Negotiating the Workplace Privacy Minefield
But it's the workplace that is shaping up as the real privacy battleground.More than 73 percent of companies now monitor their employees' Internet use,according to a study last year by the American Management Association.
As monitoring has increased, so has employee wariness. Legal challenges areon the rise. Last year Congress debated a bill that would have forced companiesto supply employees with detailed information about the method, frequency, andgoals of monitoring. Violations of the requirements could have resulted in actualdamages, punitive damages, and attorney fees of up to $500,000. The bill did not pass,but new versions are appearing. Just recently, the California State Senate passed Senate Bill 147, which, ifapproved by the State Assembly and Governor Davis, would require employers to give written notice of any e-mail or electronic monitoring to its employees by March 1, 2002.
The employer must distribute its electronic monitoring policy to all employees and obtain a receipt from the employee acknowledging they have read and understood the policy. Failure to comply with this new bill could result in a misdemeanor fine. Whether this bill or another version passes remains to be seen. The reality is, employee groupsare pushing for more protection of individual privacy rights and employers must be aware of the ever-changing rules.Hoping to head off problems, several large companies, including Microsoft andAmerican Express, have created the post of Chief Privacy Officer to focus oncorporate privacy issues. Presumably, one of their job responsibilities will include addressing this issue.
From a legal standpoint, it is generally agreed that if an employer providescomputers to its employees, then the computers are company property and theemployer can usually monitor and examine their contents.
Employers have good, legitimate reasons for monitoring employee Internet ande-mail usage. Aside from financial and liability problems stemming from employeemisconduct, Internet downloads clog computer systems and make the systems runslowly and inefficiently. More than 30 percent of Internet surfing that occursduring the 9-to-5 workday is not business related, according to a study by Websense,one of the several companies offering employers filtering software. With somuch at stake, sales of e-mail scanning software will grow from $52 millionin 1999 to $873 million in 2004, according to IDC, a research firm.
However, as they move to protect themselves, employers must be careful notto infringe on their employees' privacy rights. They face both civil and criminalliability under the Electronic Communications Privacy Act of 1986 ("ECPA").Originally adopted to address concerns about the illegal monitoring of phonelines, the ECPA has been interpreted by some federal district courts as alsoapplying to the monitoring of e-mails.
Regardless of the interpretation, the courts have agreed that an employer cancomfortably monitor an employee's computer activities if the employee expresslyor indirectly consented to the monitoring, or the actions were undertaken duringthe ordinary course of business.
Express or implied consent can be shown if employees have formally agreed toa set of policies. Implied consent arises in situations where the employee hasno reasonable expectation of privacy. For example, courts have found that anemployee could not reasonably expect privacy in using an employer's e-mail systemto send company trade secrets to a competitor. If the employer reviews thosee-mails, it would not be an ECPA violation for two reasons.
First, by using the company's e-mail, the employee implied his consent to thecompany's viewing of business-related e-mails. Second, under the "ordinarycourse of business" exception to ECPA, a company taking steps to protectits trade secrets in the ordinary course of business would not be liable.
Land mines still exist
Employers still need to be careful. In addition to the civil and criminal implicationsof the EPCA, employers face liability under the common law tort of invasionof privacy. The most common actions arising under an invasion-of-privacy theoryare the unreasonable intrusion into an individual's private affairs and publicdisclosure of private facts. While the employer may have the right to monitore-mails, once a determination of the "nature" of the e-mail is made,if it is personal and does not violate any company policies, viewing and monitoringof the e-mail should immediately cease.
Although it may sound simple, potential land mines are everywhere. For example,in this day and age of telecommuting, the review or monitoring of an employee'slaptop or home computer is a sticky situation. If the computers are companyproperty, the company should have similar rights to inspect and review the informationon the computers. However, if employees are using their own computers for companybusiness, it may be a different matter.
In California, Labor Code § 2860 provides that "everything whichan employee acquires by virtue of his employment, except compensation . . .belongs to the employer," even after termination of employment. Accordingly,a company should have the right to review or remove any company files and informationstored on an employee's personal computer. But the guidelines are differentthan those for monitoring employees' use of computers at work, and the employer needs the employee's permission before inspecting a personal computer.
With that in mind, an employer should put employees on specific notice thatany company information or property taken home or stored on personal computersstill belongs to the company. With highly sensitive information, companies maywant to adopt an across-the-board policy that strictly prohibits downloadingsuch information on personal computers. If an employee refuses to cooperate,an employer might need a court approval for an inspection.
Creating policies and procedures
Confrontations can be avoided by implementing clear Internet and e-mail policies.Not only will it avert problems, but these policies can also help a companyestablish the express or implied consent exception to an ECPA claim.
First and foremost, employee handbooks should inform employees as to what constitutesinappropriate usage of the company computer. The policies should always containthe following key points:
The single most important pointis the need to reduce the employees' expectations of privacy. The systembelongs to the employer. Even e-mails marked as private or confidentialhave no protection from employer monitoring. Passwords do not ensure theright to privacy, either. If employers don't state the policy and enforceit, it can be read as implied consent for inappropriate behavior.
The policy should describe thepenalties for violating the Internet and e-mail policies. In most cases,it should be clearly stated that abuse of the Internet will not be toleratedand can lead to termination.
It should be made clear that e-mailis not a casual form of communication. Many employees compare e-mailsto telephone calls, but they are unaware that even if an e-mail is deleted,it is permanently stored on magnetic tape and still remains on the harddrive. Employees should understand that e-mails have to be carefully drafted,similar to formal correspondence. The policy should make it clear that even"casual" e-mails containing sexually suggestive, harassing, discriminatory,or unprofessional statements, or e-mails encouraging or engaging in illegalactivity, will not be tolerated.
All employees should be requiredto report any misconduct. When the rules are stated clearly and distinctly,enforcement becomes everyone's responsibility.
The policy should inform employeesabout the type of monitoring that will take place. Some companies havea compliance department that might open every e-mail that comes in. Othercompanies may just do periodic reviews. Whatever the method, let the employeesknow about it.
Addressing abuse and misuse
If a company discovers improper Internet or e-mail usage, it must promptlyaddress the problem and take all necessary steps to stop the activity. Failureto act may lead to the employer's liability for employee misconduct. Furthermore,it may result in accusations that the employer tolerates or promotes a hostilework environment.
But even discovering the identity of the culprit may be difficult, thanks tothe anonymity afforded Internet users. Convincing an Internet service provider(ISP) may be difficult without a subpoena, warrant, court order, or other legalmeans. Even if the ISP responds, the information may not be helpful if the senderoriginally submitted false information to the ISP.
As with any investigation, there must be thorough interviews and the accusedshould be given the opportunity to be heard. Victims should be assured thatstrong action will be taken and their privacy rights will be considered.
By following established guidelines, employers can avoid potential headachesdown the road, as well as costly lawsuits.