 123 N.C.App. 20, 472 S.E.2d 350 (1996), disc. rev. denied, 345 N.C. 344, 483 S.E.2d 172 (1997); Smith v. Jack Eckerd Corp., 101 N.C.App. 566, 568, 400 S.E.2d 99, 100 (1991). However, the courts will not adjudicate claims for disclosure of private facts or for placing the individual in a false light. Hall v. Post, 323 N.C. 259, 372 S.E.2d 711 (1988); Renwick v. News & Observer Publishing Co., 310 N.C. 312, 312 S.E.2d 405, cert. denied, 469 U.S. 858, 105 S.Ct. 187, 83 L.Ed.2d 121 (1984). Although the North Carolina courts have not dealt with search and seizure of e-mail records, in general, searches that are permissible under the Fourth Amendment for regulatory purposes will not give rise to a claim for a common law invasion of privacy. Majebe v. North Carolina Board of Medical Examiners, 106 N.C.App. 253, 416 S.E.2d 404, disc. rev. denied, 332 N.C. 484, 421 S.E.2d 355 (1992)(Search of acupuncturist's office and seizure of patient records did violate patients' right to privacy).
Courts in other jurisdictions have not sustained common law privacy claims with respect to the search of an employee's e-mail records. See, e.g., Smyth v. The Pillsbury Co., 914 F.Supp. 97 (E.D. Pa. 1996)("the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments.")
The ECPA substantially amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968. This law, more commonly known as the Wire Tap Statute, can be found at 18 U.S.C. § 2510-2522. The Wire Tap Statute was originally designed to regulate government interception of oral communications by telephone. The ECPA amended the law to include transmission of electronic data by computer and regulated both the interception of electronic communications and access to stored electronic communications.
18 U.S.C. § 2511 makes it illegal for any person to intercept intentionally(6), endeavor to intercept, or procure any other person to intercept any wire, oral or electronic communication. It further makes it illegal to intentionally disclose, or endeavor to disclose to another person, the contents of any wire, oral or electronic communication knowing or having reason to know that the information was obtained through unlawful interception. However, the law creates three major exceptions to the general prohibition on interception. These are the "public access," "employer owned system," and "consent" exceptions.
* The public access exception. 18 U.S.C. § 2511(2)(g)(i) provides that "It shall not be unlawful under this chapter or chapter 121 of this title for any person to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." So, to the extent that e-mail is posted to a site that is accessible to the general public, e.g. an unrestricted web page, Usenet or bulletin board, the ECPA is not violated.
* The employer owned system exception. 18 U.S.C. § 2511(2)(a)(i) states that interception of an electronic communication is legal when done by an officer, employee or agent of an electronic service provider "in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service." In other words, if the system administrator needed to find the originator of a "spam"(7) that was overloading the system, this exception would apply to make that interception legal. However, that same section goes on to admonish that "a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks."
The distinction between a provider of an e-mail service intended for use by employees versus a service, like America On Line (AOL), that is intended for use by the general public is critical. It would appear that this section gives employers who own the computer system used by their employees the absolute right to monitor employee e-mail files (assuming the Fourth Amendment doesn't provide a bar). The fact that a proprietary system can be used to communicate with members of the general public by linking to the internet does not make the system one that is "provided to" the general public within the meaning of the statute. Andersen Consulting LLP v. UOP, ___ F.Supp. ___, No. 97C5501, 1998 WL 30703 (N.D.Ill., Jan 23, 1998).
* The consent exception. 18 U.S.C. § 2511(2)(d) allows interception of electronic communications when "one of the parties to the communications has given prior consent to such interception, unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State."
There is an important question that remains to be answered under this exception. Must consent be specific to an individual transmission or may the requirement be satisfied by a more general consent such as might be contained in an institutional policy that notifies users that their mail is subject to monitoring and that use of the system constitutes consent to that monitoring?
It is much more likely that the employer's access to a user's e-mail will be by retrieval from a stored archive, than from real-time interception. The ECPA also added a new section to the Wire Tap statute prohibiting access to stored electronic communications. However, 18 U.S.C. § 2701(c)(1) specifically exempts service providers from this prohibition. Thus, in Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev. 1996), the court rejected the claim of police officers that the City violated their ECPA rights when it retrieved months of messages they sent over the department's computerized paging system, stating that "§ 2701(c)(1) allows service providers to do as they wish when it comes to accessing communications in electronic storage."
