Snooping employers beware

Spying on your employees could land you in hot water


The increasingly technology-savvy U.S. work force is quickly surpassing employers' ability to adapt to new, dynamic forms of communication; many private and public sector employers find themselves playing catch-up. With employees' increased access to technology in the workplace, many employers want to be sure such access is used reasonably. However, employees' privacy rights must be considered.

Federal and state laws regulating workplace privacy have clarified employees' right to privacy and employers' right to monitor. Nevertheless, there are innumerable gray areas that can cause trouble for even the most well-intentioned employers.

Existing privacy laws

Privacy concerns are deeply rooted in intrinsic constitutional values, specifically those enumerated by the Fourth Amendment, which protects against unreasonable searches and seizures. Indeed, the line between privacy concerns regarding public and government employers and privacy concerns regarding private sector employers is blurry. And the average employee has difficulty determining the parameters of his or her privacy interests and rights in the workplace. Various federal and state laws have been created specifically to demarcate privacy rights and obligations inside and outside the U.S. workplace.

The ECPA

The federal Electronic Communications Privacy Act (ECPA) of 1986 generally governs privacy rights regarding a broad range of communication media. The ECPA comprises three titles: Title I addresses electronic communications; Title II addresses stored communications; and Title III addresses pen registers and pen/trap devices. Together, these three titles have dramatically transformed employees' and employers' privacy rights and obligations.

The Wiretap Act

Before the ECPA's enactment, the Omnibus Crime Control and Safe Streets Act of 1968, known as the "Wiretap Act," generally prohibited the intentional interception of any wire or oral communications, including all telephone communications. The ECPA amended the Wiretap Act to further prohibit the intentional interception of all electronic and computer communications, including e-mail.

Specifically, the Wiretap Act makes it unlawful to listen to or observe the contents of a private communication without the permission of at least one party involved with the communication. The Wiretap Act applies only to unlawfully intercepting "real-time" communications—those in the process of being delivered to a recipient. It does, however, provide two noteworthy exceptions: the consent exception and the business extension exception.

First, the act does not prohibit intercepting private communications when the communication's originator or intended recipient has given his or her lawful consent. Consent can be express (such as in a signed policy acknowledgement form or other agreement) or implied from the circumstances (such as when an employee is informed the employer has commenced e-mail monitoring). As a result, employers should ensure they consistently operate within their e-mail monitoring policies so they don't exceed the scope of an employee's consent.

Additionally, under the business extension exception, the act does not prohibit intercepting private communications by an electronic communications service provider if the interception occurs in the normal course of business and for a legitimate business reason. This exception applies only where employees are using employer-issued or employer-provided equipment or electronic communications services. However, this exception generally does not apply where employers intercept and review employees' personal e-mails beyond the point necessary to determine that a given e-mail is personal and nonwork-related.

Accordingly, employers may intercept employees' e-mails as long as they received consent from employees or the interception is part of their routine, automatic business operations as opposed to part of a targeted disciplinary investigation of a particular employee.

The Wiretap Act provides for criminal and civil sanctions. Any person or entity that violates the act is subject to criminal sanctions, including a monetary fine and imprisonment for up to five years.

The act further provides that an employee may recover several forms of relief in a civil lawsuit. If the violation was not for a "tortious or illegal purpose or for purposes of direct or indirect commercial advantage or private commercial gain," an employee may recover as follows:

  • If the unlawful conduct involves a first-time violation of the act, the employee may recover either actual damages or statutory damages ranging between $50 and $500 per violation—whichever is greater.
  • If the unlawful conduct involves a repeat violation of the act, the employee may recover either actual damages or statutory damages ranging between $100 and $1,000 per violation—whichever is greater.
  • If the violation is for an improper purpose, the employee may recover either actual damages or any profits made by the violator as a result of the violation—whichever is greater—or statutory damages of $100 per day of violation or $10,000—whichever is greater.

The Stored Communications Act

Title II of the ECPA, commonly referred to as the "Stored Communications Act" (SCA), created a new chapter of the criminal code addressing unlawful access to stored communications and transaction records. The SCA prohibits disclosing electronically stored communications content to government and nongovernment entities. However, the act does not prohibit disclosing user information to nongovernment entities.

