Introduction: Privacy in the Workplace
I. Why the concern about workplace privacy?
The increased use of technology in the workplace has created new concerns for both employers and employees in the area of privacy. The reasons for the vast expansion in the use of technology in the workplace are far from surprising. Use of email and the Internet can immensely reduce operating costs through automation of human tasks, facilitate communication on innumerable levels, clearly increase efficiency in almost all tasks, allow for geographic and other business expansion, and less obviously, it can even reduce the amount of real estate and inventory that companies require. Susan E. Gindin, Guide to Email and Internet in the Workplace, at http://www.info-law.com/guide.html. Hence most employees, as opposed to ten years ago, now have access to email, and Internet access in the workplace has also exploded. According to an IDC Corporation study, two-thirds of employees in medium and large companies in the United States had Internet access in 1997. Gindin at http://www.info-law.com/guide.html. Today, those numbers are exponentially higher.
While this technology can be lauded for the ways in which it has helped business, it also raises concerns that previously did not exist. This module will explore how employers have technological access to both work-related and personal information about their employees, why employers want the information, what they do with it and why employees should be concerned, what legal framework addresses such privacy concerns, how employers can protect themselves from privacy suits, and finally, what employees should and can be doing to protect their privacy while at work.
II. Many employers have technological access to employee information
A survey conducted by the American Management Association in 1999 revealed that 45% of all U.S. companies conducted some sort of electronic surveillance at that time. And since 1999, there has been an explosion in technology designed to aid employers in such surveillance. One example of an overall computer monitoring system is a software program called Investigator 2.0 that costs under $100. It is easily installed on a PC and once installed, it monitors everything done on the target PC and routinely emails reports to the boss summarizing the activity. “Silent Watch” is another example of software that gives employers access to every keystroke that employees make. This increase in technology that aids in surveillance, and the associated decrease in the cost of the technology, mean that the number of employers who partake in electronic surveillance, and the extent to which they do so, are sure to increase.
For a complete description of how email works, see Module One of this course. For our purposes here, suffice it to say that email communications have a long life. Before an email even arrives in one’s “inbox,” the capacity for it to be intercepted is vast. And even after an email appears to have been “deleted” by the recipient, it can usually be retrieved from a number of locations, including the network, local hard drives, and backups. Gindin at http://www.info-law.com/guide.html. For this reason, it is usually quite easy for a boss to gain access to the private communications of his or her employees.
What may be less obvious is that many employers also have access to employees’ clickstream data, or “the aggregation of the electronic information generated as a Web user communicates with other computers and networks over the Internet”. Employee Internet access is typically provided in one of two ways. Either an employer contracts with an independent Internet Service Provider (ISP), the most well known example of which is AOL, to provide Internet access in its offices or, alternately, employers can set up systems that are run in-house. These systems can either give direct Internet access or are often forms of intranets and extranets.
If an ISP is the method used to secure Internet access, that ISP can monitor and record an entire clickstream because all of a user’s online commands are sent through the ISP. In-house systems have the identical capacity in that employees utilize the employer’s network for all Internet use. Programs have even been developed that automate the monitoring of clickstream data. eSniff.com (http://www.vericept.com/), a Colorado start-up company, has introduced a product that monitors all network traffic and flags activities that could be problematic. Numerous other products exist with similar capabilities.
Although it is not the focus of this module, note that other workplace monitoring is also accomplished through video equipment, pen registers, telephone recording devices, and magnetic “active” badges, to name a few frequently used employer techniques. Digital cameras, for instance, are so small that they fit on a one-inch by two-inch chip. Because prices are expected to fall to just a few dollars each, use of these cameras and other devices can be expected to proliferate. Froomkin, 52 Stan. L. Rev. 1461.
III. Employer reasons for collecting information about their employees
Employers have obvious reasons for wanting to monitor the performance of their employees. In the age of technology, though, employers have some even more specific concerns. For instance, guarding trade secrets is an essential element of many businesses. Monitoring the electronic communications of employees is one tool for employers to ensure that trade secrets do not escape. Reasonable measures might include formation of policies on email usage. Employers worried about trade secret security might justify their monitoring of employee email, K. Robert Bertram, Avoiding Pitfalls in Effective Use of Electronic Mail, 69 P.A.B.A.Q. 11 (1998), though it is unclear how even systematic monitoring would avoid intentional disclosure. Still, this fear provides an incentive for some companies who harbor important confidential information to electronically monitor their employees.
