United States: E-Mail Monitoring In The Workplace - An Overview (Part 2)

They are not, however, irreconcilable. In fact, reconciling employees’ limited rights to privacy in the workplace and the legitimate need of employers to take steps to make sure that their e-mail facilities are not misused are fairly straight-forward and easy to implement. As with most other facets of employment law, the safe course is simple to see but harder to follow: have a policy and follow it. Apathy toward an e-mail/internet policy is the biggest mistake an employer can make. Many lawyers feel that some employers are not concerned enough about the contact their workers are making with cyberspace.¹³³

The e-mail policy should be a clear, specific written policy.¹³⁴ The benefits of a written policy are manifold.¹³⁵ First, it sets the boundaries for employee use of e-mail and the Internet.¹³⁶ Second, and most importantly, a policy puts an employee on notice that the employer will be monitoring the use of its computer equipment and electronic services, which, in turn, destroys any reasonable expectation of privacy an employee may have regarding e-mail or Internet usage.¹³⁷ A copy of the policy should be distributed to each employee and it is probably wise to require that each employee sign a consent form acknowledging that he or she has received a copy and agrees to the terms of the policy. Although a signed consent form may not provide additional protection if not uniformly enforced, it still demonstrates employee awareness and may help to defeat a right to privacy claim.¹³⁸

A clear policy can also serve to educate employees on the technological ramifications of e-mail and the Internet. In other words, "’deleting an e-mail message is not like hanging up the phone,’ …since e-mail is typically stored on a company’s back-up tapes until recycled, and the computer’s hard drive maintains the information until it is overwritten at a later date."¹³⁹ It is evident that many employees are often unaware that their e-mail messages can be retrieved and printed by someone else, such as a network manager, and do not instantly "disappear" after they are sent. Employees also misunderstand the purpose of a user password. A password protects an employee’s communications from other employees, not from the employer.¹⁴⁰

E-mail policies should also fit the particular employer and how it does business. Take the time to determine what is to be considered appropriate use.¹⁴¹ Uniform enforcement is imperative. A haphazardly enforced e-mail policy does little to help an employer in a right to privacy action. This is also true in a discrimination suit. The employees need to know about the policy and they need to know that violations of the policy will lead to disciplinary consequences, just like any other policy infraction. And the employer must be prepared to follow through with punishment.

A stirring example of e-mail policy put to use is the incident that occurred at Edward Jones & Company, a brokerage firm in St. Louis, last spring.¹⁴² An employee complaint about receiving an inappropriate e-mail message, containing off-color jokes and pornography, resulted in an investigation that subsequently led to nineteen employees being dismissed.¹⁴³ The company, according to a principal, has a "very clear," "zero tolerance" written e-mail policy that is distributed to every employee who has access to e-mail.¹⁴⁴

By the same token, the employer needs to follow and stay within the scope of the policy.¹⁴⁵ An employer has little room to defend itself when it violates the boundaries of the policy by engaging in excessive, unwarranted or unnecessary monitoring.¹⁴⁶ The employer should also have a legitimate business interest to support monitoring.¹⁴⁷

The policy should start by telling employees (and any outsiders who communicate electronically with employees) that their e-mail will be monitored and that their consent is a condition of their use of the system and continued employment. "Clearly state that the computer, communications system, and all e-mail transmissions are the property of the employer."¹⁴⁸ Make it clear that there is no expectation of privacy in information communicated over or stored in the employer’s network. This includes reserving the right to monitor messages as well as disclose the messages to a third party without the employee’s consent.

The policy should provide that the e-mail facilities are for business use only. Any allowance for personal use should anticipate a manner of handling personal e-mail that accounts for enhanced expectation of privacy, particularly with respect to personal information such as medical histories and credit information. Clear boundaries should be set with respect to personal use. In addition, the employer may want to require some sort of disclaimer on all e-mail communications that the message may not reflect the views of the company.¹⁴⁹

The policy should explicitly (and presumably consistent with other policies proscribing specific workplace misconduct) prohibit e-mail which is unprofessional, harassing, obscene, defamatory, etc. and should probably specify restrictions on the transmissions of various sorts of proprietary information, trade secrets or intellectual property of the employer. E-mail and Internet usage that is sexual in nature should be prohibited.¹⁵⁰

An e-mail policy should also include provisions on protecting confidential information. While this and other aspects of the e-mail policy obviously overlap with other area of substantive law which are beyond the scope of this article, they are mentioned here merely for the purpose of provoking thought regarding the appropriate scope of a comprehensive e-mail policy. However, attorneys should be particularly mindful of the confidentiality issues that arise with e-mail and the attorney-client privilege.

