Courts Say E-Monitoring of Employees Is Legal

Readers submitted questions, which our expert answered.

Q: What rights, if any, does an employee have in protecting his privacy in the workplace?

A: When it comes to workplace e-mail, courts have tended to reject privacy claims based on employer monitoring. A handful of courts have held that an employee does not have a reasonable expectation of privacy in e-mail communication made over a company e-mail system—leaving employees with little recourse against employers that snoop through their e-mail. One federal court went so far as to say that an employee has no reasonable expectation of privacy in his workplace e-mail even when a company assures him that such communications will not be intercepted. One thing is clear, however: A court is highly unlikely to conclude that an employee has a reasonable expectation of privacy in his e-mail communications when the employer has a policy clearly stating that such communications are subject to monitoring. As such, employers are free to monitor their employees’ use of their networks so long as the company does not violate labor and antidiscrimination laws—for example, by targeting union organizers or minorities.

Q: My company has a policy that restricts the use of company e-mail accounts for personal use. Can the company access my personal AOL account if I use its computer and Internet connection to check e-mail?

A: Court decisions that have upheld an employer’s right to monitor employee e-mail seem to center on the fact that the messages are accessed through and stored on company-owned computer resources. The fact that the messages may come from a “personal” account, such as Hotmail or AOL, would not likely alter the rationale of these decisions, unless, of course, a company policy expressly states otherwise.

For instance, in a recent Texas appellate court decision, the court held that an employee did not suffer an invasion of privacy when his employer reviewed and disseminated e-mail messages that were stored in a “personal folders” application on his office computer. Notably, the court’s analysis honed in on the misconception that an employee’s personal workstation is the equivalent to his personal property.

Following the rationale of that Texas court, it appears to make no difference whether the employer was monitoring messages stored on the computer from a work e-mail account or a personal e-mail account. An employee would not have a reasonable expectation of privacy in the contents of any application or file stored on a company-owned computer. Because your company has expressed prohibition against personal use of e-mail, you would be well-advised to refrain from using the company’s computer and Internet connection to access your personal messaging account.

Q: It seems as though companies will get sued for a hostile workplace if they don’t monitor employees’ e-mail and will get sued for privacy invasion or bias if they do monitor it! In your opinion, which course of action is the most prudent?

A: While the burgeoning risks associated with e-mail continue to emerge in today’s information society, the trigger point for an employer’s liability stems from a longstanding legal principle—the Respondeat Superior doctrine, which imposes liability on employers for the misconduct of their employees when it occurs in the scope of their employment.

An employer may also be directly liable for damages resulting from the negligent supervision of its employee’s activities. Under this theory, the employer’s liability is direct, not vicarious (as under Respondeat Superior), and the employer’s duty of care may extend to actions outside the scope of employment.

In order to take a preemptive strike at those forms of liability, an employer must exercise reasonable care to prevent the harm that could potentially be caused by its employees. Therefore, an employer who endeavors to institute policies and procedures to prevent and correct discriminatory or harassing behavior, for example, will have an affirmative defense available against an action brought under the theories of vicarious liability or negligent supervision. To foster this preemptive strike, many companies have decided to institute various forms of computer monitoring programs, ranging from content-filtering to keystroke monitoring. Statistics show that the share of major U.S. companies checking employee e-mail messages has jumped from 14.9 percent in 1997 to 46.5 percent in 2001, according to a survey conducted by the American Management Association. Currently, the case law on this point has resolved the debate in the company’s favor, leaving employees with little recourse against employers that snoop through their e-mail. However, excessive monitoring may sometimes lead to a higher standard of care. Therefore, it may be preferable for your company to reserve the right to monitor e-mail at any time and without further notice, while focusing actual monitoring on investigations or suspicion of e-mail system misuse.

Q: I am writing a best practices document for internal e-mail distribution. Is there a public policy or guideline so that I don’t have to create one from scratch?

A: I have seen a number of articles on e-mail dos and don’ts that set forth guidelines that require e-mail users to be concise, stop and think before sending a message, avoid e-mail threads, limit the use of ALL CAPS and limit distribution lists. Michael Overly’s E-policy: How to Develop Computer, E-mail and Internet Guidelines to Protect Your Company and Its Assets (Amacom, 1998) is a great resource for exploring issues of e-mail etiquette and policy development.

However, I would not give up on the idea of creating a policy from scratch. Currently, there is no such thing as an ironclad policy that will safeguard employers from areas of exposure and risk. The entire concept of an e-mail policy remains in its embryonic stage, while employers are becoming increasingly embroiled in litigation stemming from misuse of workplace e-mail. Given the patchwork of inconsistent rules that currently extend to e-mail in the workplace, the safest course for businesses today is to assess their own electronic infrastructure and work environment, and tailor messaging policies to their particular business needs.