I Spy Something Read! Employer Monitoring of Personal Employee Webmail Accounts

• Publication year: 2003

Kevin W. Chapman⁰

An employee arrives at work, logs onto Hotmail, types a quick message to his wife, sends a quick e-mail to friends about catching tonight's game at the bar, and forwards the latest joke that is a little risque. This type of e-mail use is common in corporate America among employers of all sizes. However, use of personal e-mail at work is no minor distraction. Consider an average size company of 1,000 employees—if the employees spend only one hour of each day on the Internet or using e-mail, the cost to the company could be greater than $35 million dollars in lost productivity in one year.¹ Major companies such as Xerox, the New York Times, Chevron, and Microsoft have been forced either to fire employees or settle lawsuits relating to e-mail use at work.² Recently, employees have shifted to using personal, web-based emails at work.³ Recognizing these problems, employers are now using surveillance software, known as "spyware," that can "capture every keystroke a user types at a computer, or take screen shots at regular interval[s] of everything a computer user does. [This] include[s] logging Web-based e-mail activity."⁴

E-mail use is commonplace in work environments. Some use is for legitimate business purposes, but much is for personal purposes: corresponding with family and friends, forwarding the latest jokes, or planning social events. E-mail is a valuable resource for employers. At the same time, however, it poses many risks and problems.⁵ Many companies are choosing to monitor their employees' use of electronic resources such as e-mail, the Internet, and instant messaging.⁶ Companies also are implementing policies outlining to employees what kinds of information can and cannot be accessed from work.⁷ These "rules, policies and monitoring tools are designed to protect . . . companies [human and financial] assets, future and reputation."⁸ However, the existence of employer monitoring has resulted in some friction between employers and employees, as evidenced by recent litigation.

This Recent Development focuses on a specific type of surveillance: private employers' monitoring of their employees' personal webmail accounts, such as Yahoo or Hotmail. First, this Recent Development reviews two recent district court decisions that involve employee use of web-based e-mail accounts at work. The Recent Development then argues that given the unsettled state of the law of employer e-mail surveillance of webmail, the courts should expand the laws allowing employer monitoring to explicitly include personal employee webmail accounts accessed by employees on company computer networks or Internet connections. Finally, this Recent Development suggests ways employers can ensure that e-mail monitoring policies will withstand employee challenges.

I. Reasons for Monitoring

Employers give three main reasons for electronically monitoring employee e-mail use: minimizing liability, avoiding reduction in employee productivity, and protecting company assets.⁹ Employers consider legal liability the foremost reason to monitor employee e-mail. Employee use of e-mail at work can result in sexual or racial harassment, fraud, libel or securities fraud claims.¹⁰ Furthermore, most viruses are spread through use of email. An employee can unknowingly spread virus-infected e-mails to others, exposing the company to tremendous liability. The cost of downtime alone, while networks are repaired, can be a tremendous expense to employers.

Second, employers are concerned that personal Internet and e-mail use decreases employee productivity.¹¹ A recent American Management Association study reported that nearly half of all employers surveyed explained that a very important reason for monitoring e-mail and Internet use in the workplace is to measure employee productivity.¹² Studies show that employee use of Internet and e-mail while at work is staggering—one recent study claims that "70% of employees admit to viewing or sending adult-oriented personal e-mail while at work."¹³ A more recent article quotes even more astounding statistics regarding Internet and email use at the workplace: more than eighty-five percent of employees use e-mail at work for personal activities, and during the 2000 Christmas season, forty-six percent of online shopping was done while at work.¹⁴ Even if these statistics are inflated it becomes obvious that time spent on personal e-mail and Internet use can quickly add up, distracting an employee's attention from work. This leads to decreased worker productivity.¹⁵

Finally, companies monitor e-mail usage to protect their assets.¹⁶ Theft, unapproved sharing of trade secrets, embezzlement, and destruction or damage to computer resources via a virus are major concerns when employees use web-based email programs.¹⁷ Employers may be particularly concerned about the loss of confidential information or client lists in certain work environments. Monitoring, therefore, serves as a deterrent to employees who may share this information with outside sources.

