Legal disclaimers for email messages are appearing more frequently as organizations recognize the need to exercise control over corporate communications. I'm referring to the two kilobytes of legalese bloat appended to the tail of an email message that proclaims "this message is privileged and confidential!" and blathers on, explaining that, if mis-delivered, the recipient should notify the sender, destroy the copy, keep whatever he might have read confidential, degauss the hard drive on which the copy was stored...
Being a long-time advocate of secure email, any time I read a legal disclaimer, I try not to laugh at the futility here, or at best, the misplaced notion of trust. Email is fundamentally like a post card. Postal handlers, the mail boy, or anyone who happens to see the post card as they pass by your office desk can read it.
David Steele, a colleague and attorney, made some helpful observations about attaching such disclaimers to the tail of your mail in a thread on a public list. David explains that the flaw in this practice is obvious. "...Putting disclaimers at the bottom of an email means that the reader has to read down the email to get to the part that says 'this is confidential and don't read it if you're not the intended recipient.'"
David's solution? "Whenever I send something that is really confidential, I put the notice at the top of the email, with the statement PRIVILEGED AND CONFIDENTIAL COMMUNICATION in all caps as well. I then add a bunch of blank lines to make sure the message is well below the notice. This, in my view, achieves the requirement of providing the notice before the information is read." This practice gives early notice and provides the reader with an opportunity to stop scrolling before reading the correspondence, but it doesn't alter the fact that the message has been disclosed to unintended recipients: for this, you need secure (encrypted) mail.
Many employees pay little attention to the details of a disclaimer policy. They were told to attach disclaimers to faxes, and the "right for fax, right for email" logic has proven expedient for many organizations. Unfortunately, the tendency among employees is to attach the disclaimer to every message. I suspect this is because disclaimer policies are simply implemented badly: IT or employees configure mail clients to attach the disclaimer to every message sent.
The carpet-bomb approach defeats the purpose of legal disclaimers. David Steele weighs in that, "if you use the notice on everything you send out, regardless of whether or not it is confidential, then the notice will become too diluted and have less or no effect when something that is confidential gets sent out to the wrong party." David's message is clear: use it judiciously.
We now have two elements of a best practice when applying legal disclaimers. If you choose to use a disclaimer, (1) place it at the top of your messages and (2) apply it only when you are sending a message that merits this special consideration.
David offers this example of a disclaimer:
PRIVILEGED AND CONFIDENTIAL COMMUNICATION
This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
If you find this too stuffy and are enough of a counter-corporate culture creature, you could try this version:
This is email. Treat it like a Post Card. While the probability of intentional interception is low, anyone can read it during transit, anyone may have changed it along the way, or anyone may be impersonating me, the purported sender. You may not even be an intended recipient. If this mail or any attachment was delivered to you, and contained malicious code, it probably did *not* come from me, so please don't send me an email with the subject line "your email contained a worm".
I'll save a discussion on the challenge of attaching legal disclaimers to Tweets and instant messages for a future post.