Monitoring Employee Communications – Sources of Potential Liability
There are several sources of potential legal liability for companies that engage in improper monitoring of employee communications. This liability arises from both state and federal law. The constitutional right to privacy, premised upon the Fourth Amendment’s prohibition of unlawful searches and seizures, applies only to public employers. It deserves mention, however, as the philosophical foundation of United States privacy law. Further, several state constitutions expressly extend to public employees a constitutional right to privacy, including Alaska, Arizona, Florida, Hawaii, Louisiana, Montana, South Carolina, Texas, Washington, and California, whose constitution also extends the right to private employees. And, tests applied to Fourth Amendment cases may be used when analyzing cases brought under common law or statutory privacy laws in the private workplace. Finally, the European Union and its member states take a different approach to individual privacy issues than in the United States. So, a “one size fits all” approach to employee privacy for companies in both locations is unworkable.
B. Common Law Claims.
1. Invasion of privacy – unreasonable intrusion into the seclusion of another.
The right to privacy, to quote Justice Brandeis, can be simply stated as “the right to be let alone.” Whether and to what extent employees enjoy this right in the workplace is a relatively recent quandary for companies, employees, and the courts.
The tort of invasion of privacy was first recognized in Ohio in Housh v. Peth, 165 Ohio St. 35 (1956). The Supreme Court of Ohio adopted the current Restatement definition, which stated: “One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to the reasonable person.”
Invasion of privacy is an area of state tort law that may encompass four distinct theories. The four theories are (i) placing a person in a false light, (ii) misappropriation of a person’s name or image, (iii) publication of private facts, and (iv) unreasonable intrusion into the seclusion of another. Sustin v. Fee, 69 Ohio St. 143 (1982). Not all states have recognized all four theories in the employment context. If a company does not disclose private information learned while monitoring its employees, generally it can avoid liability under the first three invasion of privacy theories. The fourth, intrusion into the seclusion of another, does not require dissemination, and is most often at issue in cases of employee monitoring.
The elements of a claim of intrusion vary somewhat from state to state. Generally, to prove intrusion into the seclusion of another, a plaintiff must at least demonstrate (i) there was an intrusion, (ii) the intrusion was intentional, (iii) the employee had a reasonable expectation of privacy, and (iv) the intrusion was highly offensive to the reasonable person. The first two elements are already present in almost every case of employee monitoring’”the company intentionally accessed its employee’s computer or e-mail. The primary issue is whether the employee has a reasonable expectation of privacy. This requirement is borrowed from the Fourth Amendment test outlined in Katz v. United States, 389 U.S. 347, 88 S.Ct. 507 (1967), and can be broken down into two parts. Did the person possess an actual subjective expectation of privacy, and, if so, is that expectation one that society will recognize as reasonable? If both of these questions are answered affirmatively, the employee has a right to privacy and the company may be liable for its violation.
The final element’”offensiveness’”is also rarely an issue, although it introduces a balancing test that may give companies a means to avoid liability should all other elements be satisfied. This test weighs the privacy interest of the employee against the legitimate business interest of the company.
a. Invasion of privacy in the workplace.
The creation of the internet changed how companies and employees view privacy in the workplace. Courts have also struggled with this transition’”attempting to insert traditional legal principles into unanticipated situations. Some decisions rendered outside the context of the electronic workplace, however, reflect how these principles may ultimately apply. In K-Mart Corp. Store No. 7441 v. Trotti, 677 S.W.2d 632 (Tex. App. 1984), an employee sued for invasion of privacy after her employer, K-Mart, removed the lock from an company-issued locker and searched through the personal property it contained.
The K-Mart store had a group of lockers that it allowed employees to use. Employees could request one of several locks from the store, to which management would keep a master key. Because there was often a shortage of locks, management also allowed employees to bring their own locks. Trotti, a female employee, did just that. Upon returning to her locker on a break, she found that someone had opened her lock and rifled through her purse that was in the locker. It turned out to be a K-Mart manager attempting to find out who had stolen a watch from the store. Trotti sued for invasion of privacy, claiming she had a reasonable expectation of privacy in both the locker and her property.
