1. No category

accessing employee e-mail, voice mail and internet

American Bar Association
Section of Labor and Employment Law
2002 Technology Committee
Midyear Meeting
ACCESSING EMPLOYEE E-MAIL,
VOICE MAIL AND INTERNET:
CHECKING YOUR PRIVACY RIGHTS AT THE FRONT DOOR
Douglas E. Dexter
O’Melveny & Myers
Embarcadero Center West
275 Battery Street
San Francisco, California 94111-3305
i
© 2002 American Bar Association
http://www.bnabooks.com/ababna/tech/2002/dexter.doc
TABLE OF CONTENTS
Page
INTRODUCTION: The Ever Growing Problem
FEDERAL SOLUTIONS
I. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 1986
A. General Overview and Background......................................................................................2
B. Title I: The Prohibition Against Intercepting Electronic Communication............................3
C. Title II: The Prohibition Against Accessing Stored Electronic Communication..................5
D. The Exceptions for the Interception of and Access to Electronic Communication ..............6
E. Other Limitations.................................................................................................................11
F. Disclosure Under Title I and Title II ...................................................................................12
G. Damages Under the ECPA..................................................................................................13
II. THE FOURTH AMENDMENT
A. Public Employers: ...............................................................................................................13
B. Internet and E-mail Case Examples ....................................................................................14
C. Impact for Public Employer ................................................................................................15
STATE SOLUTIONS
I. CONSTITUTIONAL RIGHT TO PRIVACY
A. State Constitutional Provisions ...........................................................................................16
i
© 2002 American Bar Association
http://www.bnabooks.com/ababna/tech/2002/dexter.doc
II. COMMON LAW RIGHT TO PRIVACY
A. State Constitutional Right to Privacy..................................................................................16
B. Case Examples ....................................................................................................................17
C. Summary
III.
STATE STATUTES
A. Summary .............................................................................................................................18
B. Pro Employee ......................................................................................................................19
C. Pro Employer.......................................................................................................................20
D. Case Examples ....................................................................................................................20
THE CURE: A POLICY
I. WHY YOU NEED A POLICY
A................................................................................................................................................22
B................................................................................................................................................22
C................................................................................................................................................22
II. WHAT YOU SHOULD PUT INTO YOUR POLICY
A. Initial Questions ..................................................................................................................22
III. THE WRITTEN PRODUCT .....................................................................................................22
IV. GIVING EMPLOYEES NOTICE OF THE POLICY ....................................................................23
ii
© 2002 American Bar Association
http://www.bnabooks.com/ababna/tech/2002/dexter.doc
1
Accessing Employee E-Mail, Voice Mail and Internet:
Checking Your Privacy Rights at the Front Door
Doug Dexter
O’Melveny & Myers
INTRODUCTION: THE EVER-GROWING PROBLEM
With the successful, almost uneventful, advent of the twenty-first century, society is
driving full force on the vastly expanding information superhighway. But, as with any
expanding venture, many bumps have been encountered along the way. One of the biggest
roadblocks has occurred in the realm of employment law. With the increasing number of
companies providing their employees with E-mail, voice mail and Internet access, issues have
arisen as to what rights an employer has over these resources. Once again we are faced with the
age-old problem, employee vs. employer, but now there is an Orwellian twist. On one hand, the
employees claim that these mediums of communications are private and Big Brother, the
employer, should stay out. On the other hand, the employers argue that they need to monitor
these mediums not only to run a successful business, but also to ensure against potential liability
that may arise from an employee’s use of these systems. The following scenarios illustrate the
issues concerning the monitoring of E-mail, voice mail and employee Internet access:
‰
Securities Violations: An employee of a securities firm claimed to have evidence on his
voicemail of regulatory violations by a senior company official, and threatened to reveal
the information if any adverse personnel action were taken against him. He also refused
to disclose his voicemail password and threatened legal action if the company broke into
his voicemail to retrieve the information.
‰
Hostile Work Environment: Employers have been subject to race discrimination suits
based on racial E-mails sent on the companies’ systems around the office by other
employees.
‰
Employee Relations: In 1995, Michael Huffcut, a manager at a McDonald’s was fired
after exchanging impassioned voicemail messages with another employee with whom he
was having an extramarital affair. A co-worker retrieved the “steamy” romantic
messages and played them for Huffcut’s boss and wife. Huffcut sued McDonald’s and
the franchise owner under the Electronic Communications Privacy Act, a state anti-wire
tapping statute, and for various intentional torts. Huffcut sought $3 million dollars in
damages.
‰
Trade Secrets: In 1992, Eugene Wang, a vice-president at Borland International,
defected to a rival computer software maker, but not before allegedly forwarding trade
secrets via MCI Mail. Borland pressed charges against Wang based on the E-mails it
discovered by obtaining his password. Wang was indicted, but defended himself by
1
© 2002 American Bar Association
http://www.bnabooks.com/ababna/tech/2002/dexter.doc
accusing Borland of violating the Electronic Communications Privacy Act’s ban on
tapping messages sent on commercial E-mail lines.
While case law on the issue of monitoring employee E-mail, voice mail and Internet
access is relatively sparse, the cases that are out there provide some guidance as to how
employers should, and can, act in this increasingly sensitive area of electronic monitoring.
Undoubtedly, employees and their lawyers are also looking at the various legal avenues available
to them in order to combat “Big Brother.” As employer monitoring becomes more prevalent,
employees are looking for increased privacy protections under statutory and common law. The
following materials will help explain what steps an employer may be able to take, as well as the
legal roadblocks that may occur along the way.
FEDERAL SOLUTIONS: EXISTING LEGISLATION
•
The Electronic Communications Privacy Act of 1986
The Electronic Communications Privacy Act of 1986 [the “ECPA”] is the most current
and comprehensive piece of federal legislation dealing with the interception of and access to
electronic communications such as E-mail and voice mail. 18 U.S.C. §§ 2510-21, 2701-10,
3117, 3121-26 (1994).
General Overview and Background
‰
ƒ
Enacted in 1986, the ECPA amended Title III of the
Omnibus Crime Control and Safe Streets Act of
1968 [“Crime Control Act”]. The Crime Control
Act, in its original form, provided protection for the
“old fashion” means of communication, such as the
telephone, by placing restrictions on the
wiretapping and eavesdropping of these means of
communication. The ECPA, in essence,
modernized the Crime Control Act to expand the
restrictions to all forms of “electronic
communication,” including specifically E-mail and
voice mail transmissions. See 1986 U.S.C.C.A.N.
3555, 3568; 18 U.S.C. § 2511(1)(a).
ƒ
The ECPA can be broken down into two parts,
generally referred to as Title I and Title II. Title I
of the ECPA prohibits the interception of electronic
communications. See 18 U.S.C. § 2510, et seq.
