North Nash

Employee Electronic Communications Monitoring: The Potential Risks

Posted: July 28, 2020 | News

The COVID-19 pandemic has induced most businesses to redeploy their workforce to work remotely, in far-flung places across cities, states, the nation, and even the world. This has called for new tools to manage workforce performance and productivity, protect confidential business information, minimize liability for worker misconduct, and protect system security. More frequently now, companies are utilizing employee monitoring software or related tools that monitor employee emails, voicemails, text messages, and other online activity. There are pros and cons to this practice. The benefit is risk reduction and effective employee management. But the negative consequences are not always considered and can greatly increase a company’s legal risks if the tools are not used in compliance with the law.

Both federal and state laws govern the use of electronic surveillance software by private companies to monitor their workers’ electronic communications. Among all online activity monitoring tools, those giving rise to the greatest potential legal problems are tools that enable real-time monitoring or storage of employee communications for later review. A variety of laws provide enhanced protection for personal communications, even those of employees who are on the job.

Tools of special concern are those that enable monitoring and extend to employees who are working from home and using their own electronics. Businesses currently using surveillance software and tools that enable employee monitoring or review of online activity should assess how such tools might lead to, or increase, an employer’s risk of potential privacy-related claims. A variety of federal and state laws, including wiretapping laws, data privacy and security laws, and common law and statutory privacy protections, can be implicated by employee electronic monitoring practices. Below are a few of these laws that should be considered.

WIRETAPPING LAWS

On-line monitoring tools used by employers must comply with the federal Wiretap Act (as amended by the Electronic Communications Privacy Act of 1986), which prohibits the live or real-time interception of the contents of wire, oral, and electronic communications including telephone, email, text messages, and Internet chats, unless a statutory exception applies. The definition of "intercept" with respect to emails and electronic communications remains an unsettled point of law. But the basic distinction is between (i) obtaining a communication in real time (like a conventional wiretap), and (ii) accessing a stored communication (such as an email or text message in storage). Accessing stored communications is governed by the Stored Communications Act, discussed in the next section.

Employers that use electronic monitoring tools in the workplace typically rely on employees' consent. This is an exception under both federal and state wiretap laws, except where state law, such as California's, requires that all parties to a conversation consent to listening in or recording. Employers usually can infer employees' consent when employees use company-provided electronic equipment, and after employees receive explicit notice of the business' acceptable use policies and a statement that the company will enforce such policies. Ideally, the policies explicitly state that use of company equipment constitutes consent to monitoring such use and the content of any messages sent or received on the equipment or its systems. Businesses should ensure that such policies are clear regarding the kinds of communications that are prohibited (e.g., excessive use of email for personal communications), so that the business can properly infer consent to the monitoring of potentially unacceptable activity. Recording live conversations, however, would require another level of consent if other parties to a call or email reside in a two-or-all-party consent state, such as California.

Before using surveillance tools to monitor employee emails, text messages, internet chats, and other electronic communications in real time, employers should first carefully evaluate whether an exception clearly applies. Again, the most common exception is employee consent, as described above. Violations of the Wiretap Act are punishable by civil and criminal sanctions and may include injunctive relief, damages, attorneys' fees and costs, criminal fines for the employer, and imprisonment of corporate employees.

In addition to the Wiretap Act, many state laws impose other or additional restrictions on "wiretapping" by private persons. Further, many specifically address different types of workplace surveillance. The federal Wiretap Act does not preempt state wiretapping laws, so employers must be alert to their legal obligations under both federal and state law.

In California, for example, an employer would be subject to criminal sanctions if he or she records or otherwise eavesdrops on an employee's private telephone or email conversations without prior consent of all parties to the communication (see Cal. Penal Code §§ 631, 632). Similarly, other states (e.g., Connecticut and Delaware) require prior written notice to employees that the employer plans to monitor phone or email communications (see Conn. Gen. Stat. Ann § 31-48d(b)(1); 19 Del. C. § 705(b)). Both civil and criminal sanctions are available for violations of these statutes, including fines and imprisonment.