The court recognized that the locker was undoubtedly the property of the company. If unlocked, K-Mart could justifiably search the locker and its contents. The court also acknowledged that K-Mart could certainly search a locker should it issue a lock to the employee but retain a master key. By having the policy that the company retained the master key, the company and the employee understood that the company reserved the right to conduct reasonable searches. What distinguished this case, however, was that Trotti purchased and used her own lock with the knowledge and approval of K-Mart. That demonstrated that “the employee manifested, and the employer recognized, an expectation that the locker and its contents would be free from intrusion and interference.”
Though Trotti does not apply perfectly in the electronic environment, the court’s decision is helpful when predicting the legality of a “search”. The similarities and differences between locker/computer, purse/e-mail, and employer-lock/monitoring policy, can be useful when analyzing claims of invasion of privacy in the electronic workplace.
b. Invasion of privacy in the electronic workplace.
Several factors determine whether employees can reasonably expect that their computer or e-mails will not be subject to monitoring by their companies. Often, knowledge that a company monitors employee e-mails is enough to destroy an employee’s expectation of privacy. In Bourke v. Nissan Motor Corp., No. B068705, unreported (Cal. App. July 26, 1993), an employee sued for invasion of privacy where a company regularly intercepted and read his private communications, including several which contained embarrassing private material. The company prevailed because the employees had signed acknowledgments that they would only use e-mail transmissions for company business. Further, in light of the employees’ knowledge that the company had monitored communications in the past, the court found that there was no reasonable expectation of privacy.
Courts have held employees have no reasonable expectation of privacy when using company-owned equipment, even within the employee’s private residence. In TBG Ins. Servs. Corp. v. Superior Court of Los Angeles County, 96 Cal.App.4th 443 (2002), the company provided two computers for an employee’s use, one at work and the other for his home, allowing the employee to work at either location. The employee had signed his company’s “electronic and telephone equipment policy statement,” and had agreed in writing that his computers could be monitored by the company.
The employee in TGB was terminated when the company discovered that he had violated its electronic policy by repeatedly accessing pornographic sites on the internet while at work. He claimed that the pornographic websites were not accessed intentionally but simply “popped up” on his computer. During discovery, the company moved to compel production of his home computer to learn whether there was inappropriate information on the hard drive. The trial court had denied the company’s motion to compel production of the home computer. The appeals court reversed, ruling that the company was entitled to inspect the employee’s home computer. The court held that since the employee signed the policy allowing monitoring of all computers, he voluntarily relinquished his privacy rights in the information stored on his home computer, and therefore had no reasonable expectation of privacy when he used his home computer for personal matters.
Courts have held that seizure of an employee’s computer who is suspected of illegal activity, such as child pornography, does not violate that employee’s right to privacy. In Muick v. Glenayre Elec., 280 F.3d 741 (7th Cir. 2002), a former employee sued his company for invasion of privacy where the company seized his work-issued computer until the government obtained a search warrant related to child pornography charges. Ultimately, the employee was arrested, convicted, and imprisoned on charges of receiving and possessing child pornography in violation of federal law.
The court held that the employee had no right of privacy in the computer his company had provided to him for use in the workplace. The company had announced to all employees that it could inspect laptops at any time. This policy destroyed any reasonable expectation of privacy the employee might have. The court drew a distinction between a file cabinet or safe offered by a company and a laptop computer, stating that an employee can assume the personal effects left inside a safe or file cabinet are private. The court used very broad language, stating that “the laptops were [employer] property and it could attach whatever conditions to their use it wanted to.” This decision was based upon the rationale that “the abuse of access to workplace computers is so common . . . that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible.”
Likewise, simply moving emails to a “personal folder” did not provide a reasonable expectation of privacy in Thygeson v. U.S. Bancorp, 2004 WL 2066746 (D. Or.). There the employee sued for invasion of privacy after his company accessed emails in his personal folder and subsequently discharged him. The court found that the employee’s expectation of privacy was not reasonable, even though the employee originally accessed some of the emails through his personal Netscape account. The court pointed to several factors including that the messages were transmitted through the company’s network, that they were saved on a company owned computer, and that the company had a policy of monitoring all files and communications on its equipment. Similarly, the company did not invade the employee’s privacy by accessing the history of websites he had visited because that information was also contained directly on the company owned network.
