Publications
SHOULD YOU MONITOR YOUR EMPLOYEES' E-MAIL?
(You May Be Damned If You Do And Damned If You Don't)
There are all kinds of bona fide reasons why an employer might want to monitor employee e-mail. For example, many courts have found that an employer's tolerance of off color jokes sent through the office e-mail system can be used as evidence of a "hostile environment" in a sexual harassment case. Similar cases abound in respect to employer tolerance of e-mail directed at particular races or nationalities, or office e-mails used as a means through which to spread defamatory accusations. An employer might be concerned about an employee's misuse or disclosure of trade secrets or confidential information. An employer might want to look for evidence that key employees are being solicited by competitors or head hunters. And, of course, an employer might want to monitor employee productivity.
It is becoming much easier for employers to monitor employee e-mail (and for that matter, employee internet access). Employers have always had access to the company e-mail server, but many businesses are now installing surveillance software that permits employers to record each employee keystroke as it occurs - the data from the keystrokes are recorded even if an employee never saves the e-mail on a corporate computer. These programs will also monitor e-mail for key words, e-mail addresses, and so on, making it much easier for the employer to find out what it needs to know.
But is it legal?
On an increasing basis, employees are insisting that they have a reasonable expectation of privacy in the workplace. Virtually all employers tolerate at least some personal telephone calls, knowing that morale would suffer dramatically if they did not. Employees argue that e-mail has in many instances replaced the need for these kinds of calls, and they point out that almost everyone's sensibilities would be offended if employers eavesdropped on a personal telephone call to a spouse, or child, or doctor. So why should e-mail be any different? Individual privacy, free from surveillance, is a hallmark of a civilized society, and the rights of the vast majority should not be infringed because a small minority abuses certain privileges.
It's an attractive argument. But there are, of course, some fundamental, practical differences between personal telephone calls and e-mails. E-mails have the potential to be much more damaging to a company - unlike a telephone call, for instance, they can include hundreds of pages of attachments from company files, they can be directed to a great many recipients at the same time, and they exist in a concrete, reproducible form that can multiply geometrically through the forwarding process.
As so often happens with technology-related issues, it will take the law several years to analyze and react to the current realities. Here's where we are right now.
The Current State of the Law
At present, the most important governing statute is the Electronic Communications Privacy Act (ECPA), a federal law that generally prohibits the "interception" and disclosure of wire, oral and electronic communications. But the ECPA defines "interception" in a very narrow manner. Courts have generally interpreted the term to apply only to the review of an e-mail during its actual transmission from sender to recipient. Reviewing the e-mail after it is transmitted - for example, when it resides on the company's e-mail server - is not an "interception" within the meaning of the statute.
In addition, the ECPA permits the interception of an electronic communication if: 1) one party consents in advance; 2) the employer furnishes the e-mail service; and 3) the employer intercepts the e-mail in the ordinary course of business. Requirements 2 and 3 generally take care of themselves. As for 2, so long as the e-mail was sent on a company system (as opposed to the employee's personal AOL account), that is a non-issue. As for 3, the term "ordinary course of business" has been interpreted by the courts to mean anything to do with quality assurance, theft prevention, promoting employee productivity, avoiding liability, and so on.
But what about requirement 1, mandating consent? For years, we (as well as many other lawyers and consultants) have been preaching the message that every employer must promulgate and distribute to all employees an e-mail/internet policy which, in addition to specifying the dos and don'ts of e-mail and internet use, advises the employees that their e-mails and internet use are subject to employer monitoring. Consent can be established by proving that the employee received such a policy. (Word to the wise: if you do not have an appropriate e-mail policy that has been reviewed by competent counsel, you are running huge and avoidable liability risks for a great many other reasons as well.)
So, from the employer's point of view, what's the problem?
Why Compliance with the ECPA Is Not Enough
All of this is new and untested. We think that, with proper counsel, employers can easily satisfy the ECPA, but we do not think that compliance with the ECPA is an effective vaccination against all potential liabilities for e-mail surveillance. There are other statutes and legal proscriptions that may be implicated by an employer's monitoring of employee e-mail, and those cases have yet to fully bubble to the surface.
