Earlier this week, Harvard University acknowledged the fact that, in the wake of last summer’s cheating scandal that rocked the campus, it had secretly searched the e-mail accounts of 16 Resident Deans. The e-mail search was undertaken last August in an effort to determine who had leaked to the media a “confidential” internal e-mail regarding the cheating and also to determine whether any personal student information had been leaked. Harvard did not acknowledge the fact that it had searched the e-mails until this week, seven months after the searches and only after the Boston Globe broke the story. In the days since Harvard’s surreptitious e-mail search became public, the University has fallen under enormous criticism from faculty, administrators and privacy advocates, all of whom feel blindsided and violated by the University’s unannounced and undisclosed search of electronic data. But Harvard’s approach highlights the interesting and complex issues surrounding the competing concerns companies and institutions have in both conducting thorough internal investigations while, simultaneously, protecting the privacy interests of their employees in the digital age.
Harvard determined it needed to conduct an internal investigation when it discovered that the media had access to a “confidential” e-mail from the University’s administrators to its Resident Deans addressing the potential penalties to be imposed on the students who had cheated, the timing of those penalties both generally and as they related to student athletes’ attempts to save a year of athletic eligibility, and identifying the course—“Introduction to Congress”—in which the University believed the cheating had occurred. It does not appear that the e-mail identified any of the students accused of cheating, however, the University was concerned that student information also could have been disclosed. In order to determine which of the Resident Deans leaked the e-mail, Harvard conducted the undisclosed e-mail search in a limited and narrow way: it reviewed only the subject line of the Resident Deans’ e-mails in order to determine which, if any of those Resident Deans had forwarded the e-mail. The search did not include a review of the contents of any e-mail.
In getting to the bottom of its inquiry, did Harvard need to conduct an e-mail search? Couldn’t it have accomplished the same goals without resorting to what some believe is a full-blown invasion of privacy? Set forth below are some initial thoughts on the lessons companies and institutions should learn from Harvard’s methods in conducting this internal investigation.
Expectation of Privacy in E-Mails on Employer-Based E-mail Accounts
Notwithstanding the uproar of the Harvard faculty, it should be noted, both in the context of Harvard’s investigation and internal investigations generally, that most employers make explicit through institution-wide policies that employees do not have a reasonable expectation of privacy in their work-based e-mails and that those e-mails are free to be searched by the employer. Indeed, Harvard’s internal policy permitted the University to search the e-mail accounts of the Resident Deans without informing them first (Harvard, however, does require that its full-time faculty be given notice of any e-mail search). Thus, like most employers conducting an internal investigation, Harvard was not prohibited from conducting its e-mail search.
Why Would Harvard Search E-Mails Instead of Interviewing the Resident Deans?
A growing criticism of Harvard’s approach centers on whether Harvard could have stopped short of a secret e-mail search to determine the source of the leak. Why didn’t the University just interview the 16 Resident Deans, thereby conducting a search in a way that would have limited the privacy intrusion? Fundamentally, from Harvard’s perspective, its decision to search e-mail subject lines, rather than interview 16 Resident Deans, reflected a cost-effective and efficient way to investigate and determine the source of the leak. Moreover, perhaps Harvard’s approach reflected a concern that if the Resident Deans were on notice of the investigation and were called in for interviews, they would, for some reason, be less than candid regarding their responsibility in forwarding the confidential e-mail, or, even worse, attempt to delete the forwarded e-mail, thereby creating even bigger problems for themselves and the University. In other words, perhaps Harvard believed a quick, simple and limited e-mail search would nip this problem in the bud and allow the University to confront the alleged source of the leak in the most streamlined way possible. But, as noted below, this approach, while efficient and arguably appropriate in light of the University’s authority to search these e-mails, does not come without serious consequences and backlash in the digital age.
The Investigation Overshadowed The Conduct Under Investigation
Any internal investigation should, of course, ensure that the investigation gets to the root of the problem; the investigation should not, by contrast, create new and additional problems that end up eclipsing the original problem. While a search of the subject headings of the Resident Deans’ e-mails likely was the most simple and streamlined method of conducting this investigation, in conducting the investigation this way, Harvard ignored the potential for an intense media fallout associated with its privacy intrusions, including accusations that Harvard “hacked” the e-mail accounts of its staff. This fallout arguably has now overshadowed the underlying cheating scandal, has positioned Harvard as insensitive with respect to the protection of digital information, and has frayed the relationship between the University and its faculty.
In the digital age, where an employer’s access to information is readily accessible and searchable, employers conducting internal investigations have great tools at their disposal to conduct thorough investigations. Yet, they must use those tools wisely or risk the backlash Harvard is now facing. While employers can and often should review e-mails in the course of internal investigations without giving notice to its employees, one wonders whether Harvard could have prevented this backlash simply by informing its Resident Deans of the nature of the limited search shortly after the University conducted the search. That approach would have both enabled Harvard to conduct an effective investigation and allowed it to get out in front of this story, thereby minimizing the risk that its investigation would be characterized as “hacking” instead of “investigating.”
To read more from Benjamin Fischer, please visit www.maglaw.com