To date, no court has been asked to rule on whether an otherwise confidential communication loses its privileged status if it is sent by e-mail.¹⁵¹ A number of state ethics opinions have held that the use of e-mail in appropriate circumstances and sometimes with appropriate precautions, such as encryption, is consistent with a lawyer’s ethical obligation to protect communications with clients.¹⁵² The main dilemma seems to surround the reasonable expectation of privacy issue, particularly because e-mail can potentially, with little difficulty, be intercepted and read by someone other than the intended recipient.¹⁵³ In addition, an e-mail message can pass over several servers owned and operated by someone outside the attorney-client relationship before reaching its destination.¹⁵⁴ The more servers a message passes over, the greater the chance that someone outside the attorney-client relationship can access the message.¹⁵⁵

E-mail monitoring in the workplace presents many, and sometimes conflicting, issues regarding an employer’s need to protect its property and itself against liability and an employee’s right to privacy. In this time of ambiguous case law and statutory laws, the strongest protection for an employer is to have a clearly written, uniformly enforced e-mail monitoring policy in place. The employer should present copies of the policy to all employee e-mail and Internet users and make it clear that the employees have no expectation of privacy with regard to communications sent and received on employer owned computers and software. The employer must then follow the policy and abide by its scope of monitoring, as well as enforce the policy when violations are committed. Once an employer is aware of any inappropriate messages or use of the e-mail system, it is on notice of the offending employee’s actions and must take appropriate action to correct the problem. An employer can be held liable for inappropriate e-mails sent by its employees. Having a written policy can prevent a multitude of problems down the road.

1 Laurie Thomas Lee, "Watch Your E-Mail! Employee E-Mail Monitoring and Privacy Law in the Age of the ‘Electronic Sweatshop,’" 28 J. Marshall L. Rev. 139, 140 (1994).

2 Michael Higgins, "High Tech, Low Privacy," ABA Journal, May 1999, p. 57.

3 Id.

4 Lee supra note 1, at 140.

5 "One Click Commerce: What People Do Now to Goof Off at Work," Wall Street Journal, September 24, 1999, p. A1.

6 Id.

7 Id.

8 Id at p. A8.

9 Id.

10 Id.

11 Lee supra note 1, at 143.

12 "Bloomberg Demands Expletives Deleted—Traders Say: $!*A&," Wall Street Journal, June 28, 1999, p. A1.

13 Id.

14 "Work Week: A Special News Report About Life On the Job—and Trends Taking Shape There," Wall Street Journal, September 21, 1999, p. A1.

15 Id.

16 Lee supra note 1, at 144.

17 Id.

18 Id..

19 Steven B. Winters, "Do Not Fold, Spindle or Mutilate: An Examination of Workplace Privacy in Electronic Mail," 1 S. Cal. Interdisciplinary L.J. 85, 94 (1992).

20 Id at 95.

21 Lee, supra note 1, at 146.

22 Id.

23 Id.

24 Id.

25 Winters supra note 19, at 95-96, citing Fred W. Weingarten, "Communications Privacy: New Challenges to Privacy," 21 J. Marshall L. Rev. 735, 746 (1988).

26 Id at 96. O’Connor v. Ortega, 480 U.S. 709, 725 (1987).

27 Ortega at 725.

28 Winters supra note 19, at 97.

29 Ortega at 712.

30 Id at 713.

31 Id at 714.

32 Winters supra note 19, at 100 citing Ortega at 717.

33 Ortega at 719-720.

34 Winters supra note 7, at 97.

35 Lee supra note 1, at 147. See Katz v. U.S., 389 U.S. 347, 88 S.Ct. 507, 19 L.Ed.2d 576 (1967); Smith v. Maryland, 442 U.S. 735 (1979). In these two cases, the Supreme Court set the limits within which government entities were allowed to monitor telephone conversations without a warrant. The Court employed a two-part test that asks if the plaintiff had a subjective expectation of privacy and whether that expectation was one which society was prepared to recognize as reasonable.

36 Id at 148.

37 Id.

38 Id at 151.

39 Id.

40 18 U.S.C. §2510 et seq.

41 James J. Ciapciak and Lynne Matuszak, "Employer Rights in Monitoring Employee E-Mail," For the Defense, November 1998, p.17. See 18 U.S.C. §§2510-2522, §§2701-2711 and §§3121-3127.

Id.

42 See Lee, supra note 1, at 152. The ECPA also comprises the Stored Wire and Electronic Communications and Transactional Records Access Act, which creates broad prohibitions on accessing and disclosing electronically-stored communications. The Act makes it unlawful for anyone who "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents unauthorized access to a wire or electronic communication while it is in electronic storage in such system…" See 18 U.S.C. §§2701-2711.

