March 5, 2009

Email Disclaimer

I hate those silly disclaimers some people put on their email. I suppose that in most cases, their employers force them to add a disclaimer at the bottom of their email for "legal reasons." If you're unfamiliar with the concept, this is what I'm talking about:

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited.

If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).

I hope that no individuals are putting these disclaimers on their email without being coerced by some corporate entity.

It will not surprise you to hear that I have a number of gripes.

Firstly, the disclaimer is at the bottom of the email message. There is no guarantee that someone is going to read your whole message. How can anyone expect to hold you to an agreement of which you were not even aware? Even if you do read it, shouldn't you have to consent to an agreement? And since it's at the end of the message, you've already read the confidential information, so it's already been disseminated in violation of the agreement.

I question the legal enforceability of such a disclaimer. I expect it's just enough CYA that a company can scare you with lawyers. I hate manipulation like that.

And it's just plain unfriendly sounding, no matter when you encounter it. You get an email from a friend or colleague and at the bottom are a bunch of demands. How pleasant! You have a nice day, too.

Have you ever gotten misdirected email that had one of these disclaimers on it? I actually have, more than once. In fact, I did earlier this week. It was a fascinating story about some sort of liver and brain research, and frozen rodent carcasses were involved. Bert screwed up royally by throwing away some of the carcasses without having done the necessary brain samples. It was a whole sad tale. Happily, though, it looked like two years of research might be salvaged by some carcasses that had been shoved to the bottom of a bag in the freezer by Jason.

So, good on ya, frozen rodent carcass researchers! And congrats, Jason, for saving the day.

I'm wondering if I should put a directive at the end of each of my blog posts:

This blog post (including any images) is for the sole use of the intended reader(s) and may contain confidential and privileged information. If the reader of this post is not the intended reader, you are hereby notified that you smell like dirty socks. If you are the intended reader then you are required to laugh at my jokes, tell me how brilliant I am, and buy me a beer.

Posted by James at March 5, 2009 9:18 PM
Comments

It's very similar to the ones people put on faxes, and I am so glad you brought it up.

Does anyone know if one of these disclaimers, on a fax or on an email, ever saved someone from a lawsuit? I ask because we have a big debate in the child welfare community about people using email to conduct casework or other work with agencies, and many agencies put this caveat on their emails to cover their butts, but I am afraid it won't hold water if a client's information is disclosed and the client decides to sue.

I did a search on this once a couple weeks ago and couldn't find anything definitive. Anyone else know?

~mj

Posted by: mjfrombuffalo at March 6, 2009 7:21 AM

Wow cuz, someone piss in your sourdough starter? ;)

The statement you show seems pretty BS. Just me being a "sea lawyer" here, but you need to cite some specific (and legally defensible) reason the email needs protecting. We in the Navy are required to use "PRIVACY ACT Statements" for business emails on the unclassified side because we fling around crap like SSN's and DOB's like they're smiley faces. We're lazy and put the statement in every email signature because with the amount of email and attachments that fly around, you never know when you need to send someone Privacy Act-protected info.
I've seen several wordings.

Funny I just checked my automatic statement and it cites Title 10, USC 1102 which is confidentiality of medical records - obviously cut and pasted from an unclassified email from a DoD medical facility...so I need to change my Navy-directed statement to cite the actual Privacy Act:

5 USC 552a

I'll also actually check with a JAG and see if I can get any skinny on the actual effectiveness.

Read it all, if you have the patience and the stomach. If you want to TRY to protect private info, I can see the utility of including a statement to the effect of:

PRIVACY ACT/Confidentiality Notice: This e-mail Message, including any attachments, is for the sole use of the intended recipients and may contain information subject to The Privacy Act (5 USC 552a). Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, or you have inadvertently received this document, please contact the sender by reply e-mail and destroy all copies of the original message.

Still don't know if that has ever been tested.

mj, I don't know if the casework you speak of falls under the Privacy Act as a whole - I'm sure elements of it do. That may be an avenue to discuss with your legal counsel.

Posted by: Bull at March 6, 2009 9:08 AM

I did a quick search on it before posting this, and what I read seemed to say "it doesn't hurt, and it's cheap to do." I didn't read of any actual cases. So, nothing definitive or particularly enlightening.

