Defamation? Accidental contracts? Bet you didn't realise email was so tricky, says John Warchus
Q: We are a medium-sized construction organisation increasingly using email in our day to day business — what are the main legal/commercial dangers of using email and how can we take practical steps to minimise the risks?

A: One of the most serious dangers is that employees may, unwittingly, conclude binding legal contracts through the careless use of email communications. Under English law, a binding contract is generally in existence once a clear offer has been accepted and this principle applies as equally to email as it does to any other form of communication.

Employees in your organisation must be aware of this risk. I also suggest that if there are negotiations taking place by email, the initial email should clearly state that a binding contract will only be concluded once a hard copy document has been physically signed and that emails have a "subject to contract" statement which would generally mean that a binding contract is not concluded by accident.

An associated problem is that of employees who enter into contracts outside their scope of authorisation. Although not yet tested in the English courts, you should consider adding to the normal disclaimers on an email footer that the sender is only authorised to enter contracts up to £x (or similar limitation) — this would help with the argument that the other party was aware that the employee could not enter a valid contract for higher sums.

Defamation
Due to the informal nature of emails and the speed with which they are written and sent, this is a particular problem. In the Western Provident Association v Norwich Union case, the latter settled a defamation action by paying approximately £400,000.

Experts estimate that 80% of all security breaches are caused by an organisation’s own staff acting maliciously or carelessly

For the purpose of defamation, the relevant "publication" took place as soon as the defamatory message had been sent internally and it was not relevant that it was not initially seen by Western Provident themselves. The other practical point to emphasise is that deleting such emails does not remove them from the computer's hard disk and, if proceedings are commenced, the claimant will be able to obtain a disclosure order to obtain copies of incriminating material. While there are potential defences to defamation under the Defamation Act 1996 and the new EU Directive on e-commerce which is to be introduced shortly, the recent decision of Godfrey v Demon Internet indicates that the defence is limited: as soon as an organisation is put on notice that it has created or is publishing defamatory content, that organisation must either decide to resist the allegation or to remove the incriminating material immediately.

Aside from legal liability, emails can have attachments containing software viruses which, if opened, can infect your organisation's IT systems and disable them. It is therefore important that technical security procedures such as anti-virus software programs are employed and that employees are educated into not opening suspicious attachments. There should be a clear procedure in place stating to whom such messages can be forwarded for checking.

IT security experts refer to the "80/20 rule" which is reference to the estimate that 80% of all security breaches are caused by an organisation's own staff acting maliciously or carelessly and only 20% of security breaches are due to the malicious acts of outside hackers.