43 Under the ECPA, "electronic communication" is defined as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system…but does not include…any wire or oral communication." 18 U.S.C. §2510(12). "Electronic storage" is defined as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof" and "any storage of such communication by an electronic communication for purposes of backup protection of such communication[.]…" 18 U.S.C. §2510(17).

44 See Wesley College v. Pitts, 1997 U.S. Dist. LEXIS, No. 95-536 (D. Del. Aug.11, 1997); United States v. Moriarty, 962 F.Supp. 217, 221 (D. Mass. 1997); Bohach v. City of Reno, 932 F.Supp. 1232, 1236-37 (D. Nev. 1996); United States v. Reyes, 922 F.Supp. 818, 836 (S.D.N.Y. 1996); United States v. Turk, 526 F.2d 654, 658 (1976); Payne v. Norwest Corp., 911 F.Supp. 1299, 1303 (D. Mont. 1995).

45 Ciapciak and Matuszak supra note 41, at 17.

46 Michele C. Kane, "Electronic Mail and Privacy," Prac. L. Inst. Pats. Copyrights Trademarks Literary Prop. Course Handbook Series, Oct.-Nov. 1993, at 419, 436-37. See also Julia Turner Baumhart, "The Employer’s Right to Read Employee E-Mail: Protecting Property or Personal Prying?" 8 Lab. Law. 923, 936 (1992).

47 Baumhart supra note 47, p.936.

48 Lee, supra note 1, at 152.

49 Id. See supra note 44.

50 See 18 U.S.C. § 2510(18).

51 Lee, supra note 1 at 153.

52 Ciapciak and Matuszak, supra note 41, at 17. See United States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987); Griggs-Ryan v. Smith, 904 F.2d 112 (1^st Cir. 1990).

53 Larry O. Natt Gantt II, "An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace," 8 Harv. J. Law & Tec 345, 356 (1995). See Griggs-Ryan v. Connelly, 904 F.2d 112, 116 (1^st Cir. 1990); Deal v. Spears, 980 F.2d 1153, 1157 (8^th Cir. 1992).

54 Id. See 18 U.S.C. §2511(2)(d) (1988).

55 704 F.2d 577 (11^th Cir. 1983). Note: Watkins was decided under the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§2510 – 2520 (1968), the predecessor to the ECPA. The consent issue is the same, however.

56 Gantt, supra note 54 at 356.

57 Watkins at 579.

58 Id.

59 Id.

60 Id.

61 Id.

62 Id.

63 Id at 581.

64 Id.

65 Id.

66 Id at 582.

67 Id at 583.

68 Id.

69 Lee, supra note 1, at 154.

70 980 F.2d 1153 (8^th Cir. 1992).

71 Lee, supra note 1, at 154.

72 Deal at 1155.

73 Id at 1155-56.

74 Lee supra note 1, at 154-55.

75 Id at 155.

76 Id. See also 18 U.S.C. §2510(4).

77 Id.

78 Id. The section provides that "it shall not be unlawful under this chapter for an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service…." 18 U.S.C. § 2511(23)(a)(i) (Supp. 1994).

79 See Lee, supra note 1, at 156.

80 Ciapciak and Matuszak, supra note 41, at 18. Courts have given considerable leeway for this ordinary course of business exception. See James v. Newspaper Agency Corp., 591 F.2d 579 (10^th Cir. 1979); Briggs v. American Air Filter Co., 455 F.Supp. 179 (N.D.Ga. 1978). See also Lee supra note 1, at 156.