In United States v. Ziegler, 456 F.3d 1138 (9th Cir. 2006), the Ninth Circuit found that a manager had no reasonable expectation of privacy where his company discovered evidence of child pornography, informed the FBI, and copied the employee’s hard drive. Instead of an employee suing a company for invasion of privacy, this issue came before the court as the result of an attempt to prevent the images taken off the hard drive from being admitted as evidence. The analysis and holding, however, are of interest in invasion of privacy cases.
Frontline, the company involved, had a policy of monitoring employees by means of a firewall that would log employee internet activity. Employees were informed of this policy upon hire. When reviewing the log of a manager, Frontline’s IT department discovered that he had accessed child pornography websites and that he had used search terms such as “preteen girls.” The IT department then notified the FBI prior to entering the manager’s private office and making a copy of his hard drive.
The manager claimed that he had a reasonable expectation of privacy. The court disagreed, citing Frontline’s routine monitoring and its disseminated policy. The most interesting part of the opinion, however, is the court’s broad pronouncement that “social norms suggest that employees are not entitled to privacy in the use of workplace computers, which belong to their employers and pose significant dangers in terms of diminished productivity and even employer liability,” and called e-mail monitoring “largely an assumed practice.” The court was careful to state that: “We do not hold that company ownership of the computer is alone sufficient to defeat an expectation of privacy,” but the above language suggested that such a holding might be the next logical step.
Upon a rehearing of the case, the Ninth Circuit backtracked on its earlier pronouncement. In United States v. Ziegler, 474 F.3d 1184 (9th Cir. 2007), the court ruled that the manager did have a reasonable expectation of privacy in the contents of his computer hard drive. Although the court ultimately ruled that Frontline’s ownership of the manager’s computer allowed Frontline to give consent for a search, the court reversed its view on the manager’s expectation of privacy.
Pivotal to reversal was the fact that the manager kept the computer in his private office, which was locked. Management held a master key to the office and all employees were aware of the policy on and extend of company monitoring, but that did not overcome the manager’s expectation of privacy within his private office. Unlike the previous decision, the opinion on the rehearing relied heavily on the employee’s expectation of privacy with respect to the physical location of the computer. The court pointed out that the result may have been different if the computer had been in a public area, but did not address that issue because it was not before the court.
Nonetheless, the reasonableness of an employee’s expectation of privacy for purposes of a civil claim may be less material in light of Hilderman v. Enea TekSci, Inc., 551 F. Supp. 2d 1183 (S.D. Cal. 2008). Adjudicating an employee’s invasion of privacy claim against his former employer, the court explored whether an employee had a reasonable expectation of privacy in information and emails stored on an employer owned laptop.
The answer ultimately depended on whether the company still had a policy of allowing employees to purchase their laptops upon leaving the company. However, the court decided as a matter of law that a company’s search of its own laptop, to protect its confidential information and not to pry into personal information, was not “highly offensive” so as to support an employee’s invasion of privacy claim. That result suggests that even if employees have a reasonable expectation of privacy when using company owned equipment, an intrusion motivated by self-protection is still not actionable.
Most recently, the Ninth Circuit issued another decision protecting employee privacy in Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008). Although the case involved a public employer, the ruling may have broader implications for employee privacy rights generally. See Michael Bologna, Employers Should Re-Examine Policies on Monitoring in Light of Ruling, Lawyer Says, DAILY LAB. REP. (BNA), July 24, 2008, at A3, available at http://pubs.bna.com/ip/bna/dlr.nsf/eh/a0b6v9g6y1. In Quon, a police officer sued the wireless provider, the municipality, the chief of police, the police department and a police sergeant after his supervisor obtained transcripts of personal text messages sent to the officer’s department-owned pager. The department’s official policy prohibited personal use of the pagers, but the supervisor directly in charge of the pagers had adopted an informal policy of not reviewing the content of the messages. Instead, the supervisor requested that officers pay for any usage over the 25,000-character monthly limit; the reason behind this request was ostensibly to avoid the necessity of reviewing all the messages to determine which were personal.
The officers did just that, paying for overages on multiple occasions. But, after several months of excessive overages, the supervisor obtained transcripts of the messages to determine how many were personal and how many were department-related. Purportedly, the department wanted to determine if existing monthly character limits were sufficient for department-related messages. A review of the messages revealed that many of the officer’s messages were personal and some of them sexually explicit.
