United States: Monitoring Employee E-Mail

Monitoring employee e-mail is, for many businesses today, a practical necessity. Employers no longer use e-mail simply as an efficient means of communicating internally. Rather, e-mailing externally to clients and suppliers, including the attachment of draft agreements, bid specifications, marketing plans and the like, has rapidly become the way business gets done.

With this change in business communications come certain pitfalls. Most notable is the risk of the unauthorized transmission of confidential business information. Others include the possible dissemination of potentially unlawful, discriminatory messages and images. See, e.g., Blakey v. Continental Airlines, Inc., 751 A.2d 538 (N.J. 2000). To counteract these concerns, an ever-increasing number of employers have undertaken to monitor their employees’ transmission and receipt of e-mail.

A recent survey conducted by the American Management Association revealed that 45% of major U.S. firms now monitor their employees’ use of e-mail, up from 35% just two years ago. When combined with other forms of employee surveillance, that number jumps to 67%. And, while employers undeniably have legitimate business reasons to engage in such practices, some recent court decisions and legislative initiatives are upsetting previously settled understandings and requiring certain procedural safeguards to be followed before e-mail monitoring in the workplace can be safe from legal challenge.

The Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C.
2511, 2701, prohibits both the unauthorized "interception" of electronic communications and also the unauthorized "access" of a facility through which electronic communication service is provided. This is sowing confusion for employers in large part because, as one court has aptly remarked, the ECPA is "famous (if not infamous) for its lack of clarity." Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457, 462 (5^th Cir. 1994).

With respect to e-mail, the issue is whether an employer "intercepts" an e-mail, in violation of the ECPA, if the employer reviews the electronic communication after an employee has received it, rather than while it is being transmitted. Until recently, courts had uniformly held that that the statutory definition of an electronic communication does not include communications already in electronic storage, thus rendering stored e-mail incapable of being "intercepted." Courts have so held because while the ECPA’s definition of a "wire communication" expressly includes both the "transfer" and "storage of [aural] communications," Congress limited the definition of electronic communications to embrace only the electronic "transfer" of data, while omitting any reference to the storage of such information.

In addition, the definition of electronic communications under the ECPA expressly excludes wire communications. Logically, then, "there can be no interception under [the ECPA] if the acquisition of the contents of electronic communications is not contemporaneous with their transmission." Wesley College v. Pitts, 974 F. Supp. 375, 385 (D. Del. 1997). So things stood until this year.

This past January, the U.S. Court of Appeals for the Ninth Circuit decided Konop v. Hawaiian Airlines Inc., 236 F.3d 1035 (9^th Cir. 2001), in which the plaintiff was an airline pilot for Hawaiian Airlines who owned and maintained a secure Web site where he posted bulletins critical of Hawaiian, its officers, and the incumbent union. Konop controlled access to his Web site by requiring visitors to log in with a user name and password. He provided user names only to certain non-managerial co-workers, who could obtain a password and view the Web site by registering and consenting to an agreement not to disclose the Web site's contents.

A vice president at Hawaiian caught wind of the Web site and persuaded two different pilots to allow him to log on surreptitiously using their names. Mr. Konop was later threatened with a defamation suit by the president of the airline and was suspended. He sued Hawaiian, claiming, among other things, that when the vice president accessed his site under false pretenses – claiming to be one of two different pilots -- he intercepted electronic communications in violation of the ECPA. The 9^th Circuit acknowledged, and then ignored, the line of precedent, including its own, which had held that prohibited interception under the ECPA cannot occur for electronic (as opposed to oral) communications in storage.

The Konop court found it inconceivable that Congress would have rendered it unlawful to intercept stored wire or aural communications, but not stored electronic communications, concluding that it would be "senseless to hold that Konop’s messages to his fellow pilots would have been protected from interception had he recorded them and delivered them through a secure voice bulleting board accessible by telephone, but not when he set them down in electronic text and delivered them through a secure web server." 236 F.3d 1046. Despite its unusual facts, the Konop decision is problematic because of its broad holding that electronic communications in storage are capable of being "intercepted" within the meaning of the ECPA.

Just two months later, a Pennsylvania district court decided Fraser v. Nationwide Mutual Insurance Co., 2001 WL 290656 (E.D. Pa. March 27, 2001), which addressed whether a company violated the ECPA when it viewed the archived e-mails of one of its sales agents. Fraser argued that the Company’s actions violated the ECPA’s provisions concerning both the unlawful interception of electronic communications and the unlawful access to stored communications.

The company provided its employees and independent sales agents with an e-mail system, governed by a policy that stated, among other things, that use of the e-mail system "may be monitored to protect against unauthorized use." Mr. Fraser, an insurance sales agent for Nationwide, also served as an officer for a national insurance sales agents organization. In that capacity, Mr. Fraser published a newsletter that was critical of Nationwide. Furthering his anti-Nationwide pursuits, Fraser also organized a group of 200 or so of Nationwide’s independent sales agents for the purpose of threatening Nationwide that, in the absence of certain concessions, they would leave en masse and join a competitor, bringing with them their policy-holders.