Chapter 132 of the North Carolina General Statutes regulates the disposition of public records. The Public Records Law defines public records, establishes the public's right of access to those records, governs the retention and disposition of public records and provides for civil and criminal sanctions for failure to comply.
Because e-mail is so easy to use, and because of its relative informality, it is common for employees to treat it somewhat cavalierly and forget that it may, and depending on its content probably does, fall within the statutory definition of a public record.
N.C.Gen.Stat. § 132-1(a) defines the term "public record" to mean "all documents, papers, letters, maps, books, photographs, films, sound recordings, magnetic or other tapes, electronic data-processing records, artifacts, or other documentary material, regardless of physical form or characteristics, made or received pursuant to law or ordinance in connection with the transaction of public business by any agency of North Carolina government or its subdivisions." (Emphasis supplied). This is a very broad definition, and it is intended to be liberally construed in favor of public access. News & Observer Publishing Co. v. Poole, 330 N.C. 465, 412 S.E.2d 7 (1992). There can be little doubt that e-mail, if it meets the "made or received" prong of the definition, will be included within the regulatory scope of the law.(8) This is the position taken by the North Carolina Department of Cultural Resources, Division of Archives and History, which was issued a legislative mandate to regulate the disposition of public records. N.C.Gen.Stat. §§ 121-5, 132-8 - 8.2.
In its "Interim Electronic Mail Guidelines," the Division states,
The Division of Archives and History assumes that every state agency or other political unit in the State of North Carolina sends and receives electronic mail ("e-mail") or will shortly have the capability of doing so. E-mail (unless it is personal in nature) contains information of value concerning, or evidence of, the administration, management, operations, activities, and business of an office. Like paper records---such as the memoranda, correspondence, reports, and the hundreds of other types of records received traditionally, for example, through interoffice or U.S. mail or other avenues---e-mail has administrative, legal, reference, and/or archival values. The content of electronic mail is a public record (according to G.S. 121.8 and 132.1) and may not be disposed of, erased, or destroyed without specific guidance from the Department of Cultural Resources. (Emphasis supplied)
The "made or received" prong of the definitional criteria is also interpreted broadly. It is not simply limited to those records required by law, but is interpreted to include records made while carrying out the employee's lawful duties. News & Observer Publishing Co. v. Wake County Hospital System, 55 N.C.App. 1, 284 S.E.2d 542 (1981), cert. denied, 305 N.C. 302, 291 S.E.2d 152, cert. denied, 459 U.S. 803, 103 S.Ct. 26, 74 L.Ed.2d 42 (1982).
The fact that an e-mail message may contain some personal information (e.g., "Hi Harry, how's the family?") along with business content, will not remove the message from the law's reach. Nor will the fact that some of the business information may fall within an exception to the public inspection rule keep the whole message from being divulged. The exempt portions will have to be redacted. N.C.Gen.Stat. § 132-6(c), and see, S.E.T.A. UNC-CH, Inc. v. Huffines, 101 N.C.App. 292, 295, 399 S.E.2d 340, 345 (1991). This can be a very time consuming and painful process, (especially when a request is made for "all e-mail flowing into or out of the Chancellor's office," a request that was actually made to several UNC institutions).
Perhaps the most important point to be gleaned from this discussion is that the key factor in determining compliance with the Public Records Law is the content of the e-mail message, not the medium. Electronic mail is just another way of communicating information. As such, the law treats it no differently than hard copy letters, memos, etc. If the content of the e-mail brings it within the definition of a public record, it is, quite literally, a criminal act to hit the delete button unless a copy is made in some form or unless the deletion is in accordance with an approved records retention schedule.(9) The Division's Interim Guidelines go on to provide that,
[A]gencies and their offices which use e-mail should normally retain or destroy e-mail by following the provisions of a current, valid records retention and disposition schedule listing the records maintained by a particular office, filing e-mail (whether in paper or electronic format) within existing records series on their schedules and handling it according to the disposition instructions assigned to each such records series.
