Does offensive spam open us up to a lawsuit?

Like it or not, spam is a way of life. While the battle between spammers and inbox users continues to rage, organizations generally do their best to try to stop the onslaught. In general, only a fraction of spam gets through filters, but can those spam filter failures create legal liability for an organization?

Today, I received an email from a user indicating that the "enlargement" message she received in her work email inbox was offensive and could be considered sexual harassment.  Our spam filters are actually pretty good and block most, if not all, of the content that would be offensive to most people, but there will always be outliers.  We do host our own mail servers and have an on-site spam solution that has proven to be very, very good.

That said, no matter what steps are taken, some spam will still slip through.  How often do you or your users get messages from "their" bank or PayPal indicating that their accounts are about to be closed?  How many times have you won the Spanish lottery?  How many former Nigerian presidents have contacted you personally entrusting you with their vast wealth?

You get the idea.

No matter how good spam filters are, spammers find ways to stay one step ahead of the technology.  My response to this particular user was that our spam filters catch the vast majority of inbound spam but are not perfect.  For the occasional message that does get by, users should make use of the delete key.

The user in question, though, is one that generally enjoys being difficult, so I anticipate that this is not the end of the road for this situation.  Some of our users are under the impression that a spam filter is an absolute guarantee that all inboxes will be spam free, regardless of how much communication is sent out to the contrary.  From everything I've seen and read, I doubt that a sexual harassment/hostile work environment case in this instance would get very far.  First, the organization makes a serious, good faith effort to block messages that could be considered offensive.  Second, a single email message in someone's inbox hardly represents a "pattern" that could be used to prove a hostile working environment.

Short of simply disabling Internet mail from making its way to this user's inbox, what are your suggestions for the best way to handle a situation like this?  Do you think something like this could open the organization up to a lawsuit brought by an employee?

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

42 comments
DonD01

I would think the converse is more likely - a spam filter that incorrectly blocks important communications that are not spam. Our company's ISP is routinely filtering out legitimate messages...sometimes even from my own secretary....others from a client whose company name includes the word 'financial' - which means that, at a minimum, I don't get those communications for at least a day (when the daily list of blocked messages turns up) or, at worst, I never get them at all, since after scanning through 50-100 blocked messages...one's eyes glaze over.

pgit

Like you said, there's no pattern, the mail does not originate from the company or anyone in it, and there are well beyond good faith efforts in place, and an obviously concerned and dedicated IT staff trying their dog-gone-est to keep this from happening. If you did no filtering but still ran a mail server, yeah, you could be liable. But say you have a small office, no internal mail server... every man (or woman) for his (her) self. The business cannot be held liable for activity originating from a third party's hardware.

pyang

If users do not understand that SPAM filtering is a best effort at preventing these types of messages from getting across, I would suggest that for the particular difficult user, he/she needs to consent to having every one of their e-mails read, and pay out of pocket for someone to do the reading. That would be the extreme case of filtering, and would guarantee that no unwanted message ever makes it through. However, in their consent they need to be made aware that any personal e-mail messages would also be read by someone, which if the content is inappropriate could also lead to termination of employment.

joshuabj

Some states have now passed laws that by default a party automatically loses a suit if email is requested that cannot be found. Just in case. You may want to check the laws. However, I also don't think that this person could find a lawyer to fight this one. It's a bit ridiculous.

gmp.junk

I think I read somewhere that you can pass email through gmail and take advantage of their relatively good (imho) filters.

gddik

ha·rass /həˈræs, ˈhærəs/ [huh-ras, har-uhs] –verb (used with object) 1. To disturb persistently; torment, as with troubles or cares; bother continually; pester; persecute. 2. To trouble by repeated attacks, incursions, etc., as in war or hostilities; harry; raid. Based on the above Random House Unabridged Dictionary definition of harassment, a single e-mail hardly qualifies, and I doubt if any lawyer worthy of the name would entertain suing a company on that basis. The employer seems to be doing about as much as it's possible to do to prevent SPAM, so that doesn't leave much room for a challenge, either. Throw the claim out, and politely tell the employee to add a dose of realism to her cynicism.

joe

Change her email address. Only new spam will find her after that. In a few weeks, when her inbox is full again, change her email address again. At this point, explain to her that someone she gave her new email address to has a compromised computer, and encourage her to use her email account for "company business only." Rinse, lather, repeat.

gahmusic

What's to stop the company or the private individual for that matter suing their ISP for delivering this spam?

Oz_Media

Seen this case tried a couple of times now. The company is not at fault if the company is proactive and uses a proper SPAM filter and manages, updates it regularly. If the company does nothing about it, it is deemed negligence to provide a safe and hassle free workplace. NOTE: Simple filtering/blocking with Outlook or Exchange is not usually seen as 'proactively managing' spam, using a proper filtering and heuristic system such as GWAVA will be deemed effective action.

asjeff

Nope - even in the US it would be a far stretch of the imagination to think that a judge would agree to a lawsuit (harassment or otherwise) because some spam has managed to get by the mail filters. And if I were you I would tell your user to go ahead and try and with any luck you'll get rid of the miserable *&$%". :)

CharlieSpencer

Assuming you have a Legal department. If not, I'd start Googling for similar cases. I'd also contact the local university; ask for the law school and someone familiar with workplace discrimination, and the business college and someone who knows labor relations.

Tony Hopkinson

arguing that you shouldn't receive any spam, 'offensive' or otherwise, is total nonsense. So from a legal point you are out by millions. :p A few scares of this regard in my opinion wouldn't be a bad thing. This sort of spam is effectively a product mass mailing, and spammers do it in general because someone pays them to. Occasionally we are offered an individual spammer to vilify, the companies who pay them, never.... That however would take us into a legal minefield for businesses, mass mailing = spam, and the lawyers would have a field day defining unsolicited. As for your employee. Unless everyone public in the company got the same email, check her browsing habits at work. Maybe it was solicited.....

.Martin.

It could, but it probably wouldn't last long. If I were you I would sit the person down and try and show her that a SPAM filter cannot always be perfect (relate it to something they know about).

TexasJetter

"by default a party automatically loses a suit if email is requested that cannot be found" I have not heard that one . . . I know if you cannot produce emails that would fall within your email retention policy you can cause a "spoliation" judgment, but that does not necessitate the loss of suit (may incur a fine though). Of course it depends on your industry and what you are required to keep. But this topic is on email retention, not sexual harassment based on ineffective SPAM filtering.

chetilove

Also remember, people can pretty much attempt to bring litigation to almost anyone for any reason & consequently you will have to spend $$ on your defense. I would definitely keep good documentation on how you are handling spam & in particular a paper trail of communication with this user concerning the matter.

Oz_Media

A dictionary definition of harassment is not applicable when it is clearly and specifically defined in the telecommunications act. SPAM laws (applicable in most but not yet all states) actually ensure the employee a 'non-hostile' working environment. A company must take all 'reasonable' measures to protect employees from offensive correspondence, whether by email, telephone etc. The best thing to do in this case is Google the user's email address, if it turns up on a dozen or so websites, you know that it was used inappropriately by the user and has been scoured by bots, in most companies putting the employees at fault for using a business email address for personal reasons.

dkeefer69

I agree, if the organization is acting in a responsible manner there should be no question. You simply cannot stop all spam from reaching a user's inbox. To say the organization could be liable for sexual harassment (in this example) is akin to saying the postal service is responsible for junk mail or the telephone company is responsible for telemarketing campaigns. If the employer (or hosting company) is utilizing spam filters, content filters or other solutions to prevent as much as possible it is acting in a responsible manner. If an example like this were to reach a court what would be next - suing free e-mail hosting companies like gmail or yahoo?

Mycah Mason

This is the perfect solution to the problem as far as I can see 1) It doesn't put you at risk of any other legal problems (like firing her by giving her bad reviews etc.) 2) It specifically addresses the SPAM problem. Since it's a brand new email address none of the spammers will have it yet. 3) Most importantly - it puts the burden of this ridiculous situation back on the shoulders of the person complaining about the spam. This means that the company is doing everything it can to stop her from getting spam and drives home the point that you have to balance blocking spam with letting legitimate email through ...so it will never be perfect. After she deals with all the administrative overhead of constantly changing her email address (notifying everyone of the change etc.) I'm pretty sure that she would change her tune. Also, it would of course be a good idea to monitor her network activity etc. as others have recommended to ensure she is not using company resources that violate company policy. Especially if you are worried about a lawsuit, it would help your case if you could prove that were true.

dkeefer69

We did that with a user in the past, but they were obviously giving their e-mail to the wrong parties. It didn't take long for the spam to start flowing again. Currently, we are blocking nearly 80% (for every good message, there are almost 4 bogus ones) of all traffic flowing through our domain. The amount of spam is ridiculous and we are still not catching it all. I do not know what the solution is, but to add possible liability to companies is not the answer unless they are not doing anything.

Lazarus439

I don't want my ISP reading my email any more than it already does. It annoys me that I can't get it to stop adding '--SPAM--' to the header of any email message it happens not to like. If the ISP becomes responsible, i.e., could be sued, for delivering SPAM, we've just put them in the thought police business. I for one want the ISP to provide me with reliable bandwidth and to keep its fingers out of what I do with it.

Oz_Media

I have yet to see an ISP that would be responsible for 'delivering' spam. They don't interact with or filter mail, that would be infringing on people's right to privacy.

BradTD

That's exactly what I was thinking. I think I'll sue my ISP for the spam I get at home. How about $1000 per offensive message received? I could put them out of business and make millions. (For those who don't get it, that was sarcasm. I'm in agreement with those who think the lawsuit-happy nature of our society has gotten disgusting.)

mmgrady

There is a reasonable stance to take that states you are using a system that filters X%. As long as X% is in a reasonable industry wide range, you should not be deemed to be negligent. With that being said, there is always someone out there who states, well if you used this or did that, it would be better. This is a slippery slope argument that leads us to the mess we are in legally in this country (US). The number of stupid lawsuits is almost always based upon a slippery slope agreement and this is where stuff like this creates trouble. The question becomes what is reasonable, when have you expended enough energy and when do you need to do just a little more. My advice is to report the conversation to her boss and right up the chain if you don't feel they will handle situation. This person does not need to be working in the company and should be fired before she creates way more problems than she is worth.

nick

In Australia the laws around Workplace Health and Safety would give this person a chance of a lawsuit. However the case is unlikely to get to Court if the employer is taking "reasonable" steps to prevent the incoming SPAM with up to date filters and has good security policies and proactively manages and monitors those filters. I have dealt with a similar situation. The firm spent a reasonable amount of money upgrading SPAM and content filters and they were really running well. Yet we still had one person who received a SPAM message infrequently and complained bitterly. I always sent an e-mail reply back explaining how we filtered SPAM and statistics on the filters. It never shut that person up though.

eric.sorrentino

You find a way to terminate that user. That kind of easily offended person is a lawsuit in progress. He/she is merely looking for an excuse to file

sidekick

I'm not a legal person, but if the company did not send the message, and none of the employees sent the message, then the company should not be liable, IMHO. If you hear someone on the street shouting, do you sue the company for not having more soundproof windows? This person sounds like one of those people who's not happy unless she's miserable.

SKDTech

that the user doesn't have a leg to stand on and any lawyer that didn't convince her of this or, barring that, laugh her out of his office should be disbarred. But I too often hear about successful suits in which the defendant did nothing wrong and should have had nothing to worry about to think that you have nothing to worry about. Would the user win if she found a lawyer willing to bring suit against the company? Not likely, but the company would still have incurred the costs associated with defending themselves in court.

dougwills

Just wondering if anyone has tried this idea with a twist. What if we were to give our users many email addresses (can this be automated somehow) using a core email address and versioning number. Give out one version per contact. Rule sets can certainly be created to direct email appropriately, but it then becomes relatively easy to track down offending email addresses/infected contacts and make adjustments as necessary. Other than the overhead, why not? And yes, I understand the pain to implement this, that's why I am suggesting that it needs to be an automated process of some sort.

JamesRL

My ISP has a pretty good SPAM filter. If they receive what they think is SPAM, they quarantine it and send me an email which allows me to see the sender's information, the title of the email, and other header info. I can choose to either have it delivered or deleted. James

Oz_Media

That doesn't qualify as just cause in Canada, Employment Standards would have her dragging you to court and suing the company in a heartbeat for wrongful dismissal. I don't know how you guys can work in such unstable workplaces. I agree she is a problem and needs to be dealt with, but the typical US comment, "show her the door", just doesn't fly in other free countries. Our labour laws are there to protect employees from being abused by the employer.

cartmit

It may take some time, but turn off her email, give her poor reviews, then fire her with cause.

andrew.lumwan

I used to run our Anti Spam solution which is actually pretty good. However a small percentage of spam will leak through. When people used to kvetch to me and they wouldn't accept the reasoned responses of the issues involved and why spam still occurred; I would then offer them the guaranteed way to alleviate all their spam issues (at work anyway), the kvetcher would start to get excited thinking now they'd gotten somewhere, until they realised I was proposing to disable/delete their email account. The kvetcher would then shut up and go away and I wouldn't hear from them again.

Oz_Media

But in the workplace the company is responsible for taking all fair measures to protect the employee from such exposure. But if you use a good spam filter and show that it is managed and updated properly, you have taken all reasonable steps to prevent it.

psonoda

I would let the individual know that there are three possible solutions. First, eliminate the email. Second, go through all the person's email before it is sent to them (Read all the person's mail) This can be done by you or supervisor. This would also include a review of all email before it is sent. (We wouldn't want to allow any behavior that would cause future spam emails) Third, deal with it. Obviously if a large amount of emails comes in we need to block it, but people need to be reasonable.

dougwills

I just know that when I know who the spam is coming from, I have a chance to do something about it. With a strong spam filter and a good rule set, and I've already eliminated all but a few of spam messages each day. If I knew who those remaining spam messages were coming from (because I know who gets what email account), I could either help them get rid of the spam, adjust my rule sets or spam filter, or simply get rid of the contact altogether if it isn't important to me. I probably wouldn't want something as mundane as a consistently increasing number added to my email, but maybe some random text that my computer would control/create. I don't know - probably not worth it for the little time I currently worry about this issue.

TexasJetter

If I follow you correctly then you are suggesting creating addresses user1@ thru user10@ for each individual. You can easily alias the address to just plain user@ so the end person does not have to keep up with what address is currently being used. One of the issues I would see is that addresses get discovered, so even an address that is not used will eventually get SPAM. So once they get discovered then the user might receive multiple copies of the same SPAM . . . . if my reasoning is correct.
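
An added sketch of the per-contact address idea discussed in the two comments above (not code from any commenter): each contact gets a `user+tag` address whose tag is an HMAC over the user and contact, so a sequentially guessed or harvested variant does not match an issued tag, and spam sent to a valid tag identifies the contact it was given to. The plus-addressing layout, the key, the domain and every name below are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed values for illustration only.
SECRET_KEY = b"constructed-demo-key-not-for-production"
DOMAIN = "example.com"


def alias_tag(user, contact, key=SECRET_KEY):
    """Derive an unguessable 10-character tag for one (user, contact) pair."""
    msg = f"{user.lower()}\x00{contact.lower()}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(digest)[:10].decode().lower()


class AliasRegistry:
    """Tracks which contact was given which alias, and which are revoked."""

    def __init__(self, key=SECRET_KEY, domain=DOMAIN):
        self.key = key
        self.domain = domain
        self.issued = {}      # (user, tag) -> contact the alias was given to
        self.revoked = set()  # (user, tag) pairs that are no longer accepted

    def issue(self, user, contact):
        """Return the address to hand to this contact (same input, same alias)."""
        tag = alias_tag(user, contact, self.key)
        self.issued[(user.lower(), tag)] = contact
        return f"{user.lower()}+{tag}@{self.domain}"

    def revoke(self, user, contact):
        """Stop accepting mail on the alias that was given to this contact."""
        self.revoked.add((user.lower(), alias_tag(user, contact, self.key)))

    def route(self, recipient):
        """Return (decision, user, contact) for an inbound recipient address."""
        local, _, domain = recipient.lower().rpartition("@")
        if domain != self.domain or "+" not in local:
            return ("untagged", None, None)  # handling is a local policy choice
        user, _, tag = local.partition("+")
        contact = self.issued.get((user, tag))
        if contact is None:
            return ("reject-unknown-tag", user, None)  # guessed or mangled tag
        if (user, tag) in self.revoked:
            return ("reject-revoked", user, contact)
        return ("deliver", user, contact)


def trace_leaks(registry, spam_recipients):
    """Count spam per contact, based on the address each message was sent to."""
    hits = {}
    for rcpt in spam_recipients:
        _, _, contact = registry.route(rcpt)
        name = contact or "unattributed"
        hits[name] = hits.get(name, 0) + 1
    return hits
```
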

Oz_Media

They will filter out RBL's and known offenders, as almost any ISP will, but they are not 'responsible' for doing so. In this case, most spam mail still gets through (as with Telus, Shaw etc.), and you can also request that ALL mail regardless of source is forwarded without their scanning. My point is that they can't be responsible for checking your email, heuristic scans are not allowed by ISP's, so they can only block KNOWN offensive senders that are blacklisted and noted/registered by the CRTC. I had to wade through all this crap with a friend who operates a large, business class ISP out here, when I worked in telecom and they are pretty heavily regulated as to what is deemed privacy invasion and what is not.

Oz_Media

Turn off her email, so you have failed to provide her with the tools to do her job in a fair and efficient manner. Can't fire for that, but she can sue the company for hindering her right to a fair working environment. Poor reviews? Based on what, hearsay? Again not legal in most developed countries. Fire her with cause, yeah, you'd still need to find cause, in Canada anyway. I think that you can fire someone for not being a white, Christian female with big boobs in the US though.

Tony Hopkinson

Constructive dismissal...... Much easier to win and generally much more expensive. Especially when you have email evidence that this course was suggested and a set of BS reviews. I've never had spam addressed specifically to my company email. I've had it as one individual on a group after some prick exposed their contact list, with my company account in it. I'd be looking at browsing habits and what this person is using her company address for. I suspect a few unsubtle enquiries might shut her up real quick.....

techrepublic.posting

Now, I know this isn't exactly on topic, but I thought I'd share it in any case. I know that in the classic meaning, if you get a message from recruiters it may not be spam, but I've had a few that just won't get the message (despite the Federal CANSPAM law of 2004). So what I started to do, is find every possible e-mail for their company, and simply re-forward their e-mail to all of them, including, and especially any of the uppy-ups (e.g. CEO, BOD, etc) that I can find. The forwarded e-mail has an automatic statement in it that says I told them to stop contacting me, but failed to do so. In one case, I contacted the company a month or so later, and asked for this person (just testing things). I was told that he got fired, because he kept sending e-mails when told not to! Oh well, it was his own fault he got fired!

Drew@Omaha

I think it boils down to whether or not the employer is making a reasonable effort to filter spam. I've had employees complain about 'porn' type spam and I've offered two solutions: 1) disable incoming e-mail 2) set the spam filter to the maximum level of aggressiveness. Beyond that, I don't know what more someone can ask. I really hate those challenge / reply systems though I suppose something like that could be used.
