Published in the New Hampshire Business Review, February 2011

The IT Director walks into your office with printouts of emails and Facebook postings made by an employee. The IT Director explains that these documents prove what he has feared for a few months – the employee is taking confidential information through a gmail account the employee accesses on a company laptop, and is making negative remarks about the company's products and management. You want to fire the employee and file suit to protect the business, but your attorney tells you that the company and you personally may be in trouble for violating the employee's digital privacy rights.

Is there really any privacy in the digital age? Despite what you may think at first, the answer is, unequivocally, YES! In fact, the consequences for violating someone's digital privacy rights are severe, even criminal. Businesses need to get ready to comply with digital privacy laws because these issues are here now, and here to stay for the long term.

Facebook is a phonom, no doubt. It has over 500 million users, about half of whom access their accounts on mobile devices. That means about 72% of the U.S. population with Internet access are on Facebook, and yet 70% of all Facebook users are outside this country.

But digital privacy is not just a Facebook issue. The entire social media movement is implicated: You Tube, Twitter, Flickr, Linked-In, and on and on. The massive use of email – not only company email but also webmail like Yahoo!, gmail, hotmail, etc. – and the rapid adoption of devices like iPhones and Droids also adds significant fuel to the fire.

One would expect that the law and business policies governing such an important and expanding social activity would be clear and foresighted. Not so. Attorneys have only a patchwork of federal and state statutes and cases to use to advise clients. Digital privacy is a reality now, and the law and business compliance need to catch up quickly.

The most significant digital privacy laws are the federal Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA). The ECPA prohibits the unauthorized interception of electronic communications, like email, texts and instant messages. However, this statute is limited because it is inapplicable if electronic communications are not in transit from sender to recipient.

The SCA picks-up where the ECPA leaves-off, in part. It prohibits unauthorized access to electronic communications stored in certain computer systems. The SCA also is limited because it only covers electronic communications, not other data, and (understandably) does not prohibit the entity that hosts the system from accessing the communications.

Most states also have laws that afford some additional protection. As a result, an individual or employee may have a claim against an employer or another individual for "invasion of privacy" if the individual or employee had a reasonable expectation that the data accessed was private.

Applying this patchwork is difficult given the complexities of technology. For example, in the situation discussed above, the company could recover screenshots of the gmail accessed by the employee from the laptop hard drive, but violated the SCA if it used the employee's gmail password (which also is often recoverable from the hard drive) to gain access to the gmail account on the Internet.

Moreover, while the company was safe under the SCA to recover data from the hard drives of its computers (and its servers and other company owned electronic devices), the company still may face a claim for invasion of privacy if it did not implement an appropriate electronic use policy. Such a policy informs employees that:

  • All electronic data communicated or stored on company owned electronic devices is the property of the company, not the employee.
  • Employees should not have any expectation of privacy with respect to data stored, communicate, or accessed using company owned electronic devices.
  • The company can and, when appropriate, will monitor and review data that is stored, communicate, or accessed using company owned electronic devices.

What about the Facebook postings? As you now know, it would violate the SCA to have use the employee's password to access the Facebook account. Instead, could the IT Director have set up an alias on Facebook, and induce the employee to "friend" the IT Director in order to gain access to the postings? That would likely be an invasion of privacy. Also, depending on the purpose or content of the employee's on-line communications, such conduct could lead to a claim under whistleblower laws or the national labor relations act.

Although this example highlights just a few digital privacy potholes, this is a navigable roadway with appropriate care and counsel. Businesses need to invest the time necessary to learn about these issues and consult with an experienced attorney to get into compliance, particularly since the law in this area is still evolving.

Social media, handheld devices, and an explosion of electronic communications have propelled digital privacy issues to the forefront, with the law and business compliance lagging behind. To avoid a problem before it occurs, your company should (1) understand the digital privacy issues that may arise in your business and how the developing laws would address those issues, and (2) adopt an appropriate electronic use policy dispelling employees of any expectation of privacy with respect to data stored, communicate, or accessed on company owned electronic devices.

Cameron Shilling is a shareholder at McLane, Graf, Raulerson & Middleton, where he is a member of the Litigation Department and the Employment Law Group.

To view McLane's latest press release, "Carol Holahan Joins the McLane Law Firm" please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.