Your E-mail Trail: Where Ethics Meets Forensics1
JENNIFER M. MOORE
ABSTRACT
This article addresses ethical and legal issues arising from the increasing use of e-mail and other forms of instant written communication in the conduct of business. E-mail communications are often casual and informal. Yet e-mail is a written record that can be more permanent and widely accessible than a paper communication. This article focuses on the implications of this fact, including (1) how individuals compromise their own privacy by the voluntary use of e-mail; (2) how e-mail has complicated the duty of confidentiality of employees to employers, and professionals to clients; (3) whether the use of e-mail affects ethical deliberation and choice; and (4) the use of e-mail as evidence of corporate conduct and intent in civil and criminal litigation. The article suggests that e-mail users think “forensically” about their e-mail—i.e., consider its potential as evidence in the context of other emails and underlying events—before pressing the “send” button.
Jennifer M. Moore, JD, PhD, is a partner at Epstein Becker & Green PC, New York.
Business and Society Review 114:2 273–293
© 2009 Center for Business Ethics at Bentley College. Published by Blackwell Publishing, 350 Main Street, Malden, MA 02148, USA, and 9600 Garsington Road, Oxford OX4 2DQ, UK.
INTRODUCTION
It means a great deal for me to be here this week. I started my professional life at Bentley University as an adjunct professor in philosophy in the early 1980s, at a time when business ethics had just begun as a field of study. When I told people I taught business ethics, they invariably responded, “Isn’t that an oxymoron?” I want to thank Dr. Michael Hoffman for hiring me those many years ago, and for his dedicated work for over three decades, which has made business ethics no longer an oxymoron, but a standard part of the education and development of business managers. I would also like to thank Verizon Communications for its generosity in sponsoring this lecture and Visiting Professorship, which bring together academics and practitioners. It is the commitment of companies like Verizon that helps make corporate integrity, responsibility, and accountability not just slogans, but operating principles in the conduct of business.
Let me tell you a bit about my background and how it has influenced my thinking about business ethics. I spent the early part of my career as a philosopher and business school professor teaching and writing about issues in corporate ethics. I also read extensively in law journals and judicial opinions. I became interested in the law because I found that judges who were required to resolve real-world cases were struggling with many of the same concepts studied by philosophers working in ethics and social and political philosophy: individual and organizational intent, responsibility, and deliberation, and the relationship between individual and organizational responsibility.
I went to law school and then clerked for a federal judge at the trial court level. As a result of this experience, I decided to become a practicing lawyer. For 10 years I served as a federal prosecutor in Manhattan, where I focused on investigating and prosecuting “white-collar” criminal cases. Three years ago, I left the government and returned to private practice. I now spend my time representing corporations and individuals that are the subjects of civil and criminal white-collar investigations, conducting internal investigations at the request of organizations, and advising corporations and their leaders on ethics and compliance.
I will be speaking to you today about some ethical, legal, and philosophical issues that arise from the increasing use of e-mail in the conduct of business. My comments also apply to other forms of instant, written communication, such as instant messaging and text messaging. A great deal of ethical discussion related to computers has focused on privacy and confidentiality issues posed by the ability of unauthorized persons (e.g., “hackers” or identity thieves) to get access to electronic information and communications that belong to, and are kept private by, others. Although these issues are of great importance, they are not my main focus today. Rather, I want to focus on the ways in which individual computer users compromise their own or others’ privacy or confidentiality by voluntarily creating and sending instant electronic communications that are legitimately accessed by other people. I suggest that the use of e-mail and other instant forms of electronic written communication in business can compromise our ability to control the distribution of certain information about ourselves that was previously private or shared with a limited few.
Some of these compromises result from technological features of e-mail that increase the likelihood that a communication intended for one recipient or group of recipients will be received and read by others for whom it was not intended. They make it more difficult to keep information private and contribute to the larger trend in which maintaining privacy is increasingly a matter, not simply of refraining from disclosure, but also of affirmatively preventing dissemination of information. Simple examples are the “autocomplete” function and the sheer ease and speed of sending e-mail. In part because of these technological factors, preserving confidentiality no longer consists of merely limiting the disclosure of information. Affirmative steps are required to prevent disclosure to inappropriate persons.
Other issues arise from the style and content of many e-mails. Anyone who reads the headlines knows that even at work, e-mail users seem to feel comfortable sharing thoughts, feelings, and information that they never would have recorded in writing and disseminated before the advent of e-mail. These e-mails have the potential to disclose to unintended recipients parts of the self that have traditionally been private and not subject to public exposure. Such e-mails can become the basis for inferences made by others about the sender’s intent or character, and can result in public embarrassment, loss of reputation, loss of job, or even civil or criminal liability, both for the individual sender and the organization. The results are particularly dramatic in criminal law, where proof of intent is a necessary requirement for liability. It is no surprise that e-mail has become the “smoking gun” of choice in today’s white-collar prosecutions. Before the advent of instant electronic communications, the statements in many of these “smoking gun” e-mails most likely would have remained internal or would have been expressed orally to only a trusted few. It is unlikely that the senders would have been held to these statements in a court of law.
The issues raised by these features of e-mail and the way it is used are different in kind, not just in degree, from those raised by more traditional written business communications. To address these issues, we need to ask: What is the impact of the way we use e-mail on our ability to manage our identity, relationships, and roles? What is the scope of the duty of confidentiality in an age of e-mail and electronic data? When is reflecting on or proposing a course of action preliminary or deliberative, and when does it mature into intent? Does the use of e-mail have an effect on the deliberative process of individuals or organizations?
It is clear that although business people are now communicating routinely by e-mail, they frequently approach this form of communication with a casualness that denotes a lack of awareness of the seriousness that should be accorded to it, given its potential longevity and its value as evidence in lawsuits. From this perspective, I would suggest that the “forensic perspective” can provide a useful deliberative and self-assessment tool when considering our e-mail conduct.
HOW E-MAIL IS DIFFERENT
Written Records in a Conversational Style
The use of e-mail in business raises new questions because e-mail differs in important ways from letters and memoranda, the traditional forms of written business communication. Written communications may be created for several different reasons: to make a complex matter clear, complete and precise; as an aid to memory for both writer and recipient; to create a record that the communication took place; and to avoid the need to rely on oral testimony should a dispute about the contents ever arise. As a consequence, written communications have a credibility and evidentiary weight that oral communications, which are temporary, fleeting, and vulnerable to memory lapse, do not. United States law recognizes the importance of written communications by requiring certain kinds of agreements to be in writing in order to be enforceable.2 In arm’s-length business dealings, people are assumed to mean what they have said in writing, and are held to what they have written. A written statement is thought to commit the writer in a way that an oral statement does not. As a result, traditional business letters and memoranda were, and are, formal, deliberate, and precise.
E-mail, in contrast, arose in the personal context as a form of spontaneous, casual, off-the-cuff communication. E-mail is often conversational in style and tone, and is frequently used for the same kinds of communications that take place in person or over the telephone. Its main advantage is speed and low cost. Generally written quickly and sent within seconds with the touch of a button, it may not be fully thought out or well-articulated. Although it may appear complete, it often does not present the sender’s final position on a topic. It may be merely a form of “thinking out loud,” as in a conversation. Before the advent of e-mail, most people would never have thought to write down these communications. Now they often choose to write them rather than say them.
Although e-mail is conversational, it lacks the interpretive aids of face-to-face conversation, such as tone of voice, body language, and facial expressions. The electronic substitutes—“emoticons,” such as smiley faces, and abbreviations meant to indicate tone—are poor substitutes. Nor does e-mail usually include the compositional elements that help the reader determine tone and meaning in more formal writing. Accordingly, e-mail is easily misunderstood by the reader.
Sent in Haste, Repented at Leisure
Traditional forms of written communication, such as letters, take time to compose, revise, and send. During this time the writer has several opportunities to reflect on the letter’s form, content, and the advisability of sending a letter at all. E-mail, however, is usually composed quickly, often without editing, proofreading, or reflection, and can be sent instantaneously with the touch of a button. Normally, within minutes of its being sent, an e-mail appears in the inbox of the recipient. Despite the “recall” function on many e-mail programs, there is no reliable way to retract an e-mail before it is seen by the recipient.
E-mail is also easily misaddressed. Both electronic address books, which may hold addresses of several people with the same name, and the “autocomplete” function, which “recognizes” a name from the first few letters typed in the “to” field, are culprits here. In one well-known case, the New York Times reported that an attorney for Eli Lilly mistakenly sent a confidential e-mail about a settlement in a government investigation to a reporter for the Times, rather than to the intended recipient, another lawyer involved in the case with the same last name as the reporter.3 Most e-mail users have had the experience of sending an e-mail to the wrong person. “Snail mail” is far more difficult to misaddress.
The following e-mail was sent by Jonas Blank, a summer associate at top New York City law firm Skadden Arps. Summer associates are second-year law school students who are hired for the summer so that the law firms can evaluate whether to offer the student a full-time job after graduation. Blank wrote this e-mail to a friend—but also mistakenly e-mailed it to 40 other people in the firm, including 20 partners.4
I’m busy doing jack s***. Went to a nice 2 hr sushi lunch today at Sushi Zen. Nice place. Spent the rest of the day typing e-mails and bulls***ing with people. Unfortunately, I actually have work to do—I’m on some corp finance deal, under the global head of corp finance, which means I should really peruse these materials and not be a f*** . . .
So yeah, Corporate Love hasn’t worn off yet . . . But just give me time . . .
JLB
Blank’s e-mail was opened almost immediately by the recipients and was forwarded to Human Resources, as well as to friends outside the firm. Within a day or two virtually every New York lawyer had received a copy from a friend or had read about it in the news.
The following is Blank’s follow-up e-mail:
I am writing you in regard to an e-mail you received from me earlier today. As I am aware that you opened the message, you probably saw that it was a personal communication that was inadvertently forwarded to the underwriting mailing list. Before it was retracted, it was received by approximately 40 people inside the Firm, about half of whom are partners.
I am thoroughly and utterly ashamed and embarrassed not only by my behavior, but by the implicit reflection such behavior could have on the Firm.
The addressing of the e-mail was obviously an honest mistake. The content of the e-mail was inappropriate, showed a total lack of discretion, responsibility and judgment, and undoubtedly did my reputation and my future here no favors. It showed disregard for the Firm’s policies and procedures and for the very explicit speech that all summer associates were given about personal responsibility and using good judgment at the start of their training.
The appropriate parties, including Hiring Partner Howard Ellin and Hiring Director Carol Sprague, are aware of the incident and working with me to deal with it appropriately.
Although I cannot change what you and the other recipients saw, I do reiterate my sincerest apologies. I do and will take full responsibility for my actions in this incident, and I will do everything I possibly can to correct my mistakes and, more importantly, ensure that this and things like it will not happen again.
With sincere regret,
Jonas L. Blank5
You may have little sympathy with Blank because his embarrassment was largely because of his own carelessness. The incident does not pose a traditional “privacy” issue in the sense of protecting confidential information from assault from the outside. Nevertheless, the Blank e-mails illustrate an important aspect of privacy. One of the most striking things about these two e-mails is the difference in their style, tone, and composition. The second one is recognizable as a formal business communication; the first is not. Which e-mail represents the “real” Jonas Blank? Cynics may suggest the first one, but the more likely answer is “both.” Blank’s partners were simply never intended to see the face he showed his friend. Absent the e-mail, they were not entitled to see it, and almost certainly would never have done so.
As Sissela Bok noted in her book, Secrets, privacy plays an important role in the definition and regulation of a person’s relationships with others.6 What you communicate to friends is not necessarily something you would choose to communicate to your employer. Moreover, this is not necessarily because you have “something to hide,” but because maintaining a zone of privacy gives you a degree of control over your role, relationship, and identity, which you would not have if everyone were aware of all available information about you.7 The choice is part of what makes it possible to be intimate with your friend and to be professional with your employer. Blank’s misdirected e-mail caused a spillover of his personal life into his professional identity. Privacy also protects from disclosure one’s thoughts, inclinations, and intentions, which in turn fosters autonomy and which provides some protection against manipulation and control by other people.
Luckily for Blank, his personal e-mail resulted in embarrassment for him, but no harm to his law firm. But the e-mails of individuals in a business may represent more than their own personal thoughts and statements. Organizations are legal fictions that can act and speak only through their employees. Under corporate criminal law, acts of a corporation’s agents or employees, done in the course of their employment, for the benefit of the corporation,8 are imputed to the corporation for purposes of criminal liability. Employees do not have to be high-level executives for their statements or conduct to bind the corporation.
An e-mail itself may constitute an act attributable to the corporation. In a well-publicized case in 1995, for example, female employees at Chevron brought a sexual harassment suit against the company, charging that it created, or failed to prevent, a hostile working environment for women. One of the principal pieces of evidence was a “personal” e-mail circulated among 25 men at the company listing “25 reasons why beer is better than women.” Chevron ultimately paid $2.2 million to settle the lawsuit.9
E-MAIL AND THE SCOPE OF THE DUTY OF CONFIDENTIALITY
Not only is e-mail easily misdirected, it also proliferates more rapidly and widely than traditional, hard-copy written communications. Once an e-mail is received by a recipient, it is a freestanding document and the user has no control over its ultimate destination. It can be forwarded easily and at almost no cost; it can be posted to a blog or message board and become available to the public. E-mail, then, makes it much more difficult for both individuals and corporations to maintain privacy and confidentiality.
Confidentiality is vital in business for many different reasons. Professionals such as doctors, lawyers, accountants, and psychiatrists have legal and ethical duties to preserve the confidentiality of client confidences in order to encourage the candor that is necessary for them to provide their professional services. Employees generally have ethical and legal duties of confidentiality and loyalty to their employers that require them to maintain the confidentiality of information belonging to their employer, such as patented inventions, trade secrets, nonpublic financial information, customer lists, business strategy, and marketing information, among others. Organizations must be able to maintain the confidentiality of this information if they are to compete economically and profit from the sale of their products and services.
Corporations also have legal duties to safeguard the confidentiality of certain types of customer information. For example, the Gramm-Leach-Bliley Act10 contains provisions restricting the sharing of customers’ personal financial information and requires covered financial institutions to have systems in place that safeguard that information. The privacy provisions of the Health Insurance Portability and Accountability Act establish regulations for the use and disclosure of “Protected Health Information” (PHI), that is, information about the health status, provision of health care, or payment to health care that can be linked to an individual.11
Before the advent of electronic data storage and electronic communications, the duty of confidentiality was primarily the negative one of refraining from disclosure. Information was known to a limited group unless affirmative, sometimes costly, steps were taken to publicize the information. Advances in the capture and storage of electronic data, and the ability to transmit it rapidly using e-mail and other forms of electronic communication, have changed the scope of the duty of confidentiality. Increasingly, confidential information is becoming public, and preventing dissemination has become the affirmative and more difficult task.
Certain habits of e-mail users increase the likelihood that e-mail will be forwarded to individuals who were never intended to be recipients. For example, use of the “Reply to All” function sends messages to everyone who was copied on the original message, often unnecessarily. In addition, in order to avoid looking up e-mail addresses, many users often start a new e-mail exchange by replying to an earlier e-mail from the recipient. These practices result in long e-mail “chains” that distribute information widely to employees who are not authorized to have the information or for whom it is not relevant or important. This can have significant legal consequences.
In a recent case, forwarding an e-mail “chain” outside the circle of employees for whom it was relevant resulted in the loss of the corporation’s attorney–client privilege. As you may know, confidential communications between a client and an attorney, for the purpose of giving or receiving legal advice, are legally protected from disclosure unless the client consents to the disclosure or certain exceptions apply. Corporate clients are protected by the attorney-client privilege as are individuals. For a corporate client to receive the protection of the privilege, however, many jurisdictions require the corporation to restrict privileged communications to the small group of employees who need to review it in order for the corporation to be effectively represented (such employees are referred to as being “within the scope of the privilege”). In Muro v. Target Corp., 2007 WL 1630407 (N.D. Ill. November 28, 2006), an e-mail addressed by counsel to Target personnel within the scope of the privilege was later forwarded via an e-mail “chain” to a nonlawyer outside the privilege’s scope. The e-mail was marked “Confidential. Attorney–client privileged communication. Do not forward without author’s consent,” but the court held that forwarding the e-mail outside the privileged circle defeated Target’s claim that the communications were confidential, and ordered Target to disclose the document to its opponent in the litigation.12 In law, lack of care in protecting privacy may waive the right to have the information later treated as confidential.
Many people do not realize that the threat to confidentiality is increased when electronic communications are used to transmit files such as word processing files or spreadsheets. Many electronic documents contain hidden data that reveal more information than meets the eye. This data—called “metadata,” or data about data—reveals information that is not evident from the face of the document, such as the author, date of creation, and changes made during the life of the document. Sophisticated recipients can use forensic software to unlock the secrets of metadata, gaining access to information that was never meant to be transmitted, unless steps are taken to eliminate or conceal the metadata, which can be done through various software programs.
ORGANIZATIONS: MANAGING THE RISK
Not surprisingly, most organizations have taken steps to reduce the risks of e-mail by adopting comprehensive electronic communication policies, which are designed to protect the organization’s control over its own identity and reputation, prevent the loss of trade secrets and confidential information, prevent breach of organizational duties to stakeholders, and detect and prevent unlawful conduct by employees. Because organizations act only through their employees, these measures involve greater or lesser restrictions on the privacy of individual employees. Electronic communications policies usually include one or more of the following:
1. Restrictions limiting the personal use of e-mail and the Internet;
2. Policies forbidding harassing, offensive, threatening and other illegal communications, such as those that violate privacy law or copyright law;
3. Monitoring of e-mail and Internet use;
4. Blocked access to personal web-based e-mail; and
5. Blocked access to external blogs and certain Internet sites (e.g., pornographic, sexist or racist, personal networking, gambling, or shopping sites).
Monitoring is generally conducted using a combination of automation and manual review. Software programs are available to flag risky e-mails, which can then be viewed by investigators or compliance professionals. According to the 2007 Electronic Monitoring and Surveillance Survey by the American Management Association (AMA) and The ePolicy Institute, 43 percent of companies retain and review employee e-mails. Another 45 percent track the content, keystrokes, and time spent by employees at the keyboard.13 Of the 43 percent of companies that monitor e-mail, the survey reports, 73 percent use technology to automatically monitor e-mail and 40 percent assign an individual to manually read and review e-mail.
Because the U.S. Constitution protects individual privacy only against intrusions by the federal government, not private parties, employees have no constitutional right to privacy as to nongovernmental employers. Some privacy protections are provided by statute, such as the Electronic Communications Privacy Act of 1986. However, these protections are generally not available when the employer provides employees with e-mail service through a company-owned system, or when the employee consents to monitoring by using the company-owned system after having been clearly informed of e-mail monitoring. According to the AMA, 83 percent of organizations do notify their employees that monitoring is taking place.14 Some do so through employee handbooks; others provide a notice in a pop-up box on the company’s computer screen informing employees that the monitoring is a condition of use of the company’s computer system.
Employees, then, may have no reasonable expectation of privacy in their e-mail or in records of their web traffic to the extent it takes place at the workplace through servers belonging to their employer. This is true even if the company system is used to access the employee’s personal ISP in order to check his or her e-mail.
Because organizations act through individuals, and have both legal and ethical responsibilities, there are strong arguments in favor of a degree of transparency and control over the business communications of managers and employees. These e-mails are the communications of the organization. On the other hand, monitoring reduces employee privacy and exposes the writer’s thoughts, emotions, and intentions in an unprecedented way. The monitoring of personal e-mail is also controversial. These issues are currently the subject of vigorous debate by lawyers, policymakers, and academicians. Monitoring employee e-mail has the capacity to significantly change the relationship between employer and employees.
Currently the law resolves the tension in favor of employer monitoring in part on the ground that the employee has consented to it. Provided they are informed that monitoring is taking place, courts reason, employees can minimize the disclosure of personal information. E-mail is not the only means of communication in the workplace. Employees can pick up the telephone for personal matters.15 The consent argument becomes less persuasive the more employers choose to monitor, and the more indispensable e-mail becomes as a form of business communication. However, employees can also preserve a level of privacy by writing e-mail more judiciously, with the awareness that e-mail may be treated with the same seriousness as a more formal written business communication and may be widely disseminated. Arguably, employees have an obligation to their organization to write e-mails that are professional and well-written.
Increasingly, employers have access to technological solutions such as software that flags high-risk e-mail for review, encryption software that can be used to protect confidential communications or data transmissions, and “scrubbers” that determine when an e-mail or attachment poses a high risk of transmitting metadata that could reveal confidential information. These solutions could be used to reduce the need for company monitoring. However, each of these options reduces the speed and efficiency of e-mail, and increases its cost.
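A sketch of the check a metadata “scrubber” gate performs on a word-processing attachment before it leaves the organization, covering the hidden author, date, and change data described earlier. This is an added example, not code from the article; it assumes the attachment is an Office Open XML (.docx) file, and the sample document, names, and flag labels are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{" + NS["w"] + "}"
MAX_PART_BYTES = 5 * 1024 * 1024  # refuse absurdly large parts instead of parsing them
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "revision": "cp:revision",
}


def _read_xml(archive, name):
    """Parse one package part; refuse oversized parts and any DTD."""
    if archive.getinfo(name).file_size > MAX_PART_BYTES:
        raise ValueError(name + ": part too large to inspect")
    raw = archive.read(name)
    if b"<!DOCTYPE" in raw:  # OOXML parts carry no DTD (byte check assumes UTF-8)
        raise ValueError(name + ": unexpected DTD")
    return ET.fromstring(raw)


def inspect_docx(data):
    """Collect the metadata a recipient could read from a .docx attachment."""
    report = {"core": {}, "insertions": [], "deletions": [], "has_comments": False}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        names = set(archive.namelist())
        if "docProps/core.xml" in names:
            root = _read_xml(archive, "docProps/core.xml")
            for key, path in CORE_FIELDS.items():
                node = root.find(path, NS)
                if node is not None and node.text:
                    report["core"][key] = node.text.strip()
        if "word/document.xml" in names:
            body = _read_xml(archive, "word/document.xml")
            # Tracked changes stay in the file until accepted or rejected.
            for tag, text_tag, bucket in (("ins", "t", "insertions"),
                                          ("del", "delText", "deletions")):
                for change in body.iter(W + tag):
                    text = "".join(t.text or "" for t in change.iter(W + text_tag))
                    report[bucket].append({"author": change.get(W + "author"),
                                           "date": change.get(W + "date"), "text": text})
        report["has_comments"] = "word/comments.xml" in names
    return report


def findings(report):
    """Flags a pre-send check would raise for this attachment."""
    core, flags = report["core"], []
    creator, editor = core.get("creator"), core.get("last_modified_by")
    if creator or editor:
        flags.append("identity-metadata")
    if creator and editor and creator != editor:
        flags.append("edited-by-other-author")
    if report["deletions"]:
        flags.append("tracked-deletions-recoverable")
    if report["insertions"]:
        flags.append("tracked-insertions")
    if report["has_comments"]:
        flags.append("comments-part-present")
    return flags


def build_sample_docx():
    """Constructed sample: only the parts this check reads, not a full Word file."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        "<dc:creator>Individual A</dc:creator>"
        "<cp:lastModifiedBy>Individual B</cp:lastModifiedBy>"
        "<dcterms:created>2009-03-02T14:05:00Z</dcterms:created>"
        "<dcterms:modified>2009-03-04T09:30:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    document = (
        f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
        "<w:r><w:t>Proposed price: </w:t></w:r>"
        '<w:del w:id="1" w:author="Individual B" w:date="2009-03-04T09:28:00Z">'
        "<w:r><w:delText>4.2M, our floor is 3.5M</w:delText></w:r></w:del>"
        '<w:ins w:id="2" w:author="Individual B" w:date="2009-03-04T09:29:00Z">'
        "<w:r><w:t>4.2M</w:t></w:r></w:ins>"
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docProps/core.xml", core)
        archive.writestr("word/document.xml", document)
    return buf.getvalue()
```

On the constructed sample the deleted sentence is invisible in the displayed text but is returned in full under `deletions`, which is the disclosure a scrubber is meant to stop.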
THE USE OF E-MAIL AS PROOF OF INTENT
The adoption of e-mail as a means of business communication has led to another recent development: the use of business e-mails as proof of intent in litigation. This trend, which started with white-collar criminal cases, has now spread to civil regulatory enforcement cases and private litigation.
When corporations and their employees are accused of criminal conduct, the key evidence is not typically fingerprints, bloodstains, or bullet trajectories. The primary dispute in white-collar criminal cases is often about intent. Criminal liability, like moral responsibility, requires not merely a “bad act,” but also a “guilty mind.” A statement may be false, for example, but it is not fraudulent unless the speaker knew it was false and intended to defraud the listener of something of value. Intent, knowledge, or agreement with others to carry out an illegal act may all be “elements” of a crime, for example, facts that a prosecutor must prove to the jury beyond a reasonable doubt before the jury can properly convict the accused. When the accused is a corporation, intent is found by imputing the intent of an individual employee or employees to the organization.
Traditionally, intent, knowledge, and agreement have been difficult to prove. Other than an admission by the accused, there is no direct evidence of intent. Intent must be inferred from circumstantial evidence, including actions, witness testimony, and formal business documents. Today, prosecutors and other litigants turn to e-mail for spontaneous, uncensored communications that are memorialized in writing and arguably demonstrate intent.
In 2005 and 2006, for example, in the course of an investigation into leaks by the company’s Board of Directors, Hewlett-Packard’s internal investigators hired an outside private investigation (“PI”) firm to investigate the leaks. The PI firm, in turn, obtained telephone records through “pretexting,” that is, a subterfuge in which investigators contact the telephone company and trick employees into providing the records by posing as the individuals whose telephone records they are seeking. Kevin Hunsaker, an HP lawyer who was in charge of the investigation, reportedly e-mailed one of HP’s internal investigators to ask if obtaining the phone records was “above board,” and was advised that the PI firm obtained the phone records “under some ruse.” The investigator described the technique as “on the edge but above board.” Hunsaker’s reply, “I shouldn’t have asked,” was key to establishing that he knew or should have known that the practice was fraudulent.16
In the WorldCom case, an e-mail from CFO Scott Sullivan to CEO Bernie Ebbers helped prove that Ebbers knew of the massive fraud to conceal losses by WorldCom. Sullivan wrote:
[WorldCom’s monthly revenue reports are] getting worse and worse. [The] copy that you and I have already had accounting fluff in it . . . all one-time stuff or junk.
The e-mail was a significant link in a chain of evidence that led to Ebbers’ conviction and his sentencing to 25 years in prison.17
The use of e-mail to conduct business results in an enormous increase in the amount of evidence available in legal cases. In some cases, it may appear as if every step of the offense has been documented in e-mail. E-mail can be used to create a timeline of the offense, to identify who knew what, when, and to determine who spoke to whom for purposes of identifying members of a conspiracy. It provides a road map of the case for prosecutors. In some cases, additional evidence may be obtained from e-mail by forensic analysis. The name of the creator, date of creation and editing, names of recipients, and changes made may be recoverable. In one of my cases, forensic analysis showed that a document that seemed to be written solely by Individual A had in fact been edited by Individual B, a fact that proved guilty knowledge on the part of B.
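How such a timeline is assembled from message headers, as an added example that is not part of the original article: the messages, addresses, and function names are constructed for illustration. The Date header is taken at face value here even though it is written by the sender's system, so an examiner would corroborate it against server-side records.

```python
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample messages, deliberately out of order and in three time zones.
RAW_MESSAGES = [
    """\
From: Carol <carol@example.com>
To: Dave <dave@example.com>
Date: Tue, 03 Mar 2009 09:05:00 +0100
Message-ID: <m3@example.com>
In-Reply-To: <m2@example.com>
Subject: Fwd: RE: Q1 numbers

FYI, see below.
""",
    """\
From: Alice <alice@example.com>
To: Bob <bob@example.com>
Date: Mon, 02 Mar 2009 17:30:00 -0500
Message-ID: <m1@example.com>
Subject: Q1 numbers

Draft attached.
""",
    """\
From: Bob <bob@example.com>
To: Alice <alice@example.com>
Cc: Carol <carol@example.com>
Date: Mon, 02 Mar 2009 14:45:00 -0800
Message-ID: <m2@example.com>
In-Reply-To: <m1@example.com>
Subject: RE: Q1 numbers

Looping in Carol.
""",
]


def build_timeline(raw_messages):
    """Return one event per message, ordered by send time normalized to UTC."""
    events = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        when = parsedate_to_datetime(msg["Date"])
        if when.tzinfo is None:  # a "-0000" zone parses as naive; read it as UTC
            when = when.replace(tzinfo=timezone.utc)
        rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        events.append({
            "utc": when.astimezone(timezone.utc),
            "id": (msg["Message-ID"] or "").strip(),
            "parent": (msg["In-Reply-To"] or "").strip() or None,
            "sender": parseaddr(msg["From"])[1].lower(),
            "recipients": sorted({addr.lower() for _, addr in rcpts if addr}),
            "subject": msg["Subject"],
        })
    # Sorting on wall-clock time would place Bob's 14:45 reply before
    # Alice's 17:30 original; sorting on UTC restores the real order.
    return sorted(events, key=lambda e: e["utc"])


def first_exposure(timeline):
    """Who knew what, when: earliest message each address sent or received."""
    seen = {}
    for event in timeline:
        for address in [event["sender"], *event["recipients"]]:
            seen.setdefault(address, (event["utc"], event["id"]))
    return seen


def contacts(timeline):
    """Who spoke to whom: every (sender, recipient) pair in the collection."""
    return {(e["sender"], r) for e in timeline for r in e["recipients"]}


def missing_parents(timeline):
    """Replied-to Message-IDs absent from the collection (gaps to chase)."""
    have = {e["id"] for e in timeline}
    return sorted({e["parent"] for e in timeline
                   if e["parent"] and e["parent"] not in have})
```

`missing_parents` matters in practice because a reply whose parent is absent points to a message that exists somewhere else, such as another custodian's mailbox or an archive.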
E-mail has significantly changed the landscape of white-collar litigation. It has played a role in almost all of the high-profile white-collar criminal cases of the past 10 years.18 Investigators and other litigants now often begin an investigation by issuing subpoenas requesting all of the e-mail traffic relevant to the subject under investigation or litigation, as well as for more traditional business records. With limited exceptions, United States law requires that these materials be produced. The e-mails are then reviewed and culled to identify those that produce the most powerful case.
Electronic discovery law now requires that steps be taken to preserve all documents, including all e-mail and other electronic documents, when the company becomes “reasonably aware” that litigation is a possibility.19 This involves ensuring that electronic documents are not destroyed by routine procedures that are part of the company’s document retention program, which determines when documents are destroyed and sets forth protocols for destruction. Because the costs of responding to requests for documents in litigation and the suspension of a company’s document retention program are so high, many companies have begun to retain documents, including e-mail, for longer periods of time, making it more likely that e-mail can be retrieved.
Frequently, individuals or corporations conclude that deleting inculpatory e-mail will protect them against an inference of bad intent. This assumption is usually incorrect. Although e-mail is fleeting and electronic, it is usually more difficult to destroy than a hard-copy document. Even when an e-mail is deleted from a user’s inbox or sent folder, it can frequently be found on a backup tape or in the company’s e-mail archives. Regulations in some industries require members to save all communications for a particular statutory period, such as seven years. E-mail may also be present in the inbox, sent folder, or hard drive of a direct or indirect recipient of the e-mail, or on a PDA, home computer, laptop, or thumb drive. Finally, hard drives may contain deleted e-mails or fragments of deleted e-mails, because deleted data remains on a hard drive until it is overwritten. Such material can be recovered by a forensic e-mail program.
The attempt to eliminate a “smoking gun” e-mail may itself become a “smoking gun,” suggesting consciousness of guilt. The destruction of evidence or the inability to produce evidence can itself be a source of liability, potentially resulting in charges of obstruction of justice, spoliation of evidence, or an instruction to the jury that the missing evidence, if found, would be unfavorable to the side that failed to produce it. The most significant illustration of the risks of destroying evidence in recent history is the Arthur Andersen case. The accounting firm, which handled Enron’s accounts, was under investigation for its role in the Enron fraud. Reportedly, massive destruction of documents relating to Enron began following this e-mail:
To: Michael Odom [partner in Arthur Andersen’s Houston office]
Date: October 12, 2001
It might be useful to consider reminding the engagement team of our documentation and retention policy. It will be helpful to make sure that we have complied with the policy. Let me know if you have any questions.
Nancy Temple (In-house counsel for Arthur Andersen)20
Arthur Andersen was indicted and convicted of obstruction of justice. The verdict was later overturned as a result of an erroneous jury instruction. By that time, however, Andersen had dissolved.
ETHICAL DELIBERATION AND SELF-ASSESSMENT
E-mail makes a compelling centerpiece for a legal case. It is not clear, however, whether e-mail can always bear the evidentiary weight placed on it. As noted earlier, e-mail is not always clear or precise. An e-mail can be ambiguous. It may be intended as a joke. E-mail shares some of the characteristics of conversation. Arguably, individuals should not be held to every statement expressed in an e-mail because some of these may be merely preliminary or exploratory, part of the deliberation process rather than final positions. Ethical deliberation, for individuals and particularly for corporations, necessarily involves sharing and discussing thoughts, opinions, and arguments, including, in some cases, arguments that may ultimately be rejected as unethical or illegal. These thoughts may continue to evolve without the new view ever being communicated in an e-mail. Therefore, it is important when using e-mail to prove intent that the e-mail is assessed in light of the sender’s overall course of conduct, and in the context of other e-mails relating to the offense as a whole. To treat each e-mail as representative of the sender’s intent may prematurely “freeze” deliberation, chill the deliberative process, and result in inferior decisions.
An important question is whether the use of e-mail affects the process of deliberation itself. Does making a statement in writing and sending it to others commit the sender to the statement—both in the eyes of recipients, and the sender’s own eyes—in a way that expressing it orally might not have done? Does weighing in on a decision electronically from one’s own office, physically isolated from others, create a distancing effect that insulates the individual from the full meaning of his or her conduct? An electronic dialogue does not provide the immediate and emotional feedback that an in-person meeting provides. Arguably, the feeling of empathy—an important element of ethical deliberation—becomes more difficult when one is alone with one’s computer. Finally, deliberation by e-mail may contribute to a fragmented or diminished sense of responsibility, in which no one individual feels responsible or accountable for a course of conduct because it is not solely attributable to any one person—a tendency that is already a feature of organizational decision making. These questions merit further study, but anecdotal evidence suggests that individuals are willing to say and do things in cyberspace that they might not say or do in person.
E-mail is such powerful evidence because it is in writing. A person may debate the meaning of a particular e-mail, but one cannot easily disavow statements memorialized in an e-mail. E-mail does not exist in a vacuum. It is created in a larger context that includes the background facts. Its meaning depends on this background and on an “e-mail trail” that includes prior e-mail received and sent by the same sender or recipient or by other key individuals. To understand it, it is necessary to think “forensically,” that is, to consider its evidentiary value, which depends on the larger context in which it takes place. Thinking forensically does not come naturally to most people. Indeed, it has been widely noted that people in organizations do not always understand the choices facing them as ethical choices at all. Patricia Werhane has called the failure to connect values to actual conduct a failure of the “moral imagination.”21 I suggest that people with limited moral imagination also have difficulty seeing and understanding how their actions relate to an overall course of conduct and how it is connected to the conduct of others. The following e-mail, for example, seems uncontroversial on its face:
To: Marty Bahamonde
Date: August 31, 2005, 12:24
Thanks for the update. Anything specific I need to do or tweak?
Michael Brown
The assessment changes upon reading the original message from Bahamonde to which Federal Emergency Management chief Brown responded:
To: Michael Brown
Date: August 31, 2005, 12:20
Sir, I know that you know the situation is past critical. Here are some things you might not know.
Hotels are kicking people out, thousands gathering in the streets with no food or water. Hundreds still being rescued from homes.
The dying patients at the DMAT tent being medivac. Estimates are many will die within hours. Evacuation in process. Plans developing for dome evacuation but hotel situation adding to problem. We are out of food and running out of water at the dome, plans in works to address the critical need.
FEMA staff is OK and holding own. DMAT staff working in deplorable conditions. The sooner we can get the medical patients out, the sooner we can get them out.
Phone connectivity impossible.22
Brown is reported to have sent other flippant e-mails in response to communications about the Katrina disaster as well.23 Ultimately he became the subject of a Congressional investigation into his leadership.
Thinking “forensically” is not unlike other thought experiments that encourage people to take an objective view of their own actions, such as “How would you feel if your conduct were pub- lished on the front page of The New York Times?” or “How would you feel if someone did that to you?” Thinking forensically requires the deliberator to consider their e-mail as one piece of evidence, and to link it with other e-mails, and the underlying conduct.
Once this evidence is laid out and considered, it is easier to take an objective point of view. Thus, thinking forensically helps to develop a sensitivity not only to the ethical import of one’s e-mail, but of one’s conduct as a whole. My purpose here is not to suggest that you should hide things or write dishonest e-mails. Rather, it is to encourage you to be aware of the implications of your e-mail, as well as your actions. It is crucial that we recognize that we may not be the only ones interpreting our e-mail. Given this, as people living in a world where e-mail has become an everyday part of our communications, it is incumbent upon us to understand that e-mail can be very different from other forms of communication. We need not only to act legally and professionally when drafting and sending e-mail, we also need to heighten our ethical sensibilities, because the implications of e-mail can be far more weighty than they might at first appear.
Thank you.
NOTES
1. This article is based on a lecture given at Bentley University, sponsored by the Verizon Foundation.
2. See, for example, New York General Obligations Law 5-701.
3. For more information, please see the following: Weiss, Debra Cassens, “Did Lawyer’s E-Mail Goof Land $1B settlement on the New York Times Front Page?” ABA Journal (Online), February 6, 2008, http://www.abajournal.com/news/lawers_e_mail_goof_lands_on_nyts_front_page; Weiss, Debra Cassens, “New York Times Reporter Says Lawyer’s E-Mail Goof Not a Big Blunder.” ABA Journal (Online), February 11, 2008, http://abajournal.com/news/nyt_reporter_says_lawyers_e_mail_goog_not_a_big_blunder/.
4. “Oops,” The New Yorker, June 30, 2003.
5. http://www.snopes.com/embarrass/e-mail/skadden.asp
6. Sissela Bok, Secrets: On the Ethics of Concealment and Revelation (Vintage Books 1993), pp. 18–22.
7. Kim Lane Scheppele, Legal Secrets: Equality and Efficiency in the Common Law, University of Chicago Press (1988), p. 17 and n. 30.
8. The law does not require that the corporation actually receive a benefit, or that the employee act primarily in order to benefit the corporation. Criminal liability for an employee’s actions may be imputed to the corporation even if the corporation did not gain from the conduct, and even if the conduct violated company policy. Zero v. United States, 689 F. 2d 238, 242 (1st Cir. 1982) (holding that employee must have been “motivated at least in part by an intent to benefit the corporation.” United States v. Bainbridge Mgmt., 2002 U.S. Dist. Lexis 16686 at *15 (N.D. Ill. Sept. 5, 2002).
9. See Zambroski, Ray, “Think before you send.” Communication World, May 1, 2006.
10. The Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999).
11. 45 C.F.R. 164.501. See http://www.hhs.gov/ocr/hipaa/privacy.html.
12. Muro v. Target Corp., 2007 WL 1630407 (N.D. Ill. Nov. 28, 2006). See also Legal Alert: Court Holds Forwarding Privileged Legal Advice to Employees Not Directly Concerned with its Subject matter May Waive Privilege, [email protected]/news.
13. 2007 Electronic Monitoring and Surveillance Survey, AMA and ePolicy Institute, AMA Press Release, February 28, 2008, http://press.amanet.org/press-releases/177/2007-electronic-monitoring-surveillance-survey/. The survey also reports that 28 percent of responding companies said they had fired employees for misusing e-mail, and 30 percent had fired employees for misuse of the Internet.
14. Ibid.
15. According to the AMA Survey, some employers monitor telephone calls and voice mails as well as e-mail and Internet activity. Forty-five percent monitor time spent and numbers called, and another 16 percent record phone conversations. An additional 9 percent monitor employees’ voice mail messages. The survey reports that most employers notify employees of phone and voice mail monitoring. Ibid.
16. See Damon Darlin and Kurt Eichenwald, “H.P. Said to Have Studied Infiltrating Newsrooms,” The New York Times, September 20, 2006.
17. See Indictment, United States of America v. Ebbers, S3 02 Cr. 1144 (BSJ), Southern District of New York, ¶ 41(f).
18. Using Employees’ E-mail Against Them, Forbes, July 10, 2008; See also Top Ten Smoking Gun E-mails. http://www.forbes.com/2008/06/20/employee-internet-security-lead-cx_tw_0620e-mail.html?partner=e-mail.
19. See Judge Scheindlin’s Opinion in Zubulake v. UBS Warburg LLC (“Zubulake IV”), 220 F.R.D. 212, 216-217 (S.D.N.Y. 2003).
20. Beltran, Luisa, “Executive of audit firm gives testimony that bolsters account given by Duncan last week,” reported on CNNMoney (Online) under title “Andersen Exec: Shredding Began After E-Mail,” January 21, 2002. http://money.cnn.com/2002/01/21/companies/enron_odom/.
21. Werhane, Patricia H., Moral Imagination and Management Decision-Making (Oxford: Oxford University Press, 1990).
22. See “FEMA E-Mails,” The New York Times (nytimes.com), October 20, 2005, for links to e-mails. See also “Worker Tells of Response by FEMA,” The New York Times (nytimes.com), October 21, 2005.
23. Bliss, Jeff, Bloomberg News, “Brown e-mails joked during crisis: Messages reveal ex-FEMA chief’s concern with image,” Chicago Sun Times, November 4, 2005.