Key cards, private email accounts, audio and video surveillance, password-protected computer workstations – they all make the workplace more efficient and safe, and they also have changed the landscape of employee privacy dramatically within a generation. Monitoring technology allows employers to guard against a range of employee misconduct, from unproductive uses of the Internet to fraud and other sources of significant liability for both the employee and the employer. Management is no longer limited to direct observation governed by human limitations as technological advancements have allowed companies to “supervise” their employees on a much wider scale. Employers can now use technology to monitor employees and make sure that productivity stays high, while employer fraud, theft, and other misconduct stays low. Yet employers must also be mindful of applicable local, state, and federal laws that may protect employees.
As employers increase their ability to monitor and record their employees’ workplace conduct, so does the risk that employees will complain. Some employees have even sued their employers, claiming violations of their “right to privacy.” Federal law and the laws of most states do recognize some employee privacy interests. Thus, an employer must consider employee privacy interests when it monitors employee conduct.
Employers should be aware of all applicable state and federal laws – and understand that the law of privacy is constantly changing – when formulating policies to monitor employee conduct. An employer should also be mindful of the effect of monitoring policies on employee morale. A monitoring policy that is legal but that employees view as unfair and unnecessary may ultimately hurt productivity. An employee who thinks that his/her employer has unfairly invaded his/her privacy is more likely to seek a lawyer, pursue litigation, or campaign for more protective laws.
The idea of an individual’s right to privacy in the United States originates with the Constitution. Both the Bill of Rights and the 14th Amendment address privacy rights. The Bill of Rights guards against unreasonable searches and seizures by the federal government, and the 14th Amendment applies these privacy protections to state and local governments. These provisions protect public sector employees, such as postal workers and state employees, from unjustified invasions of privacy by federal, state, and local government employers.
The federal privacy rights described in the U.S. Constitution protect citizens against government action only; private employers are not restricted by the Constitution in monitoring workplace conduct. However, this does not mean that private employees are without privacy rights.
Congress passed the Electronic Communications Privacy Act of 1986 (ECPA) in reaction to increasing concern that new threats to civil liberties were being made possible by emerging technology. The ECPA essentially modified some of the provisions of the federal Wiretap Act and added a new section, the Stored Communications Act. The ECPA is the controlling federal law dealing with surveillance and monitoring through telephone and other electronic means.
The ECPA amendments are not very clear, and courts have been critical of the ECPA’s statutory language. The Wiretap Act forbids the unauthorized “interception, use, and disclosure” of any “wire, oral, or electronic communication,” and the Stored Communications Act (SCA) forbids unauthorized “access” to an “electronic communication while it is in electronic storage.”
Courts have grappled with the interaction between these two provisions, as well as the respective legal boundaries of each act.
A private right of action under the Wiretap Act allows recovery of actual and punitive damages, plus attorneys’ fees and costs. The Wiretap Act also provides for statutory damages, which usually are awarded in daily increments, computed at $100 dollars a day, and capped at $10,000. Damages are awarded on a daily basis even though many different types of violations may happen within the course of the same day.
An oral communication is anything “uttered by a person exhibiting an expectation that such communication is not subject to interception under such circumstances justifying such expectation.” Conversations among employees, even in a public workspace, can sometimes be protected “oral communications” if spoken in private beyond the hearing range of others.
This category includes communications using the human voice, transmitted on any system that can function in interstate commerce, which covers telephone communication and possibly fax communication.
Electronic communications include many of the communications that are widely used in today’s workplace, such as email, voicemail, and messages transmitted over the Internet.
Interception under the Wiretap Act is “acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Courts have interpreted interception in a variety of ways. One court held that a defendant intercepted a communication when she retrieved and forwarded to her own personal mailbox a voicemail message from the recipient’s mailbox before it had been received by the recipient.
(In another case, a court held that viewing an email message on the plaintiff’s computer screen did not constitute “interception.”)
The Wiretap Act’s general prohibition on interception has three major exceptions:
This does not limit an employer’s right to discipline an employee for excessive personal phone calls while at work.
The SCA prohibits unauthorized access, interception, and disclosure of information stored in electronic form. Stored communications can take many forms, but they most commonly include computer files and email messages that have been archived.
