You suspect an employee has been using his personal e-mail account on a company laptop to run his own business on company time.
Is the company within its rights to review e-mails sent or received from that account because the worker is using the organization's equipment? Or would the employer be violating privacy laws?
Those are tricky questions—and confusion abounds over if and when a company can review an employee's work or personal e-mails.
The Legality of Monitoring Work E-Mail
Employees should have no expectation of privacy on an employer's e-mail system, said Nancy Flynn, founder and executive director of The ePolicy Institute, a Columbus, Ohio-based organization that provides electronic policy training and consulting.
"The federal Electronic Communications Privacy Act makes clear that workplace e-mail [is] the property of the employer, and employees should not expect privacy when sending, receiving, downloading, uploading, printing or otherwise transmitting electronic messages," she said.
At least two-thirds of companies monitor employees for e-mail infractions, and half have fired workers for those infractions, according to research by Flynn.
The most common kinds of misuse tend to be violation of company policies, inappropriate language, excessive personal use or breaking confidentiality.
Courts have ruled that if an employer owns the computers and runs the computer network, it's generally free to read employee e-mail messages, as long as there's a valid business purpose for doing so.
So what constitutes a "valid business purpose"? Human resource experts and employment lawyers say there can be several valid reasons.
One reason might be to protect a company from theft or from damage to its reputation or brand. Another might be to secure evidence in the case of a lawsuit. A third may be to ensure that the workplace is free of harassment. A company may also want to monitor the e-mails of an employee suspected of sending proprietary or inappropriate information to a competitor.
[SHRM members-only toolkit: Managing Workplace Monitoring and Surveillance]
There is a gray area: The National Labor Relations Board (NLRB) has ruled that employees have a presumptive right to use their employer's e-mail system for union organizing. Labor laws restrict employers from surveillance of union-organizing activities. That means the NLRB may eventually conclude that employers are not able to monitor e-mails related to union organizing, even if they are sent using the employer's server or equipment.
Viewing Personal E-Mails
Whether an employer should view the contents of personal e-mail accounts on company-owned computers depends on the circumstances.
State laws addressing invasion of privacy may forbid an employer from intruding into the private e-mails of an employee if that intrusion would be "highly offensive to a reasonable person," said Karla Grossenbacher, an attorney with Seyfarth Shaw in Chicago.
However, some cases involving workers who sent private e-mails on employer time and equipment have gone against the employees, particularly if the company had a compelling reason to read the e-mails (for example, to investigate a harassment claim). In March, the California Supreme Court held that texts and e-mails sent by public employees on their personal devices or from their personal accounts are a matter of public record if they deal with official business.
State-level cases have gone both ways. In Stengart v. Loving Care Agency, Inc., decided in 2010, an employee e-mailed her lawyer on a company laptop through her personal, password-protected Yahoo account. The New Jersey Supreme Court held that the e-mails were protected by attorney-client privilege.
However, in Holmes v. Petrovich Development Company LLC, decided in 2011, an employee contacted her attorney on a company computer with a company e-mail account. The California Court of Appeal for the Third District found that the e-mails were not protected by either a right of privacy or attorney-client privilege. Using the company account and system waived the privilege, and company policies precluded any expectation of privacy, the court found.
In Sitton v. Print Direction, Inc., also decided in 2011, a Georgia appellate court ruled that an employer did not violate an employee's privacy rights by accessing his personal laptop to print out personal e-mail messages. The employee had been using his personal laptop at work to help his wife run their printing business. The trial court and appeals court found that the employer had a legitimate interest in investigating whether the employee was running another business from the employer's worksite on the employer's time.
Pick Your Battles
Just because you can legally monitor e-mails doesn't mean that you should or that it is good management practice.
While employees are typically discouraged from using company e-mail for personal reasons, personal use often happens, and it's usually so harmless that it's not worth an employer's time to monitor it, said Hope Eastman, an attorney in the employment law practice of Paley Rothman Attorneys at Law in Bethesda, Md.
"Employees do a lot of benign actions on company resources," she said. "It's not worth pursuing."
In addition, employees should be made aware of the nature, extent of and reasons for any e-mail monitoring, said Michael Cobb, founder and managing director of U.K.-based data security consultancy Cobweb Applications and author of IIS Security (McGraw-Hill/Osborne, 2002).
Cobb suggests employers post signs and send e-mail reminders about how computer activity is logged and monitored. Some IT departments go so far as to monitor workers' e-mails for words such as "sex" to ensure that employees aren't using the company's computer system for inappropriate messages.
An employee e-mail monitoring policy should:
- Spell out expectations for behavior, Flynn said. "Use policy and training to explain e-mail risks facing the company, such as lawsuits, regulatory fines, security breaches, productivity problems, lost and mismanaged business records, and PR nightmares," she said. "Explain that monitoring is intended to help the organization minimize risks and maximize compliance. Once employees understand the 'why' behind the company's e-mail policy monitoring procedures, workers are more likely to adhere to the rules and accept the reality of monitoring."
- Include a clear statement that workers have no expectation to privacy regarding e-mails sent through the company's system and that the employer reserves the right to monitor work accounts, Eastman said.
- Notify employees that they should not use e-mail on company-provided equipment for personal tasks like finding a job, shopping or scheduling vacations.
- Be clear about the consequences employees will face for violating the policy.
Lisa Frye is a freelance writer in Alexandria, Va.
Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.
Advertisement
An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.
Advertisement