How to Safely Monitor Employee E-mail
Most people don’t think twice about using email as a means of communication. This is the root of the problem. The informality associated with email and lack of caution creates a host of potential legal pitfalls. Email messages are stored in a routing computer in unencrypted plain text files which are available to anyone with access to the system—most often the employer. For a number of valid legal and business reasons an employer may want to monitor these messages, although monitoring itself creates new issues.
WHY SHOULD I MONITOR MY EMPLOYEES’ EMAIL?
The first question an employer ought to ask itself with regard to monitoring employee email is, “Should I?” The most basic reason for monitoring is to ensure that employees are being productive. Monitoring email is also a way to protect proprietary data and the rights and safety of other employees. Unchecked transmissions offer corrupt employees a simple means to transmit confidential information and trade secrets. Likewise, vicarious liability for the actions of employees and the ever growing number of harassment suits based on the actions of employees seems to mandate the monitoring of email. So, should you monitor your employees’ email to some degree? The answer is a qualified yes.
WHAT DANGERS DO I FACE IN THIS AREA?
The second question an employer should ask is, “Can I monitor my employees’ email legally?” To date, no specific and adequate legislation addresses the monitoring of email in the workplace. Employers and employees must rely on old tools to handle this new problem.
The most prevalent claim made by plaintiff employees is that monitoring violates their rights of privacy. Along with this, plaintiffs usually add in a number of other tort claims such as intentional infliction of emotional distress. Luckily for employers, the courts that have addressed this issue largely recognize the needs of an employer to monitor email. In Smyth v. Pillsbury Co. an employee was terminated for sending email over the employer’s system that threatened to “kill the backstabbing bastards” in management and referred to a planned holiday party as the “Jim Jones Kool-Aid affair.” A federal court rejected the employee’s claim that he had a reasonable expectation of privacy in his email messages. Once sent to a recipient there is no reasonable expectation that others might not see the message. The court held that whatever privacy interests he had in the messages were outweighed by the employer’s interest in preventing inappropriate and unprofessional activity over its email system. The court reached this conclusion despite allegations that the employer had given assurances that emails would remain confidential and privileged and would not be intercepted.
Another federal court reached the same conclusion in the public sector. In United States v. Simons an engineer in a branch of the CIA moved to suppress information obtained from his office computer. He had used a computer owned and operated by the CIA, as well as Internet access provided by the agency, to access pornographic sites and download thousands of files, some of which appeared to be child pornography. The court found that he had no reasonable expectation of privacy in his Internet use while at work and that the search of his computer did not violate his Fourth Amendment rights. This decision was based largely on the fact that the agency had an official policy regarding Internet use that applied to all staff. Another common claim is that employer monitoring violates the Electronic Communications Privacy Act of 1986 (ECPA). This statute amended the Omnibus Crime Control and Safe Streets Act of 1968, which regulates federal wiretapping, to include electronic communications. The ECPA protects most electronic communications, including email, from interception, attempted interception, disclosure, use and unauthorized access. Its reach extends beyond common carriers to include private communication systems operated or subscribed to by a company. Liability under the ECPA includes injunctive and declaratory relief, nominal damages, actual damages, attorney’s fees, and punitive damages. Despite its potential limits on employer monitoring of email, however, the ECPA contains major exceptions that ultimately may allow such monitoring.
First, the statute contains an “Ordinary Course of Business” exception. While “ordinary course of business” has yet to be defined in the context of email interception, it is likely that the capture of email sent and received on company systems will fall into this category. This would probably include monitoring the system to ensure proper operation and routing of emails. Similarly, in cases involving monitoring of workplace phone calls, courts have held that monitoring is allowed as long as the call is business-related. The same standard will likely apply to email.
The second exception applies to stored messages (as opposed to those in transit). The so-called “Provider” exception exempts the monitoring of stored communications by the provider of the system. So, because all email messages are stored in the routing computer, if you operate your own in-house network you are likely free to read these messages. Bohach v. City of Reno is illustrative of how this exception would likely play out in the email context. In Bohach, police officers faced an internal affairs investigation based on the discovered contents of stored pager messages. The court rejected their ECPA claim because the City of Reno acted as the service provider for the pager system and allowed the City to “do as they wish when it comes to accessing communications in electronic storage.”