Ah, but here's something:

Which brings us to the real problem with these disclaimers. By overusing them, lawyers may be undermining the effectiveness of disclaimers in protecting the confidential or privileged nature of the information in the e-mail in the (hopefully) rare event that an e-mail is misdirected (or inadvertently produced in discovery). In a recent case, Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436, 444 (2007), the court refused to find that a series of e-mails were privileged just because they contained a disclaimer that was found in every e-mail sent by the plaintiff. Lawyers are also training the world to ignore disclaimers and privilege warnings, which is precisely what we don’t want people to do.

http://lawyerist.com/2008/11/17/this-post-is-privileged-and-confidential/

Posted by: James at March 6, 2009 9:09 AM

Ugh. What I wanted to say, at the end of it all, was that the statement never ever ever relieves the author of the responsibility to CHECK WHO HE/SHE IS SENDING IT TO and make sure they and only they are getting it!

People also need to understand that you can put all the crap you want in one, but there is no such thing as a private email. Nuh-uh. Nope.

Of course, people on the receiving end also need to use their good judgment (holy crap that's a sticky term) in determining if it merits passing on and who really needs to see it, assuming it's of a business nature that's even remotely sensitive.

I'm sure our friends in the pharma industry will weigh in heavily soon...

Posted by: Bull at March 6, 2009 9:13 AM

In my continued reading, a few things are becoming more clear:

1) If you put the disclaimer on all your mail, including non-confidential and non-privileged material, you weaken your disclaimer, as evidenced by the medical records case above.

1.5) It appears that these disclaimers are overused, and the majority of communications on which they appear are not confidential. That's a problem for prosecutors.

2) While email is certainly not secure, there is an expectation of privacy similar to speaking inside your office. If people break into your email, they absolutely are responsible for those actions. However, receiving an email in error does not confer responsibilities to you, as far as I can tell. Nor should it, in my layman's opinion.

3) When information truly is confidential, a reminder to the recipient to treat it as such is useful. Ironically, that's not the purpose of these disclaimers. A "reminder" would be more appropriate, and would be addressed to the intended recipient.

4) Yes - check your recipients when sending sensitive info!

5) We have the technology to encrypt email. If we used it properly, sending to the wrong person would no longer be an issue. Yet nobody seems to be pushing to adopt this; instead we see these silly disclaimers popping up.

6) A disclaimer should only appear on truly sensitive information, and it should be the first thing a person sees in the message. And probably ought to be in the subject as well. If someone goes on to read the message, they have chosen to do so having already been warned.

Posted by: James at March 6, 2009 9:24 AM

Never, never, never, never, never, never send sensitive information in an email (or fax).

Those statements only help you if you are sending them to the right person, who is unlikely to misuse them in the 1st place.

All email is "discoverable" and can be used against you.

Even if you add a disclaimer, unless it is for a legal reason and you copy a lawyer it can be used.

If you routinely need to transfer sensitive info you should have a validated piece of software on a secure server to do so. One that people outside the company cannot get access to (except through lawsuit of course).

Posted by: B.O.B. (bob) at March 6, 2009 9:36 AM

Luckily, I myself do not have or handle personal information, but the agencies that are members of my trade organization do. The information is most definitely protected by law (not HIPAA law, but other law) and the problems are twofold:

1) workers have gotten very used to the convenience of email and so will send email with questions or information within or outside their agency regarding specific cases routinely. The information includes names and often narratives etc., for a social service field in which no one should even know that Person X *has* a case.

2) the public entities that contract this work to the agencies will often request case-specific and person-identifying information be sent via email... so even if the agency decides this information cannot be transmitted via email, the entity that pays the bills is demanding it be sent (and often sends it to the agencies too).

My problem is in getting the agency administrations to take this seriously before one of them gets sued. The general sense is "Well, we have the disclaimer on the email and we're generally only sending the information to people who are also bound by confidentiality, so it's OK." I'm thinking "no, not so much" but don't want to get an agency in trouble by pursuing it too actively with people who might report it as an "incident."

Posted by: mjfrombuffalo at March 6, 2009 3:37 PM

Copyright © 1999-2007 James P. Burke. All Rights Reserved