The prohibition against disclosing electronically stored communications "content" is broad. Indeed, it "includes any information concerning the substance, purport or meaning of that communication." Electronic communications service providers must refrain not only from generally disclosing or accessing the electronically stored communication itself but also from releasing any information regarding general aspects of the communication.

The act applies to any "electronic communications service," which is broadly defined as any service that provides its users with the "ability to send or receive wire or electronic communications." Generally, telephone and electronic mail companies provide electronic communications services. Further, private employers that provide employees with access to the Internet or an internal electronic communications system are also bound by the SCA.

As with the Wiretap Act, the SCA provides some noteworthy exceptions: the consent exception and employer-owned systems exception. The consent exception dictates an electronic communications service provider is not liable for accessing and/or disclosing stored communications when acting pursuant to the consent of either the originator or intended recipient of the particular communication. The employer-owned systems exception dictates an employer that also is an electronic communications service provider is not liable for accessing and/or disclosing communications stored in its own systems.

However, the exceptions apply only to communications in "electronic storage," which exist only when communication storage is incidental to the electronic transmission of communication information or communication storage is made by an electronic communications service provider to provide backup protection for the communication. Therefore, arguably, employers who access electronic communications stored for a nonincidental or backup purpose are not exempt from the act's prohibitions.

The SCA states an employee may seek civil remedies, including preliminary and other equitable relief; actual damage and profits made by the violator for a minimum of $1,000 in statutory relief per violation of the act (assuming actual damages are shown); and reasonable attorneys' fees and costs. If an employee can prove the employer's violation was willful or intentional, the employee also can recover punitive damages.

Moreover, the SCA provides for criminal penalties. If an employer's conduct involves a first-time SCA violation that was not committed "for purposes of commercial advantage, malicious destruction or damage, or private commercial gain, or in furtherance of any criminal or tortious act," penalties include a maximum of one year's imprisonment and/or a $100,000 fine.

For repeat violations not committed for one of the improper purposes listed previously and for first-time violations committed for one of the improper purposes, penalties include a maximum of five years' imprisonment and a $250,000 fine. For repeat violations committed for one of the improper purposes, penalties include a maximum of 10 years' imprisonment and a $250,000 fine.

The Pen/Trap Statute

Title III of the ECPA contains the Pen Registers and Trap and Trace Devices Statute, known as "the Pen/Trap Statute." The statute regulates the lawful (and unlawful) use of pen registers and trap/trace devices. Pen registers are instruments that automatically record the identifying telephone numbers of all outgoing calls made by a particular telephone line. Trap and trace devices are instruments that automatically record the identifying telephone numbers of all incoming calls received by a particular telephone line. Because the statute applies only to government-initiated investigations, it has little effect on private employers.

State laws

Various states have enacted (or are in the process of enacting) laws regulating workplace privacy rights and obligations. Although a majority of states are enacting laws that mirror protections offered by federal privacy laws, a number of states are enacting even stricter laws to further regulate employers' access to employees' electronic and other types of communications.

In a majority of states, including New York, the consent of one party to a communication must be obtained before monitoring. Similarly, California and other states require the consent of both parties to a communication before any monitoring can be performed lawfully. States such as Connecticut and Delaware have gone even further, enacting statutes requiring employers to notify their employees before monitoring their e-mail use and content.

Accordingly, you must ensure you comply with federal and state-specific mandates when monitoring or otherwise accessing your employees' electronic communications.

Difficult questions

Most employers have a limited understanding of their rights and obligations under federal privacy laws. As a result, many employers find themselves in trouble after stepping outside the established parameters of acceptable workplace "snooping." Because federal and state laws provide significant penalties for violations, you should become familiar with privacy rights and obligations before you find yourself defending a costly lawsuit or even facing criminal charges.

Following are some common questions regarding privacy rights and obligations.

Can employers monitor and intercept e-mails sent by their employees via their company's internal electronic communications service?

You are authorized to intercept and monitor employee e-mails taking place on employer-issued or employer-authorized computers and electronic service systems for regular, legitimate business purposes. You also are authorized to intercept and monitor employee e-mails upon receiving employees' express or implied consent.

As a result, you have wide latitude when monitoring e-mails sent by employees via company computers. However, you may not target specific employees for e-mail monitoring to determine, for example, whether an employee is disgruntled or otherwise communicating negatively about you or your company. You also are not entitled to review every intercepted e-mail when an e-mail is clearly personal and not related to the legitimate business reasons for monitoring employee e-mail use.

