What is an employee’s right of expectation of privacy when utilizing his employer-provided computer to conduct e-mail communications with other persons who are not employees, and also non-business related communications with co-workers?
While there is not yet a large amount of litigation and case law on this issue, the present trend in the law is that employees in the workplace have no reasonable expectation of privacy with regard to their e-mail messages. While the cases generally uphold an employer’s right to monitor the e-mails of their employees, the right is not absolute and depends on the facts of each case as well as the communication made to the employee about privacy expectations. Thus, it is important, from the employer’s point of view, to take adequate steps to inform the employee of the prohibition on non-business use of company computer systems and affirmatively state the employer’s right to monitor computer usage and e-mails to verify that their policy is being followed. Aspen – Employment Law & Practice, §14.04 Monitoring Programs and Employee Privacy.
Thus, the employer’s most prudent course of action is to develop a clear written policy limiting the use of the e-mail system for company business use only and to inform employees that all e-mails may be subject to review by the employer. The policy should also indicate that the company does not control access to e-mails when those e-mails have been transmitted outside the company’s network. It is also a good idea to have employees acknowledge the policy by signing a form. From the employee’s perspective, he or she should check with the employer to determine the type of policy applied to employee e-mail. Generally, it is best for the employee to assume that all e-mails sent or received on company computers are not private. Aspen – The Law of the Internet, §6.02 Privacy and Electronic Mail.
A written e-mail policy such as that described above and signed by the employee creates a contract upon which an employer can rely if they want to monitor the contents of e-mails. Also, if a dispute arises, the employer can refer to the signed statement as evidence that it was unreasonable for the employee to think the e-mail was private. Determining an employee’s reasonable expectation of privacy in e-mails comes down to the custom and practice of each particular workplace and the courts will generally find that an employee’s e-mail is private only if the employer has acted in a way that supports this conclusion. Findlaw article – Email Privacy.
The following are several of the major cases discussing this issue. As previously noted, there is not a lot of case law on the issue at the present time. In Florida, there was only one case I could find addressing the issue of e-mail privacy but it did not really apply to this discussion as it dealt with local government workers.
In TBG Insurance Services v. Superior Court, 117 Cal. Rptr. 2d 155 (Cal. Ct. App. 2002), an employer provided two computers for the employee’s use – one for the office and one for the employee to work at home. The employee had singed his employer’s policy statement and agreed in writing that his computers could be monitored by the employer. He was subsequently terminated from his employment for misuse of his office computer. The California Court of Appeal held that given the employee’s consent to his employer’s monitoring of both computers, the employee had no reasonable expectation of privacy when he used the home computer for personal matters.
The court explained that in order to prove a constitutionally prohibited invasion of privacy, the plaintiff must establish that: (1) there was a legally protected privacy interest; (2) that there was a reasonable expectation of privacy in the circumstances; and (3) that the conduct of the defendant constituted a serious invasion of privacy. The court further found that the employee’s expectation of privacy involves any accepted community norms, advance notice to the employee of the policy statement, and whether the employee had the opportunity to consent to or reject the very thing that constitutes the invasion. Because the company had given the employee advance notice of its computer policy and an opportunity to accept or reject it, the court found that such notice combined with his written consent to the policy defeated his privacy claim. Since the employee had fully and voluntarily relinquished his privacy rights by consenting to the company policy regarding computer use, the court held that he could not now be heard to say he nevertheless had a reasonable expectation of privacy.
Another important case is Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996). There, the company assured its employees that e-mail would not be intercepted or used against employees as grounds for termination or reprimand. Despite this assurance, the company later reviewed e-mails from an employee to a supervisor and used it as a basis for termination. The court ruled that regardless of the company’s statements, it was not reasonable for an employee to expect privacy in e-mail sent to a supervisor over a company e-mail system. According to the court, the company’s interest in preventing inappropriate comments or illegal activity over its e-mail system outweighed any privacy interest the employee might have. The court further held that even if the employee did have a reasonable expectation of privacy, the employer’s interception did not rise to the level of a substantial and highly offensive invasion of privacy.