The length of time that e-mail must be retained should also be addressed in a records retention schedule. E-mail often contains information having only transitory value, e.g., a request for times and dates when a meeting can be scheduled. There is little reason for keeping those messages and clogging up the institution's system when there is no further useful purpose to be served. The Division also addresses this issue in its Interim Guidelines.
E-mail is also used to transmit and receive messages which may have reference or administrative value but which are simultaneously of an ephemeral, temporary, or transient nature. As such, e-mail of this kind functions in some ways like telephone calls or telephone messages. Such messages remain public records but may be treated as having a reference or administrative value which ends when the user no longer needs the information such a record contains. E-mail of ephemeral or rapidly diminishing value may be erased or destroyed when the user has determined that its reference value has ended.
Office administrators, department or unit heads, and all other state employees who use e-mail should regularly and consistently retain or delete e-mail in accord with the records series and disposition instructions, and other instructions, provided above. Retention of e-mail or any other records, whether in electronic or paper format, for longer than provided in a valid records retention and disposition schedule leads to inefficiency and waste and may subject the affected unit to legal vulnerabilities.
The Law does not address the format in which e-mail must be retained. The institution or individual user has some discretion here. A hard copy can be made and filed or, for those wishing to make the "paperless office" concept a reality, a copy can be electronically stored. However, this is one instance where the unique nature of e-mail may impose special requirements not found in more traditional communications media. The Division admonishes that,
Agencies and offices need, however, to pay particular attention to the sometimes complex requirements for the retention of e-mail for longer periods of time, i.e. e-mail of more than transient value. E-mail in this category may be retained in electronic or paper form (the latter may in some cases be the only means of providing for archival retention, for example through microfilming of paper copies), but must be retained for as long as the period specified in a valid records schedule. If retained in paper form, the copies must retain transmission and receipt data. If electronic mail is retained in electronic form, office administrators need to insure that their electronic environment (client server, mainframe computer in or outside their agency or office personal computer) assures the retention of e-mail for the required period of time. Office administrators need to insure that such systems process e-mail in accordance with records retention schedules and provide for backups, disaster recovery, physical and electronic security, and the general integrity of the system, its components, and the records it generates and maintains. Office administrators may also need to assure that office filing systems adequately provide for the proper classification of electronic files (including e-mail) in the same manner as currently provided for paper-based files. (Emphasis supplied)
The public has an absolute statutory right to inspect public records at reasonable times, and the custodian may not demand the motive or purpose behind the request. N.C.Gen.Stat. § 132-6(a), (b). As was discussed earlier, the fact that the requested records may contain confidential information does not excuse disclosure if there are portions that are not exempt. In such a case, the agency must provide a redacted version and the cost of the redaction must be borne by the agency. N.C.Gen.Stat. § 132-6(c).
Additionally, N.C.Gen.Stat. § 132-6.2(a) provides that, "Persons requesting copies of public records may elect to obtain them in any and all media in which the public agency is capable of providing them. No request for copies of public records in a particular medium shall be denied on the grounds that the custodian has made or prefers to make the public records available in another medium." For example, if the request is for copies to be provided on a floppy disk in ASCII, the request must be met if the agency is capable of providing it in that fashion. The request need not even be made in writing unless it is for an electronic database.
The cost of copying the records may not exceed the actual cost of making the copies as determined by "generally accepted accounting principles." Except in special cases where "extensive" time and labor is required, the time of the person making the copies cannot be included because this is deemed to be part of every state employee's job description. N.C.Gen.Stat. § 132-6.2(b).
The Public Records Law puts a great deal of responsibility for compliance on the "custodian" of the records in question. N.C.Gen.Stat. § 132-2 states that, "The public official in charge of an office having public records shall be the custodian thereof." This definition is not particularly helpful since the word "office" is not also defined. It could mean anybody from the agency head down to the person in charge of any department or office within the institution.
