Several months into COVID-19, many businesses find themselves relying on a decentralized workforce dispersed across a city, state, or even the country. Increasing numbers of businesses are investing in employee monitoring software to manage employee productivity and performance, protect confidential business information, ensure system security, and limit liability for employee misconduct. While these tools can play a critical role in certain kinds of risk mitigation, they also can significantly increase businesses' legal risk if not used properly.
Here we look at federal and state laws that govern private employers' use of electronic surveillance tools to monitor their employees' electronic communications. Tools or software that permit real-time monitoring or later review of stored employee communications are particularly concerning because laws tend to provide greater protection to personal communications, even those of employees on the job, than to some other online activities.
These concerns become acute when employees are monitored while working from home. Before launching a surveillance tool that permits review or monitoring of employee emails, voicemails, text messages, or other online communications, businesses should consider how the use of such tools might increase their exposure to potential privacy-related claims. The privacy implications of using employee monitoring software under federal and state wiretapping laws, data privacy and security laws, and statutory and common law privacy protections are briefly discussed below.
Employers must ensure that any use of online monitoring tools complies with the federal Wiretap Act (as amended by the Electronic Communications Privacy Act of 1986), which prohibits the live or real-time interception of the contents of wire, oral, and electronic communications, including telephone, email, text messages, and Internet chats, unless a statutory exception applies. The definition of "intercept" with respect to emails and electronic communications remains an unsettled point of law, but the key distinction is between obtaining a communication in real time (like a conventional wiretap), and accessing a stored communication (such as an email or text message in storage). Accessing stored communications is governed by the Stored Communications Act, discussed in the next section.
Employers that use electronic monitoring tools in the workplace typically rely on employees' consent, which is an exception under both federal and state wiretap laws except where state law requires all parties to a conversation to consent to listening in or recording. Employers generally can infer employees' consent when employees use company-provided electronic equipment after receiving explicit notice of the business's acceptable use policies and a statement that the company will enforce such policies.
Ideally, the policies explicitly state that use of company equipment constitutes consent to monitoring such use and the content of any messages sent or received on the equipment or its systems. Businesses should ensure that such policies are clear regarding the kinds of communications that are prohibited (e.g., excessive use of email for personal communications) so that the business can properly infer consent to the monitoring of potentially unacceptable activity. But recording live conversations would require another level of consent if other parties to a call or email reside in a two- or all-party consent state.
Businesses should consider carefully whether to use surveillance tools to monitor employee emails, text messages, internet chats, and other electronic communications in real time and, if they do, to do so only when an exception clearly applies. Again, the most common exception is employee consent, as described above. Violations of the Wiretap Act are punishable by civil and criminal sanctions and may include injunctive relief, damages, attorneys' fees and costs, criminal fines for the employer, and imprisonment of corporate employees.
Aside from the Wiretap Act, many state laws impose additional or different restrictions on "wiretapping" by private actors, and many specifically address different types of workplace surveillance. And, many courts have held that the federal Wiretap Act does not preempt state wiretapping laws, so employers should be aware of their obligations under both federal and applicable state law.
In California, for example, criminal sanctions may be imposed on an employer that eavesdrops on or records an employee's private telephone or email conversations absent prior consent of all parties to the communication (see Cal. Penal Code §§ 631, 632). Other states, such as Connecticut and Delaware, require employers to provide monitored employees with advance written notice of the planned monitoring (see Conn. Gen. Stat. Ann § 31-48d(b)(1); 19 Del. C. § 705(b)). Penalties include both civil and criminal sanctions ranging from minor fines to imprisonment.
Law Protecting Stored Communications
The federal Stored Communications Act protects wire and electronic communications and records in electronic storage (i.e., "stored communications") that are intended to be private. The Stored Communications Act would not prevent an employer from accessing communications stored on employer-provided wire or electronic communications services (e.g., emails) in a manner consistent with the employer's own policies that are clearly disclosed to employees.
It would, however, require the employer to obtain permission from the employee to obtain communications that are stored elsewhere, such as on an employee's private social media account or personal email account with a third-party service provider. Violations are punishable by civil penalties including damages, injunctions, and attorneys' fees, as well as criminal penalties ranging from fines to imprisonment.
States may also have their own laws that protect stored electronic records from unauthorized access, which are not necessarily preempted by the Stored Communications Act (see, for example, Florida Statute § 934.21 and Iowa Code 716.6B, both of which provide for criminal sanctions).
State Law Privacy Protections
Employees are also protected by state statutory and common law rights to privacy, such as the tort of intrusion upon seclusion. An employee's ability to sustain a claim for invasion of privacy against an employer for monitoring communications will be necessarily fact-specific, but the legal analysis typically turns on whether the employee had a reasonable expectation of privacy in the particular communication and whether the employer had a legitimate business interest that outweighed the employee's expectation of privacy.
The Supreme Court of New Jersey, for example, held in Stengart v. Loving Care Agency, Inc., that email communications between an employee and her private attorney using her private email account but accessed via her work-issued laptop remained protected by attorney-client privilege and, therefore, could not be used by the employer in related litigation because the employer's monitoring policy did not clearly include the contents of personal emails.
In addition to losing access to and use of unlawfully monitored communications, employers found liable for violating an employee's privacy rights may be subject to civil penalties such as injunctions, damages, and attorneys' fees and costs. As such, employers who deploy communication surveillance tools should do so only after providing clear advance notice and in accordance with established policy, even where such measures are not explicitly required by law.
Risk Mitigation Strategies
Employers can satisfy many obligations under the above-described laws and mitigate attendant risk by taking one or a combination of the following steps:
- Establishing a policy that work-related communications or communications that are conducted over employer-provided assets may be subject to monitoring.
- Providing employees with advance notice of the monitoring with clear statements regarding the scope of acceptable use of the business's equipment, network, and systems.
- Obtaining employees' explicit prior consent to the monitoring (although consent can be inferred in many cases, records of written consent can strengthen a business's position in the event of litigation).
- Obtaining prior consent for monitoring that will extend beyond what has previously been stated in employee-facing policies.
This post covers only a few of the laws that might apply to a business's surveillance of its employees' communications. Though beyond the scope of this post, employers with unionized workforces should also consult legal counsel with respect to their obligations under the National Labor Relations Act. Similarly, government employers should anticipate arguments by employees that monitoring violates their Fourth Amendment rights.
Additionally, businesses with employees residing abroad must also consider the laws applicable to workplace monitoring and surveillance in the relevant jurisdictions—for example, the European Union General Data Protection Regulation (GDPR) and EU Member States' laws offer significantly greater privacy protections to individuals and employees than U.S. law.
The legal implications of employee monitoring for a particular business will thus depend on the surveillance tool in question, the controls made available to the employer and employee for using the tool, the extent of notice provided to the employee, and how the tool is deployed. Businesses should be sure they understand how the surveillance features of a new product operate, identify the business case for their use, and have a thoughtful plan for implementation before a new employee monitoring program is launched.
The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.
DWT will continue to provide up-to-date insights and virtual events regarding COVID-19 concerns. Our most recent insights, as well as information about recorded and upcoming virtual events, are available at www.dwt.com/COVID-19.