Striking a Balance Between Employer Business
Interests and Employee Privacy: Using
Respondeat Superior to Justify the Monitoring of
Web-Based, Personal Electronic Mail Accounts
of Employees in the Workplace
by
Micah Echols*
I.
INTRODUCTION
Electronic mail (“e-mail”) is a convenient and financially beneficial tool
in the workplace.1 Although businesses that take advantage of e-mail have
experienced many benefits, these same businesses also face a number of disadvantages. One such disadvantage is the legal liability that employers may
face—under a vicarious liability theory—for the e-mail-related actions of
their employees.2 Due to this exposure, nearly eighty percent of employers
have turned to various methods of monitoring their employees, including direct e-mail monitoring.3 Traditionally, this type of monitoring has been limited to company, proprietary e-mail accounts, in which courts have routinely
held that an employee has no reasonable expectation of privacy.4
In response to the lack of privacy afforded company e-mail accounts,
many employees choose to conduct their personal affairs via web-based, personal e-mail accounts that are typically available through Internet access provided by the employer.5 But web-based accounts may not isolate an employer
from liability; most companies, therefore, seek the ability to monitor webbased, personal e-mail accounts as well.
Recent developments in monitoring technology available to employers
allow for the monitoring of most web-based, personal e-mail accounts, such
*
Mr. Echols is currently serving as the Judicial Clerk for the Honorable Sally
Loehrer, District Judge, Eighth Judicial District (Clark County), Las Vegas,
Nevada for the 2003–2004 term. He received his law degree earlier this year
from the J. Reuben Clark Law School at Brigham Young University.
1.
See Dennis Dorman, Email Overload; Some Solutions; Industry Trend or
Event, 4 INTELLIGENT ENTERPRISE, May 24, 2001, at 14.
2.
See, e.g., Booker v. GTE.Net LLC, 214 F. Supp. 2d 746, 750 (E.D. Ky. 2002)
(finding the employer not liable for the acts of two employees committed on an
e-mail account, but referring to the finding as a “close call”).
3.
American Management Association, 2001 AMA Survey: Workplace Monitoring
& Surveillance: Summary of Key Findings, 2001, available at http://www.ama
net.org/research/pdfs/ems_short2001.pdf (last visited Mar. 12, 2003).
4.
See discussion infra Part III.A.
5.
See Bob Sullivan, Who’s Spying on My Hotmail?, Aug. 28, 2002, available at
http://www.msnbc.com/news/800409.asp (last visited Feb. 19, 2003).
274
Computer Law Review and Technology Journal
[Vol. VII
as “Hotmail” and “Yahoo!”.6 Nevertheless, the same criteria that courts use
to uphold the employer monitoring of employee e-mail accounts on company, proprietary systems will most likely have the opposite effect on the
monitoring of web-based, personal e-mail accounts.7 As a result, controversy
remains regarding an employer’s possible liability for employees’ activities
on web-based, personal e-mail accounts that cannot be legally monitored.
This Article proposes that if courts use a respondeat superior approach,
employers will be able to legally take advantage of the new technology and
justifiably monitor employees’ web-based e-mail accounts when they are
used in the workplace. To explore the issue presented, Part Two will provide
the relevant background, an explanation of how e-mail accounts work, and
the perspectives of both employer and employee. Part Three will present four
cases discussing the analysis courts have applied to the monitoring of employee e-mail in the workplace on company, proprietary e-mail accounts.
Part Four will analyze issues related to web-based, personal e-mail accounts,
such as new monitoring technology, the traditional privacy analysis as it relates to the new monitoring technology, and the respondeat superior approach to the issue of employer monitoring of employees’ web-based,
personal e-mail accounts in the workplace. Part Five will comment on methods through which employer and employee can maintain their respective positions while avoiding conflicts. Part Six will argue that clear guidelines
should be adopted for e-mail monitoring, and that those guidelines should
balance the interests of employers and employees.
II. BACKGROUND
A. Statutory Background
1. Federal Wiretap Act8
The Federal Wiretap Act applies to wire communications, which are
defined as follows:
any aural transfer made in whole or in part through the use of
facilities for the transmission of communications by the aid of
wire, cable, or other like connection between the point of origin
and the point of reception (including the use of such connection in
a switching station) furnished or operated by any person engaged
in providing or operating such facilities for the transmission of
interstate or foreign communications or communications affecting
interstate or foreign commerce.9
6.
See id.
7.
See id.
8.
18 U.S.C. §§ 2510–2522 (2000).
9.
Id. § 2510(1).
2003]
Striking a Balance
275
The Wiretap Act makes it illegal to intentionally intercept or attempt to intercept any wire communications.10 But the Act allows exceptions either when a
person is a party to the conversation or when at least one party to the conversation has consented to interception, provided that, in either case, the interception is not in violation of law.11
2. Electronic Communications Privacy Act12
The Electronic Communications Privacy Act amended the Federal
Wiretap Act to include electronic communications, which are “any transfer
of signs, signals, writing, images, sounds, data, or intelligence of any nature
transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”13
The Electronic Communications Privacy Act allows an exception for providers of such electronic communications “to record the fact that a wire or electronic communication was initiated or completed in order to protect [that]
provider.”14
3. Stored Communications Act15
The Stored Communications Act makes it unlawful for a person to intentionally access, without authorization, a facility through which an electronic communication service is provided, or to intentionally exceed an
authorization to access that facility and thereby obtain, alter, or prevent authorized access to the communication while it is in storage in the system.16
The Stored Communications Act carves out two liability exceptions: one for
the person or entity providing the communication service17 and another for
10.
Id. § 2511(1)(a).
11.
Id. § 2511(2)(d).
12. Pub. L. No. 99-508 (Oct. 21, 1986). Recent case law acknowledges that the
Electronic Communications Privacy Act was written prior to the advent of the
Internet and the World Wide Web and, therefore, until Congress brings the
laws in line with modern technology, protection of the Internet and other
electronic communications will remain a confusing and uncertain area of the
law. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 874 (9th Cir. 2002).
13. 18 U.S.C. § 2510(12) (2000) (The statute provides the following exceptions
from the definition of “electronic communications”: (1) any wire or oral communication; (2) any communication made through a tone-only paging device;
(3) any communication from a tracking device; or (4) electronic funds transfer
information stored by a financial institution in a communications system used
for the electronic storage and transfer of funds).
14.
Id. § 2511(2)(h)(ii).
15. 18 U.S.C. §§ 2701–2711 (2000).
16.
Id. § 2701(a)(1)–(2).
17.
Id. § 2701(c)(1).
276
Computer Law Review and Technology Journal
[Vol. VII
users of the service with respect to their own communications or those intended for them.18
4. USA PATRIOT Act19
In response to the terrorist attacks of September 11, 2001, Congress
enacted the USA PATRIOT Act. This Act amended both the Federal Wiretap
Act and the Stored Communications Act by liberalizing governmental power
to search wire, stored, and electronic information.20 In terms of the scope of
this paper, this Act is mentioned only to note that privacy in electronic mail
is generally being diminished in the public sector, a trend that will eventually
have repercussions in the private sector.
B. E-mail Accounts
1. Company, Proprietary E-mail Accounts
Company, proprietary e-mail accounts are for internal company communications and for communication with a company’s clients. Such accounts
are installed on a network using an e-mail program such as Microsoft Outlook or Novell GroupWise. The company network is wired through a company server, to which the employer has complete access.21 Every e-mail that
is sent or received on the company proprietary e-mail account is stored on the
company server, regardless of whether the employee deletes and purges the
18.
Id. § 2701(c)(2).
