E-mail Privacy in the Workplace — To What Extent?

Suppose you work for a large company that has an internal electronic mail (e-mail) system. Suppose further that, in the grand tradition, your relationship with your supervisor is seriously suboptimal. To amuse yourself and your trusted colleague in Marketing, you send him daily e-mail updates of your boss’s foibles and follies, in the belief that only you and your colleague have access to the e-mail messages you’ve been exchanging. Imagine your surprise when your boss (with his boss at his side — Personnel insists there always be a witness) calls you into his office, informs you he no longer considers you part of the “team,” and thwacks down on the table a stack of copies of the aforementioned unflattering e-mail messages. Through your shock, you can read your boss’s lips uttering the phrase, “opportunities outside the company.”

Does the law protect the privacy of e-mail communications made on a company’s internal e-mail system? Many people view use of their employer’s e-mail system as akin to making a telephone call, and thus feel the e-mail messages they send on their company’s internal system should be free from intrusion. Indeed, the Federal Electronic Communications Privacy Act (the law prohibiting “wire-tapping”) forbids eavesdropping on telephone calls and e-mail messages sent via public BBSs (except to a limited extent by BBS owners or sysops). But with respect to an employer’s privately-owned internal e-mail system, the prevalent view among lawyers is that employees do not have rights of privacy in e-mail communications they send and receive on their employer’s system unless the employer acts in a manner giving rise to a reasonable expectation of privacy.

An employer can possibly create this expectation of privacy if it is aware of the use of its e-mail system for personal communications among its employees and allows the system to be used for that purpose. Under these circumstances, an implied agreement is arguably created granting employees the right to expect that their private communications will not be monitored or accessed. An employer can of course also expressly permit its employees to use its e-mail system for personal communications by informing them in policy statements or personnel manuals that this practice is acceptable.

As with many issues presented by relatively new technologies, there is not a great deal of law directly on point. Courts are often asked to extrapolate from existing law protecting privacy rights in non-computer contexts to carve out additional rights of privacy in the on-line world. In a widely publicized lawsuit in California, an employee of Epson America sued Epson after being fired for refusing to assist in the company’s covert monitoring of internal e-mail. Epson claimed no right of privacy existed because the company owned the e-mail system. The fired employee claimed that a California statute forbidding the electronic surveillance by employers of employees (by means other than monitoring e-mail) was violated. The court disagreed, however, interpreting the statute to apply only to surreptitious monitoring of voice, i.e. telephone, conversations. Not wanting to make new law, the court said it was up to the legislature to extend the statute to new technologies.

If a company does not wish to allow its employees to use its e-mail system for private communications, how can it help protect itself from privacy violation claims from employees using the system? One way is to make clear to employees that the system is to be used exclusively for company business purposes, and not for personal communications. Employees should be informed of this through personnel manuals and published policy statements, which should also clearly state that the e-mail system is the property of the company, and employees should accordingly have no expectation of privacy with respect to information transmitted on the system. Notices to this effect should be placed on system start-up screens as well.

Many approaches to e-mail policies are available to companies considering them. They need not be all or nothing. For example, a company wishing to permit limited private e-mail communications between its employees might designate a certain portion of the system for that purpose. It could inform its employees that it would not monitor e-mail communications unless it believed the system was being used for activities harmful to the company. A variety of approaches are suggested by the Electronic Messaging Association in its pamphlet, “Access to and Use and Disclosure of Electronic Mail on Company Computer Systems: A Tool Kit for Formulating Your Company’s Policy.” The Electronic Mail Association can be reached via CompuServe, AT&T Mail, IEMA, MCI Mail and other e-mail services.

Attorney Eric Freibrun specializes in Computer law and Intellectual Property protection, providing legal services to information technology vendors and users. Tel.: 847-562-0099; Fax: 847-562-0033; E-mail: eric@freibrun.com.

May 2nd, 1994|