electronic privacy in the workplace

by John Nicholson <John.Nicholson@ShawPittman.com>

John Nicholson is an attorney in the Technology Group of the firm of Shaw Pittman in Washington, D.C. He focuses on technology outsourcing, application development and system implementation, and other technology issues.

We spend roughly a third to a half of our waking hours at work.[1] Many of our friends are our coworkers. We communicate with our friends, schedule events, and plan our lives while at work using the work phone, voicemail, email, and pagers and cell phones provided by our company. We generally use these tools as if they were private and secure. As we all know, however, phone calls can be monitored and recorded, voicemail and email can be retrieved, things like IRC or other messaging tools can be recorded, keystrokes can be logged, and so on. To what extent does an employer have the right to monitor employees, and what rights to privacy do those employees have?

The short answer is, the company owns the computer and the company owns the network — if you want something to be private, don't do it at work.

There are several reasons why a company needs to be able to have access to an employee's electronic files and to monitor email and Internet traffic.

First, there is the simple business need of a company to be able to access an employee's files if the employee is not available or leaves the company. Theoretically, email sent to an employee and files stored on an employee's computer should be for business purposes, and, therefore, property of the company, and the employee is only using them on behalf of the company as part of the employee's job.

Second, excessive Internet access and Web surfing can have a negative impact on employee productivity.

Third, companies need to accurately evaluate their bandwidth needs, and to do so they need to be able to separate legitimate business-related use from employee surfing and downloading.

Finally, in the current era of increasing employer liability for the activities of employees, employers have little choice but to monitor employees' actions, including their use of employer-provided electronic tools. Prior to the advent of email and the Internet, employers and employees did not have as much to worry about. Now, however, the ease with which large quantities of information can be sent to multiple people creates a situation ripe for disgruntled employees to divulge company secrets and for workers to be offended by their coworkers' sense of humor. Additionally, the casual and spontaneous nature of email may allow employees to write things that would not look good when presented to a jury. Moreover, the seeming privacy and anonymity of email and the Internet makes some people do or say things they would not do or say if they thought they might be seen or overheard by a third party. Employees who email sexually explicit or racially based jokes or who download pornographic or explicit images can offend coworkers and, according to the courts, can create a "hostile workplace."[2] Unless employers can show that they have policies in place that prohibit such use and that they take action against those who violate such policies, employers can be held liable for substantial damages and be subject to a lot of very bad press. To protect themselves, employers have a very real need to be able to monitor employees' electronic activities and to search employees' computers for specific files. The question is, how far can employers go in monitoring and searching employees' electronic activities?

As I discussed in my last column, the first place to look when asking a question like this is whether there is a federal statute on the subject. In this case, Title 18 of the Omnibus Control and Safe Streets Act (the "Safe Streets Act") prohibits all private individuals and organizations, including employers, from intercepting the wire, oral, or electronic communications of others.[3] Generally, the Safe Streets Act provides for penalties and civil damages when a third party intercepts a telephone conversation without the consent of either of the conversing parties.[4] In 1986, the Electronic Communications Privacy Act (more commonly known as the Federal Wiretap Act) amended the Safe Streets Act to cover interception of electronic communications.

The Safe Streets Act now prohibits the intentional interception of any "wire, oral, or electronic communication," and defines "intercept" as the "aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device."[5] Under the Safe Streets Act, intercepting an electronic communication "means acquiring the transfer of data."[6]

There is, however, a significant exception to this provision. Section 2701(c)(1) of the Safe Streets Act allows the provider of an electronic communications service to do virtually whatever it wants with regard to accessing electronic communications.[7] Thus, if the communications service is being provided by the employer, the employer has virtually free access to the communications. However, if the communications service is being provided by a third party, and any messages are stored by that third party and not on any service provided by the employer, then the employer does not have a right to access those stored messages. The practical implications of this are:

(1) If you are using a computer provided by your company, your company probably has a right to retrieve stored files from your computer (including personal email, graphics files, Web-browser caches, logs, etc.).

(2) If you are sending email or using some messaging service inside your company's network, the company can probably read and save any email or messages you send or receive, regardless of whether you are using a company-provided computer or not (note that if you are also using a company-provided computer on the company's network, (1) will also apply).

(3) If you are using your company's network to access the Internet, and you are using a third-party email service, then your company can monitor the traffic that goes in and out of its network (including recording the Web sites that you visit and reading and saving email or messages that you send or receive), but the company cannot access any email or files saved on the third party's system without the approval of that third party or the sender or receiver of the message.

Thus, the proper way to handle your computer while at work or while connected to your company's network is to behave as if everything you read or type is also being read and saved by someone in the IT department.

Careful readers will note that I used the word "probably" in the above list. In general, a federal law will take precedence over a state law, especially if the monitored communications are interstate communications. However, it is possible that there could be situations where some state's constitution or laws could limit the type and scope of employee monitoring in the workplace. Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Massachusetts, Montana, Rhode Island, South Carolina, Washington, and Wisconsin all have laws or provisions in their state constitutions regarding rights to privacy.[8]

If your company operates in multiple states, or if your company has operations outside the U.S., be sure to have your general counsel review the laws of those states or countries and the policies of your company to determine what you are allowed to do and what privacy rights your company's employees in those states or countries may have. Additionally, whether a company has a usage policy that states that electronic communications should be used exclusively for business purpose and can be monitored and recorded, and whether an employee has explicitly signed a statement acknowledging that the employee has read and consents to the policy, can affect whether a court determines that a company's monitoring of an employee or search of that employee's electronic files was a violation of the employee's right to privacy.

For an example of how a U.S. federal court has approached these issues, let's look at the case of U.S. v. Simons.[9] In that case, a network manager was checking his firewall logs and noticed that the logs were unusually large. Upon scanning the logs, he noticed that several of the requests were for Internet Web sites, including one that appeared to be pornographic and, therefore, not for legitimate business purposes.[10] The network manager also noticed that a significant group of the hits came from a single workstation (in Simons's office). He reported the discovery, and his supervisors first confirmed that the Web site in question was pornographic and then discovered that Simons's workstation had over a thousand pictures stored on it, some of which appeared to be pornographic.

At that point, the supervisors remotely copied the workstation's hard drive. Because some of the pictures appeared to be child pornography, Simons' employer notified the FBI. The FBI obtained a search warrant for Simons's office and made a copy of his workstation's hard drive, disks that were found in his desk, and documents relating to screen names and other personal correspondence.

In analyzing whether the search of Simons's office was legal, the court focused on whether Simons had a reasonable expectation of privacy.[11] The court found that Simons's employer had an official policy regarding Internet use that stated, "permitted use includes official business use, incidental use, lawful use, and contractor communications." Simons's downloading of child pornography did not fall into any of these categories. Additionally, Simons's employer had a policy regarding audits that stated:

 Audits. Electronic auditing shall be implemented with all . . . networks that connect to the Internet or other publicly accessible networks to support identification, termination and prosecution of unauthorized activity. These electronic audit mechanisms shall . . . be capable of recording: