E-Mail Privacy

By Jackie Shieh and Rhea A-L Ballard

Sequence: Volume 29, Number 2


Release Date: March/April 1994

Electronic mail (e-mail) has become a common communication tool within
companies and institutions today. Its popularity has soared in recent
years due to use by individuals at home and at work. It is the use of
e-mail in the workplace that has given rise to a number of issues that
have not been adequately addressed by law. Surveys have shown that a
good percentage of federal and private organizations monitor their
employees' communication activities.

This article examines the relationship between e-mail and employee
privacy rights. Part One summarizes current litigation involving the
privacy issue. Part Two is divided into two sections: Section A examines
the Electronic Communications Privacy Act of 1986, and Section B
examines proposed bill H.R. 1900--the Privacy for Consumers and Workers
Act. Part Three proposes some suggestions concerning employee e-mail
privacy that can be used to avoid possible undesirable litigation.

Part One
The following cases represent only a fraction of the suits currently
filed in the courts. Both cases profile the topic of employee e-mail
privacy.

Alana Shoars v. Epson America, Inc. (1990). Alana Shoars worked as an
e-mail coordinator at Epson America, Inc. Shoars was instructed to monitor
Epson employees' e-mail transmissions. The company placed a tap on the
e-mail gateway where the mainframe computer interfaced with the outside
MCI Mail Communication Service. Employees were using company equipment
on company premises as well as company phone lines.

When Shoars objected to Epson's monitoring of employees' electronic
transmissions, she was fired. Shoars filed a class action suit against
Epson America, Inc., in Los Angeles Superior Court in 1990. She alleged
that Epson had violated California Penal Code § 631 when it invaded its
employees' right of privacy and wrongfully terminated her.

Symantec Corp. v. Borland International, Inc. (1992). Eugene Wang was
executive vice president of Borland International, Inc. Two days after
Wang resigned from Borland to join Symantec, Borland reviewed his e-mail
files and discovered "sensitive information" concerning Borland and
Symantec.

In September 1992, Borland brought suit in Santa Cruz County
Superior Court against Wang and Gordon Burbanks, CEO of Symantec. The
privacy issue was expected to be the focus of the case. However,
Symantec argued that the e-mail messages consisted of business
information that contained stolen trade secrets. Thus, the focus of the
case shifted from the privacy issue to the actual contents of e-mail.
Symantec argued that the transmission between Wang and Burbanks
constituted a criminal offense under California Penal Code § 499c. The
court will have to determine whether Borland's search of Wang's MCI Mail
mailbox violated Wang's rights under federal and state laws designed to
protect the privacy of electronic communications.

Part Two
Section A: Electronic Communications Privacy Act. The general issue of
e-mail privacy, excluding employee e-mail, was addressed by Congress
eight years ago. In 1986, Congress passed the Electronic Communications
Privacy Act (ECPA) to respond to the inadequacies it had found in the
Omnibus Crime Control and Safe Streets Act (wiretap law). The wiretap
law prevents unauthorized listening to telephone conversations or
communications that can be either overheard by the human ear or sent via
common carrier. Electronic communications that are digitized and carried
by private telephone networks (like MCI or Sprint) are not covered by
the wiretap law. Thus, prior to the wiretap law, electronic
communications that were not transported by common carrier or heard by
the human ear could be subject to unauthorized disclosure or
surveillance. In response to this problem, Congress passed the ECPA to
amend the wiretap law. Under ECPA, it is unlawful for a person or entity
furnishing electronic communication service to the public to knowingly
disclose to a third party the contents of a communication that is in
electronic storage, carried, or maintained by the service.

Section B: Privacy for Consumers and Workers Act. The Shoars and
Symantec cases indicate that e-mail users have become increasingly aware
that ECPA does not adequately cover employees who transmit electronic
communications. ECPA applies only to persons or entities providing
service to the public and not to employers who electronically monitor or
disclose electronic communications transmitted by their employees.

On April 28, 1993, Rep. Pat Williams introduced H.R. 1900--the
Privacy for Consumers and Workers Act (PCWA)--to ensure employees some
of the same protections guaranteed by ECPA. PCWA addresses from two
perspectives the issue of employer monitoring of employees: electronic
monitoring and telephone call accounting. In addressing the issue of
electronic monitoring, PCWA can be analyzed in five parts: permitted
monitoring, notice of monitoring, prohibited monitoring, data obtained
from monitoring, and penalties.

