page 1
page 2
page 3
Monitoring Employee E-mail, Voice Mail and
Computer Files
Without Violating Employees' Privacy Rights
By: Judith Lockhart, Esq. (lockhart@clm.com)
Gerald W. Griffin, Esq. (griffin@clm.com)
The Third Annual Raiding on Wall Street Conference
Monday, November 8, 1999
New York City
Sponsored by
Carter, Ledyard & Milburn
and
Securities Week
I. Introduction
E-mail and voice mail have clearly revolutionized the way companies do
business. Productivity and efficiency have improved dramatically as a result
of these technological advances. Where once we were limited to communicating
with colleagues and clients by inter-office mail, "snail mail,"
telexes and facsimiles, information, from the simple to the complex, now can
be disseminated throughout the office and, indeed, throughout the world with
the click of a mouse.
Unfortunately, the nature of e-mail and voice mail systems is such that
they are fraught with opportunities for employee abuse. Who hasn't received
the latest joke, office gossip or sale offering via the company e-mail
system? The proliferation of bad jokes, however, may be the least of an
employer's concerns. Employee use of company computer systems in connection
with the misappropriation or theft of confidential company information,
racial and ethnic slurs, threats of violence and other potentially illegal
employee behavior occurs alarmingly often. As a result, employers are being
forced to monitor employee e-mail, voice mail, and computer use. A 1999
survey by the American Management Association reports that forty-five
percent of major U.S. firms record and review employee phone calls, e-mail
and computer files, a significant increase from the thirty-five percent
reported in 1997. See 1999 American Management Association Survey, Workplace
Monitoring and Surveillance -- Summary of Key Findings, at 1. E-mail
monitoring in particular has increased dramatically, reflecting the growth
of e-mail communications during the last two years. 1999 American Management
Association Survey, supra, at 1.
The increase in electronic monitoring has raised concerns by employees
about their own privacy rights. An employer with fundamental knowledge of
its computer systems can easily retrieve or intercept employee e-mails
without the employee's knowledge. The potential for litigation by employees
against employers for violations of privacy rights is extremely high when
the employer has no clear policy on monitoring. It is critical for an
employer to understand what its rights are with respect to monitoring the
electronic communications and actions of its employees. Unfortunately,
legislation concerning the privacy of such electronic communications is
limited and ambiguous. Case law is similarly sparse and that which does
exist is often inconsistent. A review of the current statutes and cases in
this area make it abundantly clearly that an employer's best defense against
employee privacy claims it a comprehensive policy governing the monitoring
of electronic communications and computer files.
II. Federal Legislation
A. The Electronic Communication Privacy Act
At the federal level, the privacy of electronic communications is
governed by the Electronic Communications Privacy Act of 1986 (the "ECPA"
or the "Act"). 18 U.S.C. § 2510 et seq. (West Supp. 1999). Title
I of the ECPA expanded Title III of the Omnibus Crime Control and Safe
Streets Act (the "Federal Wiretapping Statute"), which prohibits
the unauthorized interception of wire and oral communications, to include
electronic communications. 18 U.S.C. § 2511. Title II of the Act prohibits
the unauthorized accession and disclosure of electronic communications that
are stored in a computer system. 18 U.S.C. § 2701. Essentially, the ECPA
prohibits three types of behavior -- (1) the interception of wire, oral and
electronic communications, (2) the accession of stored wire, oral and
electronic communications, and (3) the disclosure of information contained
in stored communications.
The statute of limitations for violations of both Title I and Title II is
two years from the time the plaintiff actually discovers the violation, or
had the opportunity to discover it. 18 U.S.C. §§ 2520(e), 2707(e). Each
disclosure of an intercepted message is a separate violation, with its own
two year limitations period. See Julia T. Baumhart, The Employer's Right
to Read Employee E-Mail: Protecting Property or Personal Prying?, 8 Lab.
Law 923, 936 (1992)
Violators of the Act are subject to liability for criminal and civil
penalties, attorneys fees and, in some cases, punitive damages. 18 U.S.C. §
2520(c)(2)(B); 2707(v); 2520(b)(2), 2520(b)(3), 2707(b)(3). Specifically, an
individual bringing a civil suit under Title I or Title II is entitled to
injunctive and declaratory relief; actual damages, including any profit to
the defendant resulting from the violation; and reasonable attorney fees and
costs. Under the interception provisions of Title I, actual damages also
includes the greater of $100 a day for each day a violation occurred or
$10,000. 18 U.S.C. § 2520(c). Under the storage provisions of Title II,
actual damages includes a minimum award of $1,000. 18 U.S.C. § 2707(c).
