By Mary C. Hamm
In the wake of WikiLeaks’ latest release of documents describing software tools used by the C.I.A. to hack into phones, computers, televisions, and other devices, it seemed like an appropriate time to review surveillance in the workplace. Employers surveil employees for a variety of reasons, including to guard against liability for misconduct and to manage productivity and performance. Unlike the C.I.A, however, employers are not in the business of conducting espionage and should place employees on notice of the ways in which they are subject to observation. Employees generally have no particular expectation of privacy in work-related technology, including employer e-mail, text messages and voicemail, but employers should take certain precautions and clearly explain their policies, especially when employees use their own devices for business purposes and use their employer’s devices for personal communications.
Keeping a Watchful Eye on Employees
For many years, employers have used video surveillance to prevent theft and workplace violence and misconduct. Now that computers and electronic devices permeate the workplace, employers monitor employee email and internet usage by, for example, reviewing emails sent to or received from their email systems, examining the websites employees visit using the employer’s computers or other devices, and tracking website searches and the amount of time employees spend on the internet while at work. Employers can also install software to monitor when files are renamed, which files are printed, and the keystrokes employees make while using an employer-owned device. Numerous employers use global positioning systems (GPS) to track employees’ whereabouts and their productivity.
Assessing the Risks of Monitoring
Employers who engage in such monitoring should be aware of certain laws that could limit their curiosity. The Stored Communications Act (“SCA”), part of the Electronic Communications Privacy Act, is a federal statute that can create a right to privacy for e-mail and other digital communications stored on the internet. 18 U.S.C. § 2701(a). Whether the SCA applies to an employer’s actions in accessing personal email or non-public social media posts is an issue that courts continue to debate.
Courts have examined whether an employer’s use of passwords to gain access to and monitor an employee’s personal, internet based e-mail or social media accounts give rise to a claim for unauthorized access under the SCA. Compare Ehling v. Monmouth-Ocean Hosp. Serv. Corp., 961 F. Supp. 2d 659, 667 (D.N.J. 2013) (“[T]he SCA covers: (1) electronic communications, (2) that were transmitted via an electronic communication service, (3) that are in electronic storage, and (4) that are not public. Facebook wall posts that are configured to be private meet all four criteria.”) and Pietrylo v. Hillstone Rest. Grp., 2009 WL 3128420 (D.N.J. Sept. 25, 2009) (finding SCA violation after employer accessed private social network chat group without authorization), with Anzaldua v. Ne. Ambulance & Fire Prot. Dist., 793 F.3d 822, 842 (8th Cir. 2015) (holding that a “sent” email was “not stored on the Gmail server for backup protection purposes” and thus did not fall under the protection afforded by the SCA).
Employees have also brought state law privacy claims against employers who reviewed content on employer-owned devices. For these types of claims, courts typically review whether an employee enjoyed a reasonable expectation of privacy and whether the employer’s legitimate business interest outweighed that expectation. Most courts have found that an employee has no reasonable expectation of privacy in workplace e-mails when the employer’s policy limits personal use or otherwise restricts employees’ use of its system and notifies employees of its monitoring policy.
Even if employers are not accessing private social media pages and personal emails, they cannot use information obtained on public social media pages or personal websites regarding an employee’s gender, race, religion, disability, age, genetic information, pregnancy, or other protected characteristic in making employment-related decisions.
Tennessee recently enacted a law which could impact an employer’s ability to use GPS tracking devices. Tenn. Code Ann. § 39-13-606 makes it a misdemeanor to “knowingly install, conceal or otherwise place an electronic tracking device in or on a motor vehicle without the consent of all owners of the vehicle for the purpose of monitoring or following an occupant or occupants of the vehicle.” No court has interpreted this law to apply to GPS trackers on employer-owned vehicles, but all employers should obtain consent of the employee when attaching a GPS device to his or her vehicle and notify employees that employer-owned vehicles are equipped with such devices.
Implementing Appropriate Policies
Employers who engage in workplace monitoring should have policies in place to notify employees that certain systems are covered by the policy, that the employer reserves the right to review the employee’s activities while using these systems, and that the employee should not use the employer’s systems for matters he or she believes are private and confidential. And if employees are using their own phone, tablet, or laptop to access employer information, employers should consider implementing a “bring your own device” policy that sufficiently outlines any employer monitoring.
Monitoring employees is not without risks, but, with careful planning and policy implementation, it can serve legitimate business purposes.