81 Lee supra note 1, at 156.

82 Lee supra note 1, at 156.

83 Lee supra note 1, 156-57. See Watkins.

84 Ciapciak and Matuszak, supra note 41, at 18.

85 Lee supra note 1, at 157.

86 Id.

87 State statutes addressing interception of electronic communications: Ariz. Rev. Stat. Ann. §13-3012 (1993); Colo. Rev. Stat. §18-9-305 (West 1993); Del. Code Ann. Tit. 11, §1336 (1993); D.C. Code Ann. §23-542 (1993); Fla. Stat. Ch 934.03 (1993); Ga. Code Ann. §16-11-66 (Michie 1993); Haw. Rev. Stat. §803-42 (1993); Idaho Code §§18-6702; 18-6720; Iowa Code Ann. §8082.B (1993); Kan. Stat. Ann. §21-4001; §22-2514; La. Rev. Stat. Ann. §15:1303 (1992); Md. Code Ann. Cts. & Jud. Proc. §10-402 (1993); Minn. Stat. §626A.02 (1993); Miss. Code Ann. §41-29-531 (1993); Mo. Ann. Stat. §542.402 (Vernon 1992); Neb. Rev. Stat. §86-702 (1994); Nev. Rev. Stat. §200.620 (1993); N.H. Rev. Stat. Ann. §§570-B:3; 570-A:2 (1993); N.J. Rev. Stat. §2A:156A-4 (1994); N.M. Stat. Ann §30-12-1 (Michie 1994); N.D. Cent. Code §12.1-15-02 (1993); Ohio Rev. Code Ann. §2933.52 (Anderson 1994); Okla. Stat. Tit. 13, §176.4 (1993); Or. Rev. Stat. §165.543 (1993); Pa. Cons. Stat. Ann.§5704 (1993); R.I. Gen. Laws. §11-35-21 (1993); Tex. Penal Code §16.02 (West 1994); Utah Code Ann. §77-23a-4 (1994); Va. Code Ann. §19.2-62 (Michie 1994); W. Va. Code §62-1D-3 (1994); Wis. Stat. §968.31 (1993); Wyo. Stat. §7-3-602 (1994).

88 720 ILCS 5/14-3 (1996).

89 "A person commits eavesdropping when he: (a) uses an eavesdropping device to hear or record all or any part of any conversation unless he does so (1) with the consent of all the parties to such conversation, or (2) in accordance with Article A or Article 108B of the Code of Criminal Procedure of 1963." An eavesdropping device is defined as: "any device capable of being used to hear or record oral conversation whether such conversation is conducted in person, by telephone, or by any other means." Ill. Rev. Stat. 1991, Ch. 38, Par. 14 et seq.

90 People v. Herrington, 163 Ill.2d 507, 645 N.E. 957 (1994).

91 RESTATEMENT (SECOND) OF TORTS §652B.

92 See, e.g., Miller v. Motorola, Inc. 202 Ill.App.3d 976, 560 N.E.2d 900, (1^st Dist. 1990).

93 No. B068705 (Cal.Ct.App. July 26, 1993).

94 Id.

95 Id.

96 Id.

97 Id.

98 Id.

99 Id.

100 Ciapciak and Matuszak, supra note 41 citing Smyth v. Pillsbury Co., 914 F.Supp. 97 (E.D.Pa. 1996).

101 Smyth at 98.

102 Id.

103 Id.

104 Id.

105 Id.

106 Id.

107 Id.

108 Id at 97.

109 Id at 101.

110 Id.

111 Id.

112 Id.

113 Id.

114 U.S. v. Simons, 29 F.Supp.2d 324 (E.D.Va. 1998).

115 Id at 327.

116 Id at 328-329.

117 Id at 325.

118 Id at 326.

119 Id.

120 Id.

121 Id.

122 389 U.S. 347, 361, 88 S.Ct. 507, 19 L.Ed.2d 576 (1967).

123 Simons at 327. See also Ortega, supra. note 29.

124 Id.

125 Id.

126 Id.

127 Id citing Ortega.

128 Id at 328.

129 Id.

130 Id.

131 Another case finding no reasonable expectation of privacy is Bohach v. City of Reno, 932 F.Supp. 1232 (D. Nev. 1996). The Bohach court found no that the plaintiff policemen had no objective reasonable expectation of privacy in alpha-numeric messages stored over the police department’s pager system because all users were warned that the messages were logged on the network. The court found the recording and storing of the messages on the police department’s internal system to be within the "ordinary course of business" for the police department and that the messages were not intercepted in violation of the ECPA since they were already in electronic storage. "An electronic communication my be put into electronic storage, but the storage is not itself a part of the communication." Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 461-62 (5^th Cir. 1994).

132 Paul D. Boynton, "Monitoring Workers Online," 28 M.L.W. 3024 (1999).

133 The Electronic Mail Association has help kits designed to aid companies in developing an e-mail policy. The EMA’s address is 1555 Wilson Blvd., Suite 300, Arlington, VA 22209 (703) 875-8620.

134 Boynton, supra note 133, at 3024.

135 Id.

136 Id.

137 Id at 3025.

138 Id.

139 Id.

140 Id at 3024.

141 Jeffrey L. Seglin, "You’ve Got Mail. You’re Being Watched," The New York Times, July 18, 1999.

142 Id.

143 Id.

144 Baumhart supra note 47 at 935.

145 Boynton, supra note 133, at 3024.

146 Id at 3025.

147 Ciapciak and Matuszak, supra, note 41 at 19.

148 Id.

149 Boynton, supra note 133, at 3025.

150 Theresa E. Loscalzo and Matthew H. Simmons, "E-mail and the attorney-client privilege," Trial, February 1999, p.20.

151 Id.

152 Id at 22.

153 Id.

154 Id.

Reprinted with permission. Copyright 2000 International Association of Defense Counsel.