The use of the internet, email, text messages, and cell phones are rampant in the workplace because of good reason. As the US moves ever closer to an information worker/service type of economy, the convenience and speed of electronic communications increase the efficiency and productivity of employees, and any business without these tools is at a severe competitive disadvantage.
On the downside, the use of the electronic devises can actually result in a loss of efficiency due to employees’ use employer-provided devices for personal, non-work-related use during work hours. Employees might use the web to visit pornographic websites or disburse inappropriate materials via company email, and therefore expose employers to legal liability for permitting a hostile work environment due to harassment or defamation. Further, the unscrupulous employee could expose the employer’s trade secrets, proprietary and confidential information, or engage in inappropriate contact with competitors or customers.
How can you as an employer protect against these risks? The easiest way is for the employer to monitor communications between employees and other parties. But isn’t that an illegal invasion of the employee’s privacy?
Governing Laws – Employee Protections
Both federal and state law limit an employer’s ability to monitor employees’ communications. The Fourth Amendment to the Constitution protects every citizen against unreasonable search and seizure, and The Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2510 et seq extends Fourth Amendment protection to include email and other digital communications. Under the ECPA, the lawfulness of particular monitoring activities will depend heavily upon whether employees’ messages are intercepted during transmission or are retrieved from storage on the company’s server. Another provision of the ECPA prohibits disclosing “to any person or entity the contents of a communication while in electronic storage by [the company's] service.” In other words, employers may under certain circumstances be permitted to discuss the contents of an employee’s communications with that employee, but the employer should seek legal advice before disclosing the contents of such communications to anyone else.
Under California privacy laws, specifically Cal. Penal Code §§630 et seq, the Wiretap Statute provides that the employer must have the consent of both parties to the communication, not just the employee, to monitor real time communication via any media, or else be exposed to criminal and/or civil liability. The California Eavesdropping Statute prohibits anyone who does not have the consent of all parties to a confidential communication from eavesdropping upon or recording that communication. Employers also should be aware of electronic surveillance laws in other states in which they do business and with which employees are likely to have online contact.
So, then, how does an employer protect himself and his business against inappropriate use of electronic communications by an employee?
The ECPA allows employers to intercept electronic communications if the employee consents in advance. To remove the expectation of privacy by employees, employers should establish a formal Internet Acceptable Use Policy (IAUP) that puts an employee on written notice that any electronic non-business-related activities are done at the employee’s own risk and can by monitored by the employer, and that password protection is not an indication of personal privacy. In consideration of the two California statutes, the safest approach is for employers to review the contents of employee communications, not in real time, but only after those communications have been stored on the employer’s server. Cell phone calls and text messaging a little trickier to monitor, because California is one of only a handful of states that requires permission of both sender and recipient of a communication to the eavesdropping or recording of that communication.
One circumstance when the retrieval of an employee’s text messaging or cell phone records is legal is if it is motivated purely by a legitimate business need and if it is not excessive in scope. For example, in City of Ontario v. Quon, 78 U.S. L. W. 4591, 201WL 2400087 (U.S. June 17, 2010) (No. 08-1332), it was decided that the employer was reasonable in procuring two months’ worth of text message records of the employee’s, because the employer only wanted to determine if the monthly limit on characters on the current plan was too low for sending work-related messages and if the limit should be increased to accommodate legitimate business requirements.
An IAUP should be a written policy covering all modes of electronic communications, not just internet use. Each employee should sign a copy of the company IAUP in acknowledgement of receipt, and the signed copy should be kept in the employee’s file. The policy should clearly establish a code of conduct and specify what is not allowed, e.g. access to pornographic or racist websites; revelation of company trade secrets; obscene, profane, or abusive language; offensive or derogatory images on screen savers; and so forth. The policy should also specify the consequences of violating the policies, such as whether warnings will be issued, or when immediate termination of employment can be expected. Employers should review their IAUP every one or two years to make sure that any new technological advances in communications or changes in the law are addressed.
Another means of protecting the employer (as well as the employee) is to implement periodic training sessions to sensitize employees as to what is not only questionable but is in direct violation of the IAUP; and to emphasize the legal and other consequences of a violation of the IAUP both for the employee and for the company.
Electronic communication is here to stay. Although it provides many advantages to businesses, certain uses of it by employees can also expose an employer to serious risk and liability. The best protection for the employer is to establish a written, comprehensive policy concerning employee use of email, the internet, texting and cell phones. The policy should be periodically updated and reinforced by training sessions.
If you need assistance in drafting an effective Internet Acceptable Use Policy, please contact your attorney.