19. Pub. L. No. 107-56 (Oct. 26, 2001) (Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Act). The USA PATRIOT Act amended the Electronic Communications
Privacy Act, giving less protection to stored electronic communications such as
voice-mail. See H.R. Rep. 107-236(I), at 54 (2001). This amendment
memorializes the view courts have adopted with respect to e-mail—that the
wiretap statutes are violated only when the communication is intercepted
simultaneous to the transmittal. See, e.g., Steve Jackson Games, Inc. v. United
States Secret Serv., 36 F.3d 457, 458 (5th Cir. 1994).
20. One of the tools authorized and developed under this Act is the FBI’s DCS1000, commonly known as Carnivore. Carnivore is a computer program that
allows the FBI to monitor the content of e-mails by attaching to an Internet
Service Provider. See Marcia Coyle, Debating the Intrusive Teeth of a “Carnivore”, 24 NAT’L LAW J., Oct. 15, 2001, at A9; see also Congress Must Attach
a Leash to Carnivore, SAN JOSE MERCURY NEWS, Jan. 3, 2002 (commenting on
the new FBI technology, “Magic Lantern,” which can bypass encrypted e-mail
by secretly recording a suspect’s keystrokes). See generally Manton M. Grier,
Jr., The Software Formerly Known as “Carnivore”: When Does E-mail Surveillance Encroach Upon a Reasonable Expectation of Privacy?, 52 S.C. L.
REV. 875 (2001).
21.
See Bohach v. City of Reno, 932 F. Supp. 1232, 1234 (D. Nev. 1996) (“E-mail
messages are, by definition, stored in a routing computer.”).
2003]
Striking a Balance
277
e-mail from his individual computer.22 Additionally, the employer has unfettered access to the stored e-mails in the folders of any employee e-mail account on the company server, even if the employee has protected his folders
by password.23 Since the company network is by definition a restricted network, Internet access from another network and another server, such as from
an employee’s home Internet Service Provider, will not provide access to the
company proprietary e-mail account unless the company specifically creates
a parallel web-based, company e-mail system for the purpose of allowing
employees to communicate company business from their residences without
extending the network to all of their houses.24
2. Web-based, Personal E-mail Accounts
Web-based, personal e-mail accounts of employees are accessible
through the Internet. If an employer provides Internet service through its
company server, the employee may access a web-based e-mail account from
a workplace terminal. One significant difference between the company, proprietary e-mail account and the web-based, personal e-mail account is that emails sent and received on the web-based account are not automatically
stored on the company server. But a history of websites visited by the employee is stored on the company server. Moreover, the e-mails sent and received from the web-based account are stored on the server of the Internet
company; e-mails sent and received on a Hotmail account, for example, are
stored on the Hotmail server. But because the employer provides the Internet
access, the employer has the ability to block whatever websites it wishes,
thereby blocking employee use of web-based e-mail accounts. Nevertheless,
the number of websites offering e-mail accounts is far too great for employers to block all of them. Further, though an employer may learn through a
company server that an employee has visited a particular website, it is impossible for the employer to determine whether the employee has created a webbased, personal e-mail account on that site.
C. Perspectives
An employer favors monitoring whenever it faces potential liability because of the actions of its employees. Conversely, an employer favors privacy when it cannot be held liable for the actions of its employees. But when
liability is uncertain, an employer will seek to protect its own interests. Since
liability is a highly factual inquiry and is determined only after an employee
22.
See McLaren v. Microsoft Corp., 1999 Tex. App. LEXIS 4103, at *2–3 (Tex.
App. May 28, 1999).
23.
See id.
24.
See Smyth v. Pillsbury Co., 914 F. Supp. 97, 98 (E.D. Pa. 1996) (referring to an
e-mail system in which an employee at home was able to communicate to a
company supervisor over the company e-mail system).
278
Computer Law Review and Technology Journal
[Vol. VII
has acted, it is impossible for an employer to grant employees the complete
privacy they would like and still avoid its own liability.
1. Employer Perspective
Although e-mail and other electronic technologies are a great asset to
companies, three main concerns accompany the benefits. Rather than removing the technology altogether, over seventy-seven percent of major U.S.
firms have decided to record and review employee communications, including e-mail, to mitigate their liabilities.25
First, employers rank legal liability as the number one reason for monitoring employee e-mail.26 Lawsuits against employers associated with e-mail
include fraud, libel, sexual harassment, racial harassment, securities fraud,
and trespass.27
Employers rank company security as the second-most important reason
for monitoring employee e-mail.28 While companies may not face legal liability in this area, violations of theft, misappropriation of trade secrets, embezzlement, and copyright infringement will continue to damage companies
absent monitoring of employees’ e-mail activities.29
The third concern is productivity; inappropriate or personal use of email on company time, employers argue, adversely impacts desired efficiency. This argument, though, only applies to hourly wage earners. While
salaried employees may waste time while at work, they are required to meet
a certain level of productivity. According to a recent study, employees spend
approximately ten hours per week, or one-fourth of a work week, online
sending personal e-mails and visiting Internet sites unrelated to work.30
2. Employee Perspective
In addition to the general argument that most people prefer privacy over
surveillance, there are numerous arguments against monitoring employee e25.
See 2001 AMA Survey, supra note 3.
26.
See Computer Forensics, Employee Privacy: Should Your Firm Monitor
Email? HR Says Yes, HR WIRE, Nov. 15, 1999.
27.
See Erin M. Davis, The Doctrine of Respondeat Superior: An Application to
Employers’ Liability for the Computer or Internet Crimes Committed by Their
Employees, 12 ALB. L.J. SCI. & TECH. 683, 696 (2002).
28.
See Computer Forensics, supra note 26.
29.
See Davis, supra note 27, at 696.
30.
See Jay P. Kesan, Cyber-Working or Cyber-Shirking?: A First Principles Examination of Electronic Privacy in the Workplace, 54 FLA. L. REV. 289, 314
(2002) (citing Frank C. Morris, Jr., The Electronic Platform and Critical Employment Related Issues in the New Millennium, ALI-ABA, Current Developments in Employment Law 1071, 1071 (July 27, 2000); Amy Rogers, You’ve
Got Mail But Your Employer Does Too: Electronic Communication and Privacy in the 21st Century Workplace, 5 J. TECH. L. & POL’Y 1, 20 (2000)).
2003]
Striking a Balance
279
mail in the workplace. If an employee does not have privacy in the workplace, he may feel that his employer does not trust him.31 This perceived lack
of trust lowers employee morale and erodes mutual respect between employer and employee. Without mutual respect, employees do not have an
incentive to optimize production.
Stress, depression, and anxiety often result from employer monitoring of
e-mail and other electronic communications in the workplace, especially if
such monitoring is conducted unfairly.32 It is estimated that employee stress
costs employers fifty to seventy-five billion dollars annually in the form of
increased absenteeism, turnover, poorer management, lower productivity,
higher health care costs, and the avoidance of e-mail altogether.33
Furthermore, a new study reveals that the loss of productivity due to email use in the workplace is not as great as previously believed.34 At least
seventy-five percent of employees spend an hour or less per day using email; twenty-five percent spend less than fifteen minutes.35 In fact, sixty percent of Americans who use e-mail while at work receive no more than ten
messages on an average day.36 The same study also indicates, however, that
managers and high-level directors often spend more than two hours daily on
e-mail, with many spending more than four hours daily.37
III.
COMPANY, PROPRIETARY E-MAIL ACCOUNTS
A. Case Law
With the proliferation of e-mail in the workplace, an emerging body of
case law that grapples with the issue of employee privacy has developed. As
is evident from the following cases, not all courts are in accord as to the
degree of privacy that should be afforded employees or as to the extent of
employer liability resulting from the use of company e-mail accounts.
1. Smyth v. Pillsbury Company38
Michael Smyth was employed by the Pillsbury Company as a regional
operations manager. Pillsbury maintained a proprietary e-mail system to promote internal corporate communications. Pillsbury assured its employees that
31.
See Kesan, supra note 30, at 319.
32.
See id. at 320.
33.
See id.
34.
See Wired News, Study Refutes E-mail Myth, ASSOCIATED PRESS, Dec. 9, 2002,
available at http://www.wired.com/news/technology/0,1282,56781,00.html
(last visited Feb. 15, 2003).
35.
See id.
36.
See id.
37.
See id.
38. 914 F. Supp. 97 (E.D. Pa. 1996).
280
Computer Law Review and Technology Journal
[Vol. VII
e-mail communications could not be intercepted and used against its employees as grounds for termination or reprimand. While Smyth was using the
Pillsbury e-mail system from his home, he exchanged e-mails containing unprofessional comments with his supervisor. Smyth had relied on the company
e-mail policy and assurances from his superiors in believing that his e-mails
would be confidential, but his e-mails were in fact intercepted and he was
later terminated.
The Smyth court first pointed out that an employer can terminate an atwill employee for any reason, unless the reason is against public policy.39
The court also explained that Smyth’s situation did not fit into the any of the
clearly mandated exceptions;40 other exceptions could be taken, however,
from legislation, administrative rules, regulation, or judicial decisions on a
case-by-case basis.41
Accordingly, Smyth asked the court to recognize a public policy exception for termination in violation of an employee’s right to privacy.42 The
claim of “invasion of privacy,” also known as “intrusion upon seclusion,”
was a tort then recognized under Pennsylvania law.43 Pennsylvania had
adopted the Restatement approach to “intrusion upon seclusion”: “One who
intentionally intrudes, physically or otherwise, upon the solitude or seclusion
of another or his private affairs or concerns, is subject to liability to the other
for invasion of his privacy, if the intrusion would be highly offensive to a
reasonable person.”44
Applying this law to the facts, the Smyth court found that the plaintiff
failed to state a claim upon which relief could be granted because there was
no “reasonable expectation of privacy in e-mail communications voluntarily
made by an employee to his supervisor over the company e-mail system notwithstanding any assurances that such communications would not be intercepted by management.”45 The court further reasoned that, once the e-mail
was sent, Smyth lost any reasonable expectation of privacy.46 In dicta, the
court commented that even if Smyth had a reasonable expectation of privacy
in his e-mail communications, a reasonable person would not consider Pillsbury’s interception of the communications to be a “substantial and highly
39.
See id. at 99.
40.
See id. (explaining that Pennsylvania courts have recognized three such exceptions: (1) serving on jury duty; (2) having a prior conviction; and (3) reporting
violations of federal regulations to the Nuclear Regulatory Commission).
41.
See id.
42.
See id. at 100.
43.
See id. (citing Borse v. Piece Goods Shop, Inc., 963 F.2d 611 (3d Cir. 1992)).
44.
Id. (quoting RESTATEMENT (SECOND)
45.
Id. at 100-01.
46.
See id. at 101.
OF
TORTS § 652B).
2003]
Striking a Balance
281
offensive invasion of his privacy.”47 As a final note, the Smyth court stated
that Pillsbury’s interest in preventing inappropriate or illegal activity over its
e-mail system outweighed any privacy interests that Smyth may have had in
the e-mail communications.48
2. McLaren v. Microsoft Corporation49
Microsoft suspended Bill McLaren from his employment pending an
investigation into allegations of sexual harassment and what Microsoft referred to as “inventory questions.” During the course of the investigation,
McLaren requested access to his work e-mail so that he could disprove the
allegations. McLaren also requested that no one tamper with his workstation
or his e-mail. As a precaution, Microsoft restricted McLaren’s access to his
e-mail, permitting him to access a particular message only by requesting it
from Microsoft officials. Later that month, Microsoft terminated McLaren’s
employment with the company.
In his complaint against Microsoft, McLaren alleged, as his sole cause
of action, a claim for invasion of privacy based on the belief that Microsoft
had broken into his personal e-mail files, which were protected by password,
and disclosed the information contained within to third parties.50 Although
McLaren conceded that Microsoft had the capability to decrypt his password,
he asserted that there was a reasonable expectation of privacy in his personal
files because they were guarded by password.51 Microsoft filed a special exception to McLaren’s petition, contending that Texas law did not recognize
“any right of privacy in the contents of electronic mail systems and storage
that are provided to employees by the employer as part of the employment
relationship.”52 Accordingly, the trial court ordered McLaren to replead his
petition to eliminate all statements claiming tortious invasion of privacy in
connection with the facts alleged therein.53
47.
See id. (noting that, unlike a personal property search or urinalysis, electronic
communication does not require the disclosure of personal information and,
therefore, does not create an expectation of privacy).
48.
See id.
49. No. 05-97-00824-CV, 1999 Tex. App. LEXIS 4103 (Tex. App.—Dallas, May
28, 1999, no pet.).
50.
See id. at *2.
51.
See id. at *2–3.
52.
Id. at *3.
53.
See id. at *4. The appellate court noted that Texas law recognizes four distinct
torts, any of which constitutes an invasion of privacy: (1) intrusion upon the
plaintiff’s seclusion or solitude or into his private affairs; (2) public disclosure
of embarrassing private facts about the plaintiff; (3) publicity which places the
plaintiff in a false light in the public eye; or (4) appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness. See id. at *8.
282
Computer Law Review and Technology Journal
[Vol. VII
On appeal, the Dallas Court of Appeals considered whether McLaren
met the two elements for an invasion of privacy cause of action: “(1) an
intentional intrusion, physically or otherwise, upon another’s solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a
reasonable person.”54 The appellate court rejected McLaren’s contention that
his personal files in the company, proprietary e-mail account, protected by
password, were similar to a personal locker, locked with a personal lock,
provided by an employer.55 The court pointed out that a locker would contain
only personal items of the employee; the e-mail messages contained on the
company computer, on the other hand, were not McLaren’s personal property.56 Moreover, unlike the discrete physical location of a locker and its
contents, an e-mail message could be accessed from a variety of locations,
including from a third party, since e-mail messages were first transmitted
over the network server.57 Like the Smyth court, the McLaren court concluded in dicta that, even if it had found that McLaren had established a
reasonable expectation of privacy in his e-mail messages, a reasonable person would not consider Microsoft’s interception of these communications a
very offensive invasion.58 Further, McLaren’s personal e-mails were relevant
to the investigation into sexual harassment and inventory questions, thereby
giving Microsoft a business interest in the e-mails.59
3. Garrity v. John Hancock Mutual Life Insurance Company60
Nancy Garrity and Joanne Clark were employees of John Hancock Mutual Life Insurance Company for twelve and two years respectively. These
two employees exchanged sexually explicit jokes with coworkers on the
company, proprietary electronic mail system. After a fellow employee received one such e-mail and complained to the company, management
searched the e-mail folders of the plaintiffs and those of the employees the
plaintiffs regularly e-mailed. Based on the information uncovered from the
investigation, the company determined that plaintiffs had violated its e-mail
policy, which prohibited “[m]essages that are defamatory, abusive, obscene,
54.
See id. at *9 (citing Valenzuela v. Aquino, 853 S.W.2d 512, 513 (Tex. 1993)).
55.
See id. at *10-12 (discussing K-Mart Corp. Store No. 7441 v. Trotti, 677
S.W.2d 632 (Tex. App.—Houston [1st Dist.] 1984), writ ref’d n.r.e., 686
S.W.2d 593 (1985) (finding that when an employee uses his own lock on the
employer-owned locker, the employee has an expectation that the locker and its
contents will be free from intrusion and interference)).
56.
See id. at *11.
57.
See id. at *11–12 (quoting Bohach, 932 F. Supp. at 1234 (“E-mail messages
are by definition ‘stored in a routing computer.’”)).
