Please help..Email ...
 
Notifications
Clear all

Please help..Email request and 2703?

9 Posts
5 Users
0 Likes
599 Views
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

I work for a company that hosts Exchange email for clients. One of our clients has recently had an employee leave their company and go to a competitor. They had reason to believe that the employee had been selling trade secrets to this competitor before leaving, and they've hired a third party investigator to do some work. (it's a major auditing firm.)

We have been asked to restore all of the employee's email for a possible criminal investigation by the EMPLOYER. Since then we have also had a request from the Auditor. This has happened within a two day timeframe.

My question is this

1.) Do we need to have a 2703 letter supplied to us for these records?
2.) Is the employers request for email sufficient enough without a subpoena?
3.) Does the ex-employee fall under the ECPA for email that they are wanting to restore (hence the question for the 2703 letter)?

And anything else you can supply me would be excellent!! I'm a forensics major, and this is my first real interaction with the legal aspect of this, so I don't want to do anything wrong.

Thanks for all of your help!

John

 
Posted : 07/11/2007 7:54 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Why not simply ask your company's legal counsel these questions?

 
Posted : 07/11/2007 8:23 pm
(@Anonymous)
Posts: 0
Guest
 

A question that needs to be answered is what, if any, Internet and email usage policy is in place at this client?

In most US localities (except, of course, California) employees generally have no expectation of privacy, but the prudent employer explicitly states this in some form of Acceptable-Use Policy which employees are required to read and sign.

Your company's attorney needs to ascertain from your client's legal- or HR department if, indeed, such a policy is in place and is uniformly enforced.

Keep us posted on this case!

 
Posted : 07/11/2007 8:24 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

That's the odd thing. We are a hosting company that "replaces" an IT department. We have clients who have their own policies, but we also have ours. Who's legal counsel would need to be contacted?

In other words, if we say we protect our clients email and the employer says the employee has no expectation of privacy, then who wins? I can get in touch with our company's lawyer, but I'm not sure they'll be able to help. I'll keep you posted!!

Thanks!

 
Posted : 07/11/2007 8:28 pm
(@Anonymous)
Posts: 0
Guest
 

In other words, if we say we protect our clients email and the employer says the employee has no expectation of privacy, then who wins?

At issue here is Did the employee sign a non-compete with her/his employer? Did s/he sign an AUP?

Your company is merely providing a service; in this case email-hosting. The legal battle will be between your client and their naughty former employee. As H implied in his above response, though, these are questions for your company's attorney(s) to sort out with your client's legal team.

*You* need to repeat the mantra, "Under advice of counsel…" and not make decisions that could put you in the witness stand unnecessarily.

 
Posted : 07/11/2007 8:44 pm
(@bgrundy)
Posts: 70
Trusted Member
 

1.) Do we need to have a 2703 letter supplied to us for these records?
2.) Is the employers request for email sufficient enough without a subpoena?
3.) Does the ex-employee fall under the ECPA for email that they are wanting to restore (hence the question for the 2703 letter)?

I'm no lawyer, but I think that unless you are a "governmental entity", you cannot compel *anything* under 18 USC 2703.

§ 2703. Required disclosure of customer communications or records
(a) Contents of Wire or Electronic Communications in Electronic Storage.— A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

AWTLPI has the answer. Does the company have a "banner" in place? Or a "user agreeement" that strictly states there's no expectation of privacy? That's the road you really need to go down.

That's the odd thing. We are a hosting company that "replaces" an IT department. We have clients who have their own policies, but we also have ours. Who's legal counsel would need to be contacted?

There really ought to be some contractual language that addresses this. I would think. But that's outside my frame of reference.

 
Posted : 07/11/2007 8:46 pm
 ddow
(@ddow)
Posts: 278
Reputable Member
 

Who's legal counsel would need to be contacted?

You can only depend on your own. The employer's attorney is there to represent and protect the employer, not you. To save your attorney's time and your money, I'd go in with both your policies and a copy of the employer's policies in question.

 
Posted : 07/11/2007 8:55 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Okay, I've contacted our legal counsel, and they're going to get back in touch with me. I'll let everyone know how it turns out. Currently, I'm exmerging their data out and creating a MD5 hash just in case it does turn out that they need it. I appreciate everyone's help in the matter!!

Thanks,

John

 
Posted : 07/11/2007 9:22 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Update

Lawyer states we do one of two things

1.) Have third party supply court order

or

2.) Have client provide us with a letter of indemnity should something happen after the allowance of them reading this person's email.

Thanks for everyone's help!
John

 
Posted : 08/11/2007 3:07 am
Share: