2014 New CA Laws 2015 New CA Laws Child Labor Contingent Workers Disabilities Discrimination Exempt vs. Non-Exempt Independent Contractors Industrial Homeworkers Interns Leaves of Absence Non-Compete Agreements Personnel Records
Privacy & Monitoring Sexual Harassment Social Media Telecommuting Unions Volunteers Wage & Hour HR Central Home
Privacy & Monitoring Sexual Harassment Social Media Telecommuting Unions Volunteers Wage & Hour HR Central Home
Telephone, Voice Mail and Email Monitoring
The incredible expansion of information technology in the workplace over the last several years opened a Pandora’s box of legal issues for employers. The typewriter with carbon paper and the telephone message pad have been replaced by computers, voice mail and email. With these modes of communication come questions about employee privacy and employer security. The law in this area continues to take shape. This section addresses the issues created by workplace technology and the current state of the law as it applies to these issues.
Civil Electronic Privacy Statutes. The Electronic Communications Privacy Act (1986) gives an employer who maintains email and/or voice mail systems the right to access those systems. This right does not exist under the Act if the systems are provided by an outside entity. Certain unauthorized disclosures are prohibited by the act. Disclosure can be made only to:
The Omnibus Control and Safe Streets Act regulates the interception of wire, electronic and oral communications. It prohibits the intentional interception of any communication through the use of any electronic, mechanical or other device. However, merely retrieving information after transmission has ceased probably would not be considered an interception of information. That is, you might be allowed to listen to or read the transmission after it has been made.
An employee can give consent, either explicitly or implied, to an otherwise impermissible monitoring of a communication. The courts are split on what constitutes an implied consent, and often will look to the way a company sets forth and applies its policies relating to privacy. The court can find implied consent if a well-known monitoring and access policy exists and you consistently enforce the policy against use of your communication devices for personal reasons. On the other hand, courts might not find implied consent where an employee has consented to your policy of monitoring business calls but not personal calls.
The Act does not prohibit intercepting communications by telephone or related equipment being used in the ordinary course of business. This exception allows you to monitor your employee’s telephone calls for customer service or training purposes. Monitoring voice-mail messages is probably not a prohibited interception, because voice-mail systems rely on telephone equipment. However, monitoring email messages probably would not fall under this exception. Be aware that the courts determine the question of whether a particular message was monitored “in the ordinary course of business” on a case-by-case basis. Standards for making this determination vary among the courts.
Computers and Privacy. You have the right to monitor Internet access and examine any content on a computer used by an employee if you supply the computer. The case of TBG Insurance Services Corp. v. The Superior Court of Los Angeles County offers some guidance on creating policies governing use of business computers, email and Internet access. TBG Insurance Services Corporation terminated an employee for accessing pornographic websites on his computer at work. TBG requested a court order requiring the former employee to turn over a computer provided by the company for home use. The company wanted to discover if the employee used the home computer for similar purposes. The employee agreed to return the computer, but wanted first to delete personal information he and family members placed on the hard drive, which he claimed was covered by the California Constitution’s right to privacy. The court rejected the employee’s claim. The employee signed an agreement to be bound by the company’s computer use policy that said computers were provided for business purposes and not for personal use unless explicitly approved. Company policy also prohibited computer use for obscene purposes and included a consent to company monitoring as needed. The court said the employee could not have had any reasonable expectation of privacy.
It is unlawful for any elected state or local officer, including any state or local appointee, employee or consultant, to knowingly use a state-owned or state-leased computer to access, view, download or otherwise obtain obscene matter, as defined in the Penal Code. The law does not apply to accessing, viewing, downloading or otherwise obtaining obscene matter for use consistent with legitimate law enforcement purposes; to permit a state agency to conduct an administrative disciplinary investigation; for legitimate medical, scientific, academic or legislative purposes; or for other legitimate state purposes.
Policy Sets Forth Privacy Expectation. In Holmes v. Petrovich Development Company, Gina Holmes used her employer-provided email account and employer-provided computer to consult with her attorney about a potential lawsuit against the employer. Holmes claimed that the emails fell under confidential attorney-client communications. The court disagreed, ruling that Holmes did not have a reasonable expectation of privacy in her emails with her attorney because of the company’s strictly worded technology resources policy. This policy plainly stated that employees had no right of privacy with respect to personal information or messages created using company technology. The policy further stated that email was not a private communication and that the company had the right to monitor email usage. The policy warned employees that email should be regarded as a “postcard rather than as a sealed letter.”
Why You Need a Computer Use Policy. The case LVRC Holdings, LLC v. Brekka demonstrates the need for clear computer use policies. In this case, the employer authorized an employee performing Internet marketing for the company to use the company’s computer network. The employee lived out of state, but was often in the employer’s office and he would email information from the company computer to his personal computer to work on later. The company assigned a user name and password to the employee to use when accessing the company’s website. When the employment relationship ended, an employee discovered that someone had logged into the company’s network using the ex-employee’s user name and password. The company brought suit claiming that the ex-employee violated the federal Computer Fraud and Abuse Act (CFAA), when he emailed company documents to himself, prior to leaving the employer. The court held that a person uses a computer “without authorization” under CFAA when someone has not received permission to use the computer for any purpose or when permission to access the computer is rescinded and the person continues to use the computer anyway. Because the company permitted the employee to access its computer, and because the employee was still working for the company when he emailed company documents to himself, the employee’s use during employment was authorized under the CFAA. There was no proof that after the employment relationship ended, it was the former employee who used the user name and password to access the company website. However, if the company could have proved that it was the former employee using the login information, the access would be unauthorized under the CFAA because permission to access had been rescinded.
Develop clear policies and guidelines about computer access and communicate them to all employees. Inform employees of your right to access email, Internet usage and history and any content on the computer. Inform your IT department of terminations so that they can prohibit future access by ex-employees.
Criminal Electronic Privacy Statutes. In addition to the federal civil statutes, California places criminal sanctions on people who engage in wiretapping or various related activities. Activities prohibited include:
In general, eavesdropping is prohibited under these statutes only if done while the message is in transit. Therefore, listening to voice-mail messages once recorded or reading sent email messages should limit exposure to criminal penalties. Listening to or recording confidential communications is prohibited if either party to the conversation expects it to be private. Outgoing voice-mail messages should not indicate that the caller can “leave a private message,” and might even go so far as to state that incoming messages may be monitored by the company. You should warn all email users in writing that you do not guarantee email communications to be private and that you can access them. Your best defense is to clearly inform employees and all others using your electronic communication systems that they should not expect communications to be private.
Electronic Media Use Policy. Electronic media includes computers, software applications, handheld devices, etc. Creating a policy about the use of electronic media prevents employee misuse. This, in turn, helps avoid claims that you committed an invasion of privacy by searching the media.
Your policy should:
Internet Access Policy. Implement a policy for appropriate use of the company’s resources to access the Internet. Set guidelines for Internet access during working hours and for employees who are allowed Internet access for personal use during breaks, meal periods and other non-work time. The policy should also clarify disciplinary procedures for personal use of the Internet during work times and detail proper and improper use of Web browsers. Include language telling employees that they should have no expectation of privacy regarding communications sent and received through the company’s email and/or intranet, nor should they expect privacy when accessing the Internet. This includes employee’s personal electronic devices that use organization servers to access the Internet or send and receive email or text messages. Many employers also include a policy about the safe use of company cell phones and limitations on their use for personal business.
Keep in mind that electronic media and Internet access policies should not be enforced in a manner that would limit an employee’s right to discuss the terms and conditions of employment, such as wages and working conditions. These discussions are generally protected under California law and Section 7 of the National Labor Relations Act.
Privacy and Text Messaging. The U.S. Supreme Court ruled in favor of an employer in City of Ontario v. Quon. The case involved the employer’s review of text messages stored on a third party’s server. The employer’s policy about Internet use included the right to monitor all network activity, including email, with or without notice. The policy did not specifically mention text messages. However, the employer made it clear that text messages would be treated the same as email. An employee, Quon, who consistently exceeded his monthly text message allowance reimbursed the employer for the overage. However, the supervisor became tired of collecting money for the overage and obtained transcripts of the text messages. It was apparent that some of the messages were not work-related and contained sexually explicit material. After an investigation, the employee was disciplined and the employer was sued. The case was eventually heard by the U.S. Supreme Court, which held that the employer’s search was reasonable and did not violate the employee’s rights. The Court noted that the search was limited to a short period of time and only messages sent during Quon’s actual work hours were audited. The employer found 456 messages sent during Quon’s work hours for the two month period. Of these, only 57 were work-related. Though the case deals with a public employer’s search, it is pertinent for private employers as well. The Court found that in the private sector, such a search would have been reasonable. The facts in this case are specific; it is unknown how a California court would rule on the “reasonable expectation of privacy” standard that applies to private sector employers. This case emphasizes the necessity of having a well-communicated policy about email, Internet, voice mail and other communication devices and sources that record or store information.
Protecting Company Property. In Intel Corporation v. Hamidi, a company’s effort to prevent a former employee from using the company’s email addresses to distribute email messages critical of the organization’s policies to other employees was rejected by the California Supreme Court. Over a period of approximately two years, an ex-employee sent a total of approximately 200,000 email messages to large numbers of former co-workers criticizing the organization’s personnel practices. There was no breach of any security barriers or damage to or network disruption. The sender complied with employee requests to be removed from his mailing list, but he rejected company requests that he stop his disruptive email messages. The company sued, alleging trespass to the corporate computer network. The California Supreme Court rejected the trespass theory, saying that the organization failed to show that the email messages damaged its network or interfered with the property’s use or possession. According to the Court, the loss of employee productivity resulting from the controversial content did not injure the organization’s interest in its network. The California Supreme Court observed that its decision is not intended to grant senders any special immunity from liability for the message content, such as defamatory statements. The decision underlines the importance of taking all necessary steps to secure your electronic communication systems, data and address books. Publish policies that limit employee use of organization computers and networks to matters reasonably related to organization business and forbid transmission of inappropriate messages that offend or harass others.
Advise employees that they should have no expectation of privacy with regard to messages sent using the organization’s network and that you have the right to monitor messages to ensure compliance with organization policies.