The use of electronic mail ("email") and the Internet by employees has skyrocketed in the past few years. It now has reached the point that these tools of technology are required items for a modern and successful workplace. For example, most federal courts now require lawyers to file pleadings electronically and court notices and rulings are transmitted via email.
The use of the Internet and email in the workplace, however, has caused new problems for employers - use of these items for personal or unlawful reasons. In Websense, Inc's sixth annual Web@Work study, released in August, it found that 93% of all respondents to the survey spent at least some time accessing the Internet at work, up from 86% in the 2004 survey. http://ww2.websense.com/global/en/PressRoom/MediaCenter/Research/webatwork/webatwork2005.pdf. Fifty percent of employees surveyed who access the Internet at work, did so for both work and personal reasons (e.g., to check news, personal email, online banking, travel and shopping). The survey also found that 23% of men questioned had visited a pornographic web site on company time.
CareerJournal.com, on July 1, reported that in order to combat the misuse of company email and Internet systems, 76% of firms monitor which web sites employees visit and 55% review email messages. Andrea Coombes, Privacy at Work? Don't Count on It: Employers are Tracking Email, CareerJournal.com (July 1, 2005) at http://www/careerjournal.com/myc/killers/20050701-coombes.html. While monitoring has increased, questions arise about how far an employer can go in accessing and reviewing employee information without running afoul of the law.
This article reviews briefly certain federal laws in this area which employers should be aware of when establishing policies regarding Internet and email use by employees. Title I of the Electronic Communications Protection Act ("ECPA"), 18 U.S.C. § 2510 et seq., commonly referred to as the Wiretap Act, prohibits the unlawful interception of any wire, oral or electronic communication. 18 U.S.C. § 2511. The ECPA defines electronic communications to include email. 18 U.S.C. § 2510(12). A violation of Title I occurs when a person intercepts an electronic communication while it is actually in the process of traveling to its destination. 18 U.S.C. §2510. No violation of Title I occurs, however, if the electronic communications are "intercepted" or "accessed" with the consent of at least one participant to the communication. 18 U.S.C. §2511(2)(d). For this reason, many employers adopt email policies, which employees are required to sign, stating that the employee consents to the employer's interception and monitoring of email. Employers should be aware that some states have adopted their own wiretap laws, which require all parties to consent to the interception. See, e.g., MD. Code Ann., Cts. & Jud. Proc. § 10-402(c).
The question also arises over an employer's right to access information stored on the company's computer system. Title II of the ECPA created the Stored Communications Act (SCA), which was designed to prohibit the intentional, unauthorized access to stored wire and electronic communications and transactional records. 18 U.S.C.A. §§ 2701-2711. Electronic storage is defined as any "temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof" and "any storage of such communication by an electronic communication service for purposes of backup protection of such communication." 18 U.S.C. § 2510 (17)(A) and (B). It is not a violation, however, for the person or entity providing the wire or electronic communications service to access communications that are in that provider's electronic storage system. 18 U.S.C. §2701 (c)(1). Therefore, employers are not liable under Title II if they access emails stored on its computer systems.
In Borninski v. Williamson, 2005 WL 1206872 (N.D. Tex. May 17, 2005), the court found that copying an employee's hard drive, which contained saved emails from the company computer was not a violation of the ECPA. In Borninski, when the employee commenced employment, he signed the company's Internet policy, which provided, among other things, that by accessing the Internet through the employer's gateway systems, he gave implied consent to such monitoring. Borninski, 2005 WL 1206872 at *3.
The employer investigated the employee to determine whether he was in breach of its security protocol or policies. Id . at *5. In accordance with the company's Internet policy, the employer copied the contents of the company-issued hard drive used by the employee. Id . The employer also remotely logged onto the employee's workplace computer through the company network, which physically linked all employee computers to a central server. Id . The employer did not access the employee's Hotmail account while copying the contents of his hard drive. Id . at *11. The employee claimed that these actions violated the ECPA. Id . at *10.
The court held that the employer did not violate the ECPA by copying the contents of the employee's hard drive because the emails were retrieved from the computer's hard drive, as opposed to his Hotmail account. Id . at *12. The court reasoned that "as the electronic communications had ended, Borninski's company-issued computer hard drive would not qualify as 'temporary [or] intermediate storage of a wire or electronic communication incidental to the electronic transmission' nor would it qualify as 'storageÉby an electronic communication service for purposes of backup protection of such communication...'" Id . The court also held that the employer's review of the employee's company-issued computer was not "access[ing] without authorization" because the company exercises ownership control over its network and the computers attached to the network. Id . The court reasoned that "[c]ompanies routinely exercise control over such equipment, including maintenance of the software and hardware, and revocation of access rights when an employee's employment is terminated." Id. at *12.
The court also found no violation of the ECPA by the employer because the employee consented to the monitoring of his Internet activity by signing the employer's "Application for Internet Access," which "advises employees that the Internet access should be limited to 'business use only'É" Id . at *13. The court therefore ordered summary judgment in the defendants' favor on this issue.
The Borninski decision is consistent with the Third Circuit's decision in Fraser v. Nationwide Mutual Ins. Co., 352 F.3d 107 (3d Cir. 2003), remanded to 334 F.Supp.2d 755 (E.D.Pa 2004). In Fraser, the plaintiff was terminated because he was disloyal to Nationwide. Fraser, 352 F.3d at 109. Nationwide became concerned that the plaintiff might be revealing company secrets to its competitors. Id . at 110. Nationwide therefore "searched its main file server - on which all of Fraser's email was lodged - for any email to or from Fraser that showed similar improper behavior." Id . This search confirmed Fraser's disloyalty, and Fraser was terminated. Id . Fraser filed suit against his employer for, among other things, violation of Title II of the ECPA. Nationwide filed a motion for summary judgment.
The Third Circuit affirmed the District Court's conclusion that Nationwide's search of Fraser's email did not violate Title II of the ECPA because Fraser's emails were neither in "temporary, immediate storage" nor in "backup" storage. Id . at 114. They were in final storage on the server. The court also held that Nationwide's search of the emails falls within the exception that "seizures of email authorized 'by the person or entity providing a wire or electronic communications service'" applies because "Fraser's email was stored on Nationwide's system (which Nationwide administered)É" Fraser, 352 F.3d at 114-115. See 18 U.S.C. § 2701(c)(1).
While the use of email in the workplace is on the rise, employers need to make employees aware of how those systems are to be used. Clear, concise written policies should outline whether these electronic systems may be used for personal reasons. Employees should be regularly reminded that the systems belong to the employer and information stored on the system may be accessed from storage and reviewed by the employer. As noted above, actual interception of email may present a danger because there is always the chance it will violate state laws regarding two-party consent. Furthermore, employers must be consistent in their application of such policies to avoid claims of discrimination by employers in protected categories. Employers who access stored email should also make certain that the hardware or servers are actually owned by the employer and not owned by a third-party vendor, such as America Online or Hotmail . The email and Internet are tools of the workplace that are here to stay, and employers must have lawful and effective policies in place to ensure they are used properly by employees.
Published October 1, 2005.
