Disclaimers and email signatures
I recently participated in an interesting thread about legal disclaimers for email messages. I'm referring to the two kilobytes of legalese bloat that proclaim the message is privileged and confidential and that, if mis-delivered, the recipient should notify the sender, destroy the copy, keep whatever he might have read confidential...
Being a long-time advocate of secure email, any time I read a legal disclaimer, I try not to laugh at the futility here, or at best, the misplaced notion of trust. Anything privileged or confidential should never be sent in unencrypted, unsigned email. That's obvious.
What, exactly, do folks expect when they attach a lengthy statement that essentially says, "I sent something confidential and privileged, and if by some random act of mail routing, you've received this and are not the intended recipient, please take time out of your busy day to let me know, and by the way, you're now accountable for keeping this information confidential, under my implied threat of legal action"?
If imposing a gag act on individuals were this simple, I can't help but think that Rumsfeld, Ashcroft and crew should routinely preempt negative news stories by "accidentally" blind-copying reporters with the exact accounts of incidents the Bush administration would choose to keep quiet.
David Steele, a colleague and attorney (he's actually a computer guy first, attorney second, so he's OK), made some amusing observations about such disclaimers, including, "...putting them at the bottom of the email means that the reader has to read down the email to get to the part that says 'this is confidential and don't read it if you're not the intended recipient.'" David suggests, "whenever I send something that is really confidential, I put the notice at the top of the email, with 'PRIVILEGED AND CONFIDENTIAL COMMUNICATION' in all caps as well (and in bold, if I'm bold enough to send email in HTML), and then I add a bunch of blank lines to make sure the message is well below the notice. This, in my view, achieves the requirement of providing the notice before the information is read."
For many attorneys and corporate execs, it really doesn't matter that this behavior is, well, pointless. They were told to do this with faxes, and it's a small, not quantum, leap of misperception to think, "right for fax, right for email".
If you were to use a disclaimer, it would make sense to apply it only when you were sending something truly privileged and confidential, right? Wrong. What's the point of doing something pointless unless you do it in a big way? First, you'd actually have to *think* about what you're about to send before firing it off. Second, you'd have to spend time choosing between basic and disclaimer signatures. Too much room for error. But David Steele makes the interesting point that, "if you use the notice on everything you send out, regardless of whether or not it is confidential, then the notice will become too dilute and have less, or no effect, when something that is confidential gets sent out to the wrong party."
In an act of generosity rarely exhibited by attorneys, David offers this example of a disclaimer:
PRIVILEGED AND CONFIDENTIAL COMMUNICATION
This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential information that is legally privileged. If you are not the intended recipient or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please: (1) immediately notify me by reply e-mail, or by collect telephone call; and (2) destroy the original transmission and its attachments without reading or saving in any manner.
I personally find this too stuffy. My choice would be:
This is email. It's like a Post Card. While the probability is low:
- Anyone can read it.
- Anyone may have changed it.
- Anyone may be impersonating me, the purported sender.
- You may not even be an intended recipient.
- If this mail or any attachment managed to meet your antispam criteria, was delivered to you, and contained malicious code, it probably did *not* come from me, so please don't send me one of those dopey, "your email contained a worm" messages.
Have a worry-free day:-)
Archived at http://www.securityskeptic.com/arc20040401.htm#BlogID238
by Dave Piscitello