E-Mail and the Internet have become as common in today's business world as the telephone and fax. However, these powerful electronic communication tools are raising serious legal concerns for employers. Through the use of innovative software programs employers now have the ability to record and monitor the substance of communications by employees over the Internet and by e-mail. The ability to electronically peer over an employee's shoulder raises the possibility of criminal and civil liability, if such monitoring is done without the employee's knowledge or consent.
Can Employers Read Employee E-Mail and Track Internet Use?
Does the law protect the privacy of e-mail communications made on a company's internal e-mail system? Many employees view the use of their employer's e-mail system as akin to making a telephone call, and thus feel the e-mails they send on their company's computers should be free from intrusion. Indeed, the Federal Electronic Communications Privacy Act forbids eavesdropping on telephone calls and e-mail messages sent via a public, Internet e-mail system. But with respect to an employer's privately-owned internal e-mail system, the prevalent view among the courts is that employees do not have rights of privacy in e-mail communications they send and receive on their employer's system.
The Omnibus Crime Control and Safe Streets Act of 1968 makes it a crime to intercept or record an electronic communication without the consent of at least one party. However, the few courts that have addressed the issue in an employment setting have generally upheld the right of an employer to monitor employees, including the right to intercept and read an employee's e-mail. These courts have reasoned that such monitoring falls within either the "business extension" or "service provider" exception to the federal requirement that at least one party to an electronic communication, such as e-mail or Internet usage, must consent to the recording or monitoring.
Under the business extension exception, an employer may record or intercept conversations for the purpose of monitoring compliance with company policies or federal, state, or local laws, as well as for general security purposes. An intercepted communication, however, may be used only for the stated business purpose. Once an employer has reasonably determined that the subject of an intercepted communication is not relevant to the business purpose for which monitoring took place, the contents of the communication are off-limits. In general, software that merely records the addresses of e-mails or URLs of Internet sessions should be legal under the business extension exception to federal prohibitions against recording without consent.
Some courts have condoned electronic monitoring under the narrower service provider exception, which permits monitoring for the limited purposes of protecting the provider from liability and monitoring the operation of the network. It has also been argued that the federal prohibition against unconsented electronic monitoring does not apply if the employer does not actually intercept the communication but merely retrieves copies of files (including copies of e-mails and cached Web pages) that are automatically stored on an office computer. The courts have likened electronically stored messages to files in a filing cabinet and have held that an employee has no expectation of privacy in files kept on the employer's computer network.
On the other hand, courts have indicated that if the user has attempted to "lock the file cabinet" by using a password or encrypting the file, the employer should consider the contents private. Similarly, messages stored on a non-network computer that is kept in a locked office may also be subject to a higher expectation of privacy.
The Importance of E-Mail and Internet Use Policies
Because of the potential liability to an employer for any improper or illegal employee conduct, even employers who do not need to monitor employee computer usage regularly must retain the ability to monitor their employees' e-mail and computer usage periodically. The only sure way an employer can avoid legal liability for monitoring employees is to obtain their consent in advance. An employer should establish and communicate clear written policies for employee monitoring and educate supervisors when monitoring is permissible. At a minimum, an employer should reserve the right to access e-mail and monitor computer usage for the purpose of retrieving documents, trouble-shooting, security, and complying with legal and regulatory requirements. Each employer will need to determine whether a greater level of monitoring is appropriate.
In addition, employers should caution supervisors against discussing or otherwise disclosing any personal non-work-related information about an employee that is learned as a result of such monitoring. Employees should be explicitly told that their e-mail and Internet usage is being monitored by computer software. Employees should be required to sign an acknowledgment that they have read the policy on electronic monitoring and understand that their e-mail and Internet usage may be monitored and recorded. The acknowledgment should also explain that the employer may disclose any information obtained as a result of such monitoring to law enforcement officials and regulators.
Obtaining a signed consent or acknowledgment is important because the courts have been reluctant to make a finding of implied consent. To reinforce the policy and strengthen their position in any potential liability lawsuit, employers should circulate periodic reminders of the policy to every employee and supervisor.
Many approaches to electronic communication policies are available to companies considering them. For information on how to set up an e-mail or Internet use policy for your business, contact White & Allen, P.A.