58.
See id. at *13.
59.
See id.
60. No. 00-12143-RWZ, 2002 U.S. Dist. LEXIS 8343 (D. Mass. May 7, 2002).
2003]
Striking a Balance
283
profane, sexually oriented, threatening or racially offensive.”61 A violation of
this company policy was punishable by disciplinary action, including termination.62 The company policy also reserved a right for John Hancock to access all e-mail files, which it did in this instance.63 As a result of what the
company discovered in the e-mail files, the plaintiffs were terminated.
The plaintiffs argued that, although John Hancock had reminded its employees to know the company e-mail policy and had warned of former employees that had been disciplined for policy violations, they could not easily
find the policy on the company Intranet or decipher it.64 Additionally, plaintiffs stated that John Hancock led them to believe that the e-mails were private because the messages were protected by personal passwords.65
First, the Garrity court determined that, despite plaintiffs’ belief that
their e-mail communications were private, there was no reasonable expectation of privacy in those e-mails.66 This conclusion was based partly on the
fact that once the e-mails were sent, the messages could be forwarded to
anyone.67 Relying on McLaren, the Garrity court also stated that creating
passwords or personal folders did not create a reasonable expectation of privacy because all e-mail messages were transmitted over the company network and stored for possible viewing by a third party.68
Similar to the reasoning in Smyth and McLaren, the court in Garrity
reasoned that even if plaintiffs had established a reasonable expectation of
privacy in their work e-mail, John Hancock’s business interests would likely
trump plaintiffs’ privacy interests.69 Under Title VII of the Civil Rights Act
of 1964 and under Massachusetts law, John Hancock was required to take
affirmative steps to “maintain a workplace free of harassment and to investigate and take prompt and effective remedial action when potentially harassing conduct is discovered.”70
Garrity and Clark next argued that John Hancock violated the Massachusetts Wiretap Statute, which was patterned after the Federal Wiretap Statute.71 The language of the Massachusetts statute prohibits interception of
61.
Id. at *2.
62.
See id.
63.
See id.
64.
See id. at *2.
65.
See id. at *3.
66.
See id. at *4.
67.
See id. (citing Smyth, 914 F. Supp. at 97).
68.
See id. at *5–6.
69.
See id. at *6.
70.
See id.
71.
See id. at *7.
284
Computer Law Review and Technology Journal
[Vol. VII
wire and oral communications.72 Basing its reasoning on a Fifth Circuit case,
the Garrity court found that there was no wiretap violation because the
wrongful interception must occur during transmission; in this case, plaintiffs’
e-mails were intercepted from a server where the e-mails were stored after
reception.73 Finally, the Garrity court noted that John Hancock would be
further insulated from liability through the ordinary business exemption,
which protects the practice of an automatic e-mail back-up system.74
4. TBG Insurance Services Corporation v. Superior Court75
This case involved the review of a California Superior Court’s refusal to
compel production of an employer-owned computer, which was being held
by the employee at his home. Robert Zieminski worked as a senior executive
for TBG Insurance Services Corporation. For purposes of employment, TBG
supplied Zieminski with a computer at the office and another computer at
home. Pursuant to this arrangement, TBG required Zieminski to sign a company policy in which he agreed that he would use both computers “for business purposes only and not for personal benefit or non-Company purposes.”76
In the agreement, Zieminski also consented to company monitoring of electronic and telephonic communications.
TBG terminated Zieminski’s employment when it discovered that he
had repeatedly accessed pornographic websites on his work computer. According to Zieminski, the pornographic sites had simply “popped up” on his
computer.77 Zieminski sued TBG for wrongful termination.78 After answering the lawsuit, TBG sought to discover the files stored on Zieminski’s company home computer. Any incriminating stored files on the company
72.
See MASS. ANN. LAWS ch. 272, § 99 (Law. Co-Op. 1992).
73.
See Garrity, 2002 U.S. Dist. LEXIS 8343, at *7–8 (citing Steve Jackson
Games, Inc. v. United States Secret Serv., 36 F.3d 457, 461-62 (5th Cir. 1994)).
See also Fraser v. Nationwide Mut. Ins. Co., 135 F. Supp. 2d 623, 634-35 (E.D.
Pa. 2001) (holding, inter alia, that employer did not violate federal statutes by
reading employee’s stored e-mail because the federal statutes only prohibited
interception and access of communications while in the course of
transmission).
74.
See id. at *8–9 (citing Restuccia v. Burk Tech., Inc., No. 95-2125, 1996 Mass.
Super. LEXIS 367, at *2–6 (Mass. Super. Aug. 12, 1996) (protecting employer
from liability for reading employee e-mails according to the ordinary business
exemption of backing up all e-mails sent within the company and justifying
employer’s termination of employees for excessive chatting on the company email system, regardless of the content of the conversations)).
75. 117 Cal. Rptr. 2d 155 (Cal. Ct. App. 2002).
76.
Id. at 157.
77.
Id. at 158.
78.
See id.
2003]
Striking a Balance
285
computer at Zieminski’s home, TBG reasoned, would resolve the factual
question of intent.
Zieminski contended that his constitutional right of privacy precluded
TBG from forcing him to turn over the home computer containing his personal files.79 Zieminski also set forth the argument that “it was universally
accepted and understood by all that the home computers would also be used
for personal purposes as well.”80
The California appellate court found that Zieminski did not establish the
elements of the invasion of privacy cause of action because his home computer was the property of TBG and because he had consented to monitoring.81 Further, a combination of reasons led the court to conclude that
Zieminski voluntarily waived whatever right of privacy he might otherwise
have had in the information stored on his home computer.82 The court held,
therefore, that the home computer was discoverable, and that the trial court
should compel production.83
B. Summary
The test for analyzing employee claims against employers for monitoring e-mail in the workplace centers on whether the employee has a reasonable expectation of privacy in the e-mails in question84 and whether the
alleged intrusion would be highly offensive to a reasonable person.85
As this issue relates to employee use of company, proprietary e-mail
accounts, courts have overwhelming ruled in favor of the employer. The
courts have based their reasoning on the following factors:
(1) There is no reasonable expectation of privacy in e-mail sent or received on the company e-mail system;86
(2) Once e-mails are sent, they can be forwarded to anyone;87
79.
See id.
80.
Id. at 158–59.
81.
See id. at 160–61 (“When affirmative relief is sought to prevent a constitutionally prohibited invasion of privacy, the plaintiff must establish “(1) a legally
protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of
privacy.”) (citing Hill v. Nat’l Collegiate Athletic Ass’n, 865 P.2d 633, 654
(Cal. 1994)).
82.
See id. at 164.
83.
See id. at 164–65.
84.
See id. at 160.
85.
See Smyth, 914 F. Supp. at 100 (citing RESTATEMENT (SECOND)
§ 652B).
86.
See id. at 101.
87.
See Garrity, 2002 U.S. Dist. LEXIS 8343, at *4.
OF
TORTS
286
Computer Law Review and Technology Journal
[Vol. VII
(3) Company interception of e-mail communications is not a substantial
and highly offensive invasion of employees’ privacy;88
(4) The company’s interests in preventing inappropriate or illegal activity over its e-mail system generally outweigh employee privacy
interests;89
(5) Employers are able to decrypt employees’ personal passwords;90
(6) In order to trigger federal protection, electronic communications
must be intercepted simultaneous to transmittal;91
(7) E-mails are “backed-up” on company servers, a practice that is permissible according to the ordinary business exemption;92
(8) The employer owns the computer and e-mail system;93
(9) The employee has consented to be monitored.94
IV.
WEB-BASED, PERSONAL E-MAIL ACCOUNTS
Since most employees have become aware that employers monitor company e-mail systems, the trend for employees has been to move personal and
potentially offensive activities to web-based, personal e-mail accounts. The
following case demonstrates why strict employer monitoring of employee
use of the company, proprietary e-mail accounts is not sufficient to protect
itself from liability.