Punitive damages are only available for violations of the interception
provisions. 18 U.S.C. § 2520(b).
There are, however, three statutory exceptions written into the ECPA that
may exempt an employer from liability. These statutory exceptions are (1)
the "consent of a party to the communication" exception; (2) the
"ordinary course of business" exception; and (3) the "system
provider" exception. Additionally, a "contemporaneous"
requirement has developed in the Title I case law which provides employers
with some additional protection. Case law applying and interpreting these
exceptions is scarce and deals predominantly with the monitoring of
telephonic communications.
1) The "Consent of a Party to the Communication" Exception
The ECPA's prohibition against the interception or accession of stored
electronic communications does not apply to situations where a party to the
communication has given prior consent to such action. 18 U.S.C. §
2511(2)(d) (interception under Title I); 18 U.S.C. § 2702(b)(3) (accession
under Title II). Thus, an employer can avoid liability under the ECPA where
an employee has consented in advance to the monitoring of their e-mails.
Determining whether an employee has in fact consented to monitoring is not
always clear, particularly if the employer had no written policy. While
there are no cases interpreting the consent exception under Title II of the
ECPA(stored communications), cases interpreting the exception under the
interception provisions of Title I have held that consent may be either
express or implied.
The leading case on the consent exception is Watkins v. L.M. Berry
& Co., 704 F.2d 577 (11th Cir. 1983). In Watkins, plaintiff,
a telephone sales representative, sued her employer for illegally
intercepting a personal telephone call between the plaintiff and a friend in
violation of the Federal Wiretapping Statute. Id. at 579-80. The
employer argued that it was not liable for its admitted interception of
plaintiff's personal call based upon the consent exception in the statute.
The employer had an established monitoring policy which was made known to
all employees, including plaintiff, which called for the monitoring of
business calls only. Personal calls were to be monitored only to the extent
necessary to determine whether a particular call was of a personal or
business nature. The employer argued that plaintiff's use of the company's
telephones with the knowledge of the company's monitoring policy constituted
her consent to the general monitoring of her calls. Id. at 581.
The Court rejected the employer's argument finding that plaintiff neither
actually nor impliedly consented to the monitoring of her personal calls.
According to the court, the fact that the employee knew that the employer
had the capability of monitoring all her calls did not constitute her
implied consent to such monitoring. The court held that consent under the
statute could not be so "cavalierly implied." Id. To the
extent the employer's interception went beyond the point necessary to
determine the nature of plaintiff's call, it went beyond the scope of her
actual consent and was thus prohibited under the statute.
In the subsequent case of Griggs-Ryan v. Smith, 904 F.2d 112 (1st
Cir. 1990), plaintiff was a tenant at a campground where the only working
telephone belonged to the defendant landlady, which she allowed all tenants
to use. Id. 113-14. As a result of a series of harassing telephone
calls made to the landlady and upon the advice of the police, the defendant
landlady began recording all incoming calls on her telephone. The landlady
had informed the plaintiff that she was recording calls on her telephone
because she believed one of plaintiff's friends was responsible for the
harassment. Thereafter, she began intercepting and recording plaintiff's
telephone conversations. Although the recordings revealed nothing about the
harassment, it did incriminate plaintiff in a drug transaction. The
defendant disclosed the incriminating conversation to the police which
resulted in plaintiff's arrest. Plaintiff later brought an action against
his landlady for unlawfully intercepting and disclosing his telephone
conversation in violation of the Federal Wiretapping Statute. Id.
The defendant landlady argued that plaintiff's use of her telephone, when
considered in light of the warning she had given him, constituted
"implied consent" sufficient to trigger the prior consent
exception. The court agreed, stating that Congress had intended the consent
exception to be applied not only to a plaintiff's explicit consent but to
his or her implied consent as well. Id. at 116 (quoting United
States v. Amen, 831 F.2d 373, 378 (2d Cir. 1987)). The court held that
implied consent can occur where the surrounding circumstances show an
"acquiescence or a comparable voluntary diminution of . . . otherwise
protected rights." With respect to the monitoring of communications,
such circumstances could include language or acts which tend to prove that a
party knows of or assents to the interception and recording of his
communication. The plaintiff's continued use of defendant's telephone after
defendant's sweeping warning that all calls were being recorded clearly
indicated that he "knowingly agreed to the surveillance." Id.
at 118.
