Introduction: Privacy in the Workplace[1]
I. Why the concern about workplace privacy?
The increased use of technology in the workplace has created new concerns for both employers and employees in the area of privacy. The reasons for the vast expansion in the use of technology in the workplace are far from surprising. Use of email and the Internet can immensely reduce operating costs through automation of human tasks, facilitate communication on innumerable levels, clearly increase efficiency in almost all tasks, allow for geographic and other business expansion, and less obviously, it can even reduce the amount of real estate and inventory that companies require. Susan E. Gindin, Guide to Email and Internet in the Workplace, at http://www.info-law.com/guide.html. Hence most employees, as opposed to ten years ago, now have access to email, and Internet access in the workplace has also exploded. According to an IDC Corporation study, two-thirds of employees in medium and large companies in the United States had Internet access in 1997. Gindin at http://www.info-law.com/guide.html. Today, those numbers are exponentially higher.
While this technology can be lauded for the ways in which it has helped business, it also raises concerns that previously did not exist. This module will explore how employers have technological access to both work-related and personal information about their employees, why employers want the information, what they do with it and why employees should be concerned, what legal framework addresses such privacy concerns, how employers can protect themselves from privacy suits, and finally, what employees should and can be doing to protect their privacy while at work.
II. Many employers have technological access to employee information
A survey conducted by the American Management Association in 1999 revealed that 45% of all U.S. companies conducted some sort of electronic surveillance at that time. And since 1999, there has been an explosion in technology designed to aid employers in such surveillance. One example of an overall computer monitoring system is a software program called Investigator 2.0 that costs under $100. It is easily installed on a PC and once installed, it monitors everything done on the target PC and routinely emails reports to the boss summarizing the activity. “Silent Watch” is another example of software that gives employers access to every keystroke that employees make. This increase in technology that aids in surveillance, together with the associated decrease in the cost of the technology, means that the number of employers who partake in electronic surveillance, and the extent to which they do so, is sure to increase.
For a complete description of how email works, see Module One of this course. For our purposes here, suffice it to say that email communications have a long life. Before an email even arrives in one’s “inbox,” the capacity for it to be intercepted is vast. And even after an email appears to have been “deleted” by the recipient, it can usually be retrieved from a number of locations, including the network, local hard drives, and backups. Gindin at http://www.info-law.com/guide.html. For this reason, it is usually quite easy for a boss to gain access to the private communications of his or her employees.
What may be less obvious is that many employers also have access to employees’ clickstream data, or “the aggregation of the electronic information generated as a Web user communicates with other computers and networks over the Internet”. Employee Internet access is typically provided in one of two ways. Either an employer contracts with an independent Internet Service Provider (ISP), the most well known example of which is AOL, to provide Internet access in its offices or, alternately, employers can set up systems that are run in-house. These systems can either give direct Internet access or are often forms of intranets and extranets.
If an ISP is the method used to secure Internet access, that ISP can monitor and record an entire clickstream because all of a user’s online commands are sent through the ISP. In-house systems have the identical capacity in that employees utilize the employer’s network for all Internet use. Programs have even been developed that automate the monitoring of clickstream data. eSniff.com (http://www.vericept.com/), a Colorado start-up company, has introduced a product that monitors all network traffic and flags activities that could be problematic. Numerous other products exist with similar capabilities.
Although it is not the focus of this module, note that other workplace monitoring is also accomplished through video equipment, pen registers, telephone recording devices, and magnetic “active” badges, to name a few frequently used employer techniques. Digital cameras, for instance, are so small that they fit on a one-inch by two-inch chip. Because prices are expected to fall to just a few dollars each, use of these cameras and other devices can be expected to proliferate. Froomkin, 52 Stan. L. Rev. 1461.
III. Employer reasons for collecting information about their employees
Employers have obvious reasons for wanting to monitor the performance of their employees. In the age of technology, though, employers have some even more specific concerns. For instance, guarding trade secrets is an essential element of many businesses. Monitoring the electronic communications of employees is one tool for employers to ensure that trade secrets do not escape. Reasonable measures might include formation of policies on email usage. Employers worried about trade secret security might justify their monitoring of employee email, K. Robert Bertram, Avoiding Pitfalls in Effective Use of Electronic Mail, 69 P.A.B.A.Q. 11 (1998), though it is unclear how even systematic monitoring would avoid intentional disclosure. Still, this fear provides an incentive for some companies who harbor important confidential information to electronically monitor their employees.
Finally, some employers claim that monitoring an employee’s computer usage performance is a more reliable means of reviewing employee performance than second-hand reports. Monitoring for performance indicators, then, is a common use.
To avoid liability for certain wrongs, employers also have good reasons to conduct electronic surveillance. For instance, in harassment and discrimination cases, employers are typically held liable for acts done by their supervisory employees, regardless of whether or not the employer was aware of the harassment. Burlington Industries, Inc. v. Ellerth, 141 L.Ed.2d 633 (U.S. 1998) and Faragher v. City of Boca Raton, 524 U.S. 775 (U.S. 1998). In a recent example, Chevron Corporation was required to pay four plaintiffs $2.2 million, in total, when email evidence of sexual harassment was found by the plaintiffs’ attorneys. If Chevron had been closely monitoring its employees’ email, it might have been able to prevent the liability that resulted from an inappropriate forward of jokes that had circulated within the firm.
Finally, to the extent that some courts have considered communications sent on company “letterhead” (electronic “letterhead” does count) to be “employer authorized,” employers also have an interest in monitoring electronic communications to avoid liability.
IV. Employer use of employee information collected by surveillance
Employers use most of the personal information that they collect about their employees internally. Data about employee performance, for instance, can be used for better planning and resource allocation or to locate areas where more training might be needed for their employees.
Employees should realize, however, that from their perspective, not all use of the information gleaned from them is positive. For instance, one 1997 survey by PC World found that 20% of employers had discovered inappropriate Internet usage by an employee and had to suspend the employee’s Internet usage, or even discharge them. Gindin at http://www.info-law.com/guide.html.
Of further concern is that email messages and website tracking information are delivered without explanation. Lacking the proper context, the likelihood that information could be construed improperly, or simply incorrectly, is large. Thus, information could unnecessarily damage an employee’s reputation with an employer or cause unneeded suspicion.
B. Interaction with other entities
Sometimes personal information is not kept within the company. USA Today reported in 1999 that employers gave millions of employment and salary records to outside companies who subsequently shared the data with landlords and others. With the proliferation of information actually gleaned from employees’ clickstreams, it is certainly possible that employers will, in the future, share other valuable employee information with outside entities. Some of this information is regulated by statute. (See D. Specific Protections, below).
Accuracy of information is also a particular concern when dealing with outside entities. Consider that according to a congressional report, half of all credit reports and background checks contain mistakes. Consider, then, that a similar potential for mistakes abounds in information that is taken about employees from their email messages and clickstream information and transferred to outside companies.
V. Legal issues involved in workplace privacy
Privacy protection in the workplace can be found in a variety of sources, including the Fourth Amendment (providing protection from unreasonable searches and seizures by the government only), the federal Electronic Communications Privacy Act, state constitutions and statutes, and common law remedies for invasion of privacy. Specific contracts or collective bargaining agreements could also limit the monitoring of employees, but “both practical and legal difficulties exist that make this rare.”
The Fourth Amendment to the U.S. Constitution guarantees "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" (U.S. Const., amend. IV § 1). In O'Connor v. Ortega, the Supreme Court acknowledged that the Fourth Amendment may be applicable to situations where employee information is gleaned from electronic surveillance. O’Connor v. Ortega, 480 U.S. 709, 716 (U.S. 1987). However, the Fourth Amendment applies only to government actions, not to actions of private employers. As a result, government employees may appear to have a somewhat stronger claim for protection against electronic monitoring and surveillance than private sector employees. In practice, this difference is minimal. A key legal determination in cases of governmental invasion of privacy seems to be whether the government employee has a "reasonable expectation of privacy" in relation to the act in question. Id. Thus, “the government employer's control of the premises and the equipment, the implied consent of the worker who is generally informed that monitoring might take place and the balancing of the magnitude of the intrusion into the employee's control over personal intimacy or information against the business necessities and efficiency of the public employer all combine to greatly limit a government employee's reasonable expectation of privacy." Rothstein, 19 N.Y.L. Sch. J. Int’l & Comp. L. 379.
The Electronic Communications Privacy Act (ECPA) was revamped by Congress in 1986 and now covers all forms of digital communications, including private email. Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-20. The coverage of the act is limited, however, by the forum in which one is communicating. For instance, to the extent that they are considered the equivalent of public forums, usenets, newsgroups, listservs, and similar applications are not covered under the ECPA.
The ECPA generally prohibits “(1) unauthorized and intentional ‘interception’ of wire, oral, and electronic communications during the transmission phase, and (2) unauthorized ‘accessing’ of electronically stored wire or electronic communications.”
Due to the fact that employers tend to provide the network over which employee communication takes place, the ECPA provides the least protection to employees in terms of employer “intrusions.” Largely, employers are exempt from the ECPA under one of two statutory exceptions. Ann Beeson, Privacy in Cyberspace: Is Your Email Safe From the Boss, the SysOp, the Hackers, and the Cops? at http://www.aclu.org/issues/cyber/priv/privpap.html.
