Recent developments in privacy law and a rise in class action lawsuits related to data collection offer a cautionary tale about understanding legal and ethical boundaries of monitoring “on-the-clock” employee conduct. With a hodgepodge of federal, state, and local legislation governing employee privacy rights, employers are often left to navigate a complicated legal landscape while balancing the practical need to understand how employees are using company information and equipment. Employers, for example, have a legitimate interest in protecting company trade secrets, detecting unlawful transmission of unlicensed material, and improving work productivity. Employees, on the other hand, may have a reasonable expectation of privacy in certain contexts while at work.
This quandary begs the question, where do employers draw the line?
A recent survey conducted by the American Management Association found that around 80% of major companies in the United States monitor employees’ e-mail, internet and telephone usage. With the proliferation of cloud-based communication platforms, bring-your-own-device (BYOD) policies, and the use of social media for work-related purposes, personal and professional lines are becoming more blurred than ever before. A few of these gray areas are explored below.
Company Devices and Work E-mails
Generally, employees do not have a reasonable expectation of privacy in e-mails transmitted using their company-provided e-mail address. Under the federal Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510-22, employers are generally permitted to monitor employee use of company-provided devices, including cell phones, laptops, and computers. However, an employer who intentionally monitors personal communications or telephone calls may run afoul of certain laws state and federal laws.
- TIP: Employers should consider maintaining a written Acceptable Use Policy expressly setting forth the extent to which employees enjoy any expectation of privacy when using company devices.
Bring Your Own Device (BYOD)
Some companies expect their employees to use their personal devices (including cellphones, laptops, or tablets) to conduct company business. Inherent in a BYOD policy is the assumption that employees will use it for both personal and work-related reasons. Therefore, monitoring personal devices is risky because employees likely have a higher expectation of privacy in a personal device than a work device; the former of which is likely used to access personal email accounts, to conduct personal internet searches, or for storing sensitive information (including, for example, medical information).
- TIP: As a best practice, companies who allow employees to use personal devices for work purposes should maintain a written BYOD policy explicitly addressing privacy limitations when using personal devices for work, including: (1) the company’s right to have reasonable access to the device (e.g., for compliance with investigations and litigation demands involving the company); (2) describing how the company manages lost or stolen devices (e.g., that this may require a complete data wipe); and (3) mandating that devices be secured in a manner that protects company confidential information.
Social Media Screening
As a recent trend, companies have begun leveraging social media networks such as Twitter as part of their go-to-market strategies. However, employers face legal risks when monitoring employees and applicants on social media, particularly when attempting to gain access to non-public information (e.g., creating a fictitious profile to view non-public information). Several states have introduced legislation creating a private right of action when an employer requests username and password information to access personal accounts, including social media.
Monitoring employees on social media or obtaining a third-party social media background report may also trigger the Fair Credit Reporting Act (FCRA). In certain circumstances, the FCRA requires individual authorization before obtaining such report, and imposes legal obligations on an employer to properly secure and dispose of private information.
Employers should also be aware that employees’ posts may be considered “concerted activity” under the National Labor Relations Act, or could otherwise fall within the protections of the First Amendment. Thus, inappropriate monitoring of social media profiles may give rise to various civil claims, including for discrimination and retaliation. (Note: whether or not an employer can discipline employees for untoward or inappropriate social media “posts” is an entirely separate blog topic unto itself).
- TIP: As a general rule, employers should never require employees or applicants to provide user names or passwords to their social media networks, and should be cautious when collecting employee information from social media profiles, avoiding private areas altogether. Maintaining a written social media policy that prohibits employees from “posting” about confidential company information is also advisable.
A company may have legitimate reasons for having video surveillance on its premises, including crime deterrence. That said, various state laws limit the use of surveillance cameras in private areas, including restrooms and locker rooms.
- TIP: Before installing security cameras, employers should consult with a privacy lawyer to determine whether the location of the monitoring device might be considered offensive to a reasonable person, or is otherwise unlawful.
Because privacy laws affecting the workplace are vast and ever-evolving, employers should: (1) maintain formal workplace policies related to monitoring and acceptable use of company IT equipment; and (2) consult with legal counsel before implementing any monitoring practices that may be potentially invasive.
Employers should also consider whether there are any “non-gray” areas which expressly limit their ability to monitor employees at work, including, for example, the existence of a collective bargaining agreement.