E-mail is considered the fastest-growing form of electronic communication in the workplace. But despite the great benefit e-mail offers businesses, it creates productivity and liability issues concerning workplace privacy.
For example, employee misuse of a corporate e-mail system for personal purposes wastes company time. In addition, allowing employees unfettered personal use of e-mail might lead to a sexual-discrimination lawsuit against the employer in which sexually harassing messages are key evidence. This potential liability should motivate you to ensure your e-mail system is not being abused. To do this, you must be mindful of the constitutional, statutory and common-law origins of privacy protection for employees, as well as applicable case law that has explored privacy issues in the workplace, including e-mail monitoring. Currently, there are no clear legal guidelines with respect to these issues.
Federal law
The federal statute that addresses the legality of intercepting and monitoring e-mail communications is Title III of the Omnibus Crime Control and Safe Street Act of 1968, commonly known as the federal wiretapping statute, which was amended in 1986 to include electronic communications.
The law prohibits interception, use and disclosure of electronic communication and expressly allows victims of interceptions to file civil lawsuits. The statute will grant a prevailing plaintiff actual damages; punitive damages of any profits made by the violator as a result of the violation; and statutory damages of whichever is greater—$100 per day for each day of the violation or $10,000.
The law also allows for equitable relief, including injunctions that, for example, seek to have the impermissible interceptions stopped permanently or temporarily while a lawsuit is pending. The law allows plaintiffs to seek declaratory judgments that, for example, ask the court to declare a warrant upon which an interception is based unlawful. Prevailing plaintiffs also can recover their attorneys' fees, and violators may face criminal penalties.
The wiretapping statute, before its amendment, only protected interceptions of wire and aural communications. Electronic communications, such as e-mail, that were not aural by definition were not protected. The amendment merely added the words "or other" to the definition of intercept so other communication forms were covered under the act. In addition, assuming this semantic augmentation was not enough, the amendment also interjected the term "electronic communication" with a definition. Although electronic communication now is within the federal law's anti-interception umbrella, the range of protection afforded by the prohibition against interception has been narrowly interpreted by the courts.
Congress' use of the word "transfer" in the definition of electronic communication and omission of the phrase "any electronic storage of such communication" have been interpreted by courts as reflecting Congress' intention that the term "intercept" would not apply to electronic communication when such communication is in electronic storage as opposed to in transit. Consequently, e-mail stored on a computer's hard drive cannot be intercepted. In practice, this means there only is a narrow window during which an e-mail interception may occur, which makes legal interception of e-mail virtually impossible.
Any protection of employee privacy found in the amended law generally will be based on the unauthorized access provision. An employer seeking to avoid liability for e-mail interception or unauthorized access while still monitoring intracompany communication has three possible exemptions from the act's protection on which to rely: prior consent, business use and system provider.
Exemptions
The most certain protection against liability according to federal law exists when prior consent has been given by an employee before interception of e-mail or access of e-mail in electronic storage occurs. Interception of electronic communication is expressly allowed by federal law when one party to the communication has given prior consent. This portion of the law is what permits a party to a conversation to record the conversation though the other party is unaware the conversation is being recorded. Similarly, access to stored communication is allowed when a user authorizes it.
Although prior consent provides employers with the strongest protection when monitoring e-mail, even in its absence, an employer may argue consent is implied from the employer-employee relationship.
Consent may be implied if employees use the e-mail system after their employer has announced a clear policy of monitoring the system. In this scenario, an employee may have given implied consent to the monitoring. Recent case law indicates, however, that mere knowledge of an employer's capability to monitor e-mail does not equal implied consent. Moreover, an employer's warning without actual proof of notice to employees that they are being monitored may not be enough to establish implied consent.
For example, a provision in an e-mail policy that merely suggests monitoring may take place, such as, "Company reserves the right to monitor all e-mail communication," may not create implied consent. In this scenario, there may not be implied consent if employees are not informed they are being monitored.
Employers hoping to find a safe harbor in the federal law's consent exemption should use a companywide, written e-mail policy that explicitly states employees' e-mails are monitored. Employees with knowledge of the policy who persist in using the e-mail system likely will be deemed to have given implied consent. But because consent may be partial, employers should exercise caution and ensure monitoring does not exceed the policy's terms. For example, if a policy was designed to survey the extent of e-mail use rather than content, uncovering a breach of trade secrets may be beyond the scope of implied consent.
Employers lacking prior or implied consent to monitor e-mail still may assert the business-use exemption for interceptions made within the ordinary course of business. But it is unlikely this exemption will apply to e-mail. The exemption indicates telephone or telegraph equipment is required for the exclusion to apply, and it is doubtful courts will consider a modem (assuming one is involved) to be telephone equipment. There is, however, another source for employers seeking to invoke the business-use exemption.
In defining "device," federal law exempts any device that is furnished to the user by the wire or electronic communication service provider in the ordinary course of business. As a result, if courts construe an employer is a "provider" rather than an Internet service provider, such as America Online, it seems the employer may have a blanket license to intercept any communication that is related to business use.