This parameter is key to understanding the business extension exception's purpose. Employers are not intended to have unfettered access to their employees' e-mails. Instead, they are intended to have monitoring rights to ensure their systems are running properly and their employees are working efficiently and productively.

Can employers monitor and intercept e-mails sent by their employees via a personal, password-protected electronic communications service provider?

As previously mentioned, your monitoring rights are limited to situations where an employee is using employer-provided equipment or Internet services. If your routine monitoring system captures all e-mails and Internet use (including those on personal e-mail accounts) for some legitimate business purpose, you likely are in compliance with the Wiretap Act.

However, you will run afoul of the Wiretap Act if you specifically endeavor to intercept and review employees' personal, nonwork-related e-mails for illegitimate purposes (for example, to determine whether an employee is pro- or anti-union).

Can employers access stored e-mails sent by their employees via their internal electronic communications service?

Generally, you may store and access stored e-mails sent by your employees via employer-issued or employer-authorized equipment or Internet services. However, your purpose for storing and later accessing the e-mails must be incidental to the e-mail transmission or to provide routine systems maintenance (such as the need to ensure a backup copy).

Nevertheless, you generally are free to then access and review all work-related e-mails. Of course, you still should be cautious and ensure access does not violate other labor and employment laws.

Can employers access stored e-mails sent by their employees via a personal, password-protected electronic communications service provider?

As previously mentioned, you may access stored e-mails provided the e-mails are lawfully stored for valid, legitimate purposes. However, your rights are fairly limited when it comes to accessing stored e-mails via an employee's password-protected, personal e-mail account.

This area seems to cause employers the most difficulty. Because of the dense and complicated nature of federal privacy laws, many employers falsely assume they may access any e-mail stored in a company-issued computer for any purpose; this is simply untrue. Employers may access work-related e-mails for legitimate purposes only.

Indeed, several recent district court opinions have clarified and reinforced employers' rights and obligations regarding this tricky situation. In the 2008 case Pure Power Boot Camp v. Warrior Fitness Boot Camp, the Southern District of New York held that an employer violated the SCA by reviewing an employee's private e-mail account maintained on a company-issued computer.

The employer in this case had accessed the employee's personal e-mail account after discovering the employee had left the username and password saved on the company computer. According to the employer, the employee's private e-mail account opened automatically when the Hotmail Web site was accessed. Furthermore, the employer argued its electronic communications policy clearly explained that the employer had control, access and ownership of all communications using company-issued equipment.

The court disagreed with the employer, noting that its clear, broad electronic communications policy could not and did not authorize its review of nonwork-related e-mails maintained in the employee's personal, password-protected e-mail account.

Similarly, in the 2009 case Van Alstyne v. Electronic Scriptorium, Ltd., the U.S. Court of Appeals for the Fourth Circuit affirmed the award of significant punitive damages, attorneys' fees and costs amounting to more than $236,000 for an employer's repeated unauthorized access to an employee's personal e-mail account.

In this case, the employee noticed during the discovery phase of an unrelated lawsuit against her filed by her employer that her employer had accessed at least 258 e-mails stored in her private AOL e-mail account. She subsequently filed a lawsuit against her employer and was awarded the significant relief previously described.

These remarkable decisions illustrate the importance of employers taking time to fully understand their rights and obligations under federal privacy laws, as well as the need to consult legal counsel to make sure they adhere to established parameters and their own electronic communications policies.

Attorney-client privilege

A highly litigated aspect of workplace privacy law involves the possibility of waiving attorney-client privilege in e-mail communications intercepted and/or later accessed by an employer. Although the legal landscape still is evolving in this area, recent court decisions have shed some light on the issue.

Of notable significance is the 2005 case In Re Asia Global Crossing, in which the Southern District of New York set forth a four-part test for determining whether an employee has waived the attorney-client privilege by virtue of his e-mail correspondence at work. In arriving at these four factors, the court relied on several cases involving workplace privacy rights, observing that employees' expectations of privacy are closely analogous to clients' expectations of confidentiality. The four factors are:

  1. Whether the employer maintains a policy banning personal or other objectionable use
  2. Whether the employer monitors the use of employees' computers or e-mails
  3. Whether the employee knows of the employer's policies regarding monitoring, privacy and computer and/or e-mail use
  4. Whether third parties have a right to access employees' computers or e-mails

Although the court did not find that the attorney-client privilege had been waived on the facts before it, a more recent decision illustrates how the factors can militate against the privilege. In the 2007 case Scott v. Beth Israel Medical Center, the New York Supreme Court held that e-mails sent by a physician to his attorney using the hospital's e-mail system did not retain their privileged character. Applying the four factors, the court noted the hospital maintained an e-mail policy, which provided that electronic mail systems "should be used for business purposes only"; therefore, employees have "no personal privacy right" in their e-mails and the hospital "reserves the right to access and disclose such material at any time without prior notice."

