One question I sometimes get asked is how to protect yourself or your business against the risks associated with email. As an administrator (or a business owner, or corporate officer, or other person who might face such risks), what steps can you can take to help protect yourself?
My first suggestion, of course, would be, "Don't hire stupid or dishonest people," but then I'm sure you already knew that. Perhaps I can offer some slightly more useful advice.
Under the American system of jurisprudence, anyone can sue anyone for anything, so of course you can be sued for an email you write or that someone sends from your corporate systems. I've been harassed and threatened with lawsuits by a crazy person who objected to something I wrote on my blog about his business; so could you be. It doesn't mean that such a suit would be valid, just that the potential exists for it to be filed. That's part of the price of admission to a nation where you get the benefits of a stable, well-established judicial system based on adversarial law. So, the first thing to know: There's no magic solution that guarantees that you (or your company; I'll just say "you" from now on) will never be sued because of something one of your users does with email.
For a bit more detailed answer, let's take a look at the case of Sandals Resorts v. Google. Basically, Sandals filed suit to force Google to disclose information about a Gmail user who wrote an email the resort company didn't like. Google won, and Sandals lost. That's good, right? Well, mostly. A little more nuanced answer requires us to dig into the facts of this particular case.
(Disclaimer: As though you didn't know this, I'm not a lawyer, and this is not legal advice.)
Sandals didn't sue the person who wrote the email; the company asked Google, the person's email provider, to find out who that person was. Google declined, and the fight was on. Anonymity is often an effective defense against bearing the consequences of what you say in email . . . but that doesn't really mean anything in the case of a user who uses their authorized access to your system to, say, send a death threat to their ex-spouse or to bad-mouth a competitor.
It's interesting to examine the grounds for the suit, too. In this particular case, Sandals claimed that the email message in question was libelous, defamed the business, and caused the company financial injury. The judge ruled against Sandals on several points. The most interesting ones are these: First, because the plaintiff didn't prove any actual financial injury, they couldn't claim that the alleged defamation had actually harmed them. Second, the judge found that the email message was clearly an expression of opinion, and would very likely be perceived as such by the recipients.
Defamation and libel require that the offender present his or her claims as fact. It's OK for me to say, "It's my opinion that Oracle makes crappy software"; couched as an opinion, my statement cannot be construed as libelous or defamatory. If I instead claimed that Larry Ellison eats small children, and presented that claim as fact, that might be defamatory (unless I could prove that it was true, not that I'm planning on trying.)
So what does this all mean? If you have users who are in fact sending out libelous, defamatory, or otherwise damaging email messages, existing case law makes it pretty clear that they can be sued, and there doesn't seem to be any case law saying that the email service provider-in this case, you or your company-can't be sued as well. If you don't have an acceptable use policy for email in place, you should draft one and do whatever you can to ensure that your users follow it.
The New York Law Journal review of the Sandals Resorts v. Google case is worth reading in depth if this sort of thing interests you, in part because it explains what you must do to write email messages that don't meet the legal standard for defamation (hint: overblown rhetorical language helps). It's also fairly entertaining in its own right.
In closing, I'd like to wish you all a wonderful Thanksgiving. Even if you don't live in the United States, feel free to take the day as an opportunity to be thankful for whatever you like. And I wish the Detroit Lions success in their annual Turkey Day outing.