Permitted monitoring. Generally, PCWA does not apply to law enforcement
agencies, which are lawfully permitted to monitor for criminal
investigations. Nor does it apply to employers who monitor based on
court order, who monitor in connection with the investigation of a
workers' compensation claim, who are registered under the Commodity
Exchange Act or Securities Exchange Act, who are a gaming facility or
involved in gaming, who are a financial institution, or who monitor
employees with significant financial responsibility that involves the
use of independent judgment. However, monitoring is permitted for the
types of employers whom PCWA does cover, but only in specific
situations.

Employers can periodically monitor new employees who have been
employed for less than sixty days or employees who have worked for the
employer for less than five years if monitored while part of a group of
employees.

Notice of monitoring. Employers who monitor their employees must notify
the employees of when and how they are being monitored, of what type of
personal data (data) will be collected, and of how the data will be
used. The notice must be posted in a conspicuous place. In addition,
during the first personal interview, employers must notify prospective
employees that employees are monitored.

Notice is not required when the employer has a reasonable suspicion
that an employee is engaged in unlawful activity or willful gross
misconduct that adversely affects the employer's (or the employer's
employees') interests.

Prohibited monitoring. An employer cannot monitor employees who are
exercising their First Amendment rights or who have five or more years of
employment with the company unless the employer has a reasonable
suspicion that the employee is engaged in unlawful conduct in accordance
with Section 5 of PCWA.

Data obtained from monitoring. An employer must give an employee a
reasonable opportunity to review all data obtained from monitoring.
However, the employer does not have to provide a reasonable opportunity
to review if the employer reasonably suspects the employee is engaged in
unlawful conduct in accordance with Section 5 of PCWA.

An employee can review data after monitoring, if review is limited
to specific data that the employer believes are relevant to the
employee's work. An employer can also access data controlled by an
employee if (1) the employer has an immediate business need and the
employee is not available, (2) the data are alphanumeric, (3) the data
shall not be used for performance evaluation or discipline, and (4) the
employer tells the employee within a reasonable time that the data were
accessed.

The employer cannot disclose to any person other than the employee
the data obtained by monitoring unless (1) the employee has given prior
written consent, (2) the information is given to other company officers
or employees who have a legitimate need for the information to perform
their duties, (3) the employer is carrying out a court order, (4) the
data are given to a law enforcement agency for investigation purposes, or
(5) the employee is a public official and the information is being
publicly disclosed because it has a direct impact on public health and
safety.

Penalties. An employee must commence an action within three years of
knowing of the employer's unlawful monitoring or of a time when the
employee could reasonably be expected to know of the unlawful conduct.
If an employee either learns of such activity and institutes
proceedings, or testifies about a violation of PCWA, or discloses
information relevant to PCWA, the employer cannot discharge, discipline,
or discriminate against the employee. Employers who are found guilty of
violating PCWA are civilly liable for not more than $10,000 per
violation.

Part Three
The public is generally familiar with the legally protected privacy of
mail delivered by the U.S. Postal Service. Many people believe the same
protections are extended to e-mail, but that is not the case. All data
transferred on networked e-mail systems, local area networks,
mainframes, and microcomputer e-mail systems are accessible. Although a
majority of such communication activities require a password for access,
a network manager can retrieve virtually every aspect of the networked
computing environment without the user's approval or knowledge. Some
networks even allow the network administrator (manager) to change
passwords, read, delete, or alter any messages on the server. Thus there
is a need to develop policies that will protect e-mail privacy without
discouraging the use of e-mail.

In the formulation of an e-mail policy, a good source to use is
Access to and Use and Disclosure of Electronic Mail on Company Computer
Systems: A Tool Kit for Formulating Your Company's Policy. The kit
explains various issues to be considered when a policy is being
formulated: privacy rights of employees, the employer's need to protect
security and company resources, rights of third-party access to files,
who should participate, what assets should be considered in the
formulation of a workplace privacy policy, and a range of other related
issues. The kit recommends that the policy be formulated by a working
group of company personnel who represent different interests and levels
of responsibilities. The group should consider company needs, employees'
reasonable expectations, the rights of outsiders, and other complex
interests. If that type of policy is drafted and H.R. 1900 becomes law,
then a better working environment for both employees and employers will
result.

Endnotes

Johnson, David R., and John Podesta. Access to and Use and
Disclosure of Electronic Mail on Company Computer Systems: A Tool Kit
for Formulating Your Company's Policy. Arlington, Va.: Electronic Mail
Association, 1991.

Podesta, John, and Michael Sher. Protecting Electronic Messaging: A
Guide to the Electronic Communications Privacy Act of 1986. Arlington,
Va.: Electronic Mail Association, 1990.

Jackie Shieh is Catalog Librarian and Assistant Professor at Georgia
State University Law Library.
Rhea A-L Ballard is Public Services Librarian and Assistant Professor
at Georgia State University Law Library.



