E-mail and Internet use are integral parts of the typical worker's daily routine. Because of its speed and overall convenience, e-mail has replaced the interoffice memorandum as the preferred method of communication. Employee access to the Internet also is important as a means of conducting job-related research and transactions. For these reasons, employers often have little choice but to provide their employees with Internet access and e-mail accounts. At the same time, however, employees' use of these capabilities carries downside risks for the employer.
Inappropriate Use of Company Internet
One issue posed by employee e-mail and Internet use is loss of efficiency. A California-based research firm recently estimated that businesses lost $5.3 billion to recreational workplace web surfing in 1999. Another report indicated that employees are costing their companies nearly $1.5 million a year in lost productivity by spending an average of thirty minutes a day using e-mail for personal, non-work-related reasons.
Another challenge is the risk that employees' computer use will expose the company to legal liability. For example, according to another survey, almost 72% of the pornographic sites on the Internet are visited during work hours. Openly viewing sexually explicit websites or sending offensive material obtained from the web may create a hostile work environment. Moreover, inappropriate messages sent over the company's e-mail system could expose the company to harassment, defamation, or other claims. One study found that more than 50% of employees had received pornographic, sexist, or racist e-mails at work.
Still another challenge is the possibility that employees will use the Internet in a way that undermines or violates the employer's rights, interests, and practices. Some employees, for example, may use e-mail to disclose the employer's trade secrets or proprietary information, or to engage in inappropriate contacts with competitors or customers.
To reduce these risks, many employers monitor their employees' use of e-mail and Internet access in the workplace. However, both federal and state law limit an employer's ability to engage in such monitoring activity. Accordingly, employers should be familiar with the law in this area and should implement policies and practices that minimize the risk of lawsuits or enforcement actions.
Applicable State and Federal Law
Under federal law, the monitoring of e-mails by an employer is governed primarily by the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2510 et seq. Under the ECPA, the lawfulness of particular monitoring activities will depend heavily upon whether employees' messages are intercepted during transmission or are retrieved from storage on the company's server.
Interceptions of online communications -- that is, monitoring of messages in real time as they are transmitted -- are subject to the ECPA's most stringent restrictions and are permitted only in limited circumstances. For employers' purposes, the exceptions most likely to apply are:
- prior consent to the interception by at least one party to the communication; and
- a need for interception as "a necessary incident to the rendition of [the] service or to the protection of the rights or property of the provider of that service."
The first of these exceptions -- i.e., consent to interception by one party to the communication -- will apply if the employer has specifically notified employees that their communications will be monitored. (We discuss effective notification below.) The second exception -- protection of the service provider's rights or property -- will apply if the intercepted message was sent or received over the employer's network and the monitoring activity was instituted to protect the employer's legitimate legal and business interests.
The ECPA is less restrictive concerning an employer's review of communications that already have been transmitted and are stored on the employer's server. Under the ECPA, a provider of a wire or electronic communications service may access communications in electronic storage on its system. However, the company's subsequent disclosure or use of the contents of e-mails stored in its server may violate another provision of the ECPA, which prohibits divulging "to any person or entity the contents of a communication while in electronic storage by [the company's] service." Under this provision, employers likely are permitted to discuss the contents of an employee's communications with the employee (after all, discussing something the employee already has seen hardly constitutes "divulgence"). However, employers should seek legal advice before disclosing the contents of such communications to persons outside the company.
Employers that provide e-mail and Internet access in California, or that monitor communications between their employees and persons in California, must be aware of two California statutes, commonly known as the Wiretap Statute and the Eavesdropping Statute.
The California Wiretap Statute provides that anyone who "willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communications when the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state," has committed a criminal offense and also may be sued for damages by an aggrieved party. Cal. Penal Code § 631. Under the Statute, before a conversation may be overheard, intercepted, or recorded in real time, the consent of both parties to the communication must be obtained. Accordingly, even if a company has obtained effective consent from the employee to the monitoring of that employee's communications, real-time interception of the employee's communications with non-consenting persons might expose the company to criminal liability.
The California Eavesdropping Statute applies only to "confidential" communications. Specifically, the Statute prohibits anyone who does not have the consent of all parties to a "confidential communication" from eavesdropping upon or recording that communication by means of "any electronic amplifying or recording device." Cal. Penal Code § 632. Arguably, reading stored e-mails does not constitute "eavesdropping" with the aid of an "amplifying or recording device." However, there is no published opinion addressing this issue.
Taking the two California statutes together, the best approach for employers is to review the contents of employee communications only after those communications have been transmitted and are in storage on the employer's server. Also, in order to ensure that the acquired communications will not be classified as "confidential" for purposes of the Eavesdropping Statute, employers should clearly notify employees that their communications are subject to monitoring.
Employers also should be aware of the terms of electronic surveillance laws in other states in which they do business, or with which employees are likely to have online contact.
How to Establish a Comprehensive E-mail and Internet Usage Policy
To minimize the risks associated with employee use of company-supplied e-mail and Internet access, employers should implement a comprehensive, written policy that covers both e-mail and Internet use. Among other things, the policy should remove any expectation of privacy and set forth a code of conduct for employees to follow. It is also important to train employees to raise awareness of the policy and the consequences of violating it.
Removing the Expectation of Privacy
One of the most fundamental goals of any e-mail or Internet usage policy should be to overcome any employee expectation of privacy in using the company's e-mail or accessing the Internet while at work. An effective policy should put a user on notice that any private, non-business-related activities are done at the user's own risk and with no expectation of privacy. The policy should also clearly state that a password is not an indicator of personal privacy.
The value of such policies is underscored by a recent California court decision. In TBG Insurance Services Corporation v. The Superior Court of Los Angeles County, 96 Cal. App. 4th 443 (2002), the employer provided two computers for an employee's use, one for use at the office and one for use at the employee's home. The employee signed the employer's electronic and telephone equipment policy statement and agreed in writing that his computers could be monitored by his employer. The employee was terminated after monitoring of his home computer revealed that he had visited pornographic web sites. The employee subsequently sued his employer for wrongful termination.
In the discovery phase of the litigation, the employee refused to produce the home computer, on the ground that he had a right to privacy in his use of the home computer under the California Constitution. The court rejected this argument on the ground that the advance notice to the employee of the company's intention to monitor his use of the home computer eliminated any privacy expectations that may have existed. Moreover, the employee's use of the home computer after receiving notice of possible monitoring by the employer amounted to implied consent to the company's monitoring.
Code of Conduct
An e-mail policy should also specify the type of conduct that is prohibited. Among other things, the policy should prohibit:
- Threatening, intimidating, or harassing other employees.
- Using obscene, profane, or abusive language.
- Creating, displaying, or transmitting offensive or derogatory images (including screen savers) that in any way violate the company policy prohibiting employment discrimination and/or harassment.
- Sending confidential materials outside the company or to unauthorized personnel.
Training, Awareness, and Enforcement
Once the policy is implemented, training sessions are recommended to raise employees' awareness of the rules and to educate them on the risks of inappropriate use. Too many employees are simply unaware that a seemingly harmless joke sent by e-mail could lead to legal proceedings against the company, or in some cases, the individual. As a means of reinforcing the policy principles, particularly after an incident of misuse, the company should send periodic reminders to all employees regarding appropriate usage.
Finally, for any policy to be effective, employees must know it has teeth. The policy should make it clear that breaches will lead to discipline, up to and including termination. The policy should be strictly enforced, and policy violations should be dealt with on a consistent basis.
There is no doubt that computer use and communication in the workplace, while providing great benefits, also poses dangers of liability for employers. Having a clear, enforceable policy is a significant step to limiting that liability.