For example, suppose you randomly select an employee and monitor his e-mail for a week in order to see if he is spending too much unproductive time engaged in personal e-mail activity. In the course of that monitoring, you read an e-mail in which the employee discloses to a friend that he is HIV positive. Or you read an e-mail that he sends to a union, disclosing his current efforts aimed toward organizing your office staff. You just got more information than you wanted to know. If, by chance, the employee is terminated three months later and believes that his termination was a result of your knowledge of his sickness or his union favoritism, the depositions could become very interesting. What happens when representatives of the employer are asked if, before the firing, they knew that the employee was HIV positive, or if they knew that he was engaged in a union organizing campaign? A routine termination has now become an ADA case, or an Unfair Labor Practice charge before the National Labor Relations Board. There is an unforeseeable variety of information that might be unintentionally gleaned from employee e-mails, such as the organizations they belong to, their sexual orientation, the medications they take, and so on. Sometimes, its better not to know.
Then picture this scenario. The employee's most private and sensitive secrets, now known by the employer, are maintained in a file, stumbled upon by a clerical employee, and disclosed to other employees. Or a memo reflecting the information is accidently seen at the copy machine by another employee, and the word spreads. We believe that courts will be very sympathetic to employees who have their privacy breached, their careers ruined, or their personal lives shattered by these kinds of disclosures.
Up to this point, courts and legislatures have been very reluctant to chip away at an employer's unfettered right to monitor employee e-mail, so long as the employer complies with the ECPA, but we caution against taking too much solace in these results. We believe that it is only a matter of time before the right fact pattern makes its way into a courtroom. Courts deal in precedent. Once a court establishes a precedent in this area, other courts will feel much more sanguine about following suit.
In addition, proposed federal legislation, which is expected to pass, evidences the beginnings of Congressional intent to address this issue. The pending Notice of Electronic Monitoring Act would require all employers to make employees aware of the type of computer use that the employer will monitor, how the monitoring will take place, and how often the monitoring will be conducted. Employees would receive notice of the monitoring activity upon hiring, annually thereafter, and whenever monitoring policies are altered. The law would not prohibit employers from monitoring e-mail, but it would make employees more conscious of the practice, and that will inevitably lead some employees to test the litigation waters. And, by the way, the proposed legislation would permit employees to sue their employers if the required notices were not provided.
The Action Plan
So what should your action plan be? Consider the following:
- A global prohibition of all personal use of e-mail and internet use is not practical in most workplaces. Employers are usually better served by restricting the types of personal e-mail and internet use so that, for example, employees do not use the computers for unlawful purposes, or to violate their employer's rights in trade secrets or intellectual property, or to conduct independent business activities, or in defined ways that could expose the employer to liability.
- You must have an e-mail/internet policy. Counsel must be involved in the drafting and implementation of the policy so that it satisfies current law, so that it does not implicate violations of other laws (like the ADA and labor laws), and so that it stays up to date. It must also be distributed in such a way that you can prove it was received by all employees. And you must enforce it consistently.
- If you choose to monitor employee e-mail, compliance with the ECPA mandates that you consult with counsel regarding who should conduct the monitoring, how and when it should be done, and what records should be kept respecting the efforts.
- If you choose to use the sophisticated monitoring software now available, be mindful of the fact that "flagging" certain key words can become a litigation issue. It can become extremely relevant if, for instance, an employer chose to search for terms such as "union," "organize," "strike," "HIV," and the like.
- Some states have enacted specific legislation that covers electronic and similar monitoring activities. You must get specific legal advice for all states in which you conduct business. Recently, for instance, a bill passed the California legislature making it a crime for an employer to monitor an employee's e-mail without warning the employee in advance. The Governor vetoed the bill. But it will probably be back, and other states may jump on that and similar bandwagons.
- Keep abreast of changes in the law, such as the expected enactment of the Notice of Electronic Monitoring Act. Of course, we will keep you apprised in Avoiding Lawsuits. Our law firm, and our affiliated training firm, are ready to provide you with assistance in these areas.
Powell, Trachtman, Logan, Carrle & Lombardo, P.C. is a full service law firm with offices in suburban Philadelphia, PA, Harrisburg, PA and Cherry Hill, NJ. Powell Trachtman represents a variety of commercial enterprises, entrepreneurs and business executives in respect to their litigation, litigation avoidance planning, business formation, business transactions, estate and tax planning, and other needs. We are also approved defense counsel for numerous insurance carriers in matters pertaining to professional malpractice, products liability, employment practices, directors and officers liability, and many other fields. For more information, contact us at info@powelltrachtman.com and visit our website at www.powelltrachtman.com.