STORED COMMUNICATIONS

Employers must also consider the federal Stored Communications Act before accessing employee communications. The Act protects wire and electronic communications and records in electronic storage (i.e., "stored communications") that are intended to be private. To be clear, the Act does not bar an employer from accessing communications stored on employer-provided email systems (wire or electronic communications services), pursuant to the employer’s announced policies that are disclosed to employees.

The Act does require the employer first to obtain the employee’s permission to access communications stored elsewhere, for example on an employee's private email with a service provider or private social media account. A violation carries a civil penalty including damages, injunctive relief, and attorneys’ fees, as well as criminal penalties.

States may also have their own laws protecting stored electronic records from unauthorized access, which are not necessarily preempted by the Stored Communications Act (see, for example, Florida Statute § 934.21 and Iowa Code 716.6B, both of which provide for criminal sanctions).

PRIVACY CONCERNS UNDER STATE LAW

State statutory and common law (case law) rights of privacy protect employees from employer access to certain private information. The essential issue is whether the employee had a reasonable expectation of privacy in the particular communication. When the employer provides notice to employees that any use of company electronic equipment is subject to monitoring, this can help demonstrate the employee had no reasonable expectation of privacy in private emails on company electronic equipment.

In California, employers are subject to the requirements of the California Consumer Privacy Act (“CCPA” or the “Act”) of 2018. The CCPA imposes a privacy notice requirement. It mandates that covered businesses must provide privacy notices to employees in California. The CCPA states that the notice must describe “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”

Personal information is defined broadly by the CCPA to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information frequently collected by employers include social security numbers, employment history, financial information, medical information, and emergency contacts.

The privacy notice must be furnished to employees “at or before the point of collection” and employers must provide a copy of, or link to, their privacy policy. The revised draft regulations explain that employees do not have to be given a “Do Not Sell My Personal Information” link. Additionally, the notice may provide a link to the business’s privacy policies for employees, applicants, etc., rather than the privacy policy that applies to other consumers.

If employers intend to use previously collected personal information for a previously undisclosed purpose, the CCPA requires that a new notice be provided to affected individuals.

STRATEGIES TO REDUCE RISK

Employers can satisfy many obligations under the above-described laws, and mitigate attendant risk, by taking one or a combination of the following steps:

  • Establishing a company-wide policy stating that work-related communications, or communications that are conducted over employer-provided assets, may be subject to monitoring
  • Providing employees with advance notice of the monitoring with clear statements regarding the scope of acceptable use of the business's equipment, network, and systems
  • Obtaining employees' explicit prior consent to the monitoring, although consent can be inferred in many cases, and records of written consent can strengthen a business' position in the event of litigation
  • Obtaining prior consent for monitoring that will extend beyond what has previously been stated in employee policies

This article is limited to only a handful of laws that could apply to a business' surveillance of its employees' communications. Employers with a unionized workforce should consider their obligations under the National Labor Relations Act. Similarly, government employers should consider whether monitoring violates employees’ Fourth Amendment rights and protections under applicable statutes.

Additionally, businesses with employees residing overseas must consider the laws applicable to workplace monitoring and surveillance in the relevant jurisdictions. For example, the European Union General Data Protection Regulation (GDPR) and EU Member States' laws offer greater privacy protections to employees and other persons than U.S. law.

The legal implications of employee monitoring for a particular business will depend on the surveillance tool in question, the controls made available to the employer and employee for using the tool, the extent of notice provided to the employee, and how the tool is deployed. Businesses should be certain they understand how the surveillance features of a new product operate, identify the business case for their use, and have a thoughtful plan for implementation before a new employee monitoring program is launched.

If you have questions or require guidance, please contact the attorneys at North, Nash & Abendroth LLP, as we are knowledgeable in this area of the law and are here for your support.

Author: North, Nash & Abendroth’s Attorney and Partner, Douglas W. Abendroth