Finally, some employers claim that monitoring an employee’s computer usage performance is a more reliable means of reviewing employee performance than second-hand reports. Monitoring for performance indicators, then, is a common use.
To avoid liability for certain wrongs, employers also have good reasons to conduct electronic surveillance. For instance, in harassment and discrimination cases, employers are typically held liable for acts done by their supervisory employees, regardless of whether or not the employer was aware of the harassment. Burlington Industries, Inc. v. Ellerth, 141 L.Ed.2d 633 (U.S. 1998) and Faragher v. City of Boca Raton, 524 U.S. 775 (U.S. 1998). In a recent example, Chevron Corporation was required to pay four plaintiffs $2.2 million, in total, when email evidence of sexual harassment was found by the plaintiffs’ attorneys. If Chevron had been closely monitoring its employees’ email, it might have been able to prevent the liability that resulted from an inappropriate forward of jokes that had circulated within the firm.
Finally, to the extent that some courts have considered communications sent on company “letterhead” (electronic “letterhead” does count) to be “employer authorized,” employers also have an interest in monitoring electronic communications to avoid liability.
IV. Employer use of employee information collected by surveillance
Employers use most of the personal information that they collect about their employees internally. Data about employee performance, for instance, can be used for better planning and resource allocation or to locate areas where more training might be needed for their employees.
Employees should realize, however, that from their perspective, not all use of the information gleaned from them is positive. For instance, one 1997 survey by PC World found that 20% of employers had discovered inappropriate Internet usage by an employee and had to suspend the employee’s Internet usage, or even discharge them. Gindin at http://www.info-law.com/guide.html.
Of further concern is that email messages and website tracking information are delivered without explanation. Lacking the proper context, the likelihood that information could be construed improperly, or simply incorrectly, is large. Thus, information could unnecessarily damage an employee’s reputation with an employer or cause unneeded suspicion.
B. Interaction with other entities
Sometimes personal information is not kept within the company. USA Today reported in 1999 that employers gave millions of employment and salary records to outside companies who subsequently shared the data with landlords and others. With the proliferation of information actually gleaned from employees’ clickstreams, it is certainly possible that employers will, in the future, share other valuable employee information with outside entities. Some of this information is regulated by statute. (See D. Specific Protections, below).
Accuracy of information is also a particular concern when dealing with outside entities. Consider that according to a congressional report, half of all credit reports and background checks contain mistakes. Consider, then, that a similar potential for mistakes abounds in information that is taken about employees from their email messages and clickstream information and transferred to outside companies.
V. Legal issues involved in workplace privacy
Privacy protection in the workplace can be found in a variety of sources, including the Fourth Amendment (providing protection from unreasonable searches and seizures by the government only), the federal Electronic Communications Privacy Act, state constitutions and statutes, and common law remedies for invasion of privacy. Specific contracts or collective bargaining agreements could also limit the monitoring of employees, but “both practical and legal difficulties exist that make this rare.”
The Fourth Amendment to the U.S. Constitution guarantees "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" (U.S. Const., amend. IV § 1). In O'Connor v. Ortega, the Supreme Court acknowledged that the Fourth Amendment may be applicable to situations where employee information is gleaned from electronic surveillance. O’Connor v. Ortega, 480 U.S. 709, 716 (U.S. 1987). However, the Fourth Amendment applies only to government actions, not to actions of private employers. As a result, government employees may appear to have a somewhat stronger claim for protection against electronic monitoring and surveillance than private sector employees. In practice, this difference is minimal. A key legal determination in cases of governmental invasion of privacy seems to be whether the government employee has a "reasonable expectation of privacy" in relation to the act in question. Id. Thus, “the government employer's control of the premises and the equipment, the implied consent of the worker who is generally informed that monitoring might take place and the balancing of the magnitude of the intrusion into the employee's control over personal intimacy or information against the business necessities and efficiency of the public employer all combine to greatly limit a government employee's reasonable expectation of privacy." Rothstein, 19 N.Y.L. Sch. J. Int’l & Comp. L. 379.
The Electronic Communications Privacy Act (ECPA) was revamped by Congress in 1986 and now covers all forms of digital communications, including private email. Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-20. The coverage of the act is limited, however, by the forum in which one is communicating. For instance, to the extent that they are considered the equivalent of public forums, usenets, newsgroups, listservs, and similar applications are not covered under the ECPA.
The ECPA generally prohibits “(1) unauthorized and intentional ‘interception’ of wire, oral, and electronic communications during the transmission phase, and (2) unauthorized ‘accessing’ of electronically stored wire or electronic communications.”