Nationwide reacted to this threat by searching its e-mail storage archives to discover the extent of Mr. Fraser’s disloyal actions. That search turned up an e-mail indicating that Mr. Fraser had approached at least one competitor with his proposal to leave Nationwide. This e-mail had been sent by Mr. Fraser and read by its recipient, another of Nationwide’s sales agents. To no one’s surprise, Nationwide immediately terminated Mr. Fraser’s sales-agency agreement and Mr. Fraser sued for, among other things, alleged violations of the ECPA.

Although the district court found against Mr. Fraser, it did so based on a questionable examination of precedent and the language of the ECPA, and that portends trouble for future employer monitoring activities. The court held that that the "point in time when the [e-mail] message is acquired is the determining factor for whether or not interception has occurred," and that if an employee’s e-mail message to the intended recipient is retrieved from storage by the employer before the recipient has reviewed the message, then the employer has "intercepted" an electronic communication within the meaning of the ECPA. 2001 WL 290656 at *8, *9.

The court reached this conclusion by relying only on precedent concerning the interception of voicemail messages, which holds that under the ECPA, when a party obtains access to the recipient’s voicemail and retrieves a message before the recipient has heard the message, then there is an unlawful interception. Smith, 155 F.3d 1058. While the ECPA makes it unlawful for one to intercept aural communications while in storage, however, the statute contains no such prohibition with respect to stored electronic communications. Thus, the court’s foray into the metaphysics of "interception" was, it seems, unnecessary.

Nonetheless, the court found no violation under its new interpretation of the law because Nationwide had reviewed Mr. Fraser’s sent e-mails only after their intended recipients had reviewed them. The problem, however, is that there are occasions when an employer will want to be able to review an e-mail sent to an employee before the intended recipient has read it -- such as when there is suspected misconduct. The Fraser court’s holding would, if followed, seem to foreclose that option.

The court also rejected the argument that Nationwide unlawfully "accessed" the e-mail for the same reason it had rejected the alleged unlawful interception claim – namely, that accessing already-read e-mail is not unlawful. But a violation of the "access" section of the ECPA, 28 U.S.C. 2701, does not turn on the interception of stored communications. Rather, this section prohibits the unauthorized access or "hacking" into a computer system. See Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817, 820 (E.D. Mich. 2000). Moreover, nothing in that section appears to bar an employer from accessing its own computer system.

These recent decisions show that the ECPA is an unsettled and misunderstood area of the law. Employers are ill-advised to walk down the prickly path of interpreting the precise point at which e-mail may be intercepted, especially since there is simply no need to go there.

Under the ECPA, it is perfectly lawful "to intercept a wire, oral, or electronic communication, where . . . one of the parties to the communication has given prior consent to such interception." 28 U.S.C. 2511(2)(d). It would, therefore, be prudent to notify employees in a handbook or policy statement, or in a message that appears on the computer screen periodically, that employee use of the company’s computer and e-mail systems may be monitored by the company and that, by engaging in such use, the employee consents to such monitoring. This would appear to enable an employer to avail itself of an implied, consent defense to any putative claim for intercepting electronic communications under the ECPA. See, e.g., U.S. v. Amen, 831 F.2d 373 (2d Cir. 1987). Such implied consent is an inoculation against both ECPA and invasion-of-privacy claims arising under state common law and statutes.

Moreover, providing such notice is consistent with actual and anticipated legislation on both the federal and state levels. Connecticut already requires (with certain limited exceptions) employers to notify their employees if they are going to engage in any kind of monitoring, including of e-mail and voice-mail. See Conn. St. § 31-48d. In addition, New York’s Penal Law § 250 concerning unlawful wiretaps, though not providing for private, civil remedies, could possibly be interpreted to prohibit an employer’s non-consensual monitoring of an employee’s stored e-mail. A bill similar to Connecticut’s passed the California Legislature last year but was vetoed by the governor and comparable bills are currently pending in Congress.

In light of the unsettled and evolving nature of the law, implied consent may not be enough. The safest practice for employers is to obtain an acknowledgment signed by their employees that they understand that the company may monitor or inspect all communications systems -- voice-mail, e-mail, and whatever is next -- to assure the security of documents and systems, to maintain quality standards, to investigate disputed matters as required or permitted by law, or otherwise to further the company’s business interests, and that employees do not expect privacy in their use of the company’s computer and voice mail systems. Whether the inconvenience and morale problems engendered by express consent outweigh the higher level of protection it affords over implied consent is something each company must decide for itself.