Title II of the ECPA prohibits the unauthorized
access of stored communications. See 18 U.S.C. §
2701, et seq. The distinctions between the two
sections are critical in determining the damages
2
available to an individual, the admissibility of
evidence, and the ability of the government to
obtain certain information. See, e.g., United States
v. Smith, 155 F.3d 1051, 1056 (9th Cir. 1998)
(noting that Title II of the ECPA does not provide
an exclusion of evidence remedy), cert. denied, 119
S. Ct. 804 (1999).
3
‰
Title I: The Prohibition Against Intercepting Electronic
Communications.
(1)
Except as otherwise specifically provided in this
chapter any person who—
(a)
intentionally intercepts, endeavors to
intercept, or procures any other person to
intercept or endeavor to intercept, any wire,
oral, or electronic communication . . . .
shall be punished . . . or shall be subject to
suit . . . .
18 U.S.C. § 2511(1)(a).
ƒ
‰
What constitutes interception?
•
“Interception” is defined as “the aural or
other acquisition of the contents of any wire,
electronic, or oral communication through
the use of any electronic, mechanical, or
other device.” 18 U.S.C. § 2510(4).
•
The interception must be “intentional.” 18
U.S.C. § 2511(a).
•
Limitation on the term “intercept:”
Interception must be during transmission Under the
dictates of a search warrant, the Secret Service seized the
plaintiff’s computer hardware, which contained private Emails, in order to determine whether or not certain files
were stolen. The key issue before the court was whether or
not the act of seizing the computer with the stored E-mails
constituted an interception in violation of the ECPA. The
court held that it did not. After struggling with the
definitions under the ECPA, the court found that stored Emails could not be “intercepted” by the definition of the
term. See Steve Jackson Games, Inc. v. United States
Secret Service, 36 F.3d 457, 461-62 (5th Cir. 1994); see
also Wesley College v. Pitts, 974 F. Supp. 375, 385-87 (D.
Del. 1997) (finding that electronic communications already
4
in storage cannot be intercepted under Title I), aff’d, 172
F.3d 861 (3d. Cir. 1998).
‰
Voice Mail v. E-mail Interception A co-worker gained
access to another employee’s voice mail system and
discovered that the employee may have committed
securities fraud. The co-worker recorded the message,
which ultimately started an SEC investigation and led to
the indictment of the employee. The indicted employee
attempted to suppress the voice mail as evidence claiming
that it was obtained in violation of the ECPA.
The issue before the court was whether or not the retrieval
of the voice mail in issue was an interception under Title I
of the ECPA. The court found that while the statute did not
indicate that a stored electronic communication, such as Email, can be “intercepted,” the language of the statute
indicated that wire communications, such as voice mails,
could be intercepted even when they were in storage. Thus,
the interception of wire communications does not need to
be contemporaneous with the transmission. See Smith, 155
F.3d at 1059 (finding that the voice mail message was
impermissibly intercepted and subject to exclusion under §
2515 of the ECPA).
ƒ
What does this section mean? This section
prohibits an employer from intentionally listening
to, or obtaining the contents of, the communications
of another individual, such as telephone calls and
voice mail messages during the transmission of the
message. Thus, this could apply to an employer
who intentionally listens to an employee’s
telephone calls or voice mails. However,
employees have not been successful in applying this
provision to E-mail.
Both Steve Jackson Games and Wesley College indicate that the
interception of an employee’s E-mail will only violate Title I of the ECPA
if the employer intercepts the E-mail while the message is “en route.” Emails that are already in “storage” cannot be deemed intercepted under
Title I of the ECPA. Therefore, an employee contesting an employer’s
accessing of the employee’s stored E-mail must look to Title II of the
ECPA for guidance. However, as Smith suggests, an employer can be
found liable for accessing an employee’s voice mail when it is in transit
5
and when it is in storage. See Tatsuya Akamine, Proposal for a Fair
Statutory Interpretation: E-Mail Stored in a Service Provider Computer is
Subject to an Interception under the Federal Wiretap Act, 7 J.L. & POL’Y
519 (1999) (illustrating the various judicial distinctions between the term
intercept and recommending a consistent reading of interception for Email and voice mails).
‰
(a)
Title II: The Prohibition Against Accessing Stored
Electronic Communications.
Offense.—Except as provided in subsection (c) of
this section whoever—
(1)
intentionally accesses without authorization
a facility through which an electronic
communication service is provided; or
(2)
intentionally exceeds an authorization to
access this facility;
and thereby obtains, alters, or prevents authorized
access to a wire or electronic communication while
it is in electronic storage in such a system shall be
punished . . . .
18 U.S.C. § 2701(a).
ƒ
What is unauthorized access? The courts have
found that unauthorized access occurs where an
individual gains entry to a stored communications
facility and retrieves the stored electronic
communication. See Bohach v. City of Reno, 932
F. Supp. 1232, 1236 (D. Nev. 1996); cf. United
States v. Smith, 155 F.3d 1051, 1058-59 (9th Cir.
1998) (finding that the mere entry into a stored
communications facility constituted unlawful
access), cert. denied, 119 S. Ct. 804 (1999).
However, the holding of Smith may effectively
restrict the use of Title II to E-mails and not voice
mails. See id. at 1059 (finding that voice mails,
unlike E-mails, already in storage, can be
intercepted under Title I).
6
‰
ƒ
What does this provision mean? Title II prevents
employers from accessing stored communications,
such as E-mails and voice mails, unless the
employer falls under one of the ECPA’s exceptions.
ƒ
Securities Industry: Certain rules and regulations
within the securities industry require the retention
of outgoing communications, such as E-mails.
Exchange Act Rule 17a-4(b)(4) requires brokers to
retain all communications sent and received
“relating to his [or her] business as such” for three
years. See 17 C.F.R. § 240.17a-4 (1999); see also
Reporting Requirements for Broker Dealers Under
the Securities Exchange Act, Exchange Act Release
No. 34-38245, 1997 WL 46859 (Feb. 5, 1997)
(finding that the contents of the E-mail should be
reviewed in order to determine if it is “business as
such”). The NASD requires the retention of
correspondence of “registered representatives
relating to its investment banking or securities
business . . . .” See NASD Manual (Conduct Rules)
R. 3010(d)(3).
The Exceptions for the Interception of and Access to
Electronic Communications: An employer will be held
liable under Title I of the ECPA for the interception of the
electronic communications of an employee, and Title II of
the ECPA for the unauthorized access of stored electronic
communications, unless the employer falls within one of
three exceptions:
•
The Consent Exception: An exception allowing interception or
access if one of the parties to the communication consents. See 18
U.S.C. §§ 2511(2)(d); 2701(c)(2).
•
The Business-Extension Exception: An exception allowing
interception if done by a device provided by the communications
provider or subscriber and done in the interceptor’s ordinary
course of business. See 18 U.S.C. § 2510(5)(a)(i).
•
The Provider Exception: An exception allowing providers of wire
or electronic communications services to monitor their lines to
ensure adequate service. See 18 U.S.C. §§ 2511(2)(a)(i);
2701(c)(1).
7
ƒ
The Consent Exception: The ECPA provides that
a person will not be liable for intercepting an
electronic communication if one of the parties
consents to the interception before the
communication is made. See 18 U.S.C. §
2511(2)(d).
•
Notice: Employer notified employees that it
would monitor their business telephone
calls, and would only monitor the
employee’s personal calls to determine
whether or not they were business related.
Employer monitored a conversation between
two employees regarding a job interview
one of them had with another company. The
employee brought suit under the ECPA.
The key issue for the court was whether or
not the employer’s notice to the employees
that their business calls were monitored fell
under the consent exception to the ECPA.
The court found that it did not.
The court determined that the employer’s policy constituted
employee consent only to the monitoring of business calls, but did
not extend to personal calls. The court found that “knowledge of
the capability of monitoring alone cannot be considered implied
consent” and that courts will imply consent only when the
employee knew or should have known of a policy of constantly
monitoring calls, or importantly, when the employee conducts a
personal conversation over a line that is explicitly reserved for
business. See Watkins v. L.M. Berry & Co., 704 F.2d 577, 581
(11th Cir. 1983).
•
8
Implied Consent: Employee consent can be
implied, but the prevailing cases indicate
that the employee must receive some type of
implicit notice. The courts will look at the
surrounding circumstances to determine
whether or not the employee knew or should
have known that the communications were
monitored. See, e.g., Deal v. Spears, 980
F.2d 1153, 1157 (8th Cir. 1992) (noting that
an employee obviously did not have notice
of the employer’s monitoring because the
true purpose behind the monitoring of the
employee’s calls was to investigate a
burglary); Griggs-Ryan v. Smith, 904 F.2d
112, 118 (1st Cir. 1990) (finding that
plaintiff had notice of the monitoring where
landlady informed him that she was going to
start monitoring phone calls); Bohach v.
City of Reno, 932 F. Supp. 1232, 1237 (D.
Nev. 1996) (indicating that consent to have
stored communications accessed could be
implied by an employee’s use of a companyowned computer); Simmons v.
Southwestern Bell Tel. Co., 452 F. Supp.
392, 396 (W.D. Okla. 1978) (implying
consent where plaintiff made personal calls
on phone lines reserved for business that
plaintiff knew were monitored for quality
control), aff’d, 611 F.2d 342 (10th Cir.
1979).
‰
Securities Industry: Implied consent to monitor employee
phone calls and E-mails can be found in the monitoring
requirements for the various exchanges. For example, the
NASD and the NYSE require firms to implement review
policies for outgoing correspondence, including electronic
communications such as E-mail, with the public. See NASD
Manual (Conduct Rules) R. 3010(1)-(2); NYSE Rules of Board
(Communications with the Public) R. 472. Under the NASD
rules, these communications include: advertisements, sales
literature and correspondence, including electronic
communications. See R. 2210(a).
•
9
Impact for Employers: Employee consent
will not easily be found in regard to E-mail
and voice mail monitoring unless the
employee gives actual consent, or the
circumstances illustrate that the employee
knew about the monitoring. While implied
consent could be found with respect to
broker-dealers given the NASD and NYSE
regulations, employers can increase the
likelihood that implied consent will be found
if they place employees on notice of
electronic monitoring by adopting a
comprehensive electronic communications
policy and abiding by the policy’s limits.
See Watkins, 704 F.2d at 585 (indicating
that implied consent will not be found when
monitoring exceeds the terms of the
company policy).
ƒ
The Business-Extension Exception: The ECPA
prohibits a person from “willfully us[ing] . . . any
electronic, mechanical, or other device to intercept
oral communication[s].” 18 U.S.C. § 2511(1)(b).
However, the ECPA exempts the use of electronic
devices to intercept communications by a
“subscriber or user” furnished to them by a
“provider of wire or electronic communication
service” in the ordinary course of business. See 18
U.S.C. § 2510(5)(a). This exception also exempts
interceptions made by a “provider of . . . [an]
electronic communication service” in the ordinary
course of its business. See id.
•
‰
In order to be eligible for this exception, an
employer must first show that the
intercepting device it used is an instrument
used in the ordinary course of business. See
18 U.S.C. § 2510(5)(a). The most usual
example of this is monitoring employee
phone calls in the ordinary course of
business with telephonic equipment
provided by the phone company or other
service provider. See, e.g., Sanders v.
Robert Bosch Corp., 38 F.3d 736, 740-41
(4th Cir. 1994) (finding that a “voice logger”
was not an instrument used by the employer
in the ordinary course of business because it
did not “further the employer’s
communication system”); see also Deal v.
Spears, 908 F.2d 1153, 1158 (8th Cir. 1992)
(finding that in order to prevail under this
exception, “the intercepting equipment must
be furnished to the user by the phone
company or connected to the phone line, and
it must be used in the ordinary course of
business”).
Assuming that the intercepting device used by the employer to monitor is
equipment used within the ordinary course of its business, the courts
10
will analyze whether the actual monitoring itself is in the ordinary
course of business. The courts have applied a context or a contentbased analysis to determine if the actual monitoring is being made
within the ordinary course of business. If the monitoring is not made
within the ordinary course of business, the employer’s actions will not
fall under this exception.
•
Context-Based: Courts applying the
context-based analysis have focused on the
surrounding circumstances of the actual
interception. One key factor that the courts
have looked at is whether or not the
employee had notice of the monitoring.
o Notice of Business-Related
Employer Policy: An employer set
up a telephone monitoring system to
monitor its employees’ business
transactions. After providing notice
to the employees, and after no
employee protested, the telephone
company installed the system. Later,
an employee brought suit alleging
that the employer violated the federal
wiretapping law. The court
determined that the employer’s
action fell squarely within the
business-extension exception
because the installation was fully
disclosed in advance to the
employees and was for a legitimate
business purpose. See James v.
Newspaper Agency Corp., 591 F.2d
579, 582 (10th Cir. 1979).
o Scope of Policy: Suspicious that an
employee had helped to aid in the
robbery of the employer’s store, the
employer monitored the employee’s
calls at work with a recording
device. The employee was
terminated when the employer
recorded her selling one of its
products at a discounted rate. The
employee brought suit alleging that
11
the employer violated the federal
wiretapping laws. The court found
that the interception of these calls did
not fall within the business-extension
exception, and thus, held the
employer liable under the act. The
court determined that because the
majority of the calls intercepted were
personal calls, not business-related
calls, the exception did not apply.
