This article is also available in PDF form as a TechRepublic download.
Courts are increasingly holding employers responsible for the actions taken by employees using company-owned computers. On the other hand, employees continue to push back through litigation claiming their privacy is being violated. It might come as a surprise to many that employees are sometimes justified in their expectations of workplace privacy. Today's managers must take steps to protect both the organization and the rights of their employees.
In this article, I look at the current legal environment in which employers in the private sector are expected to monitor use of electronic communication over their networks. This includes a review of the law governing workplace privacy and relevant court rulings dealing with the rights of both employers and employees. Finally, I list recommendations for creating and implementing workplace monitoring policies and processes that should help keep managers out of civil court.
The legal environment
Abuse of the Internet tops the list of employee activities that might result in worker claims that a hostile work environment exists. This is particularly true in organizations where access to pornographic sites is not restricted.
In Adamson v. Minneapolis Public Library, the library paid $435,000 to settle a sexual harassment claim. The claim was made by 12 librarians who asserted that a hostile work environment was created by patrons accessing pornographic or sexually explicit material. In a related case, Chevron Corporation paid over $2 million to settle litigation brought by four women who claimed they received Internet pornography from coworkers on Chevron computers.
Another valid reason to monitor employee use of electronic devices is to ensure each person is actually working while in the office. Employees are paid to provide a certain level of productivity. The courts have ruled that it is not unreasonable for employers to check to ensure that personal Internet browsing or personal e-mail use is not interfering with business processes.
Monitoring of e-mail and other forms of electronic communication might also be necessary to ensure proper handling of information that could potentially fall under discovery during current or future litigation. The new Federal discovery rules, which took effect on December 1, 2006, are reason enough to begin controlling how electronic communication is managed. The new rules, part of a change to the Federal Rules of Civil Procedure, put additional emphasis on corporate responsibility for producing information requested during litigation.
Finally, employers are allowed to monitor electronic communication for the purpose of preventing intellectual property theft.
The basis for an employer's right to monitor electronic information is the Electronic Communications Privacy Act of 1986 (18 U.S.C. Section 2510, et seq.). The ECPA provides for employer monitoring of electronic communication if the device monitored is used in the normal course of business. The device should be owned by the employer and be part of the business network. However, there is a limit on the information that an employer can access.
Managers are not allowed to eavesdrop on their employees or browse through electronic media for reasons unrelated to abuse prevention. Judicial impatience is growing with employers who violate what is seen as a reasonable expectation of privacy. In other words, if you are reading through material that you know does not constitute abuse, you might be on very shaky legal or moral ground.
In an article entitled "Employers' Rights to Monitor Employee E-mail under United States Law", Pavlina B. Dirom wrote that courts tend to consider two issues when looking at privacy cases. First, an employer must show the context of intrusion. In other words, the intent of monitoring must be related to protecting the business.
Second, the court will look at the content of the information in question. Companies are only allowed to intrude into electronic communications -- including phone and e-mail -- to the point at which it is clear that the content:
- Is personal
- Does not violate any laws
- Does not put the company, its employees, or its customers at risk
Examples of rulings on these issues include Watkins v. L. M. Berry & Company and Smyth v. Pillsbury Co. It is important to note that workplace privacy laws can vary across local and state boundaries. An employer must understand the legal environment in which her organization operates before writing policy or monitoring employee activities.
The right way to monitor
There is a widely accepted principle that is easily applied to employee expectation of privacy -- as employee awareness of monitoring policies and practices increases, employee expectation of privacy decreases. So the first step in implementing monitoring processes is employee education.
The employee manual -- which every employee should read and sign -- should contain information describing proper use of company information assets. It should further stipulate that neither Internet access nor e-mail may be used in a way that is illegal or causes harm to the organization or its employees. Management's intent to monitor for compliance must be included.
This communication of management's assertion of its right to search or monitor computer storage, voice mail, e-mail, and other relevant areas of an employee's workspace is typically interpreted as sufficient to lower employee expectation of privacy.
FindLaw has posted a list of DOs and DON'Ts for employers who want to protect themselves from potential liability from employee abuse of information assets while providing reasonable and appropriate privacy for their employees. Summarizing that list:
- Provide all employees with training about the best and most efficient use of e-mail and Internet searching
- Make rules about Internet and e-mail use
- Prohibit access to pornography
- Prohibit access to Internet sites or the use of e-mail in a way that might create a hostile work environment
- Prohibit or limit personal use of e-mail
- Create a clear policy and make all employees aware of its content and the possible sanctions if the policy is violated -- include clear statements about the organization's position on privacy and its right to search employee work areas when abuse or illegal activity is suspected
- Don't spy on your employees -- monitor for abuse only
- Make sure your employees know why they have Internet access -- it is a business tool
The final word
Employers have the right to protect their businesses by monitoring employee use of electronic devices. However, this right is not absolute. There is still a line between looking for abuse and browsing communications containing information considered personal and private.
Companies should establish monitoring policies that are clearly communicated to the workforce. This helps reduce expectation of privacy as well as the probability of invasion of privacy litigation.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.