One important exception to the SCA is when a provider of wire or electronic communications service is given access to an employer’s stored electronic communications, which would presumably enable the employer to monitor email that is archived on its communication system. What constitutes storage, however, is not well defined. Some courts have distinguished different types of storage, such as “intermediate storage,” “backup protection storage,” and “post-transmission storage.”
At least one federal court has found that text messages do not meet this exception. As such, in that case, an employer’s reading of text messages was a violation.
Another exception to the SCA allows access to stored electronic communications that have been made by or sent to a user if the user consents.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act) may influence workplace privacy significantly. This act, which is mainly designed to combat terrorism, gives agencies of the government more extensive search powers, allowing them to conduct surveillance both traditionally and electronically to track and apprehend terrorists.
Certain provisions of the act – the so-called “sneak and peek” portions – allow the government to conduct surveillance without getting a court order or warrant. As long as the government can demonstrate reasonable cause for investigating without giving notification (basically, that notifying the target would negatively impact the investigation), the act allows the government to delay notification. The government can monitor someone’s office, computer, or email without notifying the individual until after the monitoring has been done. Employers now face the reality that their communications systems are completely open to the government and therefore have a critical interest in making sure that no illegal communication or information is being transmitted or stored on their information systems.
The Employee Polygraph Protection Act of 1988 (EPPA) prohibits most private employers from using lie detector tests prior to employment and during the course of employment. Specifically, employers may not do any of the following:
request, require, suggest or cause (directly or indirectly) any current or prospective employee to take a lie detector test
Not all private employers are prohibited from using lie detector tests. Employers whose primary business purpose consists of providing security services (for example, armored car, alarm systems, security guards) or manufacturing, distributing, or dispensing controlled substances may use lie detector tests.
Additionally, a private employer may request that an employee submit to a lie detector test if the test is to be used in connection with an ongoing investigation involving economic loss or injury to the business. In those instances where testing is permitted, an employer is required to follow certain detailed procedures before, during, and after the administration of a lie detector test.
The EPPA does not apply to federal, state, and local governments, or any political subdivision of a state or local government. The law also does not apply to tests given by the federal government to persons engaged in national security related activities.
As of July 2015, Virginia employers cannot request or require access to social networking or electronic accounts of applicants or employees. Employers are also prohibited from requiring an employee to add an employee, supervisor, or an administrator to the list of contacts associated with the employee’s social media account. The law does not prohibit an employer from viewing information about a current or prospective employee that is publicly available.
For purposes of the law, “social media account” is defined broadly and includes any “personal account with an electronic medium or service where users may create, share, or view user-generated content, including, without limitation, videos, photographs, blogs, podcasts, messages, emails, or website profiles or locations.” The law does not apply to social media accounts opened by an employee on behalf of an employer, or to accounts provided to an employee by an employer, such as the employer's email account or other software programs owned or operated exclusively by the employer. Employers may maintain access to those accounts.
Employers should also monitor other regulations that impact federal privacy rights, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which restricts access to personal health information.
In addition, in the case of large multi-national companies, other countries may have restrictions on access to personal information that can further complicate privacy compliance. For instance, the European Union’s data privacy directive requires companies to abide by its protocols for the protection of its member state citizens’ and residents’ personal information.
There are four distinct legal claims that address invasions of privacy:
In an employment situation, intrusion upon seclusion can occur in situations such as alcohol and drug testing, gathering medical and other personal information, conducting surveillance, unauthorized eavesdropping or wiretapping, or obtaining certain confidential information to determine eligibility for employment. However, reasonable investigation or surveillance in connection with a lawsuit, or surveillance in certain areas, even including non-private areas of a restroom, to protect against crime, does not give rise to an intrusion claim. In addition, using a speakerphone to monitor employees’ calls at work is not an unlawful intrusion if employees are told that telephones are for business use only and will be monitored.
Unlawful public disclosure in the employment context happens when an employer is searching for background information about an employee or applicant, or when it publishes personal information about an employee’s or applicant’s health or personal information that goes beyond the range of individuals who have a need to know the information. Notably, the truth of the information disclosed is not a defense (in contrast to defamation claims, discussed later).
There is no legal claim for the employee for public disclosure where the employee also informs others of the embarrassing facts, or where the employer discloses facts that are a matter of public record, such as criminal records.
Employee manuals, collective bargaining agreements, and employment agreements can be the source of privacy rights; employers should make clear that such agreements are not intended to create rights.
