E-mail Privacy Rights in the Workplace
Table of Contents
The enormous rise in e-mail popularity in the workplace is not surprising. E-mail has many business benefits, including vastly improved communication capabilities, relatively low implementation costs, portability and ubiquity.
Speed and ease of use, however, are also responsible for some of the dangers of e-mail.
A. Intentional Acts
Employees sitting at their desks and using employer-provided e-mail systems can commit crimes and torts with a few keystrokes. Trade secrets can be revealed, confidentialities can be breached, reputations can be harmed, gossip can be shared, and productivity can be lost much more easily than ever before.
Significant e-mail retrieval burdens can be placed on companies that store old messages.
B. Inadvertent Acts
Inadvertent dangers also exist. E-mail can be sent to the wrong person. It is also informal and thus subject to inaccuracies. And the fact that it is not face-to-face greatly increases the chances for misinterpretation.
Unintentional backup copies may exist. Thus even where e-mail is deleted or documents are destroyed pursuant to the company's document retention policy, copies could still exist.
Electronic documents could also contain information unavailable with paper copies, which could be helpful to the party seeking the documents in ways that were never contemplated with paper copies. For example, documents could include metadata, such as who read the document and when, who edited it, and what the prior drafts looked like.
As a result of those dangers, employers have understandably sought to protect their interests by monitoring e-mail sent their employees. The courts have agreed that they have a right to protect their business interests. But where does the line get drawn?
Theories of Liability
The law of e-mail privacy rights, in Illinois and elsewhere, is largely still emerging. No Illinois laws and few court decisions define the extent to which employers can monitor employee e-mail and the extent to which employees are protected from such monitoring.
If an employee were to sue an employer for monitoring his or her e-mail, two theories would most likely be used: the tort of invasion of privacy and a claim under the Electronic Communications Privacy Act.
A. Invasion of Privacy
Although most states recognize four branches of the invasion of privacy, the only one relevant here is the unreasonable intrusion upon the seclusion of another.
Although uncertainty exists as to whether the tort of unreasonable intrusion upon the seclusion of another is viable in Illinois, it probably does exist. Karraker v. Rent-A-Center, Inc., 239 F. Supp. 2d 828 (C.D. Ill. 2003) (acknowledging that the Illinois Supreme Court would probably recognize it after stating that "Illinois courts are in conflict about whether to recognize the tort").
The four elements of intrusion upon seclusion are: (1) an unauthorized intrusion or prying, (2) the intrusion was offensive or objectionable to a reasonable person, (3) the matter was private, and (4) the intrusion caused suffering. Morris v. Ameritech Illinois, 271 Ill. Dec. 411, 785 N.E. 2d 62, 337 Ill. App. 3d 40 (Ill. App. 1 Dist. 2003).
- The Muick Case
The most relevant Illinois employee privacy case involved an employer's seizure of an employee's company-provided laptop. The laptop contained images of child pornography, which the employer confiscated and held until the government obtained a search warrant.
In rejecting the employee's claim for intrusion upon the seclusion of another, the court said that an employee has no right of privacy in a computer that the employer lends him for use in the workplace. Muick v. Glenayre Electronics, 280 F. 3d 741, 743 (7th Cir. 2002.) In fact, because the employer owned the computer, it can place any conditions on its use it wants, even those that are unreasonable. Id. at 743. Reserving a right to inspect as the employer did in this case, however, was "so far from being unreasonable that the failure to do so might well be thought irresponsible." Id. at 743.
Expectation of Privacy
Cases involving invasion of privacy, in determining whether a matter is private, often borrow the concept of "expectation of privacy" from constitutional search and seizure law. Under that analysis, employees would be protected from employer monitoring in any e-mail or other material in which they had an expectation of privacy.
In Muick, company policy specifically provided that the employer had the right to inspect laptops. Such a policy, the court said, "destroyed any reasonable expectation of privacy" the employee had. Id. at 743.
Although an employer policy explicitly telling employees that their e-mail is private would presumably create an expectation of privacy, such policies do not always create complete privacy rights. In one Pennsylvania case, for example, the federal court ruled that the employee had no reasonable expectation of privacy in e-mail sent through an employer's system, even though the employer policy specifically provided that all e-mail would be private and confidential. Smyth v. Pillsbury, 914 F. Supp. 97 (E.D. Pa. 1996).