The court also noted that the
employer did not make any effort to
ensure the calls recorded were
business-related in order to limit the
interception of personal calls. See
Deal, 980 F.2d at 1158-59.
•
Content-Based: Courts applying the
content-based analysis have focused on
whether the intercepted communication is a
“business” communication and, thus,
lawfully intercepted. As a general rule, an
employer can lawfully intercept businessrelated communications; however, the
employer is limited to monitoring personal
calls to the extent necessary to determine if
the content of the calls is business-related.
o Personal v. Business Related
Monitoring: The monitoring of an
employee’s personal calls is in the
ordinary course of business when
necessary to guard against the
unauthorized use of the telephone;
however, the employer must cease
listening to the call once the personal
nature of the call is determined.
Therefore, recording of an
employee’s phone call concerning
the employee’s interview with
another company did not fall within
the ordinary course of business
exception since it was a “personal
matter, neither in pursuit nor to the
12
legal detriment of” the business. See
Watkins, 704 F.2d at 582-84.
o The Fifth Circuit found that a
supervisor’s monitoring of a business
call where an employee divulged
trade secrets was permissible and
within the ordinary course of
business. The court stressed,
however, that its decision would
have been different had the
supervisor monitored a personal
portion of any conversation or had
the supervisor engaged in a general
practice of surreptitious monitoring.
See Briggs v. American Air Filter
Co., 455 F. Supp. 179, 181 (N.D. Ga.
1978), aff’d, 630 F.2d 414, 420 (5th
Cir. 1980).
o The monitoring of telephone
conversations between co-employees
concerning “scurrilous remarks”
about supervisory employees was
permissible. The court found that
the conversations were not personal
because they occurred between coemployees during office hours and
they involved remarks about
“supervisory employees in their
capacities as supervisors.” The court
determined that an employer had a
legal interest in the “potential
contamination of a working
environment.” Epps v. St. Mary’s
Hosp., Inc., 802 F.2d 412, 416-417
(11th Cir. 1986).
•
13
Impact for Employers: The extent to which
the business-extension exception applies to
employer monitoring of E-mail is unclear.
Historically, this exception was used to
uphold the monitoring of employee phone
calls within the ordinary course of the
employer’s business. However, the statute
was amended to include language which
exempts interceptions made by a provider of
an “electronic communications service”
made within the ordinary course of business.
Arguably, this may include the providers of
an E-mail system. However, there is debate
over whether or not an employer would
qualify as a “provider” of its internal E-mail
system, and how the requirement that the
intercepting device be a form of telephonic
equipment would apply to E-mail.
ƒ
The Provider Exception: The provider exception
exempts system providers from the ECPA’s
prohibitions on both access to and disclosure of
intercepted communications.
•
The ECPA provides that:
[i]t shall not be unlawful under this chapter for an operator of a
switchboard, or an officer, employee, or agent of a provider of
wire or electronic communication service, whose facilities are
used in the transmission of a wire communication, to intercept,
disclose, or use that communication in the normal course of his
employment while engaged in any activity which is a necessary
incident to the rendition of his service or to the protection of the
rights or property of that service.
18 U.S.C. § 2511(2)(a)(i).
•
Providers are also exempted from the
ECPA’s prohibition against accessing and
disclosing stored communications as well.
See 18 U.S.C. § 2701(c)(1).
•
Impact on Employers: The service provider
exception would permit employer
monitoring of electronic communications
where an employer was found to be a
“provider” of its E-mail system, and where
the monitoring was within the ordinary
course of business. However, there is little
law on the subject. While courts most likely
would find that public companies such as
A.O.L. and Prodigy are service providers,
there is debate over whether or not an
14
employer would be a “provider” of its
internal e-mail system. However, one court
has determined, albeit in dicta, that the
ECPA is not violated “‘if the person or
entity providing a wire or electronic
communication’ intentionally examines
everything on the system.” Flanagan v.
Epson America, Inc., No. BC007036, 5-6 &
n.1 (Cal. Sup. Ct. Jan. 4, 1991).
The investigation by a public employer of a police officers’ alleged
misuse of the department’s computerized, alphanumeric paging
system, which included retrieving messages stored on the system,
fell within the provider exception to the ECPA. The court found
that the police department, as system provider, “was free to access
the stored messages as it pleased.” Bohach v. City of Reno, 932 F.
Supp. 1232, 1237 (D. Nev. 1996); see also, United States v.
Monroe, No. 99-0536, 2000 WL 276509, *4 (C.A.A.P. Mar. 13,
2000) (noting in dicta that the Government’s actions were
permissible under the ECPA because it was “the provider of [an]
electronic communications service . . . [and was] specifically
exempted from any statutory liability for unlawful access to stored
electronic communications.”).
‰
Other Limitations: The ECPA protects only electronic
communications that “affect[] interstate or foreign
commerce.” 18 U.S.C. § 2510(12). Thus, it is questionable
as to whether or not the ECPA covers local intra-company
E-mail systems at all. Congress has specifically noted,
however, that wire communications such as voicemail
systems affect interstate or foreign commerce and,
therefore, are in the protection of the statute. See 1986
U.S.C.C.A.N. 3555, 3568.
‰
Disclosure under Title I and Title II:
ƒ
Title I of the ECPA prohibits a person from
intentionally disclosing the contents of an electronic
communication that the individual knows was
intercepted in violation of the statute. See 18
U.S.C. § 2511(1)(c).
•
15
Exclusion: For example, in the United
States v. Smith, the court found that
information of a securities violation
obtained from an illegally intercepted voice
mail would have been excluded from
evidence had the contents of the voice mail
been the only way the SEC had known about
the violation. While the court allowed the
evidence of the violation into trial, the court
excluded the actual voice mail message. See
155 F.3d 1051, 1059 (9th Cir. 1998) (finding
that § 2515 of the ECPA requires the
exclusion of illegally obtained
communications from evidence), cert.
denied, 119 S. Ct. 804 (1999).
•
Application of Smith to E-mail: The
holding of Smith states that E-mails cannot
be intercepted under Title I of the ECPA
once they are in storage. Therefore, the
exclusion of evidence remedy under § 2515
of the ECPA would not apply to E-mail.
Furthermore, Title II of the ECPA does not
have an exclusion of evidence remedy.
ƒ
Title II of the ECPA prohibits a provider of
electronic communications services to the public
from disclosing the contents of any electronic
communication in storage. See 18 U.S.C. §
2702(a)(1). However, one court has found that an
internal E-mail system does not qualify as a public
provider system and is not subject to the ECPA.
See Andersen Consulting LLP v. UOP, 991 F.
Supp. 1041, 1043 (N.D. Ill. 1998) (finding that
providers of electronic services are not liable under
the ECPA for disclosing the contents of an E-mail
unless they provide service to the general public and
a corporation’s internal E-mail system was not a
public electronic system).