Other cases dealing with the consent exception include: Griffin v.
Milwaukee, 74 F.3d 824, 827 (7th Cir. 1996) (holding that employee
receiving emergency calls for police department had knowledge of possible
interception of telephone calls and thus consented); Deal v. Spears,
980 F.2d 1153, 1156-57 (8th Cir. 1992) (holding that employee had not
consented to monitoring of telephone calls because she was not informed that
she would be monitored only that the employer "might" monitor); Jadek
v. Village of Brookfield, 520 F. Supp. 815 (N.D. Ill. 1981) (holding
that private citizen and police officer had not consented to the monitoring
of their telephone call were neither party had knowledge of the recording).
Based upon the limited case law interpreting the consent exception, it
appears that an employer may avoid liability under the ECPA if it gives its
employees adequate notice of its policy to monitor their electronic
communications and the scope of such monitoring and then abides by its
policy. If, after being given such notice the employee communicates
electronically at work, the employee will have consented to the employer's
monitoring provided that the employer did not go beyond the scope of its
stated policy. Importantly, if the scope of the employer's electronic
monitoring policy is without limitation, the employee consent exception will
apply, regardless of whether the scope of the monitoring goes beyond its
intended business purpose.
2) The "Ordinary Course of Business" Exception
The second exception under the ECPA is the "ordinary course of
business" exception which is based upon the ECPA's definitions of
"intercept" and "electronic, mechanical, or other
device." "Intercept" is defined in the Act as "the aural
or other acquisition of the contents of any wire, electronic, or oral
communication through the use of any electronic, mechanical, or other
device." 18 U.S.C. § 2510(4). An "electronic, mechanical, or
other device is":
any device or apparatus which can be used to intercept a wire, oral, or
electronic communication other than --
(a) any telephone or telegraph instrument, equipment or facility, or any
component thereof (i) furnished to the subscriber or user by a provider of
wire or electronic communication service in the ordinary course of its
business and being used by the subscriber or user in the ordinary course of
its business or furnished by such subscriber or user for connection to the
facilities of such service and used in the ordinary course of its business;
or (ii) being used by a provider of wire or electronic communication service
in the ordinary course of its business. 18 U.S.C. § 2510(5).
To qualify for this exception, an employer must satisfy two elements: (1)
the interception must be accomplished through the use of a "telephone
or telegraph instrument, equipment or facility" as defined above, and
(2) the monitoring must have been conducted "in the ordinary course of
its business."
Because this exception has not yet been applied in the e-mail context, it
is uncertain if an employer's computer network and equipment will constitute
the "electronic device" that accomplishes the interception for the
purposes of this exception. At least one commentary has expressed the view
that this exception may not be applicable in the e-mail context because the
equipment involved in the interception does not meet the definition of a
telephonic device as set forth in the Act. See Patrice S. Arend &
Kathleen M. Holper, Monitoring E-Mail in the Workplace: Employer Privacy
and Employer Liability, 87 Ill. B.J. 314, 316 (June 1999) (The plain
language of the "business use" exemption indicates that it is
limited to telephone or telegraph equipment, and courts probably will not
consider a network's modem, computer, or software program to be telephone or
telegraph equipment). It is more likely, however, that courts will accept an
employer's central computer as the monitoring "device" for the
purposes of satisfying the first element of this exception. Gantt, supra,
at 371, n.3. Therefore, the likely focus will be on the second element of
the exception -- whether the interception was in the ordinary course of
business.
One of the leading case interpreting the ordinary course of business
exception is Deal v. Spears, 980 F.2d 1153, 1157 (8th Cir. 1992). In Deal,
an employer suspected an employee of participating in a burglary of the
employer's store. In an effort to obtain an admission by the employee to the
crime, the employer installed a recording device which would automatically
record all conversations made on the telephone within the store, with no
indication given that conversations were being recorded. Before purchasing
the device the employer had warned the employee to cut down on her personal
calls or he might resort to monitoring. Subsequently, the employer taped the
employee's personal calls for a one and half month period. Id. at
1156. Although the employer learned nothing about the burglary, he did learn
that the employee sold store goods to her friends at cost, in violation of
store policy. The employee was confronted with the incriminating tapes and
then fired. Thereafter, the employee brought an action against the employer
for violating the Federal Wiretapping Statute. The employer argued that
there was no violation because his action fell within the ordinary course of
business exception. Id.
|