The use of video cameras to monitor employees at work – which is on the rise in many workplaces due to terrorism threats and increased levels of security – can have the unintended effect of impacting employee privacy rights. Video monitoring may violate privacy rights in at least three circumstances:
Video surveillance may violate state common law or statutes that protect employees. Generally speaking, the use of video cameras may infringe on employees’ rights in situations where the employee has a reasonable expectation of privacy – bathrooms, locker rooms, or other locations where employees can reasonably expect to be free from surveillance. An employer can eliminate this expectation, however, if it has a legitimate business need to conduct video monitoring and notifies employees of the monitoring.
Unquestionably, employers have a significant interest in monitoring the workplace to minimize employee theft, drug abuse, and other wrongdoing. Especially in light of post-9/11 security concerns, employers also have an important interest in ensuring workplace safety. Employee searches are one way that employers can prevent wrongdoing and maintain a safe work environment, but employers must recognize that there are limits on intrusive, unwarranted workplace searches.
Searches at work may take a number of forms. Sometimes the employer needs to search company property – such as offices, desks, drawers, or lockers – that has been provided for employee use. The employer may also want to search the property of an employee, like a purse, gym bag, or briefcase. Finally, an employer might also search an employee’s person, as with a pat-down search. These searches, some of which are more intrusive than others, can constitute an invasion of employee privacy rights.
Whether a search is justified depends on both the need for the search and the privacy interests of the employee. Non-investigatory searches, such as entering an employee’s office or opening a desk drawer to locate necessary business items, are generally allowed if the employer has a legitimate business reason and the search is limited to what is necessary. If possible, an employer should contact the employee before conducting this type of search.
Investigatory searches, such as a search for illegal drugs or a concealed weapon, should generally be limited to situations where the employer has a specific reason to believe an employee is engaged in wrongdoing. The more intrusive the search, the more likely it will amount to an invasion of privacy. For instance, a search of an open bag left in an employee’s cubicle is less intrusive (and therefore less likely to violate privacy rights) than a search of a locker sealed with an employee-provided lock or key.
An employer can limit an employee’s reasonable expectation of privacy by maintaining appropriate policies. Employers should notify employees, either in an employee handbook or by posting a policy, that lockers, desks, and offices may be searched. Employers should also be discreet and, when possible, avoid contact with the employee’s person or using force. Solutions that do not involve searches – such as inventory control systems and systems for tracking Internet use – can eliminate the need for many searches.
Another way employers may monitor employees is by conducting investigations consisting of making inquiries to others about the employee; reviewing prior employment records, credit reports, and school records; and investigating workplace harassment or other wrongdoing.
Employee testing is yet another way of monitoring workplace conduct. Testing may be as simple as a drug test, or as complicated as a battery of questions for psychological evaluation. What makes testing different from other types of monitoring is that the information is supplied directly by the employee. Certain testing, such as physical examinations, may be prohibited by statutes such as the Americans with Disabilities Act (ADA). Psychological tests may have an adverse impact on minority applicants or employees and therefore raise an inference of discrimination. As a general rule, employers should work with counsel to develop testing policies that comply with all applicable employment laws.
The ability to post videos on YouTube and other websites creates enormous risks for employers. Trade secrets may be compromised or reputations maligned by employees who are engaging in prank behavior. Take the case of Domino’s Pizza, which found itself maligned by two employees who posted a video showing one of them preparing sandwiches for delivery while putting cheese up his nose and performing other un-hygienic acts. After more than one million views on YouTube, the video was removed, but not before Domino’s suffered major damage to its reputation. Although there is no way to prevent such conduct from occurring, it might - in some cases - be prevented by adopting and publicizing a policy making it clear that such conduct is prohibited. Before adopting such a policy, however, employers need to be mindful that an overbroad rule may result in an unfair labor practice finding by the NLRB.
Sometimes employees can create nightmares for their companies by trying to be helpful, such as by endorsing the company’s products on Internet blog sites. This can run afoul of laws prohibiting certain unfair and deceptive practices in commerce. The U.S. Federal Trade Commission (FTC) issued rules pertaining to the use of endorsements and testimonials in advertising that highlight the need to disclose any connection between the seller of the product or service and the person endorsing it.
