Mindful Monitoring

By Ian D. Meklinsky and Anne Ciesla Bancroft

Employee Protection
Employees may be protected from an employer’s electronic monitoring under three categories. First, employees may seek protection under either the federal or a state constitution. Second, a federal or state statute may provide employees with protection. Third, employees may be able to find some common law precedent on which to base a claim that the company violated their privacy rights. Let’s take a look at each of these protection categories.

Constitutional protections. Privacy rights are not specifically mentioned in the U.S. Constitution, and while the Supreme Court has found a right of privacy in the Fourth Amendment, it applies only to actions carried out by governmental entities, not to the actions of private employers. Many states, however, provide in their state constitutions for a right of privacy that applies to both government and private-sector actors.

Employers need to be aware of the constitutions of states in which they operate when developing monitoring policies. Public-sector employers, such as schools, must be cognizant of the federal privacy rights conferred by the Fourth Amendment as well as state constraints.

Statutory protections. The statutes most directly applicable to electronic monitoring in the private-sector workplace are federal and state wiretapping laws. On the federal level, the Wiretap Act, as amended by the Electronic Communications Privacy Act of 1986 (ECPA), prohibits the interception, recording, and disclosure of “any wire, oral, or electronic communication” unless one of a few exceptions applies. The Stored Communications Act (SCA) prohibits unauthorized access to “the contents of a communication while [it is] in electronic storage” unless an exception applies.

Because the general rule is that an employer cannot intercept, access, record, or disclose an electronic communication, employers must qualify for one of the exceptions to these rules. The two most prevalent exceptions are the business extension exception and the consent exception.

Business extension. The business extension exception pertains to certain types of interceptions. For example, if an employer uses equipment such as telephones, facilities, or related components furnished by a telephone service provider to a subscriber or user in the ordinary course of business, then the employer may intercept electronic communications that are business-related. An employer’s telephone lines and facilities have been determined to fall within this exception. (As discussed later, the employer may not intercept personal communications.)

A business may not install tape recorders or other monitoring devices that are not acquired from a telephone service provider in the ordinary course of business to record conversations. (The government may not tape record conversations without a warrant.) However, employers may monitor the statistical aspects of employee telephone communications for data on the origin and destination of calls, call duration, and number of outgoing calls.

Under the exception, employers may monitor the content of employee communications only within certain contexts. To monitor the content of employee communications, an employer must have a reasonable business purpose, such as enforcing a no-private-calls policy or monitoring employee efficiency.

The methods and scope of interception must be reasonable. Under the exception, it is unreasonable for an employer to record all conversations in their entirety. The interception must terminate as soon as the monitored communication indicates that the message is personal.

Consent. Under the consent exception, it is legal for a person to intercept communications across state lines where one party has given prior consent. Also, interceptions are legal where the interceptor is a party to the communication. When both parties are in the same state, the law of that state prevails. For example, in Pennsylvania, all parties must consent.

This exception allows that consent may be implied where employers give appropriate notice to employees, and employees agree to the monitoring. However, a surreptitious or secret interception negates this consent.

The Federal Trade Commission has rules governing how companies must notify nonemployees if telephone communications will be taped. These involve issuing oral warnings that the conversations are being recorded or periodic tones that indicate taping.

An employer who is lackadaisical about establishing a proper and legal monitoring policy could face significant damage to its business, as well as liability. And the charges can go beyond the normal invasion-of-privacy claim. For example, an employer could be liable under the Sarbanes-Oxley Act (SOX) for the release of confidential information of clients and customers.

States. Many states have adopted laws equivalent to the federal wiretap statute. In many respects, these laws track the federal law. However, some state courts have interpreted these statutes in different ways. For example, in Montana, a district court ruled that the use of a handheld recorder to record voicemail messages was not an interception, particularly where the person leaving the voicemail message consented to leaving the message in the first place. In contrast, a New Jersey district court ruled that the recording of phone conversations with a tape recorder and adapter is an interception. And, in a recent Pennsylvania case, a court ruled that searching a server and retrieving an employee’s e-mails is not a violation of the ECPA or the SCA.