The officer brought an action under 42 U.S.C. § 1983 against members of the department’s management, claiming that the review of his personal messages violated his right to privacy under the Fourth Amendment, the California Constitution and the Stored Communication Act. The Ninth Circuit agreed. Despite the department’s policy prohibiting personal use of the pagers, the informal policy of not reviewing messages if the officers paid the overage themselves created a reasonable expectation of privacy in the messages.
Moreover, the search itself was unreasonable, even though motivated by a concern that the existing character limit was inadequate rather than a search for misconduct. The court held that reviewing all the messages was excessively intrusive. There were a host of less intrusive measures that could have been taken instead. The court suggested officer redaction of personal messages before review or a warning that messages would be reviewed at the beginning of the month as examples. According to the appellate court, the department’s failure to use less intrusive measures rendered the search unreasonable.
Still, the limits of privacy when employees make electronic communications over company equipment hardly seem to be a settled issue. In May of 2008, Scott Sidell, a highly placed executive with a finance company, sued his former employer after discovering the employer had read emails on his personal account after his departure. See Jonathan D. Glater, A Company Computer and Questions about E-Mail Privacy, N.Y. TIMES, June 27, 2008, available at http://www.nytimes.com/2008/06/27/technology/27mail.html?scp=1S.
Sidell’s employer, Structured Settlement Investments, obtained information from his Yahoo email account that it then sought to use in its own claim against Sidell for competition in violation of his employment contract. Some of the intercepted emails even included Sidell’s communications with his lawyers discussing his case.
Whether Sidell will succeed in his suit against his employer for the interception is unclear. The case may ultimately center around whether Sidell left his personal email account logged in after he left and whether in that situation, access to the account was covered under Structured Settlement Investments’ policy of monitoring all communications made on its equipment.
The increasing ability to monitor employees both on and offsite presents intrusions on employee privacy that courts seem less and less eager to sanction. The law is especially unclear in situations where the employer and employee share the costs of maintaining equipment. See Alison Grant, Law Murky on Your Rights When Using Personal Smartphone for Work, Plain Dealer, Feb. 24, 2008, available at http://blog.cleveland.com/business/2008/02/_click_here_to_see.html. The Quon decision may indicate the new trend in this regard; increased employee investment in the equipment gives correspondingly higher expectations of employee privacy.
Likewise, recent technological developments provide new occasions for monitoring employees, many of which remain completely unexplored. For example, the increasing availability of GPS units in motor vehicles and cellular phones means that employers may be able to track employees’ location while in company owned vehicles or even simply while a phone is on. Blogs, Networking Sites, and Web Videos Drive Many Workplace Privacy Disputes, DAILY LAB. REP. (BNA), July 23, 2008, at C1. As with computer usage, the appropriateness of monitoring via GPS becomes less clear when company and employee share the costs of the vehicle or phone. Moreover, companies may not have a right to know its employees’ locations during non-work hours.
2. Wrongful Termination Claims.
Wrongful termination claims have been filed arising out of the use of e-mail systems. In Smyth v. The Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996), an employee brought suit after being discharged for sending out threatening e-mail messages to co-workers, including his supervisor. The employee claimed wrongful termination based upon the public policy exception to the at-will employment rule. The alleged public policy was one which prevents companies from terminating an employee in violation of his right to privacy. The company had assured its employees that all messages would be confidential and that such messages would not be intercepted, monitored or used against employees in connection with termination or discipline.
The Smyth court rejected the employee’s invasion of privacy claims. By sending an e-mail to members of the company, the employee gave up any reasonable expectation of privacy. Further, interception of an e-mail is not a sufficiently offensive invasion, and the company’s interest in preventing unprofessional or inappropriate e-mail messages outweighed the employee’s privacy interest. Because there was no invasion of privacy, the court held that no public policy was violated and dismissed the employee’s claim for wrongful termination.
B. The Electronic Communications Privacy Act of 1986.
Prior to 1986, Title III of the Omnibus Crime Control and Safe Streets Act of 1968 protected voice communications from unlawful interception. The Electronic Communications Privacy Act (“ECPA”) amended Title III in order to expand the underlying principles of privacy to digital communication. The relevant portion of the ECPA is divided into two parts.
