page 1
page 2
page 3
Monitoring Employee E-mail, Voice Mail and
Computer Files
Without Violating Employees' Privacy Rights
...continued - pg 2.
The court held that the monitoring was not done in the ordinary course of
business. Although the court agreed that the employer's interest in
obtaining an admission of guilt by the employee and preventing her
unauthorized use of the telephone were "legitimate business
reasons" for monitoring her conversations, the scope of his monitoring,
i.e. taping a month and a half of her personal calls without regard to his
business interests, was more intrusive than necessary to protect those
interests. Thus, the court stated that the scope of the employer's intrusion
was "well beyond the boundaries of the ordinary course of
business." Id. at 1157.
In Briggs v. American Air Filter Co., 630 F.2d 414 (5th Cir.
1980), an employer suspected an employee of disclosing confidential
information about potential job contracts to a competitor and had warned the
employee not to disclose such information. In an effort to confirm his
suspicions, the employer, through the use of an extension phone, tape
recorded a telephone conversation between the employee and the competitor
moments after the employee was informed about a new potential contract.
Neither the employee nor the competitor had notice that their call was being
monitored and neither had consented to being monitored. The employee later
brought action against his employer for invasion of privacy in violation of
the Federal Wiretapping Statute.. The employer argued, inter alia,
that his monitoring and recording of the employee's conversation was done
"in the ordinary course of business" and therefore was
permissible. Id. at 417-18.
The court stated that under certain circumstances, the monitoring of the
employee's "business" conversation, without his consent, falls
within the "ordinary course of business exception." The court held
that "when an employee's supervisor has particular suspicions about
confidential information being disclosed to a business competitor, has
warned the employee not to disclose such information, has reason to believe
that the employee is continuing to disclose the information, and knows that
a particular phone call is with an agent to the competitor, it is within the
ordinary course of business to listen in on an extension phone for at least
so long as the call involves the type of information he fears is being
disclosed." Id. at 419-20.
The employee had admitted that the telephone call was not personal but
rather "business" related. Thus, the court never reached the
question of whether the monitoring of a personal call, without consent, is
proper under the Federal Statutes. The court stated, however, that such
monitoring of personal calls was unlikely to further a legitimate business
interest. The only legitimate interest that might justify such monitoring,
according to the court, was the control of personal use of business
equipment after warnings proved ineffective. Id.
It is apparent from the case law, that the ordinary course of business
exception depends heavily upon the legitimacy of the employer's business
interest in monitoring communications and whether the scope of the
employer's monitoring is more intrusive than necessary in protecting its
interest. While broad monitoring of personal electronic communication is
unlikely to be justified by any legitimate business purpose, monitoring
which is limited to business communications should fall within the
exception.
Determining whether a communication is business related may be more
difficult, however, with respect to electronic communications than other
communications. For example, employers may simply hang up once they realize
that a telephone communication is personal in nature. However, it might be
necessary to read an entire e-mail message to determine whether it is
business or personal in nature. See Arend & Holper, supra,
at 316. In the absence of a policy giving an employer full access to
electronic communications and files, an employer may avoid reading the
contents of every e-mail message of its employees by searching for specific
words or phrases within its computer system which would identify particular
messages that could compromise the employer's business interests. Gantt, supra,
at 371. Employers may also limit their monitoring to e-mails with specific
headings or subject matter fields. Gantt, supra, at 371. Such
limitations would aid any argument by the employer that the monitoring was
done in the least intrusive way.
3) The "System Provider" Exception
Finally, the ECPA excepts from its interception and access prohibitions
"system providers." With regard to interception, the Title I of
the Act specifically allows:
An officer, employee, or agent of a provider of wire or electronic
communication service, whose facilities are used in the transmission of
a wire communication, to intercept, disclose, or use that communication in
the normal course of his employment while engaged in any activity which is a
necessary incident to the rendition of his service or to the protection of
the rights or property of the provider of that service.
18 U.S.C. § 2511(2)(a)(I) (emphasis added). With regard to access to
stored communications the Title II of the ECPA exempts from liability
"the person or entity providing a wire or electronic communications
service." 18 U.S.C. § 2701(c)(1).
Many commentators have interpreted the "provider" exceptions to
shield most private employers from ECPA liability for monitoring employee
e-mails which were transmitted through an employer-provided e-mail system.
Larry O. Natt Gantt, An Affront to Human Dignity: Electronic Mail
Monitoring in the Private Sector Workplace, 8 Harv. J.L. & Tech.