ƒ
Exceptions: A public provider can disclose the
contents of an intercepted communication or a
communication in electronic storage where:
o one of the parties to the communication gives consent;
o an authorized person needs to review the communication to
forward the message to its destination;
o disclosure is “necessarily incident to the rendition of the
16
service or to the protections of the rights or property of the
provider of that service;” or
o the information is disclosed to a law enforcement agency
and was “inadvertently obtained” by the provider and
appears to “pertain to the commission of a crime.” See 18
U.S.C. §§ 2511(3)(b)(i)-(iv); 2702(b)(1)-(6).
‰
Damages under the ECPA
ƒ
ƒ
•
Title I: Interception
•
Criminal Penalties: A violation of Title I
may result in a fine or a prison sentence of
no more than five years. See 18 U.S.C. §
2511 (4)(a).
•
Civil Penalties: A successful plaintiff may
receive damages the greater of: (1) the
actual damages plus any profits made by the
violator; (2) $10,000; or (3) $100 a day for
each violation. See 18 U.S.C. § 2520(c).
The ECPA further allows a prevailing
plaintiff to recover punitive damages,
attorneys’ fees and other reasonable
litigation costs. See 18 U.S.C. § 2520(b).
Title II: Access
•
Criminal Penalties: A violation of Title II
may result in a fine or imprisonment for no
more than two years, depending on the
malicious nature of the act. See 18 U.S.C. §
2701(b)(1).
•
Civil Penalties: A successful plaintiff may
recover: (1) actual damages, and (2) any
profits made by violator, which will be no
less than $1000. The plaintiff may also
recover compensatory and punitive
damages, as well as attorney’s fees. See 18
U.S.C. § 2707.
The Fourth Amendment
The rights of the people to be secure in their persons, houses,
17
papers, and effects, against unreasonable searches and seizures,
shall not be violated . . . .
U.S. CONST. amend. IV.
‰
‰
Public Employers: For a public employer, the Fourth
Amendment may raise additional areas of concern in
relation to an employer’s ability to monitor an employee’s
E-mail, voice mail or Internet access.
ƒ
The Supreme Court has determined that public
employees have, to a certain degree, a reasonable
expectation of privacy in the workplace. See
O’Conner v. Ortega, 480 U.S. 709, 719-20 (1987).
In making the
determination as to whether or not an employee has
a reasonable expectation of privacy, the Court will
weigh the employee’s privacy right with the
employer’s legitimate need to control and manage
the work environment. See id.
ƒ
However, based upon the Supreme Court’s edicts,
courts have generally permitted employee searches
under the Fourth Amendment, particularly when the
company rules permit the search or when a
company policy bans the conduct being
investigated. See, e.g., American Postal Workers
Union v. United States Postal Serv., 871 F.2d 556,
560 (6th Cir. 1989) (upholding locker searches
based on a union contract); Chicago Firefighters
Union, Local 2 v. Chicago, 717 F. Supp. 1314, 1319
(N.D. Ill. 1989) (enforcing job regulations that
stated employee lockers were subject to search).
Internet and E-mail Case Examples:
ƒ
No expectation of privacy in Internet use where
known policy: Government office monitored its
employees’ Internet connections with a “firewall.”
During a routine check on the system, an employee
noticed that defendant had made many visits to sexrelated Internet sites. During an investigation on
the defendant’s Internet usage, the government
employer found that the defendant had accessed
several web pages depicting child pornography. At
trial for receipt of child pornography, the defendant
18
moved to suppress the evidence under the Fourth
Amendment arguing that he had an expectation of
privacy in his Internet use. The court disagreed.
The court determined that because the government
employer had a known office “practice or
procedure” allowing it to audit employee Internet
use, the defendant could not claim to have a
reasonable expectation of privacy in his Internet
use. Furthermore, in balancing the employer’s
ability to supervise and control the office with the
defendant’s expectation of privacy, the court found
that the government’s need to conduct the
investigation outweighed the defendant’s privacy
right. See United States v. Simmons, 29 F. Supp.
2d 324, 327-28 (E.D. Va. 1998), aff’d in part,
remanded in part by No. 99-4238, 2000 WL 223332
(4th Cir. Feb. 28, 2000).
ƒ
Expectation of privacy in private service provider:
An Air Force Colonel subscribed to America Online
[“AOL”] for E-mail services. During an FBI search
to uncover the transmission of child pornography on
the Internet, it was uncovered that the Colonel may
have received these pornographic E-mails. The Air
Force searched the Colonel’s quarters and seized his
computer. Three computer files were pulled from
the Colonel’s computer and admitted into evidence
as depicting child pornography. The Colonel was
court-marshaled. The court found that the Colonel
had a reasonable expectation of privacy in his AOL
E-mail system. Applying the Fourth Amendment
balancing test, the court determined that it was
reasonable for an individual to believe that the
police would not intercept E-mails sent through a
private E-mail provider such as AOL. The court,
however, indicated that this expectation of privacy
was limited to E-mails sent from person-to-person,
not those sent to public chat rooms. See United
States v. Maxwell, 45 M.J. 406, 417-19 (C.A.A.F.
1996). But see, United States v. Monroe, No. 990536, 2000 WL 276509, * 4 (C.A.A.F. Mar. 13,
2000) (finding that an individual did not have a
reasonable expectation of privacy in e-mail where
Government both owned and operated the system
19
and had a clear policy informing users that their Emails could be monitored).
‰
Impact for Public Employers: Simmons indicates that an
employee, using the employer’s computer system, does not
have a reasonable expectation of privacy in his or her
Internet use. This becomes even more compelling where
the employee knew that the employer had a policy of
monitoring Internet use. This same rationale should apply
to employee E-mails as well. If the employer had a policy
of checking or monitoring E-mails sent on a companyowned computer, and followed the parameters of the
policy, the employee probably would not have a reasonable
expectation of privacy in the communication. Maxwell,
however, limited this rationale and held that an individual
does have a limited expectation of privacy in his or her Emails sent through a private service, such as AOL, on a
home computer.
20
STATE SOLUTIONS
Not only do employers have to contend with the ECPA and the Fourth
Amendment in regard to monitoring employee E-mail, voice mail and Internet access, but
employers must also realize that these situations can trigger state statutory and common
laws as well. While the ECPA offers some protection to employees, the crucial arena
where an employee’s privacy rights are protected is often within state law.
I.
Constitutional Right to Privacy
A.
State Constitutional Provisions: Several states have explicitly guaranteed the
right to privacy in their constitutions. See ALASKA CONST. art. I, § 22; ARIZ.
CONST. art. II, § 8; CAL. CONST. art. I, § 1; FLA. CONST. art. I, § 23; HAW. CONST.
art I, § 6; ILL. CONST. art. I, § 6; LA. CONST. art. I, § 5; MONT. CONST. art. II., §
10; S.C. CONST. art. I, § 10; WASH. CONST. art. I, § 7.