Title I of the Act, commonly referred to as the “Wiretap Act” prohibits interception of electronic communications while in transit from sender to receiver. “Electronic communication” as defined by the Act means “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce,” and has been held to include e-mail. To “intercept” these communications means “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”
Title II, referred to as the Stored Communications Act (“SCA”), protects against unlawful access or acquisition of communications while they are contained in electronic storage. Violation of the SCA occurs when a person “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility.” To be entitled to SCA protection, a communication must be stored in “any temporary, intermediate storage . . . incidental to the electronic transmission thereof, or “any storage . . . by an electronic communication service for purposes of backup protection of such communication.”
2. Difficulty in application of the Act.
Though the Act may seem fairly straightforward, application has proven difficult. In Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107 (3d Cir. 2001), the company searched the company’s electronic file server and retrieved an e-mail message that had been sent from one employee to another. The court, relying upon an earlier decision in the Fifth Circuit, stated that because the e-mail had already been received, the employer had not “intercepted” the transmission, and therefore this action was not a violation of the Wiretap Act. See Steve Jackson Games Incorporated v. U.S. Secret Service, 36 F.3d 457 (5th Cir. 1994). As in Fraser, most courts that have ruled on the “interception” of e-mails under the ECPA, have agreed that the Wiretap Act only applies to e-mails that are seized by the company between the time they are sent and the time they are received.
Most of the debate surrounding monitoring employee e-mails surrounds the SCA. For instance, the lower court in Fraser held that both parts of the ECPA only prohibited monitoring while communications were in transit. 135 F. Supp. 2d 623 (E.D.Pa. 2001). The court stated that reference by the SCA to “backup” storage simply meant the process by which a message in transit is backed up on a server in case there is an error in delivery. Yet, many courts have rejected this view. The Third Circuit in Fraser chose to affirm the district court, but do so through a “different analytical path” that abandoned the questionable reasoning. Likewise, courts in Fischer v. Mt. Olive Lutheran Church, Inc., 207 F. Supp. 2d 914 (D. Wisc. 2002), Quon v. Arch Wireless Operating Co., Inc., 309 F. Supp. 2d 1204 (C.D. Cal. 2004), and Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004) have openly disagreed with the district court in Fraser, and held that the SCA applies to stored communications regardless of whether they have been received.
The most recent decision to address the issue was issued by the Ninth Circuit in Quon v. Arch Wireless Operating Co., Inc., 529 F.3d at 903, discussed previously, which held that text messages sent to a police officer’s department-issued pager were protected from interception under the ECPA. The police department obtained transcripts of the officer’s messages directly from Arch Wireless, the company that provided the pager services. Arch Wireless tried to characterize itself as a “remote communication service” (RCS) rather than an “electronic communication service” (ECS). The court disagreed, stating that the service provided by Arch Wireless was geared towards sending and receiving communications rather than storage of the information. The officer’s messages had only been stored as a backup, incidental to the transmission of the messages. Thus, Arch Wireless was an ECS and was permitted to release the transcripts only to the addressee or intended recipient (the officer), not to the subscriber (the department).
3. Exceptions relevant to the workplace.
The ECPA includes three statutory exceptions that essentially insulate companies from liability for monitoring employees. These exceptions are (i) the ordinary course of business exception, (ii) the service provider exception, and (iii) the consent exception.
a. Ordinary course of business exception.
To be a violation of the Wiretap Act, an intercept must occur by means of an “electronic, mechanical, or other device.” The definition of the type of device, however, excludes “any telephone or telegraph instrument, equipment or facility, or any component thereof, furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business.” In short, if Company A sells Employer B equipment to monitor its employees, the company cannot violate the Wiretap Act with this equipment, so long as Company A and Employer B were both operating in the ordinary course of business. No cases have given meaningful guidance on the application of the exception to employee e-mails. It has, however, been applied to cases where companies or other employers monitored their employees’ telephone conversations and pagers. In Adams v. City of Battle Creek, 250 F.3d 980 (6th Cir. 2001) a police officer sued the city and police department under the ECPA alleging that the interception of pages he received over a department-issued pager through use of a “clone” pager violated the Act. The Sixth Circuit held that for the “ordinary course of business” exception to apply that “the use be (1) for a legitimate business purpose, (2) routine and (3) with notice.” 250 F.3d at 984. The court also noted that “[t]here is some disagreement in the case law about whether ‘covert’ monitoring can ever be in the ‘ordinary course of business’”. Id. And, while the court did not find that “actual consent” was required for the exception to apply, it did require that monitoring in the ordinary course of business requires notice to the person or persons that are monitored. Id.