The court also emphasized that the physician had received "both actual and constructive knowledge" of this policy, which was disseminated to all employees, including those under the physician's supervision. Adding that any confidentiality notices embedded in the e-mails were inconsequential for purposes of preserving the privilege, the court concluded the physician did not have an objectively reasonable expectation of confidentiality in the e-mails sent to his attorney.

Most courts have embraced the four Asia Global case factors in one manifestation or another. In particular, courts have stressed the importance of maintaining a widely disseminated e-mail policy. In National Economic Research Association v. Evans in 2006, the Superior Court of Massachusetts held that an employee could not reasonably expect to communicate with his attorney in confidence using his work e-mail address because his company's policy stated that "e-mails are not confidential and the Company may read them during routine checks."

In contrast, the same court held in Transocean Capital v. Fortin in 2006 that where a company failed to provide its employees with adequate notice regarding the existence of its e-mail policy, the privilege remained intact.

Courts have supplemented the Asia Global case factors with additional considerations. In the Evans case, the court drew a distinction between using work e-mail and personal e-mail. Although the court found that e-mails sent from the employee's work e-mail address were not privileged, it noted the policy did not "expressly declare, or even implicitly suggest, that [it] would monitor the content of e-mail communications made from an employee's personal e-mail account." Because employees would not assume e-mails sent from their personal accounts would be automatically stored on the computer's hard drive, the court concluded that e-mails sent from the employee's personal address did not waive the privilege.

Other courts have emphasized the extent to which a company's e-mail policy is enforced. In the 2006 case Curto v. Medical World Communications, the Eastern District of New York considered whether an employee had waived the attorney-client privilege where the company's policy provided that "[e]mployees shall not have an expectation of privacy in anything they create, store, send or receive on the computer system." Despite this policy's existence, the court held that "lack of enforcement by [the employer] of its computer usage policy created a false sense of security which lulled employees into believing that the policy would not be enforced."

These rulings clarifying the importance of an employer's enforcement of its electronic communications policy in the context of attorney-client privilege waivers are in line with general rulings regarding the importance of an employer's enforcement of its policies in relation to claims of privacy violations. For example, the Seventh Circuit held in the 2002 case Muick v. Glenayre Electronics that an employee had no right of privacy in his work laptop computer where his employer had announced it could inspect employees' computers at any time.

Accordingly, the importance of enforcing electronic communications policies cannot be overstated. Employers must draft, disseminate and adhere to carefully crafted electronic communications policies to better comply with and prevent privacy law violation claims.

Best practices

What should you do to ensure your employee monitoring practices comply with federal privacy laws? Consider the following:

  • Develop strong electronic communications policies that comply with federal and state privacy laws.
  • Apply all your policies (particularly your electronic communications policies) routinely and consistently to avoid discrimination, retaliation and privacy breach claims.
  • Consult legal counsel to establish a strategy for successfully and lawfully monitoring and accessing employee e-mails.
  • Train supervisors, managers, human resources personnel and other administrators to strictly comply with your electronic communications policies and the privacy laws. Their lawful implementation is key to avoiding costly privacy violation claims.

In this era of rapid technological advancement, continued interdependence of technology resources, and effective workplace management and performance, we encourage you to wisely and strategically use employee monitoring and communication storage tools to maximize your employees' efficiency and company's productivity.

Despite the clear benefits of employee monitoring and communications access, it is imperative you adroitly comply with often ignored privacy laws to avoid costly litigation, boost employee morale and maintain a positive public image. The bottom line? "Snoop" cautiously and with purpose.

Jason C. Kim is a partner and Gray A. Mateo is an associate in the labor and employment practice group of the Chicago-based law firm Neal, Gerber & Eisenberg LLP.