The situation is even more complicated in the case of e-mail. A copy of the e-mail message may reside in the computer of the originator or recipient, and a copy may also reside on the originator's institutional server, which is the responsibility of a system administrator. Additionally, if the recipient is a government employee, then the recipient and the recipient's system administrator may also be "custodians" of that e-mail message. As a practical matter it would seem that the originator or recipient of a requested e-mail message ought to bear primary responsibility for complying with the request. The system administrator's responsibility should be to configure the system so that users can retain e-mail as required under the institution's records retention agreement. Although every prudent system administrator makes regular back-up copies of the hard drives, the purpose of those back-ups is primarily as a safeguard against loss of information due to system failures. System administrators should not be saddled with the burden of having to keep those back-up files indefinitely, nor should they be burdened with the time-consuming responsibility of searching through those back-up files for specific messages, which could more efficiently be produced by the originator or recipient.
It is obvious that e-mail messages containing confidential information from student education records or state employee personnel records(10) should not be sent to unauthorized individuals. Care should be taken to ensure that the address is typed correctly before the "SEND" button is pressed. Further, systems used to store such messages should be encrypted or password protected.
An intriguing question is whether e-mail sent by a student through the institution's server is an educational record. This is not just an "academic" inquiry. For example, an actual question posed recently on the NACUA(11) listserve asked,
"The University of [X] has received a subpoena that asks it to produce all of a student's emails over a period of time. The student has an internet access account on the University's computer system, and our computer people were able to pull several email messages that were stored in the University's computers. We gave the student notice of the subpoena as required by FERPA. Some of the student's emails also identify other students. However, none of these emails have anything to do with her education at the University--they are entirely personal communications. FERPA defines "education record" as any records directly relating to a student that are maintained by the University. This is pretty broad, and read literally would appear to cover all of the private emails merely because they name students and are "maintained" on the University's computers. On the other hand, these records are purely private, and I doubt Congress contemplated Universities as internet providers when it defined "education records." So, what do you think? Are these computer records "education records" under FERPA, or are they private records such that the University is under no obligation to give the other students notice?"
I agree with the author that these purely private e-mails are probably not education records within the meaning of FERPA. But, if they aren't FERPA protected, then do they become public records since they were received by the University in the course of conducting the institution's business? The answer appears to be yes.
Given the ease with which some hackers can gain access to e-mail systems, can a lawyer ever use e-mail to communicate with a client? The answer is a qualified yes according to State Bar Ethics opinion, RPC 215 which addresses both the use of cellular phones and the use of e-mail for confidential communications with a client. The opinion takes a very practical and realistic view of current technology stating that, although the obligation of confidentiality applies to electronic communications, "this obligation does not require that a lawyer use only infallibly secure methods of communication so long as the responsible lawyer ascertains that procedures are in place which effectively minimize the risks that confidential information might be disclosed." Specifically, the lawyer must use reasonable care to select a mode of communication that, in light of the exigencies of the existing circumstances, will best maintain any confidential information that might be conveyed in the communication. Second, if the lawyer knows or has reason to believe that the communication is over a telecommunication device that is susceptible to interception, the lawyer must advise the other parties to the communication of the risks of interception and the potential for confidentiality to be lost.
It is important for government lawyers to remember that only communications from the attorney to the client are exempt from disclosure under the Public Records Law. N.C.Gen.Stat. § 132-1.1; News and Observer Publishing Co. v. Poole, 330 N.C. 465, 412 S.E.2d 7 (1992). Thus, clients should be advised not to respond by e-mail.
The UNC General Administration's Computer and Internet Legal Issues Committee (CILIC) has created model policies concerning the appropriate use of institutional computer systems, including e-mail systems. They are attached to this paper and may be adapted for use by any institution. Those policies attempt to incorporate most of the considerations discussed in this paper. However, they should be tailored to fit the individual institution and its culture.
This paper adopts the definition of "e-mail" set out by the Court of Appeals for the Armed Forces in United States v. Maxwell, 45 M.J. 406, 411-12 (C.A.A.F. 1996).
"E-mail is a personal communication sent directly from one [computer] user to another. The recipient need not be logged into his computer at the time the communication is sent in order to receive it. Communications may also be sent from one user to a group of users, and while many users only send mail to one user at a time, it is not uncommon for someone to send mail to 30 or 40 people at once. Once the original e-mail message has been sent, the originator of the message has no control over to whom or how many times the message is forwarded."