In existing cases, courts generally have taken two approaches to the “business purpose” ‘” content-based and context-based.
i. Content-based analysis.
Some courts look to the content of the communication when evaluating whether phone monitoring falls under the ordinary course of business exception. Put simply, companies are allowed to monitor calls related to business, but not employees’ personal conversations. The seminal case in this regard is Watkins v. L.M. Berry & Co., 704 F.2d 577 (11th Cir.1983). In Watkins, a company intercepted a phone conversation its employee was having concerning his possible resignation and future employment plans. According to the court, though the company may be interested in this information, it had no legal interest in it. Companies, when monitoring phone calls, must have a business interest in the content of the conversation and must cease monitoring activity as soon as they realize a call is personal in nature.
In Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914 (W.D.Wis. 2002), a youth minister was terminated after church officials listened to a phone conversation in which the plaintiff and another adult described homosexual encounters in extremely graphic detail. The plaintiff brought claims under the ECPA, and the church asserted that it had a business interest in protecting church personnel and preventing contact between the plaintiff and a minor. The court stated that there was no threat to church personnel in sexually suggestive conversations, and that although the church had a legitimate interest in protecting minors, the person on the phone was clearly an adult. The court refused to grant summary judgment for the church and held that the church officials should have hung up the phone as soon as they realized it was an adult on the line.
ii. Context-based analysis.
Other courts look to the context in which the company monitoring program occurs to determine whether the ordinary course of business exception applies. The focus of courts applying the context-based analysis falls upon the company’s monitoring program, rather than the employee’s communications. Courts applying this approach look to (1) whether the employee was put on notice of the monitoring program, and (2) whether the level of intrusion posed by the monitoring was justified.
Although it is unclear exactly what extent of monitoring is overly intrusive, courts have consistently held that unlimited monitoring of communications is not consistent with the ECPA. One illustrative situation was reviewed in Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994). In Sanders, a company, without notice, recorded every employee phone call that occurred at its office. Although the company stated that it was investigating a bomb threat, the court held there was no legitimate business purpose for what was extremely excessive monitoring.
iii. Application to e-mail monitoring is unclear.
It is unclear how the ordinary course of business exception will apply to employee e-mail monitoring. The Watkins rule may apply in theory, but the nature of e-mail may require a different result. E-mail is not transmitted over time, like a telephone conversation, thus a company receives the entire message at once, regardless of whether it is personal or business-related. In Restuccia v. Burk, 1996 WL 1329386 (Mass. Super. 1996), a Massachusetts state court held that a device which stored e-mails for later review by a company was excepted under the ordinary course of business exception present in a state privacy law similar to the ECPA. The question of whether this exception to the federal statute applies to employee e-mail monitoring may never be answered. Further, the presence of two additional exceptions that allow companies to monitor employees’ e-mails make the presence of a third virtually unnecessary.
b. Service provider exception.
A company is not liable under the SCA if it qualifies as a “service provider.” To be a service provider, an entity must be “a person or entity providing a wire or electronic communications service.” Some commentators argue that “service provider” should only include companies whose essential purpose is to provide internet or e-mail service, such as America Online, but courts have not so limited the definition.
In United States v. Mullins, 992 F.2d 1472 (9th Cir. 1992), the court held that American Airlines, in providing a reservations system for travel agents, was a service provider for the purposes of properly intercepting electronic communications, and was thus exempt from the Act. In Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996), the court held that a police department could retrieve text messages stored in the police department’s system without violating the SCA because that system was “provided by” the department.
