“Employee Privacy: How Not To Violate It” by Jay Preston
In a world where most jobs require the use of a computer or smartphone, each with internet access, employers face the challenge of how to regulate their use, most notably in regard to email. An employer might find it advisable to monitor such use in order to increase employee productivity, ensure compliance with company policies, avoid liability for workplace discrimination, and protect confidential company information from theft. While many are probably aware that activities conducted on company equipment are generally open to monitoring by the company, because it is company property, one should not rely entirely on this general principle, especially when an employer can, with little effort, protect itself from most employee privacy violations. This article addresses how to avoid violations of state privacy laws, the Electronic Communications Privacy Act, and the Stored Communications Act.
In Missouri, there are four common law torts for the invasion of privacy: (1) intrusion upon seclusion; (2) public disclosure of private facts; (3) false light publicity; and (4) appropriation of another’s name or likeness. Within the context of the employer-employee relationship, the most likely claims are intrusion upon seclusion and public disclosure of private facts. A key element of both claims is that the information intruded upon or publicly disclosed is private. Without an explicit company policy to the contrary, employees generally maintain some expectation of privacy in their e-mail and in text messages logged on company phones. To protect against these possible state law claims, an employer should eliminate, through company policy, any expectation of privacy, thereby eliminating any employee argument that the information at issue was private.
The Electronic Communications Privacy Act (ECPA) prohibits the interception and/or disclosure of any wire (telephone), oral (face to face), or electronic (computer) communications. The ECPA contains three exceptions possibly applicable to employers. The first is the provider exception, applicable if the employer supplies and owns the email system. The second is the business exception, which exempts communications intercepted in the ordinary course of business. The last exception applies when the employee gives prior consent to the interception.
It is important to note that these exceptions have been interpreted narrowly by the courts. For example, in one case an employer monitored an employee’s phone calls when the employer suspected involvement in a store burglary. Through review of these calls, the employer learned that the employee had sold an item at a discount to her boyfriend, a violation of store policy. After her termination, the employee brought suit for violation of the ECPA. In ruling for the employee, the court stated that while there was a legitimate business reason for listening to the calls initially, the employer should have hung up when it learned the calls were personal in nature. As there was no store policy to the contrary, the employee had a reasonable expectation that her calls were private.
Because courts interpret these exceptions narrowly, an employer should take advantage of the consent exception, which authorizes interception of communications as long as one party has given prior consent. The authorization should state explicitly that the employee has no expectation of privacy and is aware that any information transmitted will be monitored, including the content of such communication.
The other federal legislation to be aware of in regard to employee privacy is the Stored Communications Act (SCA). The SCA makes it an offense for a person or entity to intentionally access, without authorization, a facility that provides electronic communications service. In the employment relationship, a violation is most likely to occur when an employer uses an employee password, temporarily stored on a company computer, to access personal email or social media accounts. In numerous instances, employers have obtained unauthorized access to employee email or social media accounts and, after observing disparaging or inappropriate remarks regarding the employer, terminated the employee. Such action is a clear violation of the SCA and may lead to a judgment with civil damages against the employer. Although passwords to personal accounts may be temporarily stored on company property, an employer should take great care not to access the private portions of employee social media or e-mail accounts.
The biggest key to avoiding employee privacy violations is to take affirmative steps to establish what the expectation of privacy is in the workplace. Whether this is established through a signed authorization, inclusion in the employee handbook, or another method, the policy should state what the appropriate uses of the equipment are, that the employee has no expectation of privacy in their communications, and that such communications will be monitored, including their content. While many rely on the general rule that communications on company property may be monitored, the increasing complexity of technology makes it advisable, if not mandatory, to have written and established procedures and rules regarding the use of computers, internet, email, and cellular phones. Failure to implement such a policy leaves an employer open to civil suit for violations of employee privacy.