Most employees tend use the email account provided by their employer for the greater part of their email. With so many of our waking hours at work, and with out-of-hours access to our work account, many of Hong Kong's worker-drones view their 'corporate' email address as their primary personal identifier.
But our networked world offers virtually unlimited scope for unscrupulous, mentally disturbed or vengeful persons to commit wrongdoing and/or havoc. Email stalking is one such phenomenon. It is thought to be quite limited here in Hong Kong, but is regarded as a major problem for individuals (and enterprises) in the UK and the US.
I recently advised an individual faced with an unknown email stalker - he came to me because his employer was not providing effective assistance. I hope that employers reading this will consider how this column might shape their policies going forward.
What constitutes stalking?
The scenario follows a certain pattern, although there are many variants. An employee receives email from an unidentified source (probably a number of different free-to-use email accounts). The emails may first draw in the victim by referring to something in the person's past, in an attempt to elicit a response. Then follow various accusations (perhaps of a sexual nature and undoubtedly defamatory) which escalate in terms of ferocity - coupled with threats of what will happen if the person does not accede to the perpetrator's demands.
All of this takes place over the employee's work email address - it has nothing to do with his employment, but it is entirely unsolicited and carries on notwithstanding that the employee does not respond. The natural reaction of the victim is to close the available avenue of communication; but in reality this is not an option. There is no express provision in one's contract of employment that one will use the email account provided to you by your employer; but it is taken for granted that that personal identifier will remain with you for the length of your employment.
Whose fault is it?
So, what should the employer do? Is this a personal matter for the victim, which he must figure out for himself (using the resources of the world's police forces and such civil law suits as he can afford)? Or could the employer face liability for the ultimate results of nonintervention, which could be the premature end to the victim's contract of employment (a much wider publication of the libel than when the employer was first notified of the problem), or a grisly real-world encounter as threatened acts became reality?
Although I am not aware of any Hong Kong judicial precedent on the subject, it is clear to me that the employer cannot turn its back on this problem. Its IT department cannot say: "We are not allowed to block incoming email, from a known source, as that would be against freedom of speech" - that would merely evidence that the IT department has no handle on legal risk management. Its senior managers cannot say: "We will look into it, but we are powerless to do anything - we don't believe we have any legal responsibility." This is because once the operator of an IT system is notified that it is carrying illegal content, and has the means to prevent its continuance, there is quite some legal precedent that the operator may itself be liable to the victim if it does not take all reasonable steps of prevention within a reasonable time. Also, an employer owes a duty of trust and confidence to its employee.
No one is saying that the employer is responsible for tracking down the perpetrator, although in an extreme case the employer could be expected to decommission the victim's email account. But the employee can expect to receive the following:
• an attempt to block the offending material by commercially reasonable technical means, even if this involves modest financial outlay (if the use of the email account is a required part of the employment).
• quarantining/filtering of suspect emails - to the extent this would not cause a significant administrative burden on the employer; and of course full cooperation with the investigative authorities.
• pastoral support for the employee, and appropriate communications to other staff and customers to neutralise the impact of any threatened escalation.
In an extreme case I could envisage a situation where an employer, who had ignored requests for assistance over a long period but kept the email account open regardless, could possibly be liable for republishing the defamatory statements issued by the perpetrator.
The possibility of such liability can easily be avoided, however, by timely action once the threat is made known to the employer.
Peter Bullock is Head of Technology & Services Law, Asia Pacific and a Partner of Masons' International Law Firm.