A. Booker v. GTE.net LLC95
In Booker, two employees of Verizon, an Internet Service Provider
company, in an effort to avoid detection, created a dummy, web-based e-mail
account under the name of Jarmilia Booker, an employee of the Kentucky
Attorney General’s Office. With this dummy account, the employees responded to a customer complaint regarding problems connecting to the Internet using Verizon’s service. Verizon conceded that the employees’ e-mail
was “rude and critical of the recipient.”96 When the customer complained,
Booker was questioned by her superiors at the Attorney General’s Office. It
was later determined that Booker did not send the e-mail in question and that
the web-based e-mail account did not belong to her.
88.
See Smyth, 914 F. Supp. at 101.
89.
See id.
90.
See McLaren, 1999 Tex. App. LEXIS 4103, at *2–3.
91.
See Garrity, 2002 U.S. Dist. LEXIS 8343, at *7–8.
92.
See id. at *8–9.
93.
See TBG Ins. Servs., 117 Cal. Rptr. 2d at 159–61.
94.
See id. at 163-64.
95. 214 F. Supp. 2d 746 (D. Ky. 2002).
96.
Id. at 747.
2003]
Striking a Balance
287
In addition to bringing suit against the individual employees of Verizon,
Booker brought suit against Verizon under vicarious liability and respondeat
superior theories.97 Booker alleged five causes of action against the employer
for the employees’ actions: (1) violation of Washington state statutes prohibiting unsolicited or misleading electronic mail; (2) failure to supervise; (3)
intentional infliction of emotional distress (“outrage”); (4) civil conspiracy;
and (5) defamation/libel.98
The court first delineated the intentional infliction of emotional distress,
civil conspiracy, and defamation/libel claims as being of a respondeat superior nature and thus requiring a plaintiff to show intent of the employees, not
the employer.99 The statutory violations and failure to supervise claims, on
the other hand, were applicable directly to the employer and required the
plaintiff to show intent on the part of the employer.100
In analyzing the respondeat superior claims, the court presented the
question of whether the tortious acts were performed in the scope of employment.101 The court noted that intentional torts are generally considered to fall
outside of the scope of employment, but commented that “this rule is far
from categorical.”102 The Booker court adopted the view from the United
States Court of Appeals for the Sixth Circuit, which stated:
To determine whether a particular employee action is within the
scope of employment, Kentucky courts consider the following: (1)
whether the conduct was similar to that which the employee was
hired to perform; (2) whether the action occurred substantially
within the authorized spacial and temporal limits of the employment; (3) whether the action was in furtherance of the employer’s
business; and (4) whether the conduct, though unauthorized, was
expectable in view of the employee’s duties.103
The Booker court first pointed out that the employees were employed to
respond to customers by e-mail, but not in the manner that they did.104 Because of this fact, the scope of employment inquiry did not help to resolve
the overall question of liability. The court next affirmed that the action “occurred substantially within the authorized spatial and temporal limits of the
employment.”105 Third, the court determined that the e-mail was not sent “in
97.
See id. at 748.
98.
See id.
99.
See id. at 749.
100. See id.
101. See id.
102. See id.
103. Id. (quoting Coleman v. United States, 91 F.3d 820, 823–24 (6th Cir. 1996)).
104. See id. at 750.
105. Id.
288
Computer Law Review and Technology Journal
[Vol. VII
furtherance of the employer’s business” because it encouraged the customer
to switch to a different Internet Service Provider.106 Regarding the fourth
prong, the court concluded that “creating false third-party e-mail accounts
and sending intentionally offensive e-mails is not expected from company
employees.”107 Although it was a “close call,” the court found that the employees acted outside the scope of their employment.108
Booker’s other claims—failure to supervise and statutory violations—
were attributable directly to the employer.109 With respect to the failure to
supervise (or “negligent supervision”) claim, the court reasoned that, although the plaintiff claimed that the employer owed a duty to supervise its
employees, the plaintiff did not allege that the employer knew or should have
known that the offending employees would act as they did, a crucial element
of the prima facie case.110 The statutory claims also failed because a requisite
element was the intent of promoting the employer’s business, an allegation
that was already disproved.111 Consequently, the employer was neither vicariously liable for the acts of its employees, nor directly liable according to the
alternative theories of liability.112
B. New Monitoring Technology
As illustrated in Booker, when Internet access is available in the workplace, the potential remains for employees to commit acts on web-based,
personal e-mail accounts that could possibly make employers vicariously liable. New monitoring technology allows employers to monitor such e-mail
accounts in an effort to thwart ongoing illegal employee activities.
Booker demonstrates that a single e-mail communication may be the
basis of a lawsuit. Monitoring may not necessarily prevent a lawsuit. But if
the cause of action is sexual harassment, the employer may avoid liability
based on just one e-mail if it (1) had a written sexual harassment policy, and
(2) immediately and effectively responded to the complaint.113 E-mail can
also be directed against the employer, such as when company trade secrets
are stolen. Therefore, employer monitoring of web-based, personal accounts
in the workplace would still be justified.
106. Id.
107. Id.
108. Id.
109. See id. at 750-51.
110. See id. at 751.
111. See id.
112. See id.
113. See Faragher v. City of Boca Raton, 524 U.S. 775, 778 (1998); see also Burlington Indus., Inc. v. Ellerth, 524 U.S. 742, 745 (1998).
2003]
Striking a Balance
289
1. Spyware
Spyware was originally created to monitor Internet use for the purposes
of marketing.114 While a user surfs the Internet, programs such as “Gator”
and “BonziBUDDY” are often secretly installed onto the user’s computer,
monitoring surfing patterns, keystrokes, and other information.115 In addition
to retrieving confidential corporate information, spyware programs also drain
network bandwidth, thereby causing system slowdowns.116 These programs
were the forerunners for spyware that monitors web-based, personal e-mail
accounts.
2. eBlaster
Software such as eBlaster 3.0 spyware, created by the SpectorSoft Corporation, allows a user to receive a secret, undetected copy of any e-mail sent
or received from the subject’s web-based e-mail account, such as “Hotmail”
or “Yahoo!”.117 The user of the software does not necessarily need to be on
the same network. A parent at work, for example, can monitor the e-mail use
of his child at home.118 Because of this function, an employer monitoring an
employee’s web-based, personal e-mail account in the workplace could possibly abuse the monitoring by reaching into the employee’s e-mail activity at
the employee’s home if the employee uses the same web-based account both
at work and at home.119
Because the secret copy is sent during the transmission of the e-mail,
even the manufacturer characterizes the new software as “almost a wiretap.”120 Privacy advocates believe that, even when this software is used in the
workplace, it violates employees’ reasonable expectations of privacy because
they take an extra step to protect their privacy by creating a personal e-mail
account that is not controlled by the employer.121 Supporters of the software
contend that the software is not illegal in the workplace because employers
can monitor whatever they want on company computers.122
114. See ITsecurity.com, Websense Launches New Database Category to Combat
Security Threat: Spyware Found to Create Security Holes and Severely Drain
Corporate Bandwidth, M2 PRESSWIRE (London) Nov. 25, 2002, available at
http://www.itsecurity.com/tecsnews/nov2002/nov213.htm (last visited Feb. 18,
2003).
