November 26, 2001

According to a recent report by the Privacy Foundation, the Internet and e-mail activities of 14 million U.S. employees are under continuous surveillance by their employers. That's a little over one-third of the nation's online workforce -- and the report only focused on the continuous, systematic monitoring of employees. Another recent survey, conducted by the American Management Association (AMA), found that 77.7% of employers surveyed "record and review employee communications and activities on the job, including phone calls, e-mail, Internet connections, and computer files" on an occasional basis – mostly in the form of spot checks.

When employees use the company's electronic resources (i.e., phone, computer, fax machine, e-mail system) to conduct personal business, the organization can suffer in more ways than one. This includes lost productivity, liability for harassment and discrimination, illegal activity on company time and property, breaches of confidentiality, draining of electronic resources, and defamation of the company name. And considering that workplace surveillance technology has become easier to use and less expensive to implement (usually under $10 per employee) than ever, it's no surprise that more and more employers are turning to workplace monitoring as a way to ensure company resources aren't being misused and abused.

That said, workplace monitoring isn't without its pitfalls. One of the biggest obstacles is potential invasion of privacy claims. But if you conduct workplace monitoring correctly, you can balance your need to run a productive business with employees' privacy rights.

***Case in point #1: An independent contractor leased computer equipment from the company with which he contracted. The lease agreement stated that the computer system was the property of the company, and a notice popped up whenever someone logged on, informing the user that the system, including e-mail, could be monitored to protect against unauthorized use.

When the company came across a copy of a letter written by the contractor soliciting the company's client list to its competitors, it searched its file server to determine whether the letter had actually been sent. It found another message the contractor had sent to a co-worker confirming that the letter had been sent to at least one competitor. The company retrieved the e-mail from the co-worker's file of already received and discarded messages stored on the server and canceled the independent contractor's contract. The contractor sued, claiming the company unlawfully intercepted and accessed his e-mail in violation of the federal Wiretapping Act and Stored Communications Act.

Court: The Wiretapping Act protects against unauthorized "interception" of electronic communication; the company retrieved the e-mail after it had been sent and received, which is not considered interception. And it didn't violate the Stored Communications Act because the Act covers a message that is stored in intermediate storage temporarily -- after the message is sent by the sender, but before it is retrieved by the intended recipient. Because the company acquired the e-mail from post-transmission storage, it was not protected. (Fraser v. Nationwide Mutual Insurance Co., E.D.PA, No. 98-CV-6726, 2001)

***Case in point #2: A government employer's policy stated that the Internet was only to be used for official government business, and electronic audits would be conducted to ensure that employees were in compliance with this provision. When the company did just that, it discovered that an employee had visited sex-related sites that had nothing to do with business.

During its subsequent investigation, the employer examined files from the employee's hard drive and discovered pictures of child pornography. It then proceeded to get a warrant and search the employee's office; it made copies of the contents of his computer, disks found in his desk, files stored on a zip drive, and personal correspondence. Result: The employee was indicted on two counts related to child pornography.

The employee argued in court that the initial search of his computer violated his Fourth Amendment rights. But the court disagreed. Court: The search was legal because it was prompted by employee misconduct. The employee forfeited his legitimate expectation of privacy when he chose to willingly violate his employer's electronic communications policy. (United States v. Simons, 4th Cir., No. 99-4238, 2000)

***PREVENTING PRIVACY PROBLEMS*** Generally speaking, the legality of electronic monitoring is often based on whether or not employees had a reasonable expectation of privacy. Consider the following steps to make sure your workplace monitoring stays on the right side of the legal line.

*** Create an electronic communications policy that describes the type of electronic monitoring used and why. Explain what kinds of e-mail, Internet, or phone usage are allowed and what are considered inappropriate. Include the actions that will be taken if the policy is violated.

*** Notify employees. Whether you're monitoring e-mails, websites, or telephone conversations, employees need to know. Notify each employee in writing of your electronic communications/monitoring policy. Make sure they return a signed acknowledgment of their understanding of the policy. New employees should be notified as soon as they are hired. And each time the policy is amended, it should be redistributed, signed, and returned.

*** Update your harassment policy. If it doesn't already, your harassment policy should include inappropriate and harassing e-mails, websites, phone conversations, and other electronic communications.

*** Remind employees of your monitoring policy. Even if your policy remains the same year after year, a memo reminding employees of the policy should be sent out at least annually. You can also create a pop-up window that appears whenever employees log on to a computer, which reiterates the policy and forces them to click an "I agree" button before they can access the system. This way, employees can't claim ignorance in court.

*****************************************************************

As stated above, a well-written electronic communications policy can be the key to defending against invasion of privacy claims. But such a policy can do more harm than good if employees aren't aware of it. Having employees sign a written acknowledgment that they have read and understand your company's policy is a good way to make sure everyone's on the same page.

AHI Employment Law Resource Center (2001). I'll Be Watching You. November 7, 2001.