Privacy in the workplace, fact or fiction, and the value of an authorized use policy (AUP).

AuthorHuckabee, Gregory M.

Employers have long sought to control or oversee employee communications in the workplace. Given the prevalence of personal mobile devices in the work environment, the days of complete control are quickly becoming faded memories. As a result, employers are facing issues such as inappropriate use of the Internet, liabilities for harassment suits, drains on network resources, risks of wrongful access to their digital assets, possibilities of legal action taken by an employee who is terminated for abuse, and a host of other ethical and legal issues that ultimately place a substantial cost burden on the business and employees alike. To mitigate or even avoid these issues, employers need to implement an Authorized Use Policy ("AUP") outlining the expectations of acceptable behavior on both personal and company-owned electronic devices. This article informs business owners of privacy law in the United States as it applies to employees ' expectations and employers ' policies, case law on the benefits and pitfalls of implementing a policy, and provides a model sample policy for businesses to implement in the workplace.

  1. INTRODUCTION

    In Leventhal v. Knapek, (1) a state employee brought a [section]1983 civil rights action against his employer and the employer's officials. (2) The employee alleged that his employer violated his rights to due process and freedom from unreasonable searches when his employer conducted a search of his work computer and took disciplinary action against him based on the findings of the search. (3) 42 U.S.C. [section] 1983 authorizes a claim for relief against a person who, acting under color of state law, violated an individual's federally protected rights. (4) There are at least two major elements of a [section] 1983 claim: "First, the plaintiff must allege that some person has deprived him of a federal right. Second, he must allege that the person who has deprived him of that right acted under color of state or territorial law." (5) The Second Circuit Court of Appeals held that, even though the searches occurred on his work computer, the employee had a reasonable expectation of privacy because there was no clear policy or practice regarding regular monitoring of work computers. (6) Furthermore, the employee occupied a private office with a door, had exclusive use of the computer in his office, and did not share use of his computer with other employees or the public. (7)

    Looking beyond the workplace, there are increasingly blurred lines between work and free time, and the workplace and private places. These blurred lines increase an employer's risk that an employee's actions, while not at work, will be attributed to the employer even when the employee is not present in the workplace or otherwise subject to the employer's oversight. In the absence of an AUP--or in a case where a company expressly negates privacy expectations-- employee privacy claims may be difficult to determine. Where an employer adopts a monitoring policy pursuant to a good faith effort to protect itself and its property interests, it may be absolutely immune from state law liability for intercepting or reviewing employee communications. (8)

  2. PRIVACY LAW IN THE UNITED STATES

    1. THE FOURTH AMENDMENT

      We begin our discussion with a review of the law concerning expectation of privacy interests. The Fourth Amendment prohibits unreasonable government searches and seizures and protects legitimate expectations of privacy. (9) What constitutes a legitimate expectation of privacy? Courts have recently started to address the expectation of privacy with regard to Internet communications. (10) The Fourth Amendment, however, does not apply to the private employment arena, but rather, only government operated worksites or activities. (11) Instead, only federal and state statutory laws offer limited privacy protection to nongovernment employees. (12) To bring a claim for a violation under the Fourth Amendment against a governmental entity, "one must have a subjective and objective expectation of privacy in the place searched or items seized." (13) The United States Supreme Court explained that what "a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected." (14) In Hester v. United States, the Court explained that while the Fourth Amendment protects citizens in their persons, houses, papers, and effects as well as inside their homes and the surrounding curtilage, the protection does not extend to the open fields and wooded areas outside of the curtilage, (15) thus supporting the idea that no expectation of privacy exists for property and personal belongings held open to the public. (16)

    2. FEDERAL STATUTORY LAW

      In 1986, the United States Congress passed the Electronic Communications Privacy Act ("ECPA") to protect privacy in electronic communications. (17) Congress enacted the ECPA to protect privacy in electronic communications. (18) Courts have applied this Act to many electronic monitoring employment situations. (19)

      The ECPA has three titles, two of which relate to employers' rights to monitor their employees' electronic communications. (20) Title I of the Act is commonly known as the Wiretap Act and prohibits the intentional interception of electronic communications. (21) Title II, the Stored Communications Act ("SCA"), prohibits the intentional unauthorized access to stored communications. (22) According to the Wiretap Act, interception lasts for only a few seconds while the information is "in transmission" from place to place. (23) The exceptions include the Consent Exception (requiring one of the parties involved to consent), and the Course of Business Exception (requiring that the monitoring occur in the normal course of business). (24) The SCA includes both exceptions found in the Wiretap Act and adds a third, the Provider Exception, which protects employers who can show that their access was meant to protect its property. (25) Thus, the ECPA tends to favor the rights of employers and essentially provides little protection to employees.

      The Computer Fraud and Abuse Act ("CFAA"), governing cases with a compelling federal interest, prohibits accessing a "protected computer" without authorization and causing "damage" or "loss" (26) An employee can be liable to an employer for damages to company data (27) unless employees have proper authorization from their employers to access the data. (28) Even though an employer usually enjoys the right to view both personal and business emails on the employers system, a legitimate business purpose must exist in order for the employer or employer's agent to view the information. (29)

    3. COMMON LAW TORTS

      Tort law, in terms of personal injury, specifically the tort of inclusion upon seclusion, is applicable in the public and private arena. Cases involving tort law are generally determined on a case-by-case basis. The elements of inclusion upon seclusion include: (1) an intentional intrusion into a "place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy," and (2) an intrusion "in a manner highly offensive to a reasonable person." (30) Courts have held that a "plaintiff asserting a cause of action based on the tort of intrusion must clear a high threshold." (31) Stengart v. Loving Care Agency, Inc. is one of the rare cases in which a state court has found the employee had the requisite objective and subjective expectations of privacy in emails to her attorney. (32)

    4. STATE LAW

      Employers and employees may find guidance in the electronic monitoring arena by looking to their specific state law. Much of the statutory regulation of privacy issues is occurring at the state level as states pass new statutes and their courts find new applications for old ones.

      Specifically in South Dakota, the law provides employers cannot take adverse action based on employee off-duty activities or employee off-duty use of lawful products. (33) Regarding Interceptions of Electronic Communications, state law stipulates that only one party (either sender or receiver) need consent to the recording of a telephone communication. (34) However, monitoring in private places is banned by state legislation. (35) Because this is a relatively new area of the law, there are few applicable South Dakota cases or statutes addressing these issues. However, one thing is certain, employers and employees will face conflicts and potentially lawsuits if Authorized Use Policies are not put into place in the workplace, setting forth the standards and policies of each business, and putting the employee on notice of these policies.

    5. RECENT PRECEDENT

      Exploring federal case law, in City of Ontario v. Quon the United States Supreme Court expressed its views on the reasonable expectations of privacy and provided employers with steps to take in order to avoid privacy-based claims while still exercising their right to view employees' electronic communications such as text messages and email. (36) However, the Court refrained from outlining the general scope of permissible workplace monitoring. (37) The Court found that the police department had a "noninvestigatory, work-related purpose" and therefore acted reasonably in reviewing an officer's text messages on an employer-provided pager. Most importantly, the Court stressed the significance of a well-written Authorized Use Policy when defending against an employee's claim that an employer wrongfully reviewed the employee's electronic communications. (38) The Court also expressed that employers should ensure that their policies address not only email or text message communications transmitted through the company's e-mail server but also communications transmitted through third party servers. (40) While the Court ultimately found the officer had no...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT