Employee expectations of privacy in the workplace only improving in very specific contexts
With the current interest focused on revisiting the Electronic Communications Privacy Act (ECPA), including plans announced by members of both the House and Senate to initiate formal reviews of the 1986 law and the extent to which its provisions should be updated to reflect the modern state of communications technology, it seems like a good time to check on the state of privacy in the workplace. The baseline position is that companies have broad latitude when it comes to capturing and monitoring communication occurring in the workplace, especially when the communication uses company-owned or provided equipment and services. Assuming they follow the stipulations about electronic communications monitoring in ECPA, such as describing planned, potential, or actual monitoring activities and providing notification of them to employees, customers, partners, or others who will be subject to the monitoring, companies have the right to watch what’s happening within their own environments. Many states require companies to obtain consent of one or both (or all) parties to an electronic conversation before it can be monitored or recorded, but when it comes to employees, as long as the monitoring activity is disclosed to employees as a standard operating practice, employees are assumed to have given consent by virtue of agreeing to work for the company. The standard by which non-employees can be considered to have given consent varies somewhat by jurisdiction and type of communication, but in general, if the intent to monitor is disclosed up front, the continued participation by a party to the conversation is tantamount to consent. This is the primary driver behind the familiar recorded declaration, “This call may be monitored or recorded for quality assurance purposes.” If you don’t want your interaction with a company recorded, presumably you hang up and send an email or write a letter instead.
So the starting assumption for employees would seem to be, you have no reasonable expectation of privacy in the workplace. Some recent well-publicized court cases have suggested that this statement is too absolute, and in fact employees may have some expectation of privacy for their personal communications, even when those communications take place using employer resources. While there is no intention to trivialize these victories for personal privacy, the rulings address very specific sets of facts, so they may not be indicative of any significant retrenchment of employers’ rights to monitor employee communications. The cases are also instructive to both companies and their employees in terms of what expectations of privacy are likely to be considered “reasonable,” and clearly spell out the need for companies to be very explicit in writing policies governing employee behavior, communications, use of company systems and services, and their plans to monitor such behavior and enforce their policies. Perhaps the most remarkable implication of the cases recently argued and others cited as precedents within those decisions is that the Courts do not appear to hold individual employees accountable for having any knowledge of the functional or technical aspects of the electronic communication systems they use, whether that functionality is specific to their employer or a standard feature of widely used communications applications like email and text messaging.
In a case argued before the New Jersey Supreme Court in December and decided last week, employee Marina Stengart sued her former employer, Loving Care, for violating her right to privacy under attorney-client privilege when the company, using computer forensic analysis, recovered cached copies of emails between Stengart and her lawyer, who was helping Stengart in a lawsuit filed against Loving Care. The email communications used Stengart’s personal, password-protected Yahoo! email account, which she accessed using her employer-issued laptop from within Loving Care’s network environment. Stengart made no active attempt to store local copies of the emails; her intention seems to have been the opposite, and her low level of technical knowledge made her ignorant of the fact that web browsers routinely store copies of viewed web pages in a temporary cache on the computer running the browser. Because she didn’t know about the temporary file cache, she made no effort to clear the cache before returning the laptop to her employer upon leaving the company. The company searched the computer it had issued her looking specifically for information that could assist Loving Care in defending against Stengart’s lawsuit. The core question in the case that made it to the NJ Supreme Court is, by using a company-issued computer to access her web-based personal email account, did Stengart waive her attorney-client privilege? The court said she did not, and remanded the case back to the trial court to determine an appropriate remedy, finding that the company, when it realized the emails were communications between Stengart and her lawyer, should have immediately notified her attorney and either returned or destroyed the emails, rather than examining their content. Essentially, the case only addresses employee expectations of privacy for personal emails exchanged with an attorney; it says little about the privacy of personal communications in general.
The ruling in Stengart is useful (it’s well worth reading the ruling itself; it’s only about a dozen pages) in a few areas beyond the narrow scope of the facts in this case. Chief Justice Rabner, in describing the reasoning and legal precedents for the court’s decision, provides a number of other cases that address secondary issues raised in the Stengart case, including the specificity required in company policies about personal use of company resources and monitoring of that use. Some of the cases cited involve (justifiable) company inspection of ostensibly private employee communications because of suspected criminal activity or violation of acceptable use policies, but neither of those situations applies to Stengart. Other cases also highlight the importance of addressing the extent to which the content associated with permitted Internet use will be monitored; while employees generally can claim no expectation of privacy when communicating using their employee email address and employer’s email server or system, the same does not apply for email communication conducted outside the company environment using a personal, rather than company, email address. The court suggested that individual expectations of privacy, even when communicating with an attorney, are less justified when the employee uses a company email system for the communication. A 2006 state court decision from Massachusetts was cited not only as a precedent that the default browser behavior of storing local temporary copies of web-based emails viewed using the browser is not sufficient on its own to invalidate attorney-client privilege, but also to suggest that employee expectations of privacy, even when using a company-issued computer, are somewhat greater if the communication takes place from home or another non-company location, such as a scenario when personal email is sent or received using a company laptop connected to a home network and ISP.
