Sarah D. Scalet
Senior Editor

Don’t Read This

Feb 13, 2003 | 3 mins
CSO and CISO | Data and Information Security

Of all the ineffectual e-mail disclaimers I see, one I received earlier this week takes the prize for self-defeating impotence. A public relations flak wrote me trying to get publicity for a security conference. His was the standard spiel: the whos who would be there, the whats that would be learned, the wheres and whens and whys. But at the bottom of the message, I found this disclaimer:

CONFIDENTIALITY: The information contained in this E-mail message is intended only for the personal and confidential use of the designated recipient(s) named above. This message is intended to be a confidential communication and may involve information or material, which is protected under state or federal privacy laws.

The disclaimer droned on a while longer in deep legalese and horrid grammar, nothing that e-mail users haven’t learned to ignore long ago. But here’s the ludicrous part: The information was, in fact, intended to be spread far and wide, yet the disclaimer supposedly forbade me from doing that.

Despite the fact that most such disclaimers would hold up in court about as well as a piece of linguini cooked al dente, a startling number of e-mails these days arrive festooned with legal verbiage longer than the message itself. Inserted at the bottom of the e-mail (although I know of one clever law firm that inserts a line up top instructing recipients to “Please see Confidentiality Notice before reading e-mail”), the disclaimer is usually trying to accomplish one of two things. Often it is an attempt to keep the information from falling into the wrong inbox, never mind that it’s being transmitted in a medium that even my six-year-old niece knows is as private as a postcard. And sometimes it is meant to absolve the sender of any liability for damage caused by viruses contained in any attachments.

Companies will have adequate luck with the latter, assuming of course that the virus was not intentionally inserted by the sender. But as for the “confidentiality” notices, they often fail to do anything more than irritate the recipient and make the sender look foolish. Slapping a carelessly written disclaimer on every outgoing message is not a way to improve security. Anyone who thinks it is... well, I’m sure you have an associate in Nigeria awaiting your help thawing out some frozen assets.

“If the sender marks even his holiday greeting e-mails as confidential, why should any recipient understand that any of this sender’s communications are intended to be confidential?” asks Wayne D. Bennett, co-chair of the Commercial Technology Practice at Bingham McCutchen LLP. In general, for a confidentiality notice to stick, he says that: 1) there should be a confidentiality agreement in place between the sender and recipient before the information is transmitted; 2) the disclaimer should make the e-mail confidential “pursuant” to this agreement; and 3) only e-mails containing confidential information should be marked as such.

“An unsolicited e-mail marked ‘confidential’ from someone the recipient does not know will not typically bind the recipient to confidentiality,” Bennett says. His e-mails to me, by the way, contained no disclaimer.

All of which is to say, your first reaction to all this legal yapping is probably right on target: Ignore it; it doesn’t matter anyway.

What’s the worst confidentiality notice you’ve read this week? Send it to me at