By Karla Grossenbacher, Esq. of Seyfarth Shaw LLP
Over the last decade, communication via email and text has become a vital part of how many of us communicate in the workplace. In fact, most employees could not fathom the idea of performing their jobs without the use of email. For convenience, employees often use one device for both personal and work-related communications, whether that device is employee-owned or employer-provided. Some employees even combine their personal and work email accounts into one inbox (which sometimes results in work emails being accidentally sent from a personal account). This blurring of the lines between personal and work-related communications creates novel legal issues when it comes to determining whether an employer has the right to access and review all work-related communications made by its employees.
Employers have legitimate business reasons for monitoring employee communications. Take, for example, the scenario in which an employee leaves her employment, and the employer is concerned that she has taken proprietary information or solicited clients in violation of her duty of loyalty or a contractual agreement. Another common scenario that gives rise to the need for employers to review all of an employee’s work-related emails is when the employer is in litigation that requires production of employee communications.
Most employers are comfortable with the notion that, with a properly worded policy that provides notice to employees of the ability and intent to monitor email, an employer can access emails on an email server provided by the employer. However, what about cases in which the employer does not provide the email service? With employees using web-based emails, like Gmail and Hotmail, and texts to communicate in the workplace, the relevant communications may be elsewhere. In these situations, what are an employer’s rights to access and review such communications?
An employer’s ability to review electronic communications is governed by the Electronic Communication Privacy Act (ECPA) and the Stored Communications Act (SCA). The ECPA prohibits the interception of electronic communications, and the term “interception” as used in the ECPA has been interpreted so narrowly that this title of the ECPA rarely comes into play in cases involving an employer’s review of employee email or texts. The SCA makes it illegal to access without authorization a facility through which electronic communication service is provided and thereby obtain access to communications in electronic storage.
With regard to an employer’s review of employee emails sent through web-based email accounts like Gmail or Hotmail, the most frequent scenario confronted by courts is one in which a former employer accesses the web-based email of a former employee, looking for evidence of malfeasance. In these cases, the former employer is typically able to access the former employee’s web-based email account because the employee has saved her username and password on a device provided by the employer, which was returned at termination, or failed to delink an account from such a device. In these cases, courts have been reluctant to punish the former employee for failing to take appropriate steps to secure their own personal, and allegedly private, communications.
For example, a district court in New York considered an employee’s claim that his former employer’s review of emails in his Hotmail account after his termination violated the SCA because it was unauthorized. The defendant argued that its review of the emails did not violate the SCA because the employee had implicitly authorized its review of the emails on his Hotmail account because the employee had stored his username and password on the employer’s computer system or forgot to remove such an account from an employer-provided phone before returning it.
The court rejected this argument, holding that it was tantamount to arguing that, if the employee had left his house keys on the reception desk at the office, he would have been implicitly authorizing his employer to enter his home without his knowledge. The court also noted that the employer’s computer usage policy did not provide the necessary authorization because it only referred to communications sent over the employer’s systems.
Likewise, a district court in Ohio confronted with similar facts, refused to hold the plaintiff responsible for his own failure to safeguard his information. In this case, the employee had turned in a company-issued blackberry upon termination without first deleting the Gmail account he had added to the phone. The former employer reviewed the emails in the former employee’s Gmail account, and the former employee alleged that this violated the SCA. The former employer argued that the former employee had negligently or implicitly consented to their review of the emails in her Gmail account by returning the blackberry to the company without deleting the account. However, the court held that the employee’s “negligence” in leaving the Gmail account on her phone when she turned it in was not tantamount to her authorizing the defendant to review the emails on her Gmail account.