The Privacy Lawyer: Monitoring Employees' Internet Communications: Big Brother Or Responsible Business?
Balancing employees' privacy rights with the responsibilities of the employer is becoming increasingly tricky for both sides Parry Aftab says.
The two prime exceptions to the ECPA afford employers broad rights to monitor their employees: An employer may monitor an employee's conversations if the monitoring occurs in the ordinary course of business or with the employee's implied consent.
Most of the cases developed under the ECPA involve criminal justice and investigatory wiretaps of telephone and E-mail communications. Until recently, most of the case law in the civil application of the ECPA involved monitoring telephone communication.
The ECPA also contains a "business exclusion exemption" that exempts interceptions made by equipment "furnished to the subscriber or user by [a communications carrier] in the ordinary course of its business [and being used by the subscriber or user] in the ordinary course of its business." Under this exception, an employer may monitor phone calls made on an employer-supplied telephone system by attaching a device supplied by the employer. The courts look to whether a reasonable business justification exists for the monitoring, whether the employee was informed about the employer's right to monitor, and whether the employer acted consistently in connection therewith.
Additional federal and state legislation has been introduced to afford employees more rights and weapons in the battle for more privacy.
So far, there's no federal law that requires employers to notify employees that their communications are being monitored. Legislation was introduced in Congress in 1991 by Sen. Paul Simon, D-Ill., that would have required advance notification to both employees and customers of electronic monitoring. The bill, known as The Privacy for Consumers and Workers Act, prohibited undisclosed monitoring of rest rooms and dressing-room and locker-room facilities, except when the employer suspected illegal conduct. The bill, which was never passed, would have provided for fines for violations and permitted injured employees to sue for compensatory and punitive damages and attorneys' fees.
Without federal protection, plaintiffs sought protection in state courts. This was similarly unsuccessful in overruling the employer's right to monitor the workplace, including intercepting communications. Many states have adopted their own version of the ECPA, and some require the consent of both parties for non-exempt interceptions (as opposed to the one-consent ECPA rule). In addition to the state versions of the ECPA, state laws include constitutional provisions, statutes and common law (law that has been developed through case-by-case review and, in the United States and under the United Kingdom's judicial systems, is as much part of the law as a statute).
Common Law And Invasion Of Privacy
Given the lack of protection afforded by the ECPA against employee monitoring, the few state-adopted privacy statutes, and the failure of states to adopt legislation protecting employee privacy rights, many employees are seeking recourse under common-law rights of action. Typically, they seek relief under the common-law tort of invasion of privacy. Invasion of privacy laws don't exist in all states, and in some cases, statutes labeled as "privacy invasion" laws don't deal with privacy matters at all. In New York, for example, the privacy statute deals with protection of celebrities and others rights against the commercial exploitation of their images.
In the states that recognize the tort of invasion of privacy, a violation generally requires an intentional intrusion, "physical or otherwise, upon the solitude or seclusion of another upon his private affairs, or concerns if the intrusion would be highly offensive to a reasonable person."
One of the key conditions to successfully prosecuting an action for invasion of privacy is whether the person has a "reasonable expectation of privacy." Courts across the country are finding with more and more frequency that no reasonable expectation of privacy exists with E-mail or employee online communications.
One of the most talked about E-mail invasion of privacy cases--Smith v. The Pillsbury Company, No. 95-5712 (E.D. Pa. 1996)--demonstrates the lack of patience of the judiciary with the claim of common-law privacy torts. In ruling against the plaintiff/employee, a Pennsylvania court held that there was no reasonable expectation of privacy in E-mail communications, even though Pennsylvania recognizes a common-law right of privacy.
The courts are also holding regularly that when the employer is also the system provider, no restrictions exist on interception of information on the system. Under current circumstances, there's little recourse available to employees who feel their privacy has been invaded by their employers.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
InformationWeek Tech Digest August 03, 2015The networking industry agrees that software-defined networking is the way of the future. So where are all the deployments? We take a look at where SDN is being deployed and what's getting in the way of deployments.