If an employer requires all e-mail be used for business purposes only, the protection of the business-use exemption will apply because all transmissions on the system will be business-related or in violation of the policy. In either case, the employer will have the right to read the e-mail.
Employers might be limited to monitoring e-mail only to the extent necessary to determine whether an employee is violating company policy. E-mail interception may be challenging to limit because it may be difficult to know an intercepted message is personal unless the entire message is read. Regardless, courts might permit e-mail monitoring for legitimate business reasons provided the monitoring does not include reading personal e-mail in its entirety or more than is necessary to determine the nature of its contents.
State law
Most state statutes have chosen to follow the basic structure of federal law. The key difference among state and federal statutes usually is in the scope of exemptions. The exemptions contained in many state statutes are noticeably less generous than the corresponding federal exemptions. For example, many states' prior consent exemptions require the consent of all parties as opposed to just one party's consent.
Florida's Security of Communications Act provides an example of a typical scheme adopted by state statutes. Florida's act initially was modeled after the federal law, but subsequent amendments narrowed the act's consent exemption. Since 1974, the prior consent of all parties to the communication is required for the exemption to apply. Courts applying Florida's statute have observed it evinces a greater concern for the protection of one's privacy interests in a conversation than does the federal act.
Tort claims
Another potential liability source in the privacy arena is common-law action brought by an employee for invasion of privacy. This cause of action has been fairly recognized by courts and legislative bodies as a means of protecting against unwarranted intrusions into one's personal affairs. Essentially, anyone who invades another's right to privacy is subject to liability for the resulting harm to the interests of the other. Some states recognize a common-law right of privacy that may protect private employees.
The invasion of privacy tort provides that anyone who intentionally intrudes—physically or otherwise—on the solitude or seclusion of another or his private affairs is subject to liability for invasion of privacy if the intrusion would be highly offensive to a reasonable person.
Several factors have evolved for determining a common-law right against intrusion. These factors include the following:
The first factor may not be difficult for an employee to meet though it should be noted any unintentional access to an e-mail message by a system administrator during system maintenance, for example, certainly would defeat an employee's privacy claim.
Determining whether an intrusion is highly offensive to a reasonable person may be difficult. Courts may not consider accessing and reading employee e-mail to be highly offensive particularly if a court finds the employee had no expectation of privacy in the e-mail.
Courts most likely will be less inclined to hold an invasion offensive or objectionable when it is undertaken to protect the employer's property or other legitimate right, such as monitoring to prevent abusive personal use of a company-owned system. Even when monitoring is based on a legitimate right, employers should be cautious about intruding into employees' personal lives. Therefore, a prudent employer may wish to confine monitoring to determining the nature, not content, of e-mail messages.
Finally, prior consent by employees should reduce the offensiveness of an invasion and potentially entirely eliminate liability. As previously discussed, the best way to get prior consent is to establish a policy letting employees know their e-mail is being monitored. This can be established by including a statement in an employee handbook, having a warning screen appear when employees login to their computers or placing a statement in a separate document.
An example of what can happen if your company does not maintain an e-mail policy can be found in the case Restuccia v. Burk Technology Inc. In the case, the company did not have a policy against personal use of its e-mail system. But the company had a policy against excessive chatting. Supervisors were given the ability to access employees' computer files by using supervisory passwords. Employees were not explicitly informed their supervisors had access to their systems.
The employees bringing the lawsuit were terminated after the company president used his supervisory password to access their e-mails and determined the employees had been sending e-mail using nicknames for him and discussing his extramarital affair with another employee, as well as other personal correspondence.
The court denied the employer's attempt to keep the case from getting to the jury because it found a dispute of fact existed as to whether the employees had a reasonable expectation of privacy in their e-mail messages and whether the president's reading of the e-mail constituted an unreasonable, substantial or serious interference with that privacy.
Considerations
It is imperative you create a company policy that clearly spells out monitoring practices and employee privacy specific to your company's operation. The policy should govern the use of all technology in the workplace, including information systems; e-mail; telephones; voice mail; fax machines; copy machines; personal computers; computer networks; and access to the Internet, intranet or other electronic services.
To effectively guard against liability, the policy must warn employees they have no expectation of privacy. E-mail messages of a harassing, offensive or discriminating nature should be strictly prohibited and designated as grounds for dismissal.
Finally, the policy should explain that employees who violate the policy will be subject to discipline up to and including termination and require them to sign an acknowledgment verifying they have read, understood and agree to be bound by the policy.
If you are mindful of state and federal laws and enact policies to combat the potential liabilities arising from those laws, you will ensure technology increases your employees' productivity and company's profitability without subjecting your company to increased liabilities.
Philip J. Siegel is an attorney with the Atlanta-based law firm Hendrick, Phillips, Salzman & Flatt.
COMMENTS
Be the first to comment. Please log in to leave a comment.