Personal telephone calls have long hobbled employee productivity. Recent bounds in communications technology pose additional, far greater threats to employers. Abuse of e-mail and internet privileges can have disastrous consequences. Inappropriate e-mails, downloads and internet address logs may reside undetected or forgotten on computer hard drives for years. They are embarrassing if uncovered in the course of a potential merger or acquisition, and positively hair-raising if discovered in the course of a discrimination lawsuit commenced by a disgruntled present or former employee.
Technology is available to monitor employee activity. It is technologically feasible to tap employee telephone conversations; software can be used to monitor e-mail and internet activity; computer hard drives can be searched for archived materials. A recent American Management Association/U.S. News and World Report survey shows that about 78% of major U.S. companies electronically monitor their employees’ telephone, e-mail or internet activities.
An employer might assume that ownership of a computer, furnished to an employee for business purposes, entitles the employer to monitor or search that computer. Not so. The law strikes a balance between an employer’s right to ensure appropriate use of employee time in the workplace and an employee’s right to privacy. Monitoring or searching by the employer gives rise to potential civil liability or criminal penalties. The law in this area is somewhat unsettled, but one bright line emerges: the prudent employer will obtain express or implied employee consent to any type of electronic monitoring or computer search.
Federal and state statutes create a right to workplace privacy. The federal Electronic Communications Privacy Act (ECPA) prohibits unauthorized interception of electronic information, and imposes civil and criminal penalties for violation. It also prohibits unauthorized access to stored information, though only in the case of temporary, intermediate storage incidental to electronic transmission. Thus, the ECPA bars real-time monitoring of e-mail or internet activity, but not a search of an employee’s computer files for information stored on a computer hard drive.
The federal Computer Fraud and Abuse Act provides additional civil and criminal penalties for unauthorized access to computers involved in interstate or foreign communication, such as computers with internet or e-mail access. Unlike the ECPA, the statute applies to stored materials, but is of limited application: Civil penalties are only available where there is impairment to the integrity or availability of data, a program, a system, or information that (a) causes loss aggregating at least $5,000 in value during any one-year period to one or more individuals; (b) impairs medical care; (c) causes physical injury, or (d) threatens public health or safety. These requirements may be met in the case of an employee sabotaging or absconding with company computer files, but will not be met in a typical employee-monitoring context.
Like federal law, New York law makes it illegal to intercept real time communications: it is a felony to eavesdrop, defined as “wiretapping, mechanical overhearing of a conversation, or intercepting or accessing of an electric communication.” (Penal Law ' 250.05) New York also makes it a felony to access stored materials without authorization: computer trespass is defined as unauthorized use of a computer or computer service to access computer material. (Penal Law '156.10) Thus, an employer could face a criminal prosecution for tapping telephones, intercepting e-mails, or accessing the hard drive of a computer used by an employee.
New York statute does not provide a private right of action for unauthorized interception or access. Further limiting a potential litigant’s causes of action, New York does not recognize a common law right to privacy, either. But the fact New York law does not provide the private litigant with any clear right of recovery does not foreclose the possibility of an expensive, protracted civil lawsuit. For example, an enterprising employee-litigant might maintain a successful civil action for computer trespass based on traditional trespass principles and analogy to criminal trespass.
The New Jersey Wiretap Act is identical to the ECPA. Like New York, New Jersey law also recognizes the crime of “computer theft,” which includes the unauthorized access or taking of data from a computer, computer system or network. Unlike New York, New Jersey also recognizes a common law right to privacy. Whether this common law right applies in a particular case will depend on case-specific factors, such as whether the employer has a legitimate reason for the search and whether the employee has a reasonable expectation of privacy under the circumstances.
Connecticut’s wiretap act is limited to telephone communication; absent state law addressing computer privacy, Connecticut courts look to the ECPA. Connecticut law makes it a crime to record telephone conversations without the consent of both parties. Connecticut also recognizes a common law right to privacy, violated where a person unreasonably and seriously interferes with another’s interest in not having his affairs known.
An employer in the Tri-State area who records or otherwise eavesdrops on an employee’s telephone conversation, or covertly intercepts an employee e-mail, monitors an employee’s internet activity, or searches an employee’s computer, may violate federal or state law and be exposed to the threat of criminal prosecution and civil penalties, unless the employee consents.