‰
Illinois: The Illinois Constitution specifically protects
“interceptions of communications by eavesdropping devices or
other means” within the right to privacy. See ILL. CONST. art.
I, § 6.
These constitutional protections generally apply to state action only. See, e.g.,
Luedtke v. Nabors Alaska Drilling, Inc., 768 P.2d 1123 (Alaska 1989).
California is a notable exception. See Hill v. NCAA, 865 P.2d 644 (Cal. 1994)
(state constitutional right of privacy applies to private actors). The California
Constitution guarantees all individuals an “inalienable right to privacy.” Courts
have interpreted this state constitutional right to prevent employer conduct such as
drug testing and searches of employee lockers. The key issue is whether a
“reasonable person” would have an expectation of privacy. If an employee has
such a reasonable expectation of privacy, the employee can sue for violation of
his or her privacy. To avoid such liability, therefore, employers must take steps to
reduce the expectation of privacy. Again, notice and acknowledgment of an
electronic monitoring policy probably will be sufficient to establish that, in light
of such a policy, no reasonable employee could have an expectation of privacy in
electronic or wire communications.
II.
Common Law Right to Privacy
A.
State Recognized Common Law Privacy Rights: Some states have recognized
that the common law right to privacy extends to the workplace. In the context of
E-mail and voice mail interception, this common law right to privacy is the right
against “unreasonable intrusion upon the seclusion of another,” which holds that
“one who intentionally intrudes, physically or otherwise, upon the solitude or
seclusion of another, or his private affairs or concerns, is subject to liability to the
21
other for invasion of his privacy, if the intrusion would be highly offensive to a
reasonable person.” Restatement (Second) of Torts § 625B (1977).
‰
B.
ƒ
Because an “invasion” can be non-physical, the tort
protects an individual against electronic
eavesdropping. See id. cmt. 6. Liability may exist
even where the invasion is not surreptitious, and the
employer need not publicize the improperly
obtained information. See id. cmt. 9.
ƒ
Elements for Privacy Claim: An employee must
show that the employer committed a highly
offensive intentional intrusion into a private matter.
In order to demonstrate this, the employee must
show that a subjective expectation of privacy
existed and that this expectation was reasonable.
Often, the reasonableness of the intrusion will
depend on the degree of intrusion, the context,
conduct and circumstances surrounding the
intrusion, as well as the motives and objectives
behind the intrusion. See, e.g., Miller v. NBC, 232
Cal. Rptr. 668, 679 (Ct. App. 1986).
Generally, the courts have found that an individual has a
reasonable expectation of privacy against the “intrusion” of
electronic surveillance, such as telephone monitoring. See, e.g.,
Billings v. Akinson, 489 S.W.2d 858, 861 (Tex. 1973); Nader v.
General Motors Corp., 255 N.E.2d 765, 770 (N.Y. 1970).
Case Examples: The following cases provide insight as to how state courts have
applied the right to privacy to E-mail issues.
1.
No privacy in communication on company system: Employer assured
employees that its internal E-mail system was privileged and confidential.
Employer also informed employees that their E-mails would not be
“intercepted,” or used to take an adverse employment action against an
employee. When the employer thereafter accessed an employee’s E-mail
and terminated the employee for unprofessional comments made in the
communication, the employee argued that his termination was in violation
of public policy because he had a right to privacy under Pennsylvania law.
While the court noted that Pennsylvania did recognize the right to privacy,
an employee must demonstrate that the invasion was “highly offensive” to
a reasonable person. In the case before it, the court found that “unlike
urinalysis and personal property searches, we do not find a reasonable
expectation of privacy in e-mail communications voluntarily made by an
employee to his supervisor over the company e-mail system
22
notwithstanding any assurances that such communications would not be
intercepted by management.” Essentially, an employee using an
employer’s E-mail system does not have a reasonable expectation of
privacy in the contents of his E-mail messages. Furthermore, the
employer’s accessing the employee’s E-mail could not be considered
“highly offensive” by a reasonable person. See Symth v. Pillsbury Co.,
914 F. Supp. 97, 100-01 (E.D. Pa. 1996).
2.
C.
III.
Password does not equal privacy: Employee was terminated due to a
sexual harassment investigation. The employee requested access to his Email in order to disprove the allegations. The employer denied the
request. Employee brought suit alleging that his employer had invaded his
privacy by accessing his personal computer folders where he stored his Emails, which could only be accessed by a network password and an
additional personal password assigned by the employee. The employee
argued that he had a reasonable expectation of privacy in these folders
because they were “protected” by a personal password. The court
determined that an employee did not have a reasonable expectation of
privacy in his E-mails, because the “e-mails contained on the company
computer were not [his] personal property, but were merely an inherent
part of the office environment.” An employee, the court reasoned, should
not have a reasonable expectation of privacy in a company-owned
computer. Finally, the court determined that even if the employee could
show that he had a reasonable expectation of privacy, the employer’s
access of his E-mail was not “highly offensive.” See McLaren v.
Microsoft Corp., No. 05-97-00824-CV, 1999 WL 339015 (Tex. Ct. App.
May 28, 1999).
Summary: In general, it appears that an employee will have a difficult time
establishing that he or she has a reasonable expectation of privacy in
communications made on a company-owned system. However, because there is
limited case law on the subject, an employer should be cautious before monitoring
employee communications. An employer most likely would not violate an
employee’s right to privacy where the employer has a known policy of monitoring
the employees’ communications, and restricts the use of these systems for
business purposes only. However, an employer should be careful when dealing
with computer passwords. While the Pennsylvania and Texas courts did not find
that a password was indicative of privacy, some courts might find the use of a
personal password reinforces the employee’s argument that a reasonable person
would have believed the communications to be private.
State Statutes
A.
In addition to the common law invasion of privacy, forty-eight states and
the District of Columbia have enacted statutes similar to the federal Wiretap and
23
Stored Communications Acts.1 (The two exceptions are South Carolina and
Vermont). Many of these states have adopted the one party consent, "business
extension" and "provider" exceptions found in the federal statute. Thirteen states
require that prior consent must be given by all parties to the communication.2
Twenty-two states and Washington, D.C. have not enacted a "business extension"
exception or explicitly restrict the "provider" exception to communication
common carriers.3
B.
Pro-Employee Because the ECPA does not preempt state law that offers more
protection to an individual, some states have enacted laws that provide more
broad protection.
1.