Numerous states have recently enacted identity theft protection laws. Under these provisions, employers have affirmative obligations to protect computerized records containing personal information and to report breaches of security to law enforcement and the individual whose information was accessed. These laws also impose requirements regarding the destruction of hard copies of such information, as well as restrictions on the use and dissemination of Social Security numbers.

Common law protection. Employees seeking redress from electronic monitoring periodically assert an invasion of privacy claim. Most jurisdictions recognize this claim. In general, a party who intentionally intrudes, physically or otherwise, on the solitude or seclusion of another or on his private affairs or concerns is subject to liability for invasion of privacy if the intrusion would be highly offensive to a reasonable person.

Despite the availability of this type of claim, courts rarely find that employers have invaded the privacy of an employee through electronic monitoring. To be successful, an employee must overcome several hurdles. There must be an intrusion and the intrusion must be intentional. The employee must have a reasonable expectation of privacy in the matter intruded on and the intrusion must be highly offensive to a reasonable person.

Then, even if the employee satisfies all of these criteria, the employee may still be unsuccessful if the court finds that the employer had a legitimate business reason for engaging in the intrusion that outweighed the employee’s privacy interest.

To further reduce the likelihood that an employee would prevail in this type of claim, employers should eliminate the employee’s reasonable expectation of privacy by having a well-publicized policy and obtaining employee consent to monitoring.

Challenges
Employers frequently ask their legal counsel about their right to monitor employee use of e-mail and the Internet to detect, for example, excessive online shopping or visits to inappropriate Web sites. They want to understand their rights and obligations with respect to accessing an employee’s e-mail or Web site history.

Employers have certain obligations that virtually mandate monitoring and review. For example, employers are required to investigate wrongdoing under federal antidiscrimination laws. While this legal obligation might be enough to protect an employer who must search an employee’s e-mails and Web usage, properly drafted policies are still necessary. Companies should, therefore, maintain clear policies concerning the use of the systems by employees and the employer’s right to monitor that use.

There have been various court challenges to company monitoring programs. A review of these cases can help companies understand which practices may withstand legal scrutiny.

In one case (Campbell v. Woodard Photographic, Inc., U.S. District Court for the Northern District of Ohio, 2006) a federal court found that an employer invaded an employee’s privacy during a workplace investigation. In the case, Woodard Photographic had experienced a series of suspected thefts of cash and office equipment. An investigator claimed that he found a printout of items that Dwayne Campbell had listed for sale on eBay and that these items were identical to the missing equipment. This evidence, coupled with other facts that pointed to Campbell as the culprit, was used to terminate Campbell.

Campbell filed a lawsuit against the company, claiming invasion of privacy. He claimed that he did not print out the eBay listings and that the company must have accessed his password-protected eBay account to get the information. The company requested that the case be dismissed.

The court denied the company’s request, finding that Campbell could pursue his invasion of privacy claim against the company and that if the company did obtain its information by accessing a password-protected account, it could be held liable. However, the court did note that if the company had established an employee monitoring policy and communicated that policy to its employees, Campbell would not have had an expectation of privacy and his lawsuit would have failed.

Why monitor? To avoid the potential liability that monitoring could create, companies might be inclined simply to avoid any oversight or investigation of employee activity. Yet this approach can land them in hot water as well, as the case of Doe v. XYZ (Superior Court of New Jersey, 2005) illustrates. (Names were sealed in the case to protect the victims.)

XYZ Corporation employed 250 workers in Somerset County, New Jersey. One of the employees, whom the courts called John, worked for the company as an accountant. He worked in a cubicle, which was located along a wall in a line of cubicles. The cubicles had no doors and opened onto a hallway.

In late 1998, the company’s IT manager, whom the court called George, conducted a standard computer log review and noted that John had been visiting pornographic Web sites. George told John to stop visiting the sites but did not tell John’s supervisor, called Keith in court documents, about the incidents.

Over the next three years, various employees raised questions about John’s Internet use. Two investigations launched by his supervisors proved that John had visited child pornography sites from his work computer. John was warned to stop several times but repeatedly slipped back into his old habits.

In 2001, John began taking nude photos of his 10-year-old stepdaughter (called Jill in the case). He transmitted three of these photos over the Internet from his workplace computer to a child pornography site. He also threw some photos of Jill in the trash at work. Someone saw the photos and called police.

