Earlier this week, a story broke reporting that Harvard University surreptitiously viewed the work emails of 16 residential deans as part of its investigation into a cheating scandal. Your level of outrage at Harvard's investigation will depend entirely on the degree to which you believe employees have an expectation of privacy in a corporate email account.
According to U.S. v. Finazzo (E.D.N.Y. 2/19/13), employees enjoy no such expectation of privacy, provided that you have the right language in your email policy.
In Finazzo, the U.S. government alleged that Christopher Finazzo, an executive at the clothing retailer Aéropostale, received illegal kickbacks from transactions between his employer and one of its vendors. During an unrelated internal investigation, Aéropostale discovered an email in Finazzo's Aéropostale email account between him and his personal attorney. That email contained a list of Finazzo's personal assets, which included several companies he co-owned with the vendor from whom he received the illegal kickbacks.
In his subsequent federal criminal trial, Finazzo attempted to block the government from using that email against him. The trial court denied his motion, holding that he had no expectation of privacy in his work email account.
In reaching this conclusion, the federal court relied upon Aéropostale's email policies, which stated:
Except for limited and reasonable personal use (e.g., occasional personal phone calls or e-mails), Company Systems should be used for Company business only. Any limited exceptions to this rule must be approved through the IT department. Under no circumstances may Company Systems be used for personal gain or profit; solicitations for commercial ventures; religious or political issues; or outside organizations. Company Systems may not be used to distribute chain letters or copyrighted or otherwise protected materials….The court concluded that Aéropostale's policy, and Finazzo's knowledge of it, disposed of any claim that the email exchange with the personal attorney was private and therefore privileged:
You should have no expectation of privacy when using Company Systems. The Company may monitor, access, delete or disclose all use of the Company Systems, including e-mail, web sites visited, material downloaded or uploaded and the amount of time spent on-line, at any time without notification or your consent.
Finazzo has no reasonable expectation of privacy or confidentiality in any communications he made through his Aéropostale e-mail account. Aéropostale had a clear and long-consistent policy of limiting an employee's personal use of its systems, reserving its right to monitor an employee's usage of the system, and making abundantly clear to its employees, including Finazzo, that they had no right to privacy when using them.Do you have an email or workplace technology policy? Do you employees know that you have such a policy? Does your policy—
- Warn employees that they have no expectation of privacy in corporate emails or in their use of corporate systems?
- Ban personal use of corporate systems or email, or limit such personal use to what is reasonable and occasional?
- Reserve the right of the company to monitor employee use of its systems, including emails?