In Fraser v. Nationwide, the Third Circuit applied the Bohach holding to the private sector. In Fraser, Nationwide searched an employee’s e-mails that were stored on the company server. From the content of the e-mails, Nationwide determined that the employee had been contacting rival companies and terminated him for disloyalty. Applying Bohach, the court held that “because Fraser’s e-mail was stored on Nationwide’s system (which Nationwide administered), its search of that e-mail falls within [the service provider exception to the SCA].”
c. Consent exception.
The ECPA allows for interception of electronic communications or access to stored electronic communications when “one of the parties has given prior consent.” Because so few cases have applied the wiretapping statutes to an employee’s use of e-mail or the internet, cases involving telephone monitoring serve as guidance on what constitutes consent. In Watkins, the Eleventh Circuit held that mere knowledge of a company’s monitoring of telephone conversations did not equal consent. Likewise, courts are reluctant to rule that an employee consents to monitoring when a company merely discloses its practice of monitoring.
It is unclear what constitutes prior consent, but companies should be wary. In sum, unless express permission is obtained, a company may not be able to use the consent exception to avoid liability under the ECPA. But, clearly enunciated policy of monitoring, an explanation of the application of that policy, and the employees’ agreement to the policy should suffice to show consent. See e.g., United States v. Workman, 80 F.3d 688, 692-94 (2d Cir. 1996); United States v. Van Poyck, 77 F.3d 285, 292 (9th Cir. 1996).
C. Federal Labor Laws.
Employees can use e-mail to take part in concerted activity protected by the National Labor Relations Act (“NLRA”). In Time Keeping Sys. Inc. and Lawrence Leinweber, 323 N.L.R.B. 244, 154 L.R.R.M. (BNA) 1233 (1997), an employee was terminated after he sent an unpleasant e-mail to the company’s Chief Operational Officer and all other employees critical of changes in the employees’ vacation policy. The National Labor Relations Board (“NLRB”) found that the discharge violated the NLRA stating, “[T]his is a case of concerted activity for the “purpose of mutual aid or protection,” as required by Section 7 of the Act. Leinweber’s effort to incite the other employees to help him preserve a vacation policy . . . unquestionably qualified his communication as being in pursuit of “mutual aid or protection.”
The Board also found that the tone of the e-mail did not remove its protection: “It has generally been the Board’s position that unpleasantries uttered in the course of otherwise protected covered activity do not strip away the Act’s protection.” Indeed, the Board has found communications using the terms “hypocritical,” despotic,” “tyrannical,” “a-holes,” and “cheap son of a bitch” protected. It is important to note that the protection for employees acting for the “purpose of mutual aid or protection” exists irrespective of whether a union is present.
In a union environment other issues may arise. The NLRB held in DuPont & Co., 301 N.L.R.B. No. 14 (1991), that a company had a duty to bargain with the union over the monitoring of employee e-mails. How the Board and courts will ultimately rule on the use of e-mails in union organizing campaigns and in support of grievances is unclear. Existing cases provide only limited guidance.
In Konop v. Hawaiian Airlines, 302 F.3d 868 (9th Cir. 2002), an employee sued Hawaiian Airlines, claiming the company had viewed his secured website without authorization, disclosed the contents of that website, and took other actions in violation of the Railway Labor Act, 45 U.S.C. § 151 et seq., and other laws. The employee, a pilot, had created and maintained a website where he posted bulletins critical of his employer, its officers, and the incumbent union. In particular, the employee opposed the labor concessions that Hawaiian Airlines sought from the union. Because the union had supported the concessions, the plaintiff employee, via his website, encouraged other employees to consider an alternative union to represent them. His website was controlled by requiring visitors to log in with a user name and password. In December 1995, the vice president of the company asked another pilot to use his name to access the website. The other employee agreed. The plaintiff argued that the vice president had interfered with the plaintiff’s organizing efforts by viewing the website under false pretenses. The district court granted summary judgment in favor of the company on the Railway Labor Act interference claim.
The Ninth Circuit, on rehearing, reversed summary judgment. The court held that there were sufficient issues of fact regarding whether Hawaiian had interfered with his organizing activity by accessing the plaintiff’s website to require a trial. The court stated that the surveillance or eavesdropping done by the vice president may have had the “tendency” to chill protected activities under federal labor law.