The court also specifically noted that no matter how specific Loving Care’s policy might have been (in its actual form the court considered it ambiguous on how the company treated personal communications), no policy can override the compelling public policy interests supported by maintaining the privilege attached to attorney-client communications. This is another reason it is hard to generalize the findings in Stengart to other personal communication contexts — presumably similar findings in favor of individual privacy rights would only be made where the subject matter of the communication was explicitly a legally protected type of content.
As Stengart aptly illustrates, not all cases raise 4th Amendment issues, although there are many court cases and examples of criminal investigations that illustrate how the existence of probable cause in an investigation can and will override individual privacy protections, irrespective of company policies or legal requirements governing the treatment of certain types of personal information. There is of course a presumption in such 4th Amendment matters that the parties doing the investigation are acting appropriately in seeking to search for information and are in fact pursuing legitimate lines of investigation. A recent decision by the 11th Circuit Court illustrates one of the more egregious violations of this presumption, when an individual acting as a whistleblower on his employer was subjected to a search of his personal email by a local prosecutor who allegedly conspired with the employer and obtained a subpoena for the individual’s email records under false pretenses, and then used that information to falsify evidence in order to charge the whistleblower with burglary and assault, neither of which actually occurred. Despite the fact that the prosecutor’s actions are not in dispute, the 11th Circuit Court ruled that the individual’s 4th Amendment rights protecting against unreasonable search and seizure had not been violated. Last week the Electronic Frontier Foundation joined the counsel for the individual in asking the 11th Circuit panel to review several aspects of its ruling, which the EFF asserts did not follow the law.
While we can’t offer the sort of expert legal analysis on any of these cases that you might find from privacy lawyers like Hunton and Williams, there are some practical implications for both employers and employees that come out of the Stengart ruling. Following the logic the justices used in Stengart, employers should:
- Have explicit policies in place about whether personal use of company resources is permitted at all, and if it is, what limitations (if any) there are on such use
- Also spell out in explicit terms rights the employer asserts about use of and data stored within its computing and communications assets, network environment, and employer-provided services
- If the employer does or intends to monitor employee communications, say so, and include in the scope of the statement all forms of media and types of communication that are subject to monitoring
- Include statements about whether the contents of such communication will be examined and under what circumstances, recognizing that there may be certain types of content (attorney communications, including with internal counsel; health records; information about employees’ children, etc.) that may be legally protected in ways that trump the employer’s rights or desire to inspect the content
- If, in the course of following the stated policy, content is identified that falls into one of the categories of information protected by state or federal privacy laws, stop reading and don’t proceed further until checking with legal
- If there are valid reasons to prevent employee use of personal email from work (such as data loss prevention), implement measures to block access to web-based email
- Understand that the assertion of ownership or rights to monitor employee information does not apply the same way to communications conducted through third-party service providers, whether or not the employer pays for those third-party services
- Make sure that the policies and procedures put in place comply with all relevant legal requirements, with special attention on regulations covering monitoring and interception of communications and rights to access stored content such as messages, call logs, or transaction records
The list above is far from exhaustive, but assuming a company wants to proactively minimize the reasonable expectation of individual privacy in the workplace, these practices would be constructive to that end. While all employers must balance employee productivity, convenience, and trust with restrictions on employee behavior in the furtherance of their business interests, it appears that employers can establish the clearest legal standing by completely prohibiting personal communication using company systems and resources.
For their part, there are also steps individual employees can take to help ensure their personal communications remain private, and to minimize the chance of inadvertent personal information disclosure such as what happened with Stengart. These include:
- Read, understand, and follow your employer’s policies on personal use of employer-provided communications equipment and services, including definitions of acceptable use
- For any communications deemed sensitive by the employee, try not to use employer-provided resources to conduct those communications, even if policy says that you can
- If you do use your employer-provided devices for personal communications, try to conduct them when offsite, such as using your home ISP to connect devices to the Internet, so your communications traffic doesn’t flow through your employer’s services and network environment
- Don’t use employer-provided email for personal communications
- Learn enough about the tools you use (web browsers, email clients, messaging services) to understand whether local copies are being made of your activities “out in the Internet,” and if so, learn how to prevent local storage (such as using “private browsing” features) or remove the copies afterward (understanding that merely deleting a temporary file cache may not prevent the later retrieval of the cache’s content by a forensic analyst)
- If you leave an employer, when you return your laptop, pager, PDA, smartphone, or other device, remove all personal data from the device and “wipe clean” the storage media using a tool like Eraser on a computer or equivalent comprehensive data destruction available on many handheld devices
- The courts seem to believe that employee ignorance is no reason to diminish expectations of privacy, but this benefit only applies reliably for specially protected types of information, so don’t rely on ignorance — instead be well informed and aware of the security and privacy implications of your environment