115. See id.
116. See id.
117. See Sullivan, supra note 5.
118. See id.
119. See id.
120. Id.
121. See id.
122. See id.
290
Computer Law Review and Technology Journal
[Vol. VII
C. Traditional Privacy Analysis Applied to Monitoring of
Web-based, Personal E-mail Accounts
When the traditional privacy analysis is applied to the practice of monitoring web-based, personal e-mail accounts in the workplace, employers do
not have such a strong legal position as they do when monitoring only company, proprietary e-mail accounts.123 While the new monitoring technology
may not affect many of the factors of legal analysis, employer monitoring
may not be justified in every situation and may actually impinge employees’
interests. As a result, it is very likely that the new monitoring technology will
be deemed illegal. On the other hand, the employer cannot simply discard the
new monitoring technology unless it wishes to face possible liability in situations similar to Booker. In the following parts of this Article, each of the
factors courts have used to justify monitoring on the proprietary, company email system will be analyzed in light of the new monitoring technology as
applied to the web-based, personal e-mail accounts of employees.
1. There is no reasonable expectation of privacy in e-mail sent
or received on the company e-mail system
As pointed out in the Sullivan article, there may be a reasonable expectation of privacy in web-based, personal e-mail accounts. When an employee
takes an extra step to protect his privacy, he manifests an expectation of
privacy and a reasonable person would most likely believe that there is at
least a higher degree of privacy in web-based, personal e-mail used in the
workplace than in company, proprietary e-mail.124
2. Once e-mails are sent, they can be forwarded to anyone
Once e-mails are sent on a web-based, personal e-mail account, they can
still be forwarded to anyone. This capability justifies lessening the employee’s expectation of privacy in web-based, personal e-mail, especially if
the employee sends an e-mail from a web-based account to a company, proprietary account. An e-mail can be the basis of liability at the point at which
it enters the company e-mail system.125 Similar reasoning has been employed
in Fourth Amendment jurisprudence. Specifically, a search does not occur
when information is freely viewable to the public because once information
is openly released, it can be learned by anyone.126
123. See supra discussion, Part III.A. & Part III.B.
124. See Sullivan, supra note 5.
125. See Garrity, 2002 U.S. Dist. LEXIS 8343, at *4.
126. See, e.g., United States v. Miller, 425 U.S. 435, 442-43 (1976) (financial
records); Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (pen registers);
United States v. Meriwether, 917 F.2d 955, 959 (6th Cir. 1990) (electronic
pagers); California v. Greenwood, 486 U.S. 35, 40 (1988) (trash).
2003]
Striking a Balance
291
3. Company interception of e-mail communications is not a
substantial and highly offensive invasion of employees’
privacy
The fact that an e-mail is intercepted when it was thought to be private
and unreachable is much more offensive than traditional monitoring of a
company, proprietary e-mail system. This factor does not favor the employer
since, according to the first factor, the employee may have a higher expectation of privacy in a web-based, personal e-mail account. Accordingly, intrusion upon an e-mail account that is held at a higher level of privacy will
result in a higher level of offensiveness, perhaps rising to the level of a substantial invasion of an employee’s privacy.
4. The company’s interests in preventing inappropriate or illegal
activity over its e-mail system generally outweigh
employee privacy interests
Of all the factors considered by a court, the factor that could exclusively
justify employer monitoring of employee web-based e-mail is the company’s
interest in avoiding legal liability. If all other analyses are viewed through
this factor, it is the argument of this Article that the employer will be legally
justified in monitoring employee web-based e-mail accounts when they are
used in the workplace. The new monitoring technology does not downplay
this factor used to justify monitoring.
5. Employers are able to decrypt employees’ personal passwords
Employers have technology that enables them to decrypt the personal
passwords of employees’ e-mail folders, and this practice has been justified
in part because the employer owned the e-mail system.127 But employees
would argue that taking an extra step to create a personal e-mail account on
the Internet creates a higher reasonable expectation of privacy; it stands to
reason, then, that just because employers may have the ability to decrypt
personal passwords of web-based, personal e-mail accounts does not necessarily mean that they may legally do so. Hence, the ability that an employer
has to decrypt passwords is less meaningful when there is actually a reasonable expectation of privacy in the e-mail, or even if there is simply a higher
expectation of privacy.128
127. See McLaren, 1999 Tex. App. LEXIS 4103, at *2-3.
128. See Sarah DiLuzio, Workplace E-mail: It’s Not as Private as You Might Think,
25 DEL. J. CORP. L. 741, 758 (2000) (arguing that encryption of e-mail in the
workplace would create a reasonable expectation of privacy, but is unlikely to
be implemented). But see Orin S. Kerr, The Fourth Amendment in Cyberspace:
Can Encryption Create a “Reasonable Expectation of Privacy?”, 33 CONN. L.
REV. 503, 517-18 (2001) (arguing that there is no reasonable expectation of
privacy in encrypted e-mail).
292
Computer Law Review and Technology Journal
[Vol. VII
6. In order to trigger federal protection, electronic
communications must be intercepted simultaneous to
transmittal
Since the seminal case of Smyth v. Pillsbury Co.,129 courts have universally held that in order to trigger protection of the Federal Wiretap Act and
its amendment under the Electronic Communications Privacy Act, the communication must be intercepted simultaneous to its transmission.130 Opponents of this line of reasoning argue, however, that it is meaningless to make
a distinction between e-mail messages sent, received, and en route because
they all occur within a split second of each other.131
This rule of law, in light of recent monitoring technology, makes it difficult for employers to legally monitor employees’ personal, web-based e-mail
accounts because, according to the operation of new spyware technology, emails would be intercepted during transmission.132 This poses a problem, as
personal, web-based e-mail accounts are presumptively for the use of personal e-mail. Thus, using the traditional privacy analysis for monitoring of
web-based e-mail in the workplace as it pertains to new monitoring technology, employers will likely face liability for invasion of privacy.
7. E-mails are “backed-up” on company servers, a practice that
is permissible according to the ordinary business
exemption
When e-mail is sent on a web-based, personal account, a company only
records which websites have been visited. The record of e-mails sent and
received is stored on the website server, not on the company server.133 Nevertheless, with new monitoring technology, employers will know when employees send and receive personal e-mails on their web-based accounts.134
Technically, the web-based e-mails will be backed-up on the company server
because a secret carbon copy will be sent to a company supervisor’s e-mail
129. 914 F. Supp. 97.
130. See, e.g., Fraser, 135 F. Supp. 2d at 634–35 (“[I]nterception of a communication occurs when transmission is interrupted, or in other words when the message is acquired after it has been sent by the sender, but before it is received by
the recipient. The point in time when the message is acquired is the determining factor for whether or not interception has occurred. The Wiretap Act provides protection for private communication only during the course of
transmission.”).
131. See Benjamin F. Sidbury, You’ve Got Mail . . . and Your Boss Knows It: Rethinking the Scope of the Employer E-mail Monitoring Exceptions to the Electronic Communications Privacy Act, 2001 UCLA J.L. & TECH. (2001).
132. See Sullivan, supra note 5 (“[T]he moment a spy subject sends or receives an
e-mail, a copy of the correspondence is forwarded to the spy.”).
133. See discussion supra Part II.B.2.
134. See Sullivan, supra note 5.
2003]
Striking a Balance
293
account, which will then register the e-mail on the company server.135 So
again, courts will be faced with measuring “ability” as it relates to “legality.”136 But it is not clear whether the ordinary business exemption will protect businesses that utilize the new monitoring technology, unless the
employer uses a back-up system that automatically stores all computer files,
including an employee’s e-mail messages.137
8. The employer owns the computer and e-mail system
Employers have been completely justified in examining anything on its
proprietary computers and e-mail system; it is not so clear, though, whether,
when an employee accesses a website that is protected by password, the employer has the right to examine information beyond the password, because
the employer does not own the website. The relevant question then becomes
whether the employer’s ownership of the computer and the network outweigh the employee’s privacy interest in information that is beyond the ownership of the employer. What was once a clear-cut answer has become a
factor in a balancing test.