For example, some states require that all parties consent to the interception
before the “consent exception” will apply. See, e.g., Cal. Penal Code §
631(a); Fla. Stat. Ann. § 934.03 (2)(d); 720 Ill. Comp. Stat. § 5/14-2 (West
1998), amended by 1999 Ill. Legis. Serv. P.A. 91-657 (H.B. 526) (West
2000). Statutory exceptions and (unpublished) court decisions, however,
appear to indicate that employer monitoring of workplace e-mail most
likely does not violate either statute. The eavesdropping provision
contains a key exception when parties to a communication reasonably
expect to be overheard.
2.
In several states, an employer must give its employees advance notice of
its intention to monitor, such as a written policy, before monitoring an
1
See Ariz. Rev. Stat. § 13-3012 (1993); Cal. Penal Code § 631 (Deerings 1998); Colo. Rev. Stat. Ann. § 18-9-305
(West 1993); Del. Code Ann. tit. 11, §§ 2402, 2422 (1999); Conn. Gen. Stat. Ann. § 31-48d (West 1999); D.C. Code
Ann. § 23-542 (1993); Fla. Stat. Ann.§ 934.03 (1996); Ga. Code Ann. § 16-11-66 (Miche 1996); Haw. Rev. Stat. §
803-42 (1993); Idaho Code §§ 18-6702, 18-6720 (West 1997); 720 Ill. Comp. Stat. § 5/14-2 (West 1998), amended
by 1999 Ill. Legis. Serv. P.A. 91-657 (H.B. 526) (West 2000); Kan. Stat. Ann. §§ 21-4001, 22-2514 (West 1995);
La. Rev. Stat. Ann. § 15:1303 (1992); Md. Code Ann., Cts. & Jud. Proc. § 10-402 (1995); Mass. Gen. Laws ch. 272,
§ 99 (1999); Minn. Stat. § 626A.02 (1993); Miss. Code Ann. § 41-29-531 (1993); Neb. Rev. Stat. § 86-702 (1999);
Nev. Rev. Stat. § 200.620 (1993); N.J. Stat. Ann. § 2A:156A-4 (1994), amended by 1999 N.J. Sess. Law Serv. Ch.
151 (Assembly 3014) (West 1999); N.M. Stat. Ann. § 30-12-1 (Miche 1994); N.Y. Penal Law § 250.00 (McKinney
2000); N.D. Cent. Code § 12.1-15-02 (1993); Ohio Rev. Code Ann. § 2933.52 (Anderson 1994); Okla. Stat. tit. 13, §
176.4 (1993); R.I. Gen. Laws § 11-35-21 (1993), amended by 1999 R.I. Pub. Laws Ch. 99-167 (99-H-5593) (West
1999); Tex. Penal Code Ann. § 16.02 (West 1994); Utah Code Ann. § 77-23a-4 (1994); Va. Code Ann. § 19.2-62
(Miche 1994); W. Va. Code § 62-1D-3 (1994); Wis. Stat. § 968.31 (1993); Wyo. Stat. Ann. § 7-3-602 (Miche 1994)
.
2
California, Connecticut, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, Michigan,
Montana, New Hampshire, Pennsylvania, and Washington all require both parties' consent to the monitoring. See
Cal. Penal Code §§ 631(a), 632(a) (West 1996); Conn. Gen. Stat. § 52-570d (1997); Del. Code Ann. tit. 11, §
1336(b) (1995); Fla. Stat. ch. 934.03(2)(d) (1995); Ga. Code Ann. § 16-11-66(a) (1996); 720 Ill. Comp. Stat. § 5/142 (West 1993); Md. Code Ann., Cts. & Jud. Proc. § 10- 402(c)(3) (1995); Mass. Gen. Laws Ann. ch. 272 99(B)(4)
(West 1990); Mich. Comp. Laws Ann. § 750.539c (West 1991); Mont. Code Ann. § 45-8- 213(c) (1995); N.H. Rev.
Stat. Ann. § 570-A:2 (1986); 18 Pa. Cons. Stat. Ann. § 5703-04 (West 1995); Wash. Rev. Code Ann. §
9.73.030(1)(b) (West 1988).
3
Alabama, Delaware, the District of Columbia, Georgia, Idaho, Indiana, Iowa, Kentucky, Louisiana, Maine,
Minnesota, Mississippi, Missouri, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma,
Pennsylvania, Rhode Island, South Dakota, and Texas.
24
employee’s electronic communications. See, e.g., Conn. Gen. Stat. Ann. §
31-48d (requiring an employer to give employees prior written notice of
monitoring policy; however, allows monitoring where employee is
violating the law); Colo. Rev. Stat. Ann. § 24-72-204.5 (requiring a state
employer to detail in a policy the employer’s ability to monitor the
employees’ E-mail).
C.
Pro-Employer Some states have enacted laws that are pro-employer. See, e.g.,
Neb. Rev. Stat. § 86-702(2)(a) (1999) (allowing employers the right to intercept,
disclose and use electronic communication in the ordinary course of business;
expressly exempting employers from wiretap statute).
‰
Case Examples
ƒ
California enacted its own wiretapping law that
provides a private cause of action for illegal
interceptions of private wire communications. See
Cal. Penal Code § 631.
•
Two customer service representatives were
placed on final warning after their
supervisor printed out their E-mail
messages, which contained inappropriate
jokes and language about the supervisor.
The employees complained and were
terminated. The employees sued under §
631, but the court dismissed the action. The
court determined that the plaintiffs did not
have a reasonable expectation of privacy in
their E-mail messages, particularly because
they signed a computer user registration
form which stated company policy that
employee and contractor use of companyowned computer software was restricted to
company business. Finally, the court
determined that the use of a password did
not raise a material issue as to whether the
employees’ expectation of privacy was
reasonable. See Bourke v. Nissan Motor
Corp., No. B068705 (Cal. Ct. App. July 26,
1993).
•
An employee found her supervisor reading
all of the employees’ E-mail going, or
originating from, outside the company. As
the individual in charge of the company’s E-
25
mail system, the employee had assured some
700 employees that their E-mail messages
were private. The employee complained to
her supervisor and sought an E-mail account
number to which her supervisor would not
have access. Subsequently, the employee
was fired for insubordination. The
employee sued her employer under
California law. A class of the company’s
employees also sued for invasion of privacy.
The California court, however, found that
the employees did not have a reasonable
expectation of privacy in the E-mail
messages and dismissed the suit. See Shoars
v. Epson America, Inc., No. BC73243 (Cal.
Ct. App. 1991); review denied, No.
S040065, 1994 Cal. LEXIS 3670 (Cal. June
29, 1994); Flanigan v. Epson America, Inc.,
No. BC007036, slip op. (Cal. Super. Ct. Jan.
4, 1991).
ƒ
Employer had interoffice E-mail system that
required use of a password to access. However,
employer’s supervisors could access the E-mail
files. Supervisor accessed two employees’ E-mail
accounts and found messages referring to the
supervisor’s extra-marital affair with another
employee. The two employees were terminated for
“excessive” use of the E-mail system. The
employees sued, alleging a violation of the
Massachusetts wire tapping laws and an invasion of
privacy. The court found that the employer did not
violate the wire tapping law. Specifically, the court
found that an employer, or provider of an E-mail
system, can utilize the system in the ordinary course
of business. The court found that the employer did
not unlawfully intercept the employee’s E-mails,
but was backing-up the system in the ordinary
course of its business. The court did, however,
recognize that the employees may have a privacy
right in their files and declined to grant summary
judgment. See Restuccia v. Burk Techs., Inc., No.
95-2125, 1996 Mass. Super LEXIS 367 (Super. Ct.
Aug. 13, 1996).
26
PROPOSED LEGISLATION
I.
Federal: Presently, the ECPA is the only piece of federal legislation dealing specifically
with the subject of protecting electronic communications. While several pieces of federal
legislation have been proposed over the past few years, none have been enacted
successfully. However, this unsuccessful legislation may offer some guidance as to what
the future law on electronic message protection might look like.
A.
The Privacy for Consumers and Workers Act (“PCWA”) [16 H.R. 1900,
103rd Cong., 1st Sess. (1993)]. The PCWA was introduced in the Senate and in
the House, but both versions died in subcommittee at the end of the 103rd
Congress. Groups such as the ACLU and the Electronic Frontier Foundation
continue to press for legislation.
1.
Impact of the PCWA: Although the PCWA was mostly aimed at
curtailing video and audio surveillance of employees’ on-the-job
activities, it also would have drastically limited an employer’s ability to
monitor E-mail and voice mail communications.
a.
Continuous Monitoring: Although continuous electronic
monitoring is permitted, the employer would not be allowed to
review the data except in certain limited circumstances, such as
when the employer already has reason to believe the data has some
bearing on the employee’s work.
b.
Periodic or Random Monitoring: Random electronic monitoring
would be virtually prohibited, except for monitoring of new
employees and monitoring “work groups” with prior notice.
c.
Investigations: Electronic monitoring without prior notice would
be permitted in connection with investigations of violations of the
law or willful gross misconduct, but only after the employer
completed a written statement describing the conduct to be
monitored and the reasons for the monitoring.
d.
Notice Requirements: Any electronic monitoring, other than in
connection with an investigation as described above, would require
prior notice to employees and even prospective employees of the
forms of monitoring, the data to be collected, the days and times of
monitoring, and the uses to be made of the information collected.
e.
Exemptions: Banks, securities firms, and other financial
institutions, as well as intelligence contractors, would be exempt
from the provisions of the PCWA. In addition, an employer who
has an immediate business need for specific data can gain access to
27
it without prior notice, if the employee who maintains it is
unavailable.
f.
B.
II.
Penalties: Employers could be fined up to $10,000 for each
violation.
The Telephone Privacy Act of 1993 (“TPA”) [S. 311, 103rd Cong., 1st Sess.
(1993)]. The TPA was introduced as an amendment to the ECPA, but died in
subcommittee at the end of the 103rd Congress. The TPA would have granted a
person the right to intercept a wire or oral communication where all of the parties
to the communication have given prior consent, or where such persons are
employers engaged in the lawful electronic monitoring of their employees’
communications made in the course of the employees’ duties.
State Legislation. State law most likely will begin to dominate the realm of monitoring
electronic communications. The most recent example of such state initiative was in
California. In 1999, a California bill passed both the Senate and the House that
prohibited an employer from “secretly monitoring” an employee’s E-mail without first
notifying the employee of the monitoring with a written policy. See S. 1016 (Cal. 1999).
The bill, however, was vetoed by the Governor.
While the bill was vetoed, the specific provisions of the bill offer an interesting
insight to the future restrictions that may be placed on an employer:
‰
Prohibiting an employer from “secretly monitoring” an employee’s Email. This “secret monitoring” included inspection, review and retention
of the E-mails.
‰
Requiring an employer who elected to monitor an employee’s E-mail to
give notice to the employees of this practice by “hardcopy or electronic
notice.” Furthermore, the bill would have required actual employee
consent to the monitoring.
28
THE CURE: A POLICY
The statutes and case law indicate that there are ways for an employer to
effectively monitor an employee’s E-mail, voice mail and Internet access without
violating the law. The most effective way this can be achieved is by enacting a policy
detailing your intentions with regard to monitoring your employees’ E-mail, voice mail
and Internet access, and following that policy.
I.
II.
Why you need a policy?
A.
A policy gives employees notice that their electronic communications are not
private. This can help to demonstrate consent to the monitoring and can render an
employee’s expectation of privacy in their communications unreasonable.
B.
Fairness. If you choose to monitor your employee’s electronic communications,
it is fair that you let them know. This notice may help to curb any type of morale
problems that may occur if the employees learn that you are surreptitiously
monitoring their communications.
C.
Some states, including Connecticut, require a written policy.
What you should put into your policy?
A.
III.
Initial Questions: First, plan out what you really want to do. In making this
determination, take the following questions into consideration:
1.
Should E-mail and Internet access be limited to business purposes only?
2.
Do you intend to monitor these forms of communication? If so, how, and
to what extent? Arguably, you should only monitor for business purposes
to stay within the protection of the law.
3.
Do you want to give employees passwords?
The Written Product
‰
Inform employees that their E-mails, voice mails and Internet access are not private,
regardless of the use of a password on any of these systems.
‰
You should indicate that this consent to access and disclosure of the employees’
messages will be by authorized firm employees for any lawful purpose.
‰
An employee should be subject to discipline for retrieving another employee’s Email, voice mail or electronically stored documents for any reason other than
specified legitimate business purposes, such as evaluating the effectiveness of
electronic mail; providing assistance in performing departmental duties when
employees are otherwise unavailable; finding lost messages; conducting an
29
investigation into suspected criminal acts, breaches of security, or violations of
corporate policies; complying with subpoenas or other process; and recovering from
system failures or other emergencies.
IV.
‰
Remind employees that the use of company equipment to make offensive or
discriminatory comments, vulgarities, obscenities or jokes is prohibited. Remind
employees that this prohibition relates to accessing offensive Internet sites as well.
‰
Remind employees that the company may store or retain the employees’ E-mail
messages for a certain amount of time, and that these messages may be accessed.
‰
Describe how and why you intend to monitor the various electronic communications.
‰
Make employees aware that use of the company equipment is for business purposes
only. Any communications made on these systems are property of the company.
Giving employees notice of the policy.
‰
Ideally, you should place your policy in your employee handbook and post the policy
around the office as well.
‰
Use on-screen prompts to remind employees that use of the computer is for business
purposes only.
‰
It may also be a good idea for you to have your employees acknowledge that they
have received notice of the policy.
‰
Provide routine training on the permitted use of electronic communications systems.
30

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz