Privacy Issues in a Hi-Tech Workplace
In today's workplace, computers and electronic communications are the norm rather than the exception. Computers, e-mail, electronic databases and on-line research play an important role in many businesses today. While technological advances have made electronic communication indispensable in today's workplace, the laws regarding privacy issues in the employment area have been ambiguous in the protections they afford to the employer and the employee. What, if anything, is being done by the lawmakers to deal with this growing area? What are some of the emerging court decisions facing employers? What can employers that utilize these technologies do to protect themselves from employee privacy claims? The following article addresses these issues.
A brief review of the legislative efforts in this area makes it clear that, although the issue has been raised during congressional hearings, there have been no serious legislative initiatives in the area of electronic privacy. For instance, in March of this year, the House Commerce Committee announced that it would begin review of a range of issues relating to the future of electronic commerce. Congress Daily, 3/5/98. These issues include online privacy and the structure and nature of the Internet. Despite reports of a pending review, there has been no mention of new legislation.
The U.S. Federal Trade Commission has continued to urge the on-line industry to promulgate "self-regulatory" programs to ensure individual privacy. Although the Commission has threatened to implement its own mandates if the industry fails to comply by the end of 1998, one commentator stated that the "glacial pace" of Congressional enactments regarding the Internet should give the industry plenty of time to come up with a scheme.
Other legislative steps have focused mainly on encryption. This process converts data into codes of 1s and 0s and is designed to increase the security of e-mail messages sent over the Internet. Ballon, 520 PLI/PAT 167. This process is designed to increase the security of e-mail messages sent over the Internet. Encryption in the work place, however, is simply not practical, since the technology is not freely exported or widely used.
Illinois enacted an Eavesdropping Act as part of the Criminal Code in 1961. 720 ILCS 5/14. The Eavesdropping Act prohibits the use of an eavesdropping device to hear or record conversations. In 1996, the Illinois legislature amended the Act to add an exception for businesses engaged in marketing or telephone solicitation. 720 ILCS 5/14-3j. The law provides that if it is determined that the conversation is not related to marketing or opinion research, the business must immediately stop listening and must destroy all recording as soon as practicable. For the Act to apply, the business must provide all employees with notice that the recordings may occur during their employment.
Perhaps the most significant legislation regarding privacy in electronic communications continues to be the Electronic Communications Privacy Act of 1986 ("the Act" or "ECPA"). The ECPA amended what was commonly referred to as the Federal Wiretapping Statutes. Under the ECPA the intentional interception of any wire, oral or electronic communication is prohibited. An offender can be liable for various civil and criminal penalties. The ECPA permits states to enact their own laws regarding electronic privacy, so long as those laws are at least as protective as the EPCA.
Although the ECPA clearly provides protection to privacy rights, it is ambiguous regarding those rights in the employment environment. Employers have relied upon certain exceptions to the EPCA to keep themselves out of its reach.
For example, the Act provides for a "business exception," which permits interceptions when telephone or telegraph components are used in the ordinary course of business and for a legitimate business purpose. 18 U.S.C. 2510(5)(a). If the courts find modems and computers qualify as telephone components, employers can certainly assert legitimate business reasons for monitoring employee e-mail communications in order to exempt themselves from the Act. Additionally, the Act includes an exception where one of the parties to the communication has given prior consent to the interception or access. 18 U.S.C. 2511(2)(d).
What are the courts saying on this subject? Most of the case law addresses employers' interception of telephone calls. For example, in Briggs v. American Air Filter Co., 455 F.Supp. 179 (N.D. Ga. 1978) the court found that monitoring business calls of an employee was within the ordinary course of the employer's business and was therefore exempt as a "business exception" under the Act. In James v. Newspaper Agency Corp., 591 F. 2d 579, the court similarly found that the business exception applied to a telephone company that monitored telephone conversations between its employees and it customers. The company claimed that the monitoring was necessary to provide better training to its employees.
The court found differently in Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994) where the employer's use of a voice logger did not qualify as a telephone or telegraph instrument. The voice logger monitored telephone calls twenty four hours a day, seven days a week.
The most recent holding regarding electronic privacy in the workplace comes from a case pending in the Southern District of New York, where the court found that two former employees of an alarm business may proceed with their claims under the Act. Arias v. Mutual Central Alarm Services, Inc., S.D. N.Y., No. 96 Civ. 8447 (LAK and 96 Civ. 8448 (LAK), Sept. 11, 1998. The former employees claimed that the company illegally recorded and listened to their private telephone conversations in the work place. The company monitors all ingoing and outgoing telephone calls as part of its security service to its clients. The court denied summary judgment to the company, finding that there was a fact issue regarding whether the interceptions were made within the ordinary course of business, thereby exempting the company from the Act.
What does this mean for the employer? Most of the courts found in favor of the employer where the company could point to a legitimate business reason for intercepting the telephone calls. In Sanders, excessive and continuous interception was found to be a violation of the Act because there was no legitimate business reason for such drastic measures. As in Arias, a fact question will be found to exist where the legitimate business concern is not clear cut.
Employers should also consider the "prior consent" exception to the Act. An employee's prior consent must be an informed one for the exception to apply. In Watkins v. L.M. Berry & Co., 704 F. 2d 577 (11th Cir. 1983) the court found that an employee's knowledge of her employer's capability to monitor private telephone calls was not prior consent under the Act. This case makes it clear that every employer should get its employee's informed consent to monitor electronic communications before doing so.
The Act was clearly meant by Congress to reinforce individual privacy rights in electronic mediums. But, as the above cases illustrate, the extent to which those rights apply in the workplace is not always clear.
Employers should also be aware that plaintiffs have relied on the fourth amendment as the basis for an invasion of privacy claim in the workplace. The case of Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev. 1996) addresses the question of whether the plaintiffs had a "reasonable expectation of privacy" in the use of a computer message board at their workplace under the fourth amendment. When the message system was installed, a memorandum was sent to all users notifying them that their messages would be logged on the network and that certain types of messages were banned. The court agreed with the defendant employer that the employees' expectation of privacy was diminished and dismissed the plaintiffs' fourth amendment claim.
In light of an employer's exposure to privacy claims in the use of computers and e-mail systems, an employer should seek to protect itself from this liability. Although there is a lack of legislation in the area of electronics privacy, there are clear mandates by the courts that should be followed. An effective and economical way is for the company to comply with the courts' decisions is to implement a company policy regarding the use of e-mail and the Internet outlining both the employer's rights and the employee's rights. Such a policy will ensure that the company's practices fall within the business exception and prior consent exception of the ECPA. It should also reduce an employee's fourth amendment claims to privacy by reducing or eliminating any expectation of privacy.
The corporate policy should include clear provisions that state the following:
- By virtue of the policy, the employee is being put on notice that the computer, modem, telephone and e-mail systems are the property of the employer.
- Use of e-mail, telephone and internet systems are strictly for business purposes.
- If personal use of the e-mail or the Internet is permitted, certain limits, as listed, are being imposed.
- A reservation of the company's right to periodically review or inspect the employee's e-mail.
- A reservation of the company's right to reproduce an employee's e-mail and publish it to third persons without notice to the employee.
- A warning that any such review or inspection is to be conducted as part of the company's ordinary course of business.
The implementation of a corporate policy on e-mail and Internet privacy issues is essential. Such a policy will ensure that employees are fully informed about the company's position regarding the use of e-mail and the Internet. It will also allow the company to maximize its use of workplace technology, while protecting it from potential claims of privacy violations by its employees.