9. The employee has consented to be monitored
The Smyth court ruled that, regardless of what the company officials had
stated, the employer was free to monitor the company, proprietary e-mail
accounts of its employees.138 Similarly, the plaintiffs in Garrity signed a
company policy and were able to view the policy on the company
database.139 The employee in TBG Insurance Services signed a company policy that computer use was for business purposes only and that the employer
could monitor the electronic communications of its employees.140 Since each
of these cases involved the company, proprietary e-mail system, it cannot be
assumed that general consent to monitor will also cover the web-based, personal e-mail accounts. The spyware that allows monitoring of such personal
accounts is a new innovation, with which many employees are not familiar;
this type of monitoring, therefore, will most likely need specific consent. As
such, absent specific consent to monitor web-based, personal e-mail ac135. See id.
136. See O’Connor v. Ortega, 480 U.S. 709, 717 (1987) (stating that constitutional
protection against unreasonable searches by the government does not disappear
merely because the government has the ability to make reasonable intrusions,
but that some government offices may be so open to fellow employees or to the
public that no expectation of privacy is reasonable.).
137. See Restuccia, at *2–3 (commenting on the ordinary business exemption as
requiring all e-mails to be captured and stored).
138. See Smyth, 914 F. Supp. at 101.
139. See Garrity, 2002 U.S. Dist. LEXIS 8343, at *2.
140. See TBG Ins. Servs., 117 Cal. Rptr. 2d at 157.
294
Computer Law Review and Technology Journal
[Vol. VII
counts, an employer will likely face liability for use of the new monitoring
technology on these types of e-mail accounts.
D. The Respondeat Superior Approach to Employer Liability for
Monitoring Employee E-mail
1. Respondeat superior and vicarious liability
The most widely adopted definition of respondeat superior is found in
the Restatement (Second) of Agency:
(1) Conduct of a servant is within the scope of employment if, but
only if: (a) it is of the kind he is employed to perform; (b) it occurs substantially within the authorized time and space limits; (c)
it is actuated, at least in part, by a purpose to serve the master, and
(d) if force is intentionally used by the servant against another, the
use of force is not unexpectable by the master.
(2) Conduct of a servant is not within the scope of employment if
it is different in kind from that authorized, far beyond the authorized time or space limits, or too little actuated by a purpose to
serve the master.141
The doctrine of respondeat superior provides a framework through
which an employer, despite using new technology, can avoid liability for
monitoring employee e-mail on web-based, personal accounts.142 It is
counter-intuitive to hold an employer liable for illegal acts committed by
employees over e-mail through respondeat superior without providing the
employer with the means to monitor any and all types of e-mail that could be
the basis of liability.
For example, although the reasoning in Booker led to a finding that the
employer was not liable for the acts committed by its employees, the court
referred to the finding as a “close call.”143 Additionally, intentional torts committed by employees were not held to fall categorically outside the scope of
employment.144 Ultimately, the finding of no liability was based on the content of the e-mail, which was deemed “most certainly not sent in furtherance
of Verizon’s business.”145 Also, the court was persuaded to hold the em141. RESTATEMENT (SECOND)
OF
AGENCY § 228 (2002).
142. See generally Erin M. Davis, supra note 27, at 713 (applying the theory of
respondeat superior to employer liability for computer and Internet based
crimes).
143. See Booker, 214 F. Supp. 2d at 750.
144. See id. at 749 (“While it is quite true that, as a general rule, intentional torts are
deemed to fall outside the scope of employment, this rule is far from
categorical.”).
145. See id. at 750. The court also noted that that the e-mail encouraged the recipient
to switch from Verizon to a different service. Id.
2003]
Striking a Balance
295
ployer not liable because the creation of false third-party e-mail accounts and
the intentional sending of offensive e-mails was not expected from company
employees.146 It follows that, after facing the Booker situation, it would be
more foreseeable to have a future occurrence of an e-mail with only slightly
different content, especially without safeguards such as monitoring of employee web-based e-mail in place. In this situation, the very factors that
worked in favor of the Booker employer might easily be turned upside down
according to the facts since the rule is not categorical.
Because of the ability employees have in their web-based, personal email accounts to circumvent protections that employers enjoy in monitoring
company, proprietary e-mail accounts, courts should apply respondeat superior to the traditional privacy analysis of electronic communications in the
workplace. This approach would allow employers to maintain their business
interests by legally taking advantage of new technology for monitoring employees’ web-based e-mail accounts without facing the liability that would
normally attach under the traditional privacy analysis. Such an approach
would necessarily minimize the increased expectation of privacy that employees may have in their web-based, personal e-mail accounts when they
are used in the workplace.
2. Within the scope of employment
As pointed out in Booker, in determining the liability of the employer in
vicarious liability cases, the first inquiry is whether the employee acted
within the scope of his employment.147 According to the Restatement definition of respondeat superior148 and the Booker holding, when an employee
acts outside the scope of his employment, his acts cannot be attributed to the
employer for purposes of liability. As in Booker, most plaintiffs can easily
prove the first two prongs of the “scope of employment” test.149 Liability,
then, usually turns on the last two prongs.
a. Whether the action is actuated by a purpose to serve the
employer
The Booker court found that the two employees did not act with a purpose to serve the employer because the content of the e-mail encouraged the
customer to switch to a different Internet Service Provider.150 This finding
seems clear in a third-party plaintiff case, but such a finding may not be so
clear in e-mail harassment and discrimination cases in which the plaintiff is a
co-worker of the employee tortfeasor.
146. See id.
147. See id. at 749.
148. See RESTATEMENT (SECOND)
OF
AGENCY § 228.
149. See Booker, 214 F. Supp. 2d at 750.
150. See id.
296
Computer Law Review and Technology Journal
[Vol. VII
Many companies maintain e-mail systems to encourage employees to email each other for business purposes and thereby improve internal corporate
communications. In addition, many companies encourage their employees to
e-mail in order to build camaraderie. Therefore, when employees e-mail each
other, these actions are actuated by a purpose to serve the employer. The
limits on the content of these e-mails are not as clear as in the Booker situation, especially when employees communicate from one web-based e-mail
account to another. When employees communicate exclusively by web-based
e-mail, they are virtually undetected by the employer unless monitoring is
allowed. Moreover, if legally prohibitory language is contained in the emails, questions of notice and foreseeability arise.
b. Whether the employee action is foreseeable to the employer
The Booker court found that intentionally sending offensive e-mails was
not expected of company employees, especially those working in customer
service.151 Yet Booker would have had a valid claim if she was able to prove
that Verizon had failed to supervise its employees.152 Booker alleged that
Verizon had a legal duty to supervise its employees, but failed to allege that
Verizon knew or should have known that the offending employees would act
as they did.153 Thus, the court was not required to analyze Booker’s claim for
negligent supervision.
While an employer could claim ignorance of discrimination of a coworker in the workplace, a court may be reluctant to allow an employer to do
nothing if an employee’s civil rights are violated. Nevertheless, it would be
very difficult for an employer to detect discrimination carried out over webbased, personal e-mail accounts. A hostile work environment in such a scenario could be avoided if the employer simply had the legal ability to monitor
its employees’ web-based e-mail accounts.154
On the issue of liability alone, one could argue that an employer, by not
monitoring web-based, personal e-mail accounts, could argue lack of notice
and not be found liable for any civil rights violations. But while intentional
torts committed by employees are usually not within the scope of employ-
151. See id.
152. See id. at 751.
153. See id.
154. See, e.g., Crawford v. Medina Gen. Hosp., 96 F.3d 830, 834-35 (6th Cir. 1996)
(requiring that to prove a hostile environment cause of action in an ADEA (The
Age Discrimination in Employment Act) context, a plaintiff must show (1) he
is in the protected class–40 years or older; (2) he was subject to harassment in
words or actions based on age; (3) the harassment had the effect of unreasonably interfering with the employee’s work performance and creating an intimidating hostile or offensive work environment; and (4) there exists some basis
for liability of the employer).
2003]
Striking a Balance
297
ment, “this rule is far from categorical.”155 Additionally, while turning a
blind eye may be successful in a limited number of factual scenarios, it will
do nothing to prevent the myriad of other types of crimes, such as misappropriation of trade secrets committed over web-based, personal e-mail accounts.156 In such damaging e-mail crimes as securities fraud, there is no way
to completely turn back the clock, yet monitoring of employee web-based email accounts could effectively minimize these described risks.
3. Exception to the Federal Wiretap Act
As discussed above, many of the criteria courts rely on to justify employer monitoring of employee use of the company, proprietary e-mail system will actually favor the employee when new monitoring technology is
utilized to monitor web-based, personal e-mail accounts.157 This heightened
expectation of employee privacy is diminished, however, when courts consider that web-based accounts create potential vicarious liability for employers. And this potential liability increases when employers choose not to
monitor. While almost all of the factors can be explained in this way to justify monitoring the web-based e-mail account, the issues surrounding the
Federal Wiretap Act need additional explanation.
eBlaster software creates an undetected, secret carbon copy e-mail that
is sent to the user of the software, presumably during the transmission of the
e-mail, which is in violation of the Federal Wiretap Statute, unless the e-mail
is business related.158 But according to the language of the Federal Wiretap
Act, there are exceptions either when a person is a party to the conversation
or when at least one party to the conversation has consented to interception.159 The Stored Communications Act also provides exceptions for (1) “the
person or entity providing a wire or electronic communication service”;160
and (2) “a user of that service with respect to a communication of or intended
for that user.”161
If an employer is to take advantage of the exemption from the Federal
Wiretap Act for business related e-mail, the employer will have to initially
monitor each e-mail from the web-based account to determine if the individual e-mail is business related, which means that all e-mails will be read. In
addition, a strict construction of an agency theory would make the agentemployee one and the same with the principal employer, thereby making the
employer a party to all conversations the employee has while in the work155. See Booker, 214 F. Supp. 2d at 749.
156. See discussion supra Part II.C.A.1.a–b.
157. See discussion supra Part IV.C.1–9.
158. See discussion supra Part IV.C.6.
159. See 18 U.S.C. § 2511(2)(d).
160. Id. § 2701(c)(1).
161. Id. § 2701(c)(2).
298
Computer Law Review and Technology Journal
[Vol. VII
place, and a “user” of the web-based e-mail account. Finally, specific consent
to monitor the employee’s web-based, personal e-mail account may be
gained from the employee, which would provide a third theory of exemption
from the Federal Wiretap Act.
V. AVOIDING CONFLICTS BETWEEN EMPLOYER
AND
EMPLOYEE
The controversy surrounding employer monitoring of employee e-mail
in the workplace will persist; nevertheless, steps can be taken to alleviate
conflicts between the competing interests of each party.
A. Separate Computers in Non-work Areas for Use During Nonwork Time
For businesses that do not rely on the Internet for distributing job assignments, an easy way to eliminate e-mail problems is to not install Internet
browsers on workstation computers, thereby removing the threat of employee
activities on personal, web-based e-mail accounts. Further, companies could
continue to maintain their proprietary e-mail systems for company use and
monitor employee e-mail according to the current state of the law. As a benefit to employees, the employer could create a separate network of computers
with Internet browsers but without company e-mail. This setup would prevent the possibility of copying and pasting confidential or offensive information from company e-mail to personal e-mail. Employees would still have the
opportunity to enjoy the Internet during non-work times, such as before and
after work and during lunch and other breaks. Such a configuration would
favor employers in the second prong of a scope of employment test—
”whether the action occurred substantially within the authorized spatial and
temporal limits of the employment”162—thereby making employees ultimately liable for their own crimes.
For businesses that rely on the Internet for job assignments, software is
available that can monitor user patterns, enabling an employer to find out
which sites employees are visiting and how often they are visited; such
software thus allows the employer to investigate web-based e-mail use.163
Once the employer concludes that the frequently-visited websites are not
work-related, it can use its technology to block those sites.
B. New Technology Inhibiting E-mail Functions
New technology like the e-mail policy solution created by Omniva Policy Systems allows companies to “exchange secure, confidential emails
within and beyond the corporate boundaries without requiring any special
software, downloads, or additional steps to read the protected email
162. See Booker, 214 F. Supp. 2d at 749.
163. See Jay P. Kesan, supra note 30, at 331-32 (citations omitted).
2003]
Striking a Balance
299
messages.”164 The Omniva system allows for the following functions and email policies:
• Confidentiality—Messages can be sent as ‘company confidential’ and
cannot be read outside the company or as ‘do not forward’ and cannot
be read by anyone but the original recipients;
• Retention—Messages and attachments can be set to expire after a
specified amount of time in compliance with corporate policies. After
expiration, these messages are deleted, including all copies of the
message–wherever they reside;
• Privacy—Omniva Policy Manager Enterprise Edition allows users to
easily block the ability to copy and paste, as well as print a
message.165
This technology decreases the need for strict employee monitoring,
while allowing employers to enjoy the financial benefits of company e-mail.
Moreover, the misappropriation of confidential company information will not
be so easily perpetuated.
C. Employee Purchases Own Computer and Uses Own Network
Courts have often relied on the argument that an employer can freely
view any files stored on a company-owned computer.166 Interestingly, the
fact that an employee owns the computer from which e-mail messages are
sent does not determine whether the sent messages can be monitored.167 The
dispositive element for determining the propriety of monitoring is the ownership of the computer where e-mail messages are stored. But when e-mail
messages are sent, the dispositive element is the ownership of the network
connection. Depending on his desire to protect personal e-mail messages, an
employee can purchase a laptop to bring to work and store personal e-mail
files, or he can connect to the Internet using an alternate network connection,
perhaps a wireless connection, to keep his sent e-mail messages confidential.
D. Electronic Communications Company Policy
An employer should require specific consent from its employees to
monitor company, proprietary e-mail accounts and web-based, personal email accounts.168 A company policy should not be simply read and signed by
the employee but should be first explained by the employer before signing;
the employee should then be reminded often of the policy so that there can be
164. ITsecurity.com, Omniva Unveils Omniva Policy Manager Enterprise Edition
for Secure Email Policy, Aug. 25, 2002, available at http://www.itsecurity.com/
tecsnews/aug2002/aug152.htm (last visited Feb. 26, 2002).
165. Id.
166. See TBG Ins. Servs., 117 Cal. Rptr. 2d at 160–61.
167. See Smyth, 914 F. Supp. at 98.
168. See discussion supra Part IV.C.9.
300
Computer Law Review and Technology Journal
[Vol. VII
no mistake. For purposes of notice and enforcement, the main points of the
electronic communications policy could be displayed at a log-in screen each
time employees’ computers are activated.
VI. CONCLUSION
Although employers maintaining company, proprietary electronic mail
systems face many liabilities for the acts of their employees, the overall financial benefits outweigh those liabilities. To limit their liabilities, companies engage in monitoring of employee e-mail use of company, proprietary email accounts. Since many employees have moved their personal e-mail activity and potentially threatening activity to web-based, personal e-mail accounts, new technology has evolved to allow employers to monitor
employees’ web-based e-mail accounts. Applying the traditional line of reasoning in balancing employer interests and employee privacy, courts would
most likely find the new monitoring technology illegal. But when the employees’ expectations of privacy are viewed through the respondeat superior
doctrine, the new monitoring technology apparently serves a legitimate, legal
purpose. Employers and employees have competing interests regarding the
issue of e-mail in the workplace, but firm guidelines and policies can result
in compromises in which respective interests are served and conflicts are
avoided.