Due to the fact that employers tend to provide the network over which employee communication takes place, the ECPA provides the least protection to employees in terms of employer “intrusions.” Largely, employers are exempt from the ECPA under one of two statutory exceptions. Ann Beeson, Privacy in Cyberspace: Is Your Email Safe From the Boss, the SysOp, the Hackers, and the Cops? at http://www.aclu.org/issues/cyber/priv/privpap.html.
First, the “service provider” exception applies if a) the employer is actually the provider of services (as opposed to an external ISP) or b) the employer is considered an agent of the ISP who actually provides the service. The exception reads as follows:
“It shall not be unlawful . . . for . . . a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.”
Under this provision, most employers can be considered exempt from liability for ECPA invasion of privacy. It is possible, however, that employers may not fall under part b. If an employer contracts with a third party to provide Internet service, they may not be considered a "provider" of the e-mail service so as to qualify for the provider exception. (Cheek)
The second exception is the “consent” exception, under which the employer need only acquire the implied or express consent of the employee to avoid ECPA violations. If an employee has knowledge of the employer’s policy and he or she continues to use the system anyway, this will likely fall under the consent exception. In practice, moreover, many employers routinely require employees to acknowledge, if not explicitly sign away any residual rights, that the employer may monitor computer usage including internet and email access.
While 48 states have statutes similar to the ECPA, most states (at least 31 and D.C.) have statutes that appear even stricter than the ECPA as long as the interception occurs within their jurisdiction. For instance, legislation in Virginia, Georgia, and West Virginia makes it illegal to use a computer to examine personal information without proper authority (i.e. permission from the owner). Sometimes, however, apparent heightened protection can be deceptive. For instance, Illinois courts have interpreted their requirement of “all party” consent, which appears to be a heightened standard over the requirement of consent from only one party, to mean consent from at least one party.
In one California state case, Shoars v. Epson, an employee was fired due to her refusal to participate in her supervisors' monitoring of employee e-mail. She relied on a California state law that prohibits electronic surveillance, but she lost her wrongful termination lawsuit when the court held that the statute's protections did not extend to email.
Prosecution under state statutes has also been relatively limited. Members of state legislatures have attempted to pass bills that would strengthen the protections of workers against electronic monitoring in the workplace, but they have generally failed because of sustained and effective corporate lobbying.
A proliferation of suits has been brought against employers for tortious invasion of privacy. These suits tend to fail, however, for lack of an objectively reasonable expectation of privacy. Even with a privacy expectation, if the privacy interest is outweighed by the countervailing legitimate business interests of the employer, the employee still loses.
In 1999, a Texas Court of Appeals, in McLaren v. Microsoft Corporation, dismissed a cause of action for invasion of privacy when an employer reviewed the contents of an employee’s “personal folder” despite it being restricted by two separate passwords. McLaren v. Microsoft Corp., 1999 W.L. 339015 (Tex. App. Dallas 1999). The court found that McLaren had no legitimate expectation of privacy in that the folder was stored on a company-owned machine and that emails had been sent over the company network and, therefore, could have been intercepted at any time. Id. Agreeing with the Federal District Court in Philadelphia’s decision in Smyth v. Pillsbury Co. (holding that employee termination for sending inappropriate email over employer’s system was not an invasion of privacy and did not violate public policy, despite employer’s prior assurance that employee email would remain confidential), the court further held that even if there had been an expectation of privacy, “the company’s interest in preventing inappropriate and unprofessional comments . . . over its email system” would outweigh any employee privacy interest. Smyth v. Pillsbury, 54 USLW 2564 (E.D. Pa. 1999) and McLaren v. Microsoft Corp., 1999 W.L. 339015 at 5. See also Bourke v. Nissan Motors Corp
One of the early courts thus far to address a government employee’s constitutional claim of privacy in clickstream data (as opposed to email) was the United States Court of Appeals for the Fourth Circuit in US v. Simons, 206 F.3d 392 (4th Cir. 2000). In Simons, a government agency notified employees that it would "audit, inspect, and/or monitor" employees' use of the Internet, including all file transfers, all websites visited, and all e-mail messages, "as deemed appropriate." The Court held that that written policy placed employees on notice that they could not reasonably expect that their Internet activity would be private, and thus the employee had no “reasonable expectation of privacy” in downloaded computer files. It has not been tested in the courts whether clickstream data is protected by statute, but to the extent that it is protected by each state’s common law, it would seem that employees should face similar obstacles to winning civil invasion of privacy suits as are faced by employees when email is the technology at issue. As a general matter, however, when courts have confronted privacy claims made against private (as opposed to governmental) entities, they have tended to reach decisions similar to those made in the constitutional context.
VI. Employer liability for invasion of privacy suits for monitoring employees?
While private employers appear to have certain legal protections over invasion of privacy suits, the law in this area is new and evolving. Up to now, courts have tended to treat the employment relationship as one in which employers hold the power to decide whether to monitor employee email or mouseclicks. The general idea has been that the employer owns the equipment, and can therefore set the terms of its use. Even under current law, which has been deferential to employer monitoring, this does not mean that employers are free to monitor or not monitor at will. It is not clear, for example, whether employers who fail to notify their employees that they monitor their mouseclicks will avoid liability for invasion of privacy. Moreover, even if employers issue a general notice to employees that they “may” be monitored, an employee might argue that more specific notice is required. Some states, for example, are considering such an approach.
Although it is usually deemed legal, employers should at least consider minimizing the amount of electronic surveillance and general monitoring that they do. Some research has shown a link between monitoring and increased psychological and physical health problems in employees. High tension, anxiety, depression, anger, fatigue, and musculoskeletal problems are all concerns. In 1992 Swiss economist Bruno Frey found that certain forms of monitoring, instead of increasing employee efficiency and bettering their performance, actually negatively affected employee morale and hence, their performance worsened, as well.
While it may not solve email-monitoring problems, some employers have implemented filtering of Internet sites that employees are allowed to visit. Filtering software has become increasingly popular in the workplace, particularly to filter out sexually oriented sites, or other sites that may be personal in nature that employers wish to discourage employees from visiting during business hours (http://www.cyberpatrol.com/).
VII. How employees can protect themselves
The balance of power in electronic surveillance clearly weighs on the side of employers. There are few measures that employees can take to shield their computer use.
Much anxiety experienced by employees derives from uncertainty concerning their employers’ monitoring practices. Currently, Connecticut is the only state where employers are required to divulge to their employees when they are being electronically monitored. California lawmakers have considered a similar bill and on the national scene, “The Notice of Electronic Monitoring Act” was a bill proposed in the Senate that would require employers to “notify employees about whether, when and how they monitor employee email, computer and Internet usage and phone calls.” ACLU Applauds Bipartisan Legislation at http://www.aclu.org/news/2000/n072000b.html. Nevertheless, such notice is currently not required in most places, and in fact, 1/5 of companies surveyed by the American Management Association in 1999 did not tell their employees when they were being watched. It is unlikely employers would be willing to provide this information voluntarily if asked.
Employees can also try to contract with their employers for more privacy rights. Unless employees have bargaining power (e.g., through a union), however, such an approach is unlikely to succeed. The trend has been for less privacy protection, not more.
Particularly for protection of email, encryption is an increasingly used option. Encryption “scrambles” messages while they are in transport such that an intercepted email could not be “deciphered.” Note, however, that encryption can raise suspicion with employers. It also offers no legal protection should emails be discoverable in a lawsuit. Michael J. McCarthy, Snoop Dog: Web Surfers Beware: The Company Tech May be a Secret Agent, Wall Street Journal, (Jan. 10, 2000 at A1).
C. Government Employees
The story for public sector employees is somewhat different from that of private sector employees in that government employers are subject to federal constitutional constraints because their conduct is considered "state action." Private employers are not subject to constitutional claims unless their investigations become intertwined with a state investigation. Therefore, a search of an employee's office by a governmental employer is justifiable only "when there are reasonable grounds for suspecting that the search will turn up evidence ... of work-related misconduct, or that the search is necessary for a noninvestigatory, work-related purpose such as to retrieve a needed file.” O’Connor v. Ortega, 480 U.S. 709, 716. Although, in practice, this requirement may not truly limit employer rights (see section on Fourth Amendment above), public employees may raise a constitutional claim.
D. Specific protections
Also, specific types of information are protected by statute. For instance, collection of financial information about applicants and employees is statutorily addressed in the Fair Credit Reporting Act ("FCRA") (see Zamora v. Valley Federal Savings & Loan Ass'n, where the Tenth Circuit affirmed a judgment under the FCRA against an employer for obtaining, under false pretenses, credit information on an employee's spouse in order to determine the employee's trustworthiness) (Cornish).
The American with Disabilities Act ("ADA") protects medical information such that applicants and employees are not required to disclose certain medical information to employers. And once medical information is obtained by an employer, the ADA imposes strict limits on access to and disclosure of such information (see