345, 359 (1995) (hereinafter "Gantt"); see, e.g.,
Susan E. Gindin, Guide to E-Mail and the Internet in the Workplace,
at 25-26 (BNA Corporate Practice Series 1999). On the other hand, some
commentators have espoused a narrow interpretation of the "system
provider" exception which excludes private employers and covers only
public and commercial providers such as America Online, Prodigy and
CompuServe. See, e.g., Baumhart, supra, 926. There is
little case law in the area to provide guidance to employers. At least one
case, Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996), has
interpreted the system provider exception to include private employers who
provide their own internal electronic communication service. In Bohach,
two police officers exchanged messages to one another over the Department's
computer network. Faced with an internal affairs investigation based on the
content of those messages, the officers brought suit against the Department
claiming the Department's retrieval of the messages from its computer system
was a violation of Title II of the ECPA. The court held that because the
police Department was the provider of the electronic communications service,
the computer system used to convey the officer's messages, it could not be
liable under Title II. Id. at 1234-36.
Support for a broad interpretation of this exception, which would include
employer-providers, can also be found in Flanagan v. Epson America, Inc.,
No. BC007036, slip op. at 5-6 n.1 (Cal. Super. Ct. Jan. 4, 1991). In Flanagan,
an unreported California decision, several hundred of defendant's employees
brought a class action suit against defendant under the California Privacy
Act which is similar to the Federal Wiretapping Statute. The employees
claimed that the monitoring of all e-mail communications coming in and out
of defendant's company, without the prior consent of the employees, violated
their privacy rights under the California statutes. In dismissing
plaintiffs' claims, the court commented in a footnote on the system provider
exception of the ECPA. The court stated that an employer-provider would
likely be exempted from liability under the system provider exception
reasoning that "there is simply no ECPA violation if 'the person or
entity providing a wire or electronic communications service' intentionally
examines everything on the system."
The Act's legislative history provides additional support for
interpreting the system provider exception to include employer-providers.
The legislative history indicates that Congress did not intend the ECPA to
cover employer monitoring and thus employer-providers should fall within the
exception. The Senate report discussing the ECPA recognized the existence of
employer-provider systems but did not mention whether the Act would have any
effect on such systems. See Baumhart, supra, at 925 (citing S.
Rep. No. 541, 99th Cong., 2d Sess., 3-4 (1986)). Moreover, the testimony
during the Senate hearing on the proposed legislation focussed on the
importance of corporate privacy, not the privacy of individual employees. See,
e.g, Baumhart, supra, at 925 (citing Hearing on S 1667 Before
the Subcomm. on Patents, Copyrights and Trademarks of the Senate Comm. on
the Judiciary, 99th Cong., 1st Sess. 40, 42). Thus, Congress may not have
intended the ECPA to prohibit employers from monitoring employee electronic
communications and files on the network which they provided. See,
Baumhart, supra, at 925; Gantt, supra, at 362.
Despite the support cited above for the argument that the "system
provider" exception to the ECPA be interpreted to include
employer-provided e-mail networks, employers should be hesitant to place too
much reliance upon this exception. The limited case law that exists is
sufficiently ambiguous. Compare Baumhart, supra, at 925, with
Gindin, supra, at 25.
4) Contemporaneous Requirement
In addition to the three statutory exceptions discussed above, an
additional limitation to employer liability has developed in the case law.
Several courts have held that liability for the "interception" of
electronic communications will only arise if the interception is
contemporaneous with the communication's transmission. See, e.g.,
Wesley College v. Pitts, 974 F. Supp. 375 (D. Del. 1997); Bohach
v. City of Reno, 932 F. Supp. 1232, 1236-37 (D. Nev. 1996); United
States v.. Reyes, 922 F. Supp. 818, 836 (S. D. N.Y. 1996); Steve
Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th
Cir. 1994).
In Wesley College, the College sued former employees alleging, inter
alia, that these employees, without authority,
"intercepted" private e-mails of the president of the college in
violation of Title I and disclosed the contents of these e-mails in
violation of Title II. The court rejected the colleges Title I claims
holding that in order to "intercept" an e-mail under Title I, the
acquisition of the contents of the electronic communications must be
"contemporaneous" with their transmissions. Because the evidence
indicated, and the college in fact admitted, that the e-mails involved in
the litigation were accessed from storage in the college's mainframe, the
court held Title I was not violated.
The court explained that "electronic communication," such as an
e-mail, is defined under Title I as "any transfer of signs, signals,
writings, images, sounds, data, or intelligence of any nature transmitted in
whole or in part by a wire, radio, electromagnetic, photo electronic or
photo optical system but does not include wire or oral communication." Id.
at 385 (citing 18 U.S.C. § 2510 (17)). Significantly, the definition of
electronic communication, unlike the definition of wire communication, does
not include the electronic storage of such communications. Thus, the court
held that the statutory language of Title I mandates a finding that
electronic communications can only be "intercepted" in violation
of Title I when they are in transit, and not when they are already in
storage. Id. (citing Steve Jackson Games, Inc. v. United States
Secret Service, 36 F.3d 457 (5th Cir. 1994)). According to the court,
Title I does not apply to the access and disclosure of stored
communications.
Thus, in addition to the three statutory exceptions within the ECPA,
employers are also shielded from liability under Title I, provided they
monitor stored communications rather than communications in transit. This is
significant considering Title I provides for much stiffer penalties than
Title II, including the right to punitive damages which is unavailable under
Title II.
