What are the legal ramifications of accidentally sharing email addresses in Canada?
June 23, 2009 3:32 PM

A couple of people at my company have accidentally sent emails to groups of contacts using the To: field rather than the Bcc: field against company policy. What are the legal ramifications?

It's important to know that the company is located in Canada.

We've had two incidents like this in the past couple of weeks with two different employees who manage two separate (but not mutually exclusive) lists. Do we need to worry about the legal ramifications of these completely unintentional events? Of course, apologies have been offered to all parties involved.

On a separate note, how can I prevent this from happening again? We use Outlook 2003/Exchange. Is there any way to pop up a warning message when the To: field contains more than, say, 5 people? Alternatively, should I switch to some sort of mailing list manager that will, by design, always send via Bcc: or one email at a time?
posted by talkingmuffin to Computers & Internet (15 answers total)
 
Server side, the only limit is Maximum Recipients (default - 5000, lower this if you haven't) under Message Delivery Properties in ESM. That limit applies to all recipients whatever field they're in. You could set up a QBDL, you'll need to add Contacts for external SMTP addresses, and instruct the employees to use that.
posted by IanMorr at 3:45 PM on June 23, 2009


Do we need to worry about the legal ramifications of these completely unintentional events?

The legal ramifications are nil. Consider two things: 1.) there is probably no clear legislation outlawing what is essentially emailing people, and 2.) in order for someone to bring suit, they would have to show damage.

I doubt either of these applies. Even in Canada.
posted by wfrgms at 4:34 PM on June 23, 2009


Do we need to worry about the legal ramifications of these completely unintentional events?

Did you reveal a trade secret or confidential information? For instance, does one of the emails on the list reveal that you're working with someone on a project that was supposed to be confidential?
posted by mr_roboto at 5:27 PM on June 23, 2009


Best answer: IANARGVBP (I am not a really good Visual Basic programmer), but here's one thing you can add to their Outlook program.

Open up their Outlook, and within the main window click on the Tools menu item, then Macro, then Visual Basic Editor. Or, you could do Alt-F11.

This will bring up a VB editor, and you should see an item in the left-hand list called ThisOutlookSession. Click on it, and then to the right is the big area to enter text, paste the following bold text:



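Private Const MaxSafeToRecipientCount = 5

Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
    Dim tempTo As String
    Dim tempToArray() As String
    Dim promptText As String

    ' Only mail messages are checked; other item types are sent untouched.
    If TypeName(Item) <> "MailItem" Then Exit Sub

    ' Item.To holds the To: names separated by semicolons.
    tempTo = Item.To
    tempToArray = Split(tempTo, ";")

    ' UBound is zero-based, so add 1 to get the number of To recipients.
    If UBound(tempToArray) + 1 > MaxSafeToRecipientCount Then
        promptText = "You have " & Format$(UBound(tempToArray) + 1) & " To recipients. Are you sure you don't want to use Bcc?"
        ' Yes sends the message as addressed; No cancels the send.
        If MsgBox(promptText, vbYesNo + vbQuestion + vbMsgBoxSetForeground, "Check for To/Bcc") = vbNo Then
            Cancel = True
        End If
    End If

End Sub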


Now, close this window. This code will check to see if they have more than 5 addresses in the To field of the email. If so, it will display a dialog box making sure they don't want to use Bcc. If they click Yes, the email will send. If they click No, it won't.

There are two pain-in-the-assness things about this code. First, every time they start Outlook it will ask if they want to Enable Macros, and they have to click the enable button. Second, when they click No on the warning box, they'll most likely lose focus of their email window they wanted to send - they'll have to find it on their task bar again (but it didn't really send).

If you want to change the count, just modify the Private Const MaxSafeToRecipientCount = 5 line to be whatever number you want instead of 5.

I think there is a way to get rid of the Macro warning when you open Outlook, and there may be a way to control the window-focus issue. But, see the acronym at the beginning of my post - I'm not that great of a VB programmer since I mostly use other languages.
posted by JibberJabber at 5:51 PM on June 23, 2009 [1 favorite]


Also...if you have a VB programmer at your company, you can do a lot more fancy things than this simple warning dialogue.

For example, instead of just giving them a warning you could have the code copy the addresses from the To to the Bcc if that's what they want. Also, you could even write code that will take your list of addresses, and split the email into a separate one for each person, using their address in the To and not use Bcc altogether. This way, when they receive the email that recipient's name shows up in the To field since some companies, recipients, etc have an issue for mass-Bcc's like this.
posted by JibberJabber at 5:59 PM on June 23, 2009
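
The first idea in the comment above (offering to move the To recipients to Bcc), as an added example that is not part of the original post or JibberJabber's code. It would replace the earlier Application_ItemSend handler in ThisOutlookSession, since only one can exist there; the three-way prompt and its wording are assumptions made here.

```vba
' Added example: goes in ThisOutlookSession in place of the earlier handler.
Private Const MaxSafeToRecipientCount = 5   ' same threshold as the earlier answer

Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
    Dim recip As Outlook.Recipient
    Dim toCount As Long
    Dim answer As VbMsgBoxResult

    ' Only ordinary mail messages are checked.
    If TypeName(Item) <> "MailItem" Then Exit Sub

    ' Count the recipients on the To: line using the Recipients collection,
    ' which does not depend on how display names are punctuated.
    For Each recip In Item.Recipients
        If recip.Type = olTo Then toCount = toCount + 1
    Next recip

    If toCount <= MaxSafeToRecipientCount Then Exit Sub

    answer = MsgBox("You have " & toCount & " To recipients." & vbCrLf & _
                    "Yes = move them all to Bcc and send" & vbCrLf & _
                    "No = send as addressed" & vbCrLf & _
                    "Cancel = go back to the message", _
                    vbYesNoCancel + vbQuestion + vbMsgBoxSetForeground, _
                    "Check for To/Bcc")

    Select Case answer
        Case vbYes
            ' Re-file every To recipient as Bcc so addresses are not disclosed.
            For Each recip In Item.Recipients
                If recip.Type = olTo Then recip.Type = olBCC
            Next recip
            Item.Recipients.ResolveAll
        Case vbCancel
            ' Stop the send and leave the message open for editing.
            Cancel = True
    End Select
End Sub
```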


Um, yes - switch to a newsletter manager. Constant Contact and iContact can both handle multiple lists. There is just no reason for this to ever happen. And it does piss off your clients. We just had a MAJOR upstream provider do this to us yesterday in the midst of a renegotiation of our contract. Not cool and we are very much using this to our advantage when we talk about their professionalism, reliability and security.
posted by FlamingBore at 6:15 PM on June 23, 2009


What legal ramifications are you expecting to potentially befall you?
posted by gjc at 7:01 PM on June 23, 2009


What legal ramifications are you expecting to potentially befall you?

The OP's list might reveal names of people taking a form of medication. The reveal might intrude on people's privacy. On a lesser note, the reveal might leave them open to spamming.

The first two are particularly volatile. Imagine for a moment that all people on the list are taking medication for a condition best kept private. Imagine as well people who are account holders for a particular bank and whose email address is now revealed.

This slipup can open the company to all sorts of legal trouble.
posted by seawallrunner at 7:19 PM on June 23, 2009


Best answer: Engage your company's legal counsel and PR folks. There may not be steps to take, but they appreciate a heads-up as soon as any incident (even one perhaps as harmless - or not - as this may be).

Also, someone mentioned Constant Contact. Also check out MailChimp and SilverPop. Maintaining this stuff out of house is, yes, costly; it can save a lot of customer relationships and possibly legal money in the long-term, though. And all of the services do great automated mail merge and list management, as well as tracking of opens and clicks. Totally worth it.
posted by sadiehawkinstein at 8:16 PM on June 23, 2009


Best answer: I am not the OP's lawyer. I think this is very questionable advice, especially without knowing more. I was thinking exactly of seawallrunner's scenario, which did in fact happen early in the decade when Eli Lilly accidentally released the email addresses of 600 people who take Prozac. Lilly was charged by the FTC for violating its own privacy policies and later reached a settlement. This was serious business.

So note that Lilly was not charged with violating any particular privacy laws (though perhaps it could have been), but rather for failing to live up to its own privacy policy. This is an enforcement tactic which has been used before. So if the OP's company has a privacy policy which says something vague like "We promise to keep your information secure," revealing customer emails (even if there is nothing inherently sensitive about them, as with the Prozac case) could be construed as a breach.

I second sadie's advice to bring this to the company's counsel, or if you don't know who that is, your boss.
posted by Conrad Cornelius o'Donald o'Dell at 10:02 PM on June 23, 2009


The legal ramifications are nil.

Really? It's okay to reveal to every other member of this group of people that I presumably don't know that:

i) what my name is
ii) what my e-mail address is
and most importantly:
iii) that I have dealings with the company
iv) that I am associated with whatever the e-mail is about (medication, people involved in a complaint, job candidates)

Sounds quite serious to me. Ask the company lawyer.
posted by devnull at 2:38 AM on June 24, 2009


Response by poster: Beyond the sharing of email addresses there is very little personal information revealed and it is not (thank the gods) of a sensitive nature. We do have a privacy policy in place that states that we will not share email addresses with anyone outside of the organization. Like I said though, this was all done accidentally with no malicious intent and no disclosure of sensitive info.

JibberJabber, I will look into implementing the VB functions that you provided and get back to you. Looks to be very useful.

I appreciate all of the advice.
posted by talkingmuffin at 8:28 AM on June 24, 2009


Beyond the sharing of email addresses there is very little personal information revealed

You revealed who has a business(?) relationship with the company.

We do have a privacy policy in place that states that we will not share email addresses with anyone outside of the organization.

You don't need a privacy policy: the law will cover this. You should ask your lawyer if you are allowed to share data with your customers about other customers - you almost certainly aren't.

For example, say you bought a new tyre from me. Would it be okay for me to tell my customers that talkingmuffin bought a new tyre from me? Probably not. What about something other than a new tyre? Ask your lawyer!
posted by devnull at 1:30 AM on June 25, 2009


For example, say you bought a new tyre from me. Would it be okay for me to tell my customers that talkingmuffin bought a new tyre from me? Probably not.

I don't know about Canada, but I don't think this is usually a problem in the U.S. Companies sell customer lists all the time, especially in bankruptcy (example).
posted by Conrad Cornelius o'Donald o'Dell at 1:30 AM on June 26, 2009


Response by poster: I've found the relevant piece of legislation for the province I live in. I don't believe the law has been violated because of the following language:

"personal information" means information about an identifiable individual and includes employee personal information but does not include

(a) contact information, or

(b) work product information;"

As far as I can see an email address does not allow you to identify an individual. Names were not released as part of the email that was sent so I think we're in the clear. Thanks for the advice everyone.
posted by talkingmuffin at 10:21 AM on July 3, 2009