An employer's encouragement to employees to have private passwords and e-mail folders won't necessarily create an expectation of privacy either. In rejecting that argument, a Massachusetts court ruled that no expectation of privacy existed in e-mail (in this case, pornographic e-mails) that company policy specifically prohibited. Garrity v. John Hancock Mutual Life Insurance Co., 18 IER Cases 981 (Mass. Dist. Ct. 2002).
Certain conditions, however, can presumably create expectations of privacy. For example, personal papers placed in an employer-provided safe or file cabinet would be private and beyond the employer's reach. Muick at 743. Also, public employers are bound by constitutional privacy limitations that are inapplicable to private employers. Id. At 743.
B. Electronic Communications Privacy Act
The other theory an employee could use against an employer that monitored e-mail is the Electronic Communications Privacy Act of 1986, a federal law that prohibits electronic communication intercepts. 18 USC §§2510-2522.
A private cause of action exists under the Act, making it unlawful for any person to intentionally intercept electronic communications. DIRECTV, Inc. v. Childers, 27 F.Supp. 2d 1287 (M.D. Ala. 2003). The ECPA, however, includes three exceptions, all of which could be applied to employers.
The first exception, for communication intercepts made by the provider of the communication service), has been applied to e-mail sent through a company e-mail system. 18 USC §2511(2)(a)(i). If the employee uses an e-mail system other than the employer's, such as a Web-based e-mail system like Yahoo, this exception may not apply.
The second exception, for communication intercepts in the ordinary course of business, has been interpreted to mean either that an employer may monitor business-related but not personal communications or that monitoring is permissible if a legitimate business justification exists. 18 USC §2511(2)(d).
Thus, presumably an employer could be protected from liability under the ECPA for monitoring e-mail sent through a system other than the employer-provided system, such as Yahoo, as long as the monitoring was either limited to business communications or a legitimate business justification existed (depending upon which analysis the court used).
The third exception, where consent exists, can be implied in those situations where the employer informs the employee that it is monitoring e-mail within its own system and the employee uses the system. 18 USC §2510(5)(a). If an employer's policy tells employees that the employer will monitor only business-related e-mails, consent will likely be determined to extend only to business-related e-mail. Watkins v. L.M. Berry & Co., 704 F.2d 577 (11th Cir. 1983) (where a similar rule was applied to phone calls).
C. Employer Activities Distinguished
Although employers enjoy wide latitude in monitoring e-mail within their own systems, courts have sometimes drawn a distinction between the act of viewing e-mail after transmission and the act of viewing e-mail as it is being transmitted. Wider latitude is given for viewing e-mail after transmission. In fact, reading e-mail stored on a computer after it was sent has been determined to not be an interception under the federal wiretapping statute. Steve Jackson Games v. U.S. Secret Service, 816 F.Supp 432, 442 (W.D.Tex. 1993), aff'd 36 F.3d 457, 460 (5th Cir. 1994).
Electronic documents are subject to discovery. Responding to such requests can be time-consuming, costly, and disruptive because the amount of electronic information to be retrieved can be enormous. Larger companies could take many months to collect all discoverable electronic documents.
Costs can quickly mount, as companies face not only the cost of either using company resources or paying an outside firm to retrieve the information, but also the legal costs in having the attorney review all the documents before they're provided to the other side.
Using a company's technology resources to retrieve documents can also, of course, be disruptive if they are forced to spend all their time retrieving documents for a single lawsuit.
A. Illinois Discovery Rules
In Illinois, a request for "documents" includes "all retrievable information in computer storage." Ill. S. Ct. Rule 201(b). The definition of "documents" was amended to eliminate any doubt about whether a party has to search its computer storage when responding to a request to produce documents. Committee comments to Ill. S. Ct. Rule 214.
A party served with a written request must produce "all retrievable information in computer storage in written form," which means that a party can't simply hand over tapes, discs, or other storage devices. Ill. S. Ct. Rule 214. If the request cannot be complied with, the proper response is a written objection. Id.
Where retrieval costs are significant in finding an allegedly inflammatory e-mail sent long ago, and the requesting party is unable to prove that the e-mail exists, the court may order the requesting party to pay the retrieval costs if it wants to proceed. Byers v. Illinois State Police, 2002 Dist. Lexis 9861, 2002 WL 1264004 (N.D. Ill.).