Finally, the “Consent” exception provides that the ECPA does not apply when one party to a communication consents to monitoring. An employer should inform its employees that their use of a company-provided computer or network is contingent upon such consent. This release of liability will presumably apply even where an outside entity provides Internet service and the provider exception would not apply.
One of the major risks of allowing Internet access and email in the workplace is the danger of harassment and discrimination claims. Although employers have succeeded against employee invasion of privacy and ECPA claims, the evidentiary nature of these communications allows employees to use such messages to support claims of harassment and discrimination.
Under federal, and Oregon and Washington law, an employer is potentially liable for sexual harassment claims if the employer either creates a hostile environment or knowingly tolerates it. Courts have found for employees where the employer allowed other employees to read or display offensive magazines in the workplace or permitted off-color or sexual jokes.
The use of the Internet and email only exacerbates this workplace problem. There is a very real danger that an employee could visit offensive sites or download pornographic pictures. Likewise, the same employee that would be hesitant to tell an off-color joke in person might be more apt to pass one along through an email message. Either of these could create or aggravate a hostile environment.
Similarly, email and evidence of visited Internet sites has been used as proof of discrimination. In Owens v. Morgan Stanley Co. two African-American employees sued Morgan Stanley for racial discrimination. A primary piece of evidence was an email message that contained racist jokes. Likewise, in Strauss v. Microsoft a court admitted sexually offensive email messages to prove that the employer’s proffered reason for not promoting the plaintiff was a pretext.
The first lesson to be learned from these cases is that email and evidence of visited Internet sites is discoverable in litigation. Emails are considered “documents” for purposes of federal litigation and must be produced when requested. The cost to retrieve these messages, which often requires hiring computer experts, is usually billed to the employer. In one recent case, this cost the employer over $50,000.
Second, employers should recognize that email is a double-edged sword. As businesses reduce their employee’s expectations of privacy in messages sent on company systems, employees are increasingly using the same unprotected communications to sue the employer. While useful for a time, email messages need to be disposed of promptly. Also, bear in mind that even though a message has been “deleted,” it can still be retrieved in many cases. Every employer should have well-written policies in place that include provisions for the permanent disposal of company emails.
HOW CAN I SAFELY USE EMAIL AND THE INTERNET IN MY WORKPLACE?
Working together, the employer and its counsel should develop a comprehensive policy regarding all aspects of the use of email and the Internet in the workplace. Each policy should be uniquely tailored to the individual requirements of the business. One consideration is whether any personal use should be allowed at all.
The policy must also clearly state that there is no expectation of privacy in anything communicated over the employer’s system. It should also provide that all electronic communications, including email and the contents of the employee’s computer, are property of the employer. It should state that use of such property must be for business purposes only and that the employer will monitor and access these communications for legitimate business reasons.
It should also set ground rules for using the Internet, including what material and types of sites are prohibited and what may not be downloaded. The policy should also state the penalties for abusing the system, specifically that they may include termination.
All employees should be required to sign a copy of the policy before being granted access to the system and the policy should be redistributed at least annually. Another effective technique is to simply post the policy on the computer when employees log on so that they see it each day. Moreover, once the policy is in place it needs to be enforced consistently. Failure to do so could itself lead to discrimination charges.
A “document retention system” provision that describes how long electronic files are stored and in what manner they are deleted should be included in the policy. This system needs to take into account the employer’s concerns over message storage and retrieval lengths, other relevant regulatory requirements, and the handling of messages during or before litigation.
Litigation in this arena is still in its infancy. Although most of the cases have sided with employers, there are many situations that have yet to be addressed. Modern employment relationships and the changing workplace may further cloud the picture. Unquestionably, a comprehensive policy that is well worded and consistently carried out is an employer’s best weapon in this arena. Included in that policy should be provisions concerning monitoring activities. Monitoring by the employer should only be done after carefully consulting corporate counsel.