To limit potential liability, an advertiser should ensure that the advertising service provides guidance and training to its bloggers concerning the need to ensure that statements they make are truthful and substantiated. The advertiser should also monitor bloggers who are being paid to promote its products and take steps necessary to halt the continued publication of deceptive representations when they are discovered.
Employers need to pay attention to what their employees do and say so far as it relates to the products and services that the employer offers to the general public. Companies should develop a policy on whether employees should refrain from communicating with the general public through the Internet about their products and services. At a minimum, such policies should identify the types of statements that are inappropriate to post and the kinds of disclosures that should be made regarding the employee’s relationship with the company.
The FTC’s guides concerning the use of endorsements and testimonials in advertising are available at:
Many employers are adopting specific policies to cover the use of mobile electronic devices, primarily cellphones, in the workplace and in other locations while performing duties for the employer. This policy applies to not only the use of cellular phones for phone calls, but also for leaving messages, sending text messages, surfing the Internet, or downloading and allows for reading of and responding to work related messages and information whether the device is company supplied or personally owned.
Company-owned and -supplied devices
For company supplied devices, or for corporate accounts in which some portion of the service and access fees are paid, a policy should be in place regarding using the device while operating a vehicle. Any prohibition from use should also include both calls and texts as well as Internet surfing and email.
Cellphones in the workplace
A company should have a policy about using a cellular phone for business purposes during work hours. To ensure effectiveness during meetings, the company should consider a provision requiring employees to keep their phones at their desks. If circumstances require having the cellphone with them during a meeting, the cellphone should be allowed only on vibrate.
Address state laws about texting while driving.
Be reasonable with policies. If an employee is required to work long hours, allowing minimal cellphone usage may help morale.
Address camera phones, which are an ever-present issue in today’s technology. Intellectual property, trade secrets, personal customer information, or other confidential data can be captured and used easily with a camera phone. Camera, video, and audio recording capabilities also provide the possibility of misuse toward other employees and can lead to claims of harassment.
Texting and messaging in the workplace can pose serious safety and privacy concerns. Many view texting and instant messaging as an informal, social activity; unfortunately, some are not discriminating in topic and the most ready topic while one is at work is often work itself or co-workers. Additionally, a growing source of liability exists as business-related texting continues to increase. Employers must adopt policies to define the acceptable limits of text messaging in the workplace.
Some useful guidelines in implementing and maintaining electronic usage/texting policies include:
Because employers may be liable for injuries caused by accidents when their employees are driving and talking and/or texting on cellphones for work purposes, employers should adopt a distracted-driving policy. A distracted-driving policy should clearly state that it is against company rules to text, email, or use a hand-held phone or communication device while operating a company vehicle, driving a personal vehicle for business use, or using a company-issued communication device. The distracted-driving policy must be clearly communicated to employees, taken seriously, and enforced.
“Textual harassment” has moved into the workplace with the rise of usage of mobile electronic devices. Employment lawsuits sometimes start as the result of text messages, or the messages appear later as evidence of harassing conduct. Employees often think that texts are harmless and cannot be traced. However, text messages leave behind an electronic record that is increasingly retrievable and such records are being used to bolster litigation of claims. As stated previously, employers should put employees on notice that they should have no expectation of privacy in their electronic communications. A well-crafted and broadly distributed policy that puts employees on notice of how and when the employer will access these communications can go a long way toward strengthening the employer’s position in litigation. Employees should be advised that harassing comments made through any type of electronic media are prohibited and not tolerated, and that such conduct may lead to termination.
If employees communicate with management via text message, a policy should be in place regarding those communications. The policy should require that any communications regarding compensation or hours worked, medical or disability leaves or absences, and attendance should be made in a writing other than a text message (via letter or email) so that there is a clear record of the communication for the employees’ personnel files. If business issues are discussed via such messages, they should be retained to document the business discussion.
The courts continue to deal with the difficult tug-of-war between employers’ legitimate business interests and employees’ reasonable expectations of privacy. As technology develops new ways to monitor employees, employers will continue to need legal counsel to advise them of what sorts of monitoring may expose them to liability. What constitutes acceptable monitoring and investigation by employers, as well as what employee expectations are reasonable, continues to evolve. However, there are certain guidelines that employers can follow to avoid liability arising from monitoring their employees:
Be cautious about total prohibitions against non-work related communications. Union-related emails or postings cannot be prohibited if employees are allowed to make other non-work related communications on the same systems.