When the police searched John’s work computer, they found more than 1,000 pornographic images stored on his computer, e-mails to pornographic Web sites, and e-mail discussions with others about child pornography. The police arrested John for possession and transfer of child pornography.

Jill’s mother, named as Jane Doe, sued XYZ for negligence, claiming that it knew or should have known that John was using his computer to view and download child pornography. The lawsuit also alleged that, because of the nature of the offense, XYZ had a duty to report John’s activities to the police. According to Doe, this negligence led to the continued exploitation of her daughter.

XYZ filed a motion for summary judgment—a hearing based on the facts of a case, without a trial. The trial court granted the summary judgment, ruling that there was no evidence that the company knew that John’s conduct was dangerous to others. Further, according to the court, the company had no duty to investigate the private communications of its employees.

Because most of the exploitation of Jill occurred in the home, the court concluded, more rapid action on the part of XYZ would not have protected the child. Doe appealed the decision.

The New Jersey Superior Court disagreed with the lower court, finding that XYZ could be held liable. The court determined that XYZ could have implemented software to monitor employee activity on the Internet. It also found that the company could have conducted investigations into computer use.

The company had a written policy stating that the employee had no right to privacy in e-mail or Web searches at work and that those who used the system for “improper purposes” could be disciplined or discharged. All employees were supposed to read and sign the policy. There was no record of John signing the policy, but according to the court, there was no suggestion that he was unaware of the policy.

Solutions
Companies should implement and disseminate a comprehensive electronic monitoring policy, and it should be well publicized to ensure that employees have no expectation of privacy.

An electronic monitoring policy should state that the employment relationship is “at will” and that the policy does not create a contract of employment, either express or implied. The policy should be part of a more comprehensive employee handbook that has all of the necessary and properly drafted disclaimer notices required by the courts.

This disclaimer must clearly state that employees have no expectation of privacy when they use the computer equipment or other communication systems provided by the employer, including the Internet and e-mail systems. Also, the policy must include the notice that the continued use of the employer’s systems constitutes an employee’s consent to monitoring.

In the policy, employers must assert that the business computer systems are the sole property of the company and that the employer has the right to monitor and access all areas of the employee’s computer files.

Similarly, the policy should state that the employer reserves the right to store e-mails that pass into or out of its systems and that it may review e-mails and disclose the contents of e-mails to third parties, with or without notice to employees. Some employers may wish to apply the policy to all company communications systems.

The policy should advise employees that they may be liable for submission of personal information or other sensitive data they send through interactive computer systems. It should also caution employees that e-mails should only contain content that would otherwise be included in a normal business memorandum or letter. The company should clearly prohibit e-mails containing defamatory, sexual, racist, abusive, harassing or other offensive material.

The policy should also clearly state that accessing offensive Internet sites or offensive use of e-mail is prohibited. Companies may want to include a reference to the employer’s antiharassment and antidiscrimination policies.

Some companies have taken an additional step and included statements in the policy asserting that all messages composed, sent, or received on the e-mail system are and remain the property of the employer and are not property of the employee.

Another possible statement a company might want to use would assert that the e-mail system may not be used to solicit or proselytize for commercial ventures, religious or political causes, outside organizations, or other nonbusiness-related solicitations.

Companies should notify employees that the confidentiality of any message should not be assumed, that even when a message is erased, it is still possible to retrieve and read that message, and that the company retains the right to amend the policies at any time. The company should also set out guidelines for the reporting of policy violations and explain the disciplinary steps that will be taken if an employee violates the policy.

The employer should obtain a signed acknowledgment form relating to the policy and maintain the acknowledgment in each employee’s personnel file. In addition to having this written policy, management may want to have the IT department set up banners or sign-in windows so that as employees log on to the computer system, they are reminded that they consented to monitoring.

Employers cannot afford to ignore the legal issues arising out of the introduction of technology into the workplace, especially when coupled with the employers’ interests in monitoring the use of that technology. By addressing the legal ramifications of monitoring, employers can maintain efficiency while also avoiding liability.


See all the latest links and resources that supplement the current issue of Security Management magazine.