Image by Peggy und Marco Lachmann-Anke from Pixabay.
With the ongoing events that began in 2020 (the COVID-19 pandemic and ensuing quarantine), many U.S. employers transitioned to remote work arrangements to accommodate local or state stay-at-home mandates. During this time, some employers engaged in certain types of remote workplace monitoring, such as the use of mobile device management (MDM) or productivity monitoring software.
There are many legitimate reasons why employers may monitor their employees in the U.S.
- Customer-imposed contractual security requirements might require video surveillance on premises or implement data loss prevention (DLP) technology to prevent the unauthorized access or deletion of confidential data.
- New privacy and security laws require employers to protect the confidentiality and privacy of consumer data, which requires monitoring of access to personal information.
- Employers are required to protect access to proprietary information, or it may lose trade secret status if disclosed too broadly.
- Employers can also generally monitor to improve the quality of their services and workforce productivity and satisfaction, such as through call monitoring or review of employee internet use.
- Finally, employers have an overwhelming legitimate interest in preventing workplace harassment and criminal actions, which may require investigation and review of employees.
E-mails and Company Equipment (Computers, Phones)
U.S. employers generally have the right to monitor employees on company computers, phones, and other devices when (i) monitoring is done in the ordinary course of business, and (ii) employees are notified of the monitoring. In this situation, courts usually find that employees do not have an expectation of privacy regarding their communications and other activities on these devices.
The Electronic Communications Privacy Act (ECPA) prohibits the interception of electronic communications in most circumstances, but there is an exception for employer monitoring. The ECPA permits monitoring if one or all parties has given consent, or the interception is done in the ordinary course of business. “Most employers choose to monitor work email accounts, or at least reserve the right to do so, for a host of legitimate business reasons.” In re Info. Mgmt. Servs., Inc. Derivative Litig., 81 A.3d 278, 286 (Del. Ch. 2013) (discussing possible reasons for employer monitoring, including for legal compliance, legal liability, performance review, productivity measures, and security concerns).
Courts have differed on whether monitoring of employee calls and emails constitute “the ordinary course of business”. Watkins v. L.M. Berry & Co., 704 F.2d 577 (11th Cir. 1983) (finding call center worker making personal calls on work phone had an ECPA claim, when she only expected sales calls to be monitored); Adams v. City of Battle Creek, 250 F.3d 980, 984 (6th Cir. 2001)(police officer did not consent to monitoring of pager, where company had not notified him of the monitoring). As a result, employers should obtain employees’ implied consent to monitoring by provide notice to employees of such monitoring. This notice should occur upon onboarding and routinely during employment, and be contained in the employer’s workplace policies and/or employee handbook.
Please note, however, that if you choose to monitor employee phone calls in two-party consent jurisdictions, like California, you will still need the implicit or explicit consent of the other party to the call. For example, customers should be notified on customer service call with an employee that the call will be recorded.
A similar analysis applies to state statute and common law claims for invasion of privacy. These cases typically examine whether the employer violated an employee’s reasonable expectation of privacy. To determine whether an employee has a reasonable expectation of privacy in their computer files and emails, these four factors may be considered:
(1) does the corporation maintain a policy banning personal or other objectionable use,
(2) does the company monitor the use of the employee’s computer or e-mail,
(3) do third parties have a right of access to the computer or e-mails, and
(4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?
In re Asia Glob. Crossing, Ltd., 322 B.R. 247, 257 (Bankr. S.D.N.Y. 2005).
Personal Devices (BYOD)
Whereas employers may generally monitor employee communications made over employer-owned equipment, networks, and cloud services, the line becomes blurred where personal devices are authorized for use in employment, such as in BYOD (Bring Your Own Device) workplaces.
The Stored Communications Act (SCA) prohibits intentional, unauthorized access to private communications in electronic storage. This statute generally does not apply to communications sent over work devices (since those communications are not expected to remain “private”). However, the SCA is commonly implicated where employers have attempted to access information on an employee’s private social media account or personal email account —- e.g. where an employer continues to access social media, emails, or texts of a terminated employee. In these cases, an employer can limit SCA claims by having a BYOD policy that clearly outlines the processes terminating or deleting company assets on a personal device.
Regardless of whether the employer uses corporate devices or a BYOD policy, it is the employer’s responsibility to provide adequate notice and training to their employees regarding workplace monitoring expectations. This notice should be provided in policies or handbooks presented at the time of hiring, and periodically updated or revisited from time to time.
Certain states, such as Connecticut and Delaware, explicitly require employers to provide employees with prior written notice of monitoring. See Conn. Gen. Stat. Ann § 31-48d(b)(1); 19 Del. C. § 705(b)). In these jurisdictions, employers are obligated to post readily available and conspicuous notices of the types of electronic monitoring they will engage in or otherwise collect the employee’s consent to monitoring in writing or electronically.
Employers should treat personal employee email accounts with caution. While employers generally have the right to continue monitoring emails received by a terminated employee’s work email address, they should not try to access the personal emails of any terminated employees, even if the login information is saved on employer equipment. In Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008), an employee’s personal accounts to Hotmail, Gmail, and other email accounts were accessed when the employee left his username and password information saved on his employer’s computers. The court held that the employer’s unauthorized access of the personal emails violated the SCA.
Employers should also be explicit about enforcing employee monitoring policies. In some situations, managers may informally unravel or fail to enforce written policies. For example, In City of Ontario, Cal. v. Quon, 560 U.S. 746 (2010), Quon, a police officer, sued his employer, the City of Ontario, for disclosing personal text messages on City-owned-and-issued pagers.
While there were written policies explained that there should be no expectation of privacy in the use of City resources, Quon’s employer told him that the pagers would not be audited if employees paid for overages. Quon paid for overages several times and claimed that the unraveling of the written policy meant that he had an expectation of privacy in the pagers. While the Supreme Court ultimately found for the City, protracted litigation may have been avoided had the written policy been strictly enforced. Though it may seem counterintuitive, the City may have avoided Quon’s privacy claims by actively notifying Quon of the City’s monitoring, and engaging in express routine monitoring of his pager.
A final note on video. Generally, individuals have less of an expectation of privacy on business premises than within a private home. See O’Connor v. Ortega, 480 U.S. 709 (1987). Employers can generally put video cameras at entrance and exit points, and may even have a duty to do so in order to protect the confidentiality of their data.
Employers cannot, however, install video surveillance devices in areas where there is traditionally an expectation of privacy, such as restrooms, locker rooms, or changing rooms. See, e.g., Cal. Lab. Code § 435.
As with other forms of monitoring, employers should put the employee on notice of the video surveillance by posting signage in the affected areas. In addition, the employer should consider other factors to assess whether the employee has a reasonable expectation of privacy in the surveilled area such as:
- whether the work area is for the employee’s exclusive use (a storage area versus a private office),
- the extent to which others had access to the area (unlocked versus locked desk/cabinet), and
- the nature of employment.
See Vega-Rodriguez v. Puerto Rico Telephone Co., 110 F.3d 174, 179-180 (1st Cir. 1997).
Generally, U.S. employers can monitor employees on company devices and networks if they follow best practices to notify employees.
Monitoring is more likely to be allowed if:
- The employer maintains and updates written policies for use of employer-owned equipment.
- The employer gave prior notice of written policies or obtained the employee’s consent to monitoring.
- The employer strictly enforces the written policies related to employee monitoring.
- The monitoring is in a public or semi-public, shared area.
- The employer consistently and continually monitors according to policy.
Monitoring might not be allowed if:
- The employer monitors a private, exclusive area (bathroom stall, locker, locked desk, or office).
- The employer conducts monitoring after the employee has been terminated on any remaining personal devices or accounts belonging to the employee.
- The employer conducts the monitoring surreptitiously (without good reason).
Employee Monitoring in Other Countries
As a caveat, the previous discussion addresses U.S. employers only. There may be specific local or country-level laws outside of the U.S. that further restrict employers’ rights to monitor employees or otherwise impose additional obligations upon the employer.
For instance, under the European General Data Protection Regulation (GDPR), prior to commencing any monitoring where the monitoring is likely to result in a high risk to the rights and freedoms of individuals, an employer may have to conduct a data privacy impact assessment (DPIA) to identify and mitigate privacy risks to employees. Employers should consult with local privacy or employment attorneys to determine the laws applicable to them and the risks and consequences of noncompliance.
Disclaimer: The article is offered for promotional, informational, or educational purposes, but is not intended to constitute legal advice. Do not act or rely on the information found here without consulting with a licensed attorney.