Recently, the protection afforded to employees who use company email for union organizing purposes was put into doubt by the NLRB’s ruling in Guard Publishing Co., 351 N.L.R.B. No. 70 (2007). Previously, NLRB rulings had held that a company violated the NLRA if it allowed personal use of the employer’s email system but forbade use of the system for union purposes because to do so constituted discriminatory enforcement. In Guard, the NLRB modified its previous policy to allow this type of differentiation.
The company, a newspaper, had disciplined an employee, who was also the union president, after she sent emails to other employees over the company email system informing them about union related activities and information. The company claimed that this violated its policy that company email was not to be used for non-business purposes. In response, the employee pointed to a variety of personal emails that had been tolerated previously, including jokes, items for sale, and baby birth announcements. She argued the company was specifically targeting her emails because they were union related.
In an apparent change of policy, the NLRB disagreed. While the company had tolerated personal emails, the emails were “swap and shop” in nature, selling items and making social communications. In contrast, the company had never allowed the use of its email system to promote the activities of organizations outside the company, with the exception of a company sponsored United Way campaign. The company did not forbid only union emails, or emails regarding a particular union, but all emails regarding outside organizations. By drawing the lines of tolerated use around outside organizational uses versus individual social use, the company had not discriminated against union activities. Thus, the company’s prohibition did not violate the NLRA.
Some reaction to the Guard Publishing ruling has been negative. One commentator stated that the ruling makes “absolutely no sense.” See Lawrence E. Dube, Law Professors Speaking at ABA Conference Criticize NLRB’s Register-Guard Decision, DAILY LAB. REP. (BNA), May 6, 2008, at C1. Academics have criticized the ruling as deviating significantly from previous precedent. Further, critics argue that the NLRB’s analogy between an email system and a company maintained bulletin board is incongruous because email is not a finite resource like a physical bulletin board. But, for now the limitations on employees’ rights to make union related communications via company-owned email systems seem to be increasing. And, the Guard Publishing ruling does attempt to make a practical distinction between speech regarding political, religious or societal topics and personal use.
D. Companies Can Monitor Their Employees, but Must Be Mindful of State and Foreign Laws.
Courts have been pragmatic when resolving cases involving companies monitoring employee e-mails and internet activity. Although courts cannot agree on a universal legal justification, no company-operated system of monitoring employee e-mails has ever been held to violate the ECPA or an employee’s common law right to privacy. There is a consensus among U.S. courts that company monitoring of employee e-mail and internet use is an acceptable practice.
One continuing cause for concern comes in the form of state laws. Some states, including Michigan, Nevada, New Hampshire, South Carolina, and Washington, require consent by all parties to a communication prior to recording. Even more troublesome, many states expressly require that all parties consent to monitoring of electronic communications, including California, Connecticut, Delaware, Florida, Hawaii, Illinois, Louisiana, Maryland, Montana, and Pennsylvania.
The effect of varying state laws on e-mail monitoring in the workplace remains to be seen. Although these state laws are causes for concern, employee monitoring has increased to the point where the company that does not monitor its employees is the exception, rather than the rule. So long as this trend continues, one can assume that American courts will continue to be pragmatic when addressing monitoring issues. And, although there may be some uncertainty concerning the employee’s statutory and common law right to privacy, companies appear to face more serious threats by not monitoring their employees.
Companies should proceed cautiously. They should balance the level of monitoring necessary to protect the their interests against the level of intrusion into employees’ personal lives. Legal authority on many forms of monitoring is still developing and provides little guidance as to the result under the fact patterns that are now emerging. Companies that take a conservative route and minimize monitoring that intrudes into employees’ personal lives will probably have better results.
Finally, U.S. Multinational companies must be aware of the European Union Data Protection Directive (95/46/EC) and each member states’ data protection regulations. While U.S. privacy law generally has a property-based outlook, European regulation focuses on individual legal rights. See Monitoring Technology in the American Workplace: Would Adopting English Privacy Standards Better Balance Employee Privacy and Productivity?, 95 Cal. L. Rev. 115 (2007); ICT and Employer-Employee Power Dynamics: A Comparative Perspective of United States’ and Netherlands’ Workplace Privacy in Light of Information and Computer Technology Monitoring and Positioning of Employees, 25 J. Marshall J. Computer & Info. L. 37 (2007). Plainly, a typical U.S. electronic communications policy would not pass muster within the European Union.