B. The Privacy for Consumers and Worker's Act
The ECPA's lack of clarity and the difficulty courts have had in
interpreting it have led to the proposal of additional federal legislation
which would provide employee's more explicit privacy rights with respect to
employer monitoring.
In 1993 the Privacy for Consumers and Workers Act ("PCWA") was
introduced to Congress but currently remains inactive due to republican
opposition. Generally the PCWA would require employers to give employees,
job applicants and customers substantial notice before engaging in
electronic monitoring. Under the PCWA employees would be entitled to written
notice of the forms of monitoring to be used, the personal data to be
collected, the hours and days per week that electronic monitoring would
occur, and the use to be made of the personal data collected. See
Thomas P. Klein, Electronic Communications in the Work Place: Legal
Issues and Policies, 563 PLI/PAT 695, 736-37 (June 14-15 1999).
The PCWA contained one important exception to these notice requirements.
If an employee has a reasonable suspicion that an employee has violated or
will violate criminal law or civil law or has engaged in or will engage in
gross misconduct and the conduct adversely affects the employer's economic
or safety interests, the employer may engage in monitoring without notice,
provided the employer first executes a statement describing the conduct and
the economic or safety interest. See Klein, supra, at 737.
Although the PCWA remains inactive, it provides some indication of
Congress' thinking on the matter of employer privacy. The PCWA or similar
legislation may be passed in the near future and employers are advised to
consider the PCWA notice provisions in adopting it own electronic
communication policy.
III. State Legislation -- New York
New York State has passed an "Eavesdropping" statute similar to
the Federal Wiretapping Statutes. See N.Y. Penal Law §§ 250.00,
250.05. A person is guilty of the felony of eavesdropping when he or she
unlawfully engages in, inter alia, "wiretapping" or
"intercepting or accessing of an electronic communication."
"Wiretapping" is generally committed when a person intentionally
overhears or records a telephonic or telegraphic communication, without the
consent of a party to the communication, by means of an instrument device or
equipment. § 250.00(1). "Intercepting or accessing of an electronic
communication" is generally the intentional interception of an
electronic communication, which includes e-mail, without the consent of a
party to the communication, by means of any instrument device or equipment.
As with the ECPA, consent of a party to the conversation or communication
is the principal exception to liability under New York's Eavesdropping
Statute. People v. Lasher, 58 N.Y.2d 962, 460 N.Y.S.2d 522 (1983). A
New York Attorney General Opinion, considering the consent exception under
an earlier version of the Eavesdropping Statute, held that an employer could
not "wiretap" its own telephones in order to intercept a
conversation between an employee and another person, without the consent of
a party to the conversation, even for the purpose of determining whether the
employee was being unfaithful disloyal or dishonest to the employer. 1958
Opinions of the Attorney General 271.
The Attorney General's opinion at least implies that employer monitoring
of employee communications is only permitted under the Eavesdropping statute
where consent is first obtained from the employee, and that an
"ordinary course of business exception" may not apply.
IV. Common Law Privacy Torts
In many states, the common law protects privacy rights by recognizing
four torts: (1) intrusion upon the seclusion of another; (2) appropriation
of another's name or likeness; (3) unreasonable publicity of an individual's
private life; and (4) publicity that unreasonably places another in a false
light. Other states, including New York, do not recognize a common law right
of privacy. See, e.g., Howell v. New York Post Co., 81
N.Y.2d 115, 123, 596 N.Y.S.2d 350, 354 (1993) (New York does not have
"common law of privacy").
Of the four common law torts mentioned above, the one most applicable in
the electronic communications monitoring context is intrusion upon the
seclusion of another. That tort generally provides that "one who
intentionally intrudes, physically or otherwise, upon the solitude or
seclusion of another or his private affairs or concerns, is subject to
liability to the other for invasion of his privacy, if the intrusion would
be highly offensive to a reasonable person." Restatement (Second) of
Torts § 652(B) (1977). Because the intrusion does not have to be physical,
it clearly protects against the unreasonable monitoring of an individual's
electronic communications. Gantt, supra, at 374, n.3.
The only two cases to consider whether employer monitoring of employee
e-mail constituted an intrusion upon the seclusion of another reached
opposite conclusions as to the employees' expectations of privacy in their
e-mail communications. In Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D.
Penn. 1996), the plaintiff brought action against his employer for
terminating his employment for transmitting what the employer deemed to be
inappropriate and unprofessional comments made by plaintiff over the
employer's e-mail system. The employer maintained its own e-mail system to
promote internal corporate communications between its employees. The
employer repeatedly assured its employees, including plaintiff, that e-mail
communications could not be intercepted by the employer. Despite these
assurances, the employer intercepted the plaintiff's personal e-mails and
terminated his employment because of their contents. Id. at 98.
|