In Garrity v. John Hancock Mutual Life Insurance Co., 00-12143 (D. Mass. 2002), the U. S. District Court found that the employees had no reasonable expectation of privacy in e-mail sent and received on company computers. In that case, the employees were reminded to know and understand the company’s e-mail policy. Regardless of the policy, the employees claimed that they were led to believe these e-mails would be kept private with the use of personal passwords and personal e-mail folders. In finding no invasion of privacy, the court relied on the earlier Smyth case (discussed above). The court also relied on another case – McLaren v. Microsoft Corp., 1999 WL 339015 (Tx. Ct. App. 1999) – that held an employee had no reasonable expectation of privacy in e-mail messages transmitted over the network that were at some point accessible by a third party.
The court in Garrity further explained that the employees knew the company had the ability to look at e-mail on its system and knew they had to be careful about sending e-mails. The fact that they could create passwords and person e-mail folders did not abrogate the company’s right to review e-mails sent over company computers. Once again relying on McLaren, the court found that such e-mail messages were first transmitted over the network and were at some point accessible by a third party. Given such circumstances, the employee could not have a reasonable expectation of privacy in the e-mails, even by creating a personal password.
In Bourke v. Nissan Motor Corp., No. B068705 (Cal. Ct. App. 1993), an unpublished decision, the court held that the employee had no reasonable expectation of privacy because she had signed a statement restricting her e-mail to company business. The employee had also been expressly advised that e-mail messages were read by others from time to time. Thus, the employee’s belief that the e-mail messages would remain private, based on the fact that passwords were required to access the computer system, was not objectively reasonable as a matter of law.
In U.S. v. Angevine, 281 F. 3d 1130 (10th Cir. 2002), the court explained that whether an expectation of privacy exists involves 2 inquiries: (1) whether there is a subjective expectation of privacy in the area searched; and (2) that the expectation is one which society is prepared to recognize as reasonable. The court further noted that an employee’s expectation of privacy in the workplace must be addressed on a case-by-case basis.
The court explained that an expectation of privacy may be reduced by virtue of actual office practices and procedures or by legitimate regulation. Additional factors to be considered are the employee’s relationship to the item seized; whether the item was in the immediate control of the employee when seized; and whether the employee took actions to maintain his privacy in the item. However, the university’s policy here prevented its employees from reasonably expecting privacy in data downloaded from the internet onto university computers. The computer-use policy reserved the right to randomly audit internet use and to monitor specific employees suspected of misusing the computers. The policy specifically cautioned employees that information flowing through the university network is not confidential either in transit or in storage.
On this basis, the court concluded that because the computer was issued to the employee only for work-related purposes, reasonable people would expect the computer policies to constrain their expectations of privacy in the use of the university-owned computers. Thus, the court held that the employee could not have an objectively reasonable expectation of privacy here. See also Petition of Bd. Of Commrs. Arapahoe, 03CA0074 (Colo. Ct. App. 2003).
Finally, in the recent case of U.S. v. Bailey, 4:02CR3040, (D. Neb. 2003), the employee was given notice of the company computer-use policy. The court found he had no expectation of privacy to his e-mail files.
In its rationale, the court explained that absent a legitimate and constitutionally protected expectation of privacy in e-mail files, the employee cannot assert a violation. Factors relevant in determining if an expectation of privacy exists include ownership, possession and/or control of the area searched or item seized; the defendant’s historical use of the property or item; whether the defendant can exclude others from that place; whether he took precautions to maintain privacy; and whether he had a key to the premises. An employee’s expectation of privacy in the contents of offices, desks and files can be reduced by an employer’s practices, procedures and legitimate regulation of the use of the employer’s property.
The court found that an employer’s notice to an employee that workplace files, internet use, and e-mail may be monitored undermines the reasonableness of an employee’s claim that he believed such information was private and not subject to search. The court concluded that a company can legitimately regulate the use of its property and is entitled to adopt policies restricting the personal use of computers. An employee who has received such notice has no objectively reasonable basis to believe his computer activities are private and hence has no reasonable expectation of privacy in the information he stores or sends on company computers. See also Pidd v. Berquist Co., C2-01-2198 (Minn. Ct. App. 2002) (where employee signed company computer-use policy, he could be terminated for sending inappropriate e-mail).
An overview of the above case law shows that an employee does not generally have a reasonable expectation of privacy in e-mails or other information stored on company computers. It also demonstrates that in order to fully protect itself, an employer should establish a computer-use policy advising the employee that e-mails and anything else on the computer may be monitored, that the policy must be shown to the employee, and that it is advisable to have the employee sign a form acknowledging such policy.
More Information: For more information, please visit our employment law page
Attorney: Maurice Arcadier
Date Filed: November 2, 2012