Reviewing Employee E-Mails: When You Should, When You Shouldn't
By Lisa Frye
May 15, 2017 - SHRM
You suspect an employee has been using his personal e-mail account on a
company laptop to run his own business on company time.
Is the company within its rights to review e-mails sent or received from that
account because the worker is using the organization's equipment? Or would the
employer be violating privacy laws?
Those are tricky questions—and confusion abounds over if and when a company
can review an employee's work or personal e-mails.
The Legality of Monitoring Work E-Mail
Employees should have no expectation of privacy on an
employer's e-mail system, said Nancy Flynn, founder and executive director of
The ePolicy Institute, a Columbus, Ohio-based organization that provides
electronic policy training and consulting.
"The federal Electronic Communications Privacy Act makes clear that workplace
e-mail [is] the property of the employer, and employees should not expect
privacy when sending, receiving, downloading, uploading, printing or otherwise
transmitting electronic messages," she said.
At least two-thirds of companies monitor employees for e-mail infractions,
and half have fired workers for those infractions, according to research by
Flynn.
The most common kinds of misuse tend to be violation of company policies,
inappropriate language, excessive personal use or breaking
confidentiality.
Courts have ruled that if an employer owns the computers and runs the
computer network, it's generally free to read employee e-mail messages, as long
as there's a valid business purpose for doing so.
So what constitutes a "valid business purpose"? Human resource experts and
employment lawyers say there can be several valid reasons.
One reason might be to protect a company from theft or from damage to its
reputation or brand. Another might be to secure evidence in the case of a
lawsuit. A third may be to ensure that the workplace is free of harassment. A
company may also want to monitor the e-mails of an employee suspected of sending
proprietary or inappropriate information to a competitor.
There is a gray area: The National Labor Relations Board (NLRB) has ruled that
employees have a presumptive right to use their employer's e-mail system for
union organizing. Labor laws restrict employers from surveillance of
union-organizing activities. That means the NLRB may eventually conclude that
employers are not able to monitor e-mails related to union organizing, even if
they are sent using the employer's server or equipment.
Viewing Personal E-Mails
Whether an employer should view the contents of personal e-mail accounts on
company-owned computers depends on the circumstances.
State laws addressing invasion of privacy may forbid an employer from
intruding into the private e-mails of an employee if that intrusion would be
"highly offensive to a reasonable person," said Karla Grossenbacher, an attorney
with Seyfarth Shaw in Chicago.
However, some cases involving workers who sent private e-mails on employer
time and equipment have gone against the employees, particularly if the company
had a compelling reason to read the e-mails (for example, to investigate a
harassment claim). In March, the California Supreme Court held that texts and e-mails
sent by public employees on their personal devices or from their personal
accounts are a matter of public record if they deal with official
business.
State-level cases have gone both ways. In Stengart v. Loving Care
Agency, Inc., decided in 2010, an employee e-mailed her lawyer on
a company laptop through her personal, password-protected Yahoo account. The New
Jersey Supreme Court held that the e-mails were protected by attorney-client
privilege.
However, in Holmes v. Petrovich Development Company LLC, decided in
2011, an employee contacted her attorney on a company computer with a company
e-mail account. The California Court of Appeal for the Third District found that
the e-mails were not protected by either a right of privacy or attorney-client
privilege. Using the company account and system waived the privilege, and
company policies precluded any expectation of privacy, the court found.
In Sitton v. Print Direction, Inc., also decided in 2011, a Georgia
appellate court ruled that an employer did not violate an employee's privacy
rights by accessing his personal laptop to print out personal e-mail messages.
The employee had been using his personal laptop at work to help his wife run
their printing business. The trial court and appeals court found that the
employer had a legitimate interest in investigating whether the employee was
running another business from the employer's worksite on the employer's time.
Pick Your Battles
Just because you can legally monitor e-mails doesn't mean that you should or
that it is good management practice.
While employees are typically discouraged from using company e-mail for
personal reasons, personal use often happens, and it's usually so harmless that
it's not worth an employer's time to monitor it, said Hope Eastman, an attorney
in the employment law practice of Paley Rothman Attorneys at Law in Bethesda,
Md.
"Employees do a lot of benign actions on company resources," she said. "It's
not worth pursuing."
In addition, employees should be made aware of the nature, extent of and
reasons for any e-mail monitoring, said Michael Cobb, founder and managing
director of U.K.-based data security consultancy Cobweb Applications and author
of IIS Security (McGraw-Hill/Osborne, 2002).
Cobb suggests employers post signs and send e-mail reminders about how
computer activity is logged and monitored. Some IT departments go so far as to
monitor workers' e-mails for words such as "sex" to ensure that employees aren't
using the company's computer system for inappropriate messages.
An employee e-mail monitoring policy should:
- Spell out expectations for behavior, Flynn said. "Use policy and training
to explain e-mail risks facing the company, such as lawsuits, regulatory
fines, security breaches, productivity problems, lost and mismanaged business
records, and PR nightmares," she said. "Explain that monitoring is intended to
help the organization minimize risks and maximize compliance. Once employees
understand the 'why' behind the company's e-mail policy monitoring procedures,
workers are more likely to adhere to the rules and accept the reality of
monitoring."
- Include a clear statement that workers have no expectation to privacy
regarding e-mails sent through the company's system and that the employer
reserves the right to monitor work accounts, Eastman said.
- Notify employees that they should not use e-mail on company-provided
equipment for personal tasks like finding a job, shopping or scheduling
vacations.
- Be clear about the consequences employees will face for violating the
policy.
Lisa Frye is a freelance writer in Alexandria, Va.