Over the last decade, communication via email and text has become a vital part of how many of us communicate in the workplace. In fact, most employees could not fathom the idea of performing their jobs without the use of email. For convenience, employees often use one device for both personal and work-related communications, whether that device is employee-owned or employer-provided. Some employees even combine their personal and work email accounts into one inbox (which sometimes results in work emails being accidentally sent from a personal account). This blurring of the lines between personal and work-related communications creates novel legal issues when it comes to determining whether an employer has the right to access and review all work-related communications made by its employees.
Employers have legitimate business reasons for monitoring employee communications. Take, for example, the scenario in which an employee leaves her employment, and the employer is concerned that she has taken proprietary information or solicited clients in violation of her duty of loyalty or a contractual agreement. Another common scenario that gives rise to the need for employers to review all of an employee’s work-related emails is when the employer is in litigation that requires production of employee communications.
Most employers are comfortable with the notion that, with a properly worded policy that provides notice to employees of the ability and intent to monitor email, an employer can access emails on an email server provided by the employer. However, what about cases in which the employer does not provide the email service? With employees using web-based emails, like Gmail and Hotmail, and texts to communicate in the workplace, the relevant communications may be elsewhere. In these situations, what are an employer’s rights to access and review such communications?
An employer’s ability to review electronic communications is governed by the Electronic Communication Privacy Act (ECPA) and the Stored Communications Act (SCA). The ECPA prohibits the interception of electronic communications, and the term “interception” as used in the ECPA has been interpreted so narrowly that this title of the ECPA rarely comes into play in cases involving an employer’s review of employee email or texts. The SCA makes it illegal to access without authorization a facility through which electronic communication service is provided and thereby obtain access to communications in electronic storage.
With regard to an employer’s review of employee emails sent through web-based email accounts like Gmail or Hotmail, the most frequent scenario confronted by courts is one in which a former employer accesses the web-based email of a former employee, looking for evidence of malfeasance. In these cases, the former employer is typically able to access the former employee’s web-based email account because the employee has saved her username and password on a device provided by the employer, which was returned at termination, or failed to delink an account from such a device. In these cases, courts have been reluctant to punish the former employee for failing to take appropriate steps to secure their own personal, and allegedly private, communications.
For example, a district court in New York considered an employee’s claim that his former employer’s review of emails in his Hotmail account after his termination violated the SCA because it was unauthorized. The defendant argued that its review of the emails did not violate the SCA because the employee had implicitly authorized its review of the emails on his Hotmail account because the employee had stored his username and password on the employer’s computer system or forgot to remove such an account from an employer-provided phone before returning it.
The court rejected this argument, holding that it was tantamount to arguing that, if the employee had left his house keys on the reception desk at the office, he would have been implicitly authorizing his employer to enter his home without his knowledge. The court also noted that the employer’s computer usage policy did not provide the necessary authorization because it only referred to communications sent over the employer’s systems.
Likewise, a district court in Ohio confronted with similar facts, refused to hold the plaintiff responsible for his own failure to safeguard his information. In this case, the employee had turned in a company-issued blackberry upon termination without first deleting the Gmail account he had added to the phone. The former employer reviewed the emails in the former employee’s Gmail account, and the former employee alleged that this violated the SCA. The former employer argued that the former employee had negligently or implicitly consented to their review of the emails in her Gmail account by returning the blackberry to the company without deleting the account. However, the court held that the employee’s “negligence” in leaving the Gmail account on her phone when she turned it in was not tantamount to her authorizing the defendant to review the emails on her Gmail account.
However, a federal district court in California reached a different result in a case involving text messages. In this case, a company had sued its former employee for misappropriating trade secrets when it discovered, upon his termination, a number of text messages on the former employee’s company-issued iPhone that documented his misappropriation. The former employee had forgotten to delink his Apple account from the company phone he returned, and thus, his text messages continued to go to the phone — and his former employer. The court granted the company’s motion to dismiss the former employee’s counter claim that the company’s review of his text messages violated the SCA. The court held that text messages stored on phones are not in “electronic storage” within the meaning of the SCA, citing a Fifth Circuit case that reached the same conclusion about text messages. Of course, a violation of the SCA is not the only issue in these cases.
For example, in this case, the employee also alleged that his employer had invaded his privacy. However, the court held that the employee had no reasonable expectation of privacy in a company-owned phone that was no longer in his possession. In contrast to the two cases above, the court found that the employee’s failure to undertake precautions to maintain the privacy of his text messages showed he had no right to exclude others from accessing them.
The main lesson from these cases is that, if an employer wants to have the ability to review all employee communications that take place in the workplace, the employer needs to have, at a minimum, a policy that specifically provides for the right to monitor and review, for legitimate business reasons, any work-related communications made by the employee on a device provided by the company or a personal device used for work purposes. (Although the SCA does not require any showing about the employer’s motives in accessing the emails, a traditional invasion of privacy analysis would take this into account.) As a practical matter, the employer may not have the ability to access such accounts, but where access is available, this policy language is critical.