B. Federal Discovery Rules
The federal rules are similar. A party may discover "data compilations," which include e-mail, voicemail, telephone records, and other stored documents. Fed.R.Civ.Proc. Rule 34(a).
A party served with a request must respond within 30 days. Fed.R.Civ.Proc. Rule 34(b). If the request cannot be complied with, the proper response is a written objection. Id.
The discovery right, however, is not open-ended. A party can't use the discovery request to go on a wild goose chase. Courts have begun to understand better the burden electronic document requests place on companies and have been more receptive to restrictions on the scope of discovery and to orders requiring that costs be shared.
Under Illinois rules, courts may order a party that fails to produce documents without justification to pay for the costs incurred by the requesting party in obtaining an order compelling production. Ill. S. Ct. Rule 219(a). The courts have at their disposal additional punishments, including barring a party from pursuing a claim or defense related to their refusal to respond adequately to the document request. Ill. S. Ct. Rule 219(c).
The federal courts have similar powers. Fed.R.Civ.Proc. Rule 37.
Sanctions may be imposed, of course, if the court determines that discoverable documents have been deleted or otherwise destroyed. But sanctions may also be imposed for documents deleted or destroyed prior to and without any knowledge of the litigation if the company in doing so has violated its own document retention policy. Zubulake v. UBS Warburg, 217 F.R.D. 309 (S.D.N.Y. 2003).
Courts may also order that the jury be given an adverse inference instruction regarding the absence of the documents.
D. Attorney Responsibilities
The sanctions outlined above can be imposed directly on the attorney, if he or she advised the conduct complained of. Ill. S. Ct. Rule 219(a).
Attorneys have an obligation to preserve and produce the documents, which begins when the litigation begins. The attorney, according to the court in Zubulake, "must become fully familiar with her client's document retention policies, as well as the client's data retention architecture."
A. Written E-mail Policy
All employers should have a written e-mail policy. The policy's existence both reduces e-mail misuse by making employees aware of prohibited conduct and demonstrates the company's efforts to deter misuse should it occur. The policy should contain at least the following components:
A statement of prohibited content. Among the types of content that should be prohibited are (1) offensive comments involving race, gender, age, sexual orientation, pornography, religious beliefs, national origin, or disability; comments revealing mergers, acquisitions, executive departures, company stock sell-offs, trade secrets, or any other potentially sensitive business information; and comments infringing on any copyright or other intellectual property.
A statement of the risks inherent in e-mail.
For those who handle company trade secrets, a statement of the rules, such as how message encryption is to be used, if it is to be used.
A statement of what to do if a message with prohibited content is received. For example, any employee who receives such a message should immediately contact his or her supervisor.
A statement of the punishment for violating the prohibited content rules.
B. Document Retention Policy
In addition, the e-mail policy should include a statement of the company's document retention policy. For example, state that all e-mail messages will be deleted after a certain number of days. Businesses required to keep archives of old e-mail messages, such as those in the health care and financial services industries, should keep archives, but everyone else should delete them regularly.
Explain to employees that hitting the delete key on an e-mail message doesn't necessarily delete the message from the system. Conversely, employers need to make sure that documents can't be deleted surreptitiously.
C. Monitoring Policy
The e-mail policy should also include a statement of the monitoring policy, if e-mail is to be monitored. Tell employees that they are not to have any expectation of privacy in company e-mail if that is to be the policy. Include a statement that the employer is not obliged to monitor messages (so that the employee can't later complain that the employer should have blocked a particular message). Also include a statement of whether and under what conditions employees are allowed to send personal e-mails.
D. Good Communication
The e-mail policy should be part of the employee handbook. It should be communicated to employees in their orientation meeting. And employees should be asked to sign a statement that they have read the policy. Develop best practices and share them with employees whenever possible.
E. Consistent Enforcement
Above all, make sure that enforcement is consistent, that it is not selective, and that the policies are actually followed. Monitor e-mail, but don't conduct secret monitoring. Don't acquire unnecessary employee information. Don't engage in non-business-related monitoring.
F. Who's Monitoring
Between 1997 and 2001 the percentage of employers that were storing and reviewing e-mail messages grew from 14.9% to 46.5% according to a survey by the American Management Association. A more recent survey by the Society for Human Resources Management found that nearly 75% of employers check employee e-mail. As monitoring rates grow, so will the rate of privacy suits filed by employees against their employers.