First, the “service provider” exception applies if a) the employer is actually the provider of services (as opposed to an external ISP) or b) the employer is considered an agent of the ISP who actually provides the service. The exception reads as follows:
“It shall not be unlawful . . . for . . . a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.”
Under this provision, most employers can be considered exempt from liability for ECPA invasion of privacy. It is possible, however, that employers may not fall under part b. If an employer contracts with a third party to provide Internet service, they may not be considered a "provider" of the e-mail service so as to qualify for the provider exception. (Cheek)
The second exception is the “consent” exception, under which the employer need only acquire the implied or express consent of the employee to avoid ECPA violations. If an employee has knowledge of the employer’s policy and he or she continues to use the system anyway, this will likely fall under the consent exception. In practice, moreover, many employers routinely require employees to acknowledge—if not explicitly sign away any residual rights—that the employer may monitor computer usage including internet and email access.
While 48 states have statutes similar to the ECPA, most states (at least 31 and D.C.) have statutes that appear even stricter than the ECPA as long as the interception occurs within their jurisdiction. For instance, legislation in Virginia, Georgia, and West Virginia makes it illegal to use a computer to examine personal information without proper authority (i.e. permission from the owner). Sometimes, however, apparent heightened protection can be deceptive. For instance, Illinois courts have interpreted their requirement of “all party” consent, which appears to be a heightened standard over the requirement of consent from only one party, to mean consent from at least one party.
In one California state case, Shoars v. Epson, an employee was fired due to her refusal to participate in her supervisors' monitoring of employee e-mail. She relied on a California state law that prohibits electronic surveillance, but she lost her wrongful termination lawsuit when the court held that the statute's protections did not extend to email.
Prosecution under state statutes has also been relatively limited. Members of state legislatures have attempted to pass bills that would strengthen the protections of workers against electronic monitoring in the workplace, but they have generally failed because of sustained and effective corporate lobbying.
A proliferation of suits has been brought against employers for tortious invasion of privacy. These suits tend to fail, however, for lack of an objectively reasonable expectation of privacy. Even with a privacy expectation, if the privacy interest is outweighed by the countervailing legitimate business interests of the employer, the employee still loses.
In 1999, a Texas Court of Appeals, in McLaren v. Microsoft Corporation, dismissed a cause of action for invasion of privacy when an employer reviewed the contents of an employee’s “personal folder” despite it being restricted by two separate passwords. McLaren v. Microsoft Corp., 1999 W.L. 339015 (Tex. App. Dallas 1999). The court found that McLaren had no legitimate expectation of privacy in that the folder was stored on a company-owned machine and that emails had been sent over the company network and, therefore, could have been intercepted at any time. Id. Agreeing with the Federal District Court in Philadelphia’s decision in Smyth v. Pillsbury Co. (holding that employee termination for sending inappropriate email over employer’s system was not an invasion of privacy and did not violate public policy, despite employer’s prior assurance that employee email would remain confidential), the court further held that even if there had been an expectation of privacy, “the company’s interest in preventing inappropriate and unprofessional comments . . . over its email system” would outweigh any employee privacy interest. Smyth v. Pillsbury, 54 USLW 2564 (E.D. Pa. 1999) and McLaren v. Microsoft Corp., 1999 W.L. 339015 at 5.
See also Bourke v. Nissan Motors Corp
One of the early courts to address a government employee’s constitutional claim of privacy in clickstream data (as opposed to email) was the United States Court of Appeals for the Fourth Circuit in US v. Simons, 206 F.3d 392 (4th Cir. 2000). In Simons, a government agency notified employees that it would "audit, inspect, and/or monitor" employees' use of the Internet, including all file transfers, all websites visited, and all e-mail messages, "as deemed appropriate." The Court held that the written policy placed employees on notice that they could not reasonably expect that their Internet activity would be private, and thus the employee had no “reasonable expectation of privacy” in downloaded computer files. It has not been tested in the courts whether clickstream data is protected by statute, but to the extent that it is protected by each state’s common law, it would seem that employees should face similar obstacles to winning civil invasion of privacy suits as are faced by employees when email is the technology at issue. As a general matter, however, when courts have confronted privacy claims made against private (as opposed to governmental) entities, they have tended to reach decisions similar to those made in the constitutional context.
