The email scandal that blew up in recent days when it emerged male workers at leading accountancy firm PricewaterhouseCoopers had shared a top 10 ranking of female colleagues highlights the importance of unambiguous acceptable usage policies in the workplace, a leading security expert said.
Brian Honan, security consultant with BH Consulting, said that when most people think about risks and security issues around email systems they tend to focus on security issues like spam and viruses, but it is the non-technical risks – aka, people and usage – that tend to be overlooked.
During the week it emerged that a group of male workers at PwC began grading the attractiveness of female colleagues, many of whom had just joined the firm from some of the country’s most elite universities.
It is understood a series of emails were sent to a group of male employees with pictures of as many as 13 of the young women, along with derogatory comments.
Senior management at the firm, which employs 2,000 people in Ireland, are taking the matter seriously and an investigation is under way.
“PwC regrets this situation as it has always required its people to adhere to the highest level of standards in their conduct and behaviour,” the company stated yesterday.
Non-technical email threats
Honan said the typical non-technical email risks that organisations are faced with usually begin with the leak of confidential information by email, either as attachments or copied and pasted into the body of an email.
The next threat – as demonstrated by what happened at PwC this week – is the reputational damage caused by the content of emails, such as inappropriate jokes or the use of abusive, derogatory or defamatory comments about colleagues, customers or competitors.
Another situation that could arise is the organisation – not the individual – being held responsible for the intentional or unintentional distribution of copyrighted material, such as software, music or video files, which could lead a company into a breach of copyright case.
The notorious "reply all" button or not using the BCC (blind copy) option when sending emails can lead to the exposure of other people’s email addresses which could lead to complaints, especially under the Data Protection Act, where people may feel their personal information (email address) was released without their permission.
Honan said that under the Electronic Commerce Act 2000, an email could have the same legal status as a written document, resulting in the company being obligated to agree to any terms in that email.
Another danger is that companies who have not vetted or acquired an email marketing list to ensure those on the list have given their permission to be contacted by email may find themselves accused of sending spam. This could result in fines and sanctions from the Data Protection Commissioner.
Risk of litigation
Finally, many of the above could also lead to the risk of litigation by individuals, particularly if their reputation or privacy was damaged in a significant way.
“To manage the above risks it is important that companies have clear and unambiguous acceptable usage policies for email in place, that staff are also aware of those policies and have been trained in the proper and appropriate use of email,” Honan explained.
“Companies also need to ensure that those policies are appropriate for their business and for the legal and privacy requirements in Ireland. They should also ensure that those policies are complied with, managed and indeed enforced properly and fairly,” Honan added.