II. Employee Causes of Action

Employees seeking legal recourse against employers for monitoring personal e-mail accounts accessed at work usually will seek one of two avenues. Federal statutes relating to the interception and storing of information may be applicable. Additionally, employees may seek legal action against their employers based on the theory of common law invasion of privacy. Both of these causes of action are important because they are applicable in situations involving the monitoring of personal, web-based e-mail.

A. Federal Statutes

The Electronic Communications Privacy Act ("ECPA"),¹⁸ which amended the Wiretap Act,¹⁹ "prohibits the intentional interception of wire, oral or electronic communications and the intentional disclosure of the contents . . . by one knowing or having reason to know that the information was obtained through an interception that violates the act."²⁰ To violate the ECPA, the acquisition of communication must occur during the transmission, not after the e-mail is received.²¹ Accessing stored, opened e-mail after receipt is not considered "intercepting" under the ECPA.²²

The Wiretap Act does have two relevant exceptions. The first exception applies when one party to the transaction consents to being monitored.²³ This is why many employers require their employees to consent to monitoring. If a company has a consent form, in writing, signed by the employee, the likelihood of that employee successfully bringing suit under the ECPA is significantly reduced. Some courts have even found implied consent where employees were notified of a company e-mail policy in an employee handbook, but still choose to use e-mail for personal use.²⁴

The second exception to the ECPA is the "provider exception." Providers of e-mail service are exempt from the ECPA's prohibitions on access and its prohibitions on disclosure.²⁵ This exception is another justification for employers to monitor their own proprietary e-mail account system without being in violation of the ECPA.²⁶

Therefore, employers will not violate the ECPA as long as they fit into one of three categories. First, employers are monitoring only post-receipt e-mails. This negates the interception requirement of the ECPA. Second, employers are providing the electronic service. This is an exception to the ECPA. Third, a consent policy is in place, another exception to the ECPA. A plain reading of the statute suggests that as few as one of these criteria would suffice, though employers should consider more.

Whereas the ECPA deals with interception of electronic communications, the Stored Communications Act ("SCA")²⁷ prevents "intentional access without authorization [of] a facility through which an electronic communication service is provided."²⁸ Thus, the SCA's focus is post-transmission. It generally prohibits unauthorized access to the contents of communications while in electronic storage.²⁹ Another action that would violate the SCA is the situation where someone, in this case an employer, exceeds authorization to access such stored contents.³⁰ In order for this to be a violation of the SCA, the employer must, in addition to overstepping its authorization, obtain, alter, or prevent the employee's authorized access to his own e-mail account.³¹ Similar to the ECPA, persons or entities providing the electronic communications service are exempt under the SCA.³² For this reason, the act usually is inapplicable in situations where an employer monitors employee use of a company, proprietary e-mail system.³³ However, the cases fail to explain how the SCA might apply to employer access to stored, personal webmail accessed from work computers via the company's Internet connection.³⁴

B. Common Law Claim

Some states recognize a common law invasion of privacy claim,³⁵ sometimes referred to as "intrusion upon seclusion."³⁶ Other states have codified this tort.³⁷ To prove this claim, plaintiffs must overcome two hurdles: first, the employees must show that a reasonable expectation of privacy exist and second, that the invasion of privacy was highly offensive to a reasonable person.³⁸ The expectation of privacy is measured not by reference to the specific employee challenging the invasion, but instead by whether the employee's expectation of privacy was reasonable .³⁹ This hurdle is a high one and many employees will fail to satisfy this first condition. Several court decisions have yet to get past this first requirement, holding that no reasonable expectation of privacy existed in situations where an employer was monitoring its employees' use of company proprietary e-mail accounts.⁴⁰

Further, even if such an expectation does exist, the court also must find that a reasonable person would consider the employee monitoring to be a substantial and highly offensive invasion of privacy.⁴¹ The courts must determine what would be "highly" offensive to a reasonable person. They often rely on the Restatement...