VI. Employer liability for invasion of privacy suits for monitoring employees?
While private employers appear to have certain legal protections over invasion of privacy suits, the law in this area is new and evolving. Up to now, courts have tended to treat the employment relationship as one in which employers hold the power to decide whether to monitor employee email or mouseclicks. The general idea has been that the employer owns the equipment, and can therefore set the terms of its use. Even under current law, which has been deferential to employer monitoring, this does not mean that employers are free to monitor or not monitor at will. It is not clear, for example, whether employers who fail to notify their employees that they monitor their mouseclicks will avoid liability for invasion of privacy. Moreover, even if employers issue a general notice to employees that they “may” be monitored, an employee might argue that more specific notice is required. Some states, for example, are considering such an approach.
First, policies regarding proper use of technology in the workplace, and the means that will be used to monitor such use, are highly recommended. Experts recommend that the notice be as specific as possible by including what types of monitoring will be used, how frequently monitoring will occur, and what purpose the employer hopes to accomplish through the monitoring. With an express privacy policy, an employee’s “expectation of privacy” is avoided—at least as courts have currently interpreted the law. Employment lawyers suggest that the policy be disseminated to all employees and “agreed” to by them, as well. Michael K. McCrystal, Coping with the Legal Perils of Employee Email, Wisconsin Lawyer (March 1999).
Although it is usually deemed legal, employers should at least consider minimizing the amount of electronic surveillance and general monitoring that they do. Some research has shown a link between monitoring and increased psychological and physical health problems in employees. High tension, anxiety, depression, anger, fatigue, and musculoskeletal problems are all concerns. In 1992 Swiss economist Bruno Frey found that certain forms of monitoring, instead of increasing employee efficiency and bettering their performance, actually negatively affected employee morale and hence, their performance worsened, as well.
While it may not solve email-monitoring problems, some employers have implemented filtering of Internet sites that employees are allowed to visit. Filtering software has become increasingly popular in the workplace, particularly to filter out sexually oriented sites, or other sites that may be personal in nature that employers wish to discourage employees from visiting during business hours (http://www.cyberpatrol.com/).
VII. How employees can protect themselves
The balance of power in electronic surveillance clearly weighs on the side of employers. There are few measures that employees can take to shield their computer use.
Much anxiety experienced by employees derives from uncertainty concerning their employers’ monitoring practices. Currently, Connecticut is the only state where employers are required to divulge to their employees when they are being electronically monitored. California lawmakers have considered a similar bill and on the national scene, the “Notice of Electronic Monitoring Act” was a bill proposed in the Senate that would require employers to “notify employees about whether, when and how they monitor employee email, computer and Internet usage and phone calls.” ACLU Applauds Bipartisan Legislation at http://www.aclu.org/news/2000/n072000b.html. Nevertheless, such notice is currently not required in most places, and in fact, 1/5 of companies surveyed by the American Management Association in 1999 did not tell their employees when they were being watched. It is unlikely employers would be willing to provide this information voluntarily if asked.
Employees can also try to contract with their employers for more privacy rights. Unless employees have bargaining power (e.g., through a union), however, such an approach is unlikely to succeed. The trend has been for less privacy protection, not more.
Particularly for protection of email, encryption is an increasingly used option. Encryption “scrambles” messages while they are in transport such that an intercepted email could not be “deciphered.” Note, however, that encryption can raise suspicion with employers. It also offers no legal protection should emails be discoverable in a lawsuit. Michael J. McCarthy, Snoop Dog: Web Surfers Beware: The Company Tech May be a Secret Agent, Wall Street Journal, (Jan. 10, 2000 at A1).
C. Government Employees
The story for public sector employees is somewhat different from that of private sector employees in that government employers are subject to federal constitutional constraints because their conduct is considered "state action." Private employers are not subject to constitutional claims unless their investigations become intertwined with a state investigation. Therefore, a search of an employee's office by a governmental employer is justifiable only "when there are reasonable grounds for suspecting that the search will turn up evidence ... of work-related misconduct, or that the search is necessary for a noninvestigatory, work-related purpose such as to retrieve a needed file.” O’Connor v. Ortega, 480 U.S. 709, 716. Although, in practice, this requirement may not truly limit employer rights (see section on Fourth Amendment above), public employees may raise a constitutional claim.
D. Specific protections
Also, specific types of information are protected by statute. For instance, collection of financial information about applicants and employees is statutorily addressed in the Fair Credit Reporting Act ("FCRA") (see Zamora v. Valley Federal Savings & Loan Ass'n, where the Tenth Circuit affirmed a judgment under the FCRA against an employer for obtaining, under false pretenses, credit information on an employee's spouse in order to determine the employee's trustworthiness) (Cornish). Zamora v. Valley Federal Savings & Loan Ass’n, 55 USLW 2469 (10th Circuit 1987).
The Americans with Disabilities Act ("ADA") protects medical information such that applicants and employees are not required to disclose certain medical information to employers. And once medical information is obtained by an employer, the ADA imposes strict limits on access to and disclosure of such information (see