['HR Policies', 'Privacy and Data Security']
['Privacy and Data Security', 'Policies and Procedures']
09/20/2024
Copyright 2024 J. J. Keller & Associate, Inc. For re-use options please contact copyright@jjkeller.com or call 800-558-5011.
...
Almost every employer has employees that regularly use email and social media for personal use, and in many cases, such activities don’t overlap with the workplace. However, when online activity does become the concern of the employer (because its conducted on work time or because the activity directly affects the workplace), employers are often unsure about what actions they can and cannot take in response.
For starters, employers may monitor employees’ email and internet access. For instance, you can access the history of websites an employee has visited to determine if they are work-related (you should have a policy on this and make sure employees are aware of it). However, if an employee accesses a personal email account or personal website (such as Hotmail, Yahoo, Gmail, or Facebook), you may not be able to read the content of those emails or postings. You can still impose discipline for accessing these sites at work (as inappropriate use of company computer equipment or abuse of internet privileges) but the content of the message or posting may be protected – even if these sites were accessed using a company computer.
Employers can also prohibit or even block employees from visiting certain nonwork sites.
When employees do use company equipment for personal use, employers may not access employees’ personal emails or communications if they go through an outside server (rather than through the company email system). Doing so may violate the Stored Wire and Electronic Communications and Transactional Records Access law (also called the Stored Communications Act or SCA, United States Code Title 18, Chapter 121) which prohibits the intentional unauthorized access of communications which are stored with an internet service provider.
For example, if an employee writes an email on work time to a friend on her Gmail account, you could discipline her for visiting a personal mail site, or for engaging in nonwork activity on work time, but you cannot impose discipline on her because of what she wrote in the personal email — because the email is not stored on your company’s servers.
As another example, if an employee writes an email to a coworker using her company email account (which is stored on the company’s server), the contents of that email belong to the employer and therefore can be accessed by the employer. While employees should not have an expectation of privacy with company email, it ’s still a good idea to make sure that the company policy spells this out and reminds employees that such communications may be regularly monitored and reviewed.
Court rulings offer guidance
A company computer is company property, and employees should not expect privacy when using company equipment. In one case, an employee used a company computer to look at child pornography. A company representative unlocked the employee’s office and provided a copy of the hard drive to the FBI for investigation. The employee argued that he had a reasonable expectation of privacy because his office was locked and his computer could only be accessed with a password. However, the court disagreed. The employer had complete access to company computers, monitored internet use, and informed employees of this. Employees were told specifically not to use work computers for personal activities. In short, the computer remained in the control of the employer, who gave consent to turn it over. (United States v. Ziegler, Ninth Circuit, January 30, 2007)
In another case, an employee quit and filed suit against the company, alleging sexual harassment by one of the owners. During a deposition, the owner admitted he had accessed her personal AOL account and read her emails after she quit. She sued for violation of her rights under the SCA. While employers can view personal emails that are stored on the employer’s server, the SCA makes it unlawful to view personal emails stored on an outside server. (Van Alstyne v. Electronic Scriptorium Ltd., Fourth Circuit, March 18, 2009)
Another court found that employers can’t impose discipline for the content of personal blogs when access is restricted, if the company did not obtain voluntary authorization for access. In this case, an employee said she feared for her job when management asked for her password to a site set up by another employee to “vent” about work. She gave her password to a manger, who in turn gave it to another manager. The court found that this was not “authorized” access, and allowed the claim for unauthorized access to proceed to litigation. (Pietrylo v. Hillstone Restaurant Group, U.S. District Court of New Jersey, July 24, 2008)
In a similar case, an employee created a website that was critical of the company and invited two other employees to join. They never accepted the invitations until the vice president asked them for access. Since they had never visited the site, the court found they were not “users” and therefore could not authorize access to the vice president. This could mean that even if you are voluntarily given a password by someone who has been invited to join a website, the access may not be “authorized” if the person giving the password has never visited the site. (Konop v. Hawaiian Airlines, Inc., Ninth Circuit, 2002)
Finally, a New Jersey court addressed whether an employer could access emails sent using a personal account, even if that account was accessed using a company computer. In this case, an employee filed a discrimination claim against her employer. She also communicated with her attorney using a personal email account that she accessed through a company computer. The employer was later able to retrieve (and read) these emails from stored data. The company policy did clarify that emails were considered company records. However, the policy also permitted limited personal email use. The policy did not distinguish between company email and private accounts. The court deemed it unreasonable for emails from personal accounts to be considered company property. Finally, the court noted that even though a policy can create a contract between the employer and employee, the terms must be reasonable and understandable. (Stengart v. Loving Care Agency, N.J. Superior Court, June 26, 2009)
The question of what constitutes “authorized” access is still determined by courts, since the SCA does not specifically define this term. The above cases indicate that access gained through coercion (such as implied threat of termination) may not be considered voluntary authorization. Also, the New Jersey case illustrates that a policy could be ambiguous, and certain provisions may therefore be unenforceable. In particular, employers who permit occasional internet use for personal reasons may have to be able to explain when such use becomes excessive, and therefore subject to discipline or termination.
READ MORESHOW LESS
['HR Policies', 'Privacy and Data Security']
['Privacy and Data Security', 'Policies and Procedures']
Load More
J. J. Keller is the trusted source for DOT / Transportation, OSHA / Workplace Safety, Human Resources, Construction Safety and Hazmat / Hazardous Materials regulation compliance products and services. J. J. Keller helps you increase safety awareness, reduce risk, follow best practices, improve safety training, and stay current with changing regulations.
Copyright 2024 J. J. Keller & Associate, Inc. For re-use options please contact copyright@jjkeller.com or call 800-558-5011.