An Organization’s Right to Monitor User Actions and Traffic

The prevailing legal view is that employers have the right to monitor workers’ activities on company computers. This right is not absolute. In other words, it’s important that an organization act in accordance with its policies and the law. The policies must be clear and concise. This does not mean you need a policy that creates a right to monitor employees. That right is already written in law. The Electronic Communications Privacy Act (ECPA) gives employers the right to monitor employees in the ordinary course of business. These broad rights include monitoring telephone calls and computer usage such as email. Having such a policy reduces an employee’s argument that he or she perceived a right to privacy. It’s always best that organizations put in writing their intent to monitor workers’ activities on computers.

There are a number of good reasons to monitor workers’ computer activities. The following is a list of some of those reasons:

  • Maintaining a productive workforce
  • Detecting when security policies are not being followed
  • Maintaining the security of sensitive data
  • Ensuring quality and protecting the organization’s reputation
  • Avoiding liability from pirated intellectual property such as software and music

Employers argue that because the computers are their property, they have the right to any information they contain. This is especially true when policy requires employee notification that computers are for company use only. All files contained in the computer potentially represent a record of the company’s business.

Not only does productivity drop when workers spend many hours writing personal emails, but there’s also a danger of viruses or security breaches. Companies argue that they have a right to inspect all files on the computer, even when the file is a personal email sent from a work computer.

The acceptable use policy (AUP) typically includes statements regarding the employer’s intent to monitor. Employees typically read and sign this document. Many of these documents state that the employee should not expect any right to privacy while using company computers.

However, the right is not absolute. Assume you are a worker planning on suing your company. You use a company laptop to sign on to a personal email account to exchange messages with your attorney. It’s not a company email account, but rather a personal account such as Yahoo! or Gmail. After you leave the company and file your lawsuit, the company scans your laptop and finds portions of your communications. The company has a clear policy stating you have no right to privacy on company equipment. Did the company violate your privacy? Yes. Take a look at a specific court case to understand why.

The situation was reported in a New York Post article written in April 2010 and several online law sites such as the Sacramento Bankruptcy Lawyer blog. This is an older case, but in the legal world precedent is very important. The case, Marina Stengart v. Loving Care Agency, Inc., involved Marina Stengart, a woman who worked for a health company from home. She had exchanged emails with an attorney regarding a possible lawsuit against her company. Ms. Stengart had used her employer-issued laptop computer to access her web-based email. After leaving the company, she turned in her laptop. Her former employer scanned her laptop and found her conversations with her attorney. In this case, the court held there was a reasonable expectation of privacy on behalf of Ms. Stengart.

This was a significant case because until that time it was assumed that with the right policy in place, an organization could monitor any activity on a company device. When the lines between a worker’s personal and professional life blur, the court rulings become less clear. Organizations that allow the use of employee-owned devices may find themselves in the same situation. Some organizations, for example, allow personal smartphones to be used to send and receive company emails. Even when these devices have the same encryption and other controls, the legal lines between work and personal life are blurred. Although this is done to reduce costs, it can quickly create legal entanglements.

There is little dispute that organizations can monitor employer-owned computers used during work hours through company accounts. There are typically three areas of monitoring employee actions:

  • Internet
  • Email
  • Computers

Although the following sections will provide general guidance, it should be remembered that this author is not an attorney. Before implementing any employee monitoring process, it is advised that you consult with an attorney who specializes in privacy law or human resources law.

Internet Use

Internet use is typically monitored for access to inappropriate sites such as those that contain pornographic or obscene material. Access is also monitored for unauthorized access to subscription-only sites. Access to competitor sites or copyrighted material can be monitored. Uploading confidential material is a potential problem.

Most recently concerns have increased around social networking sites. These are sites that build online communities of people who share interests and information. The concern is that workers in these social communities begin exchanging information about the company. This information runs the gamut from entirely innocent remarks to negative commentary on the company all the way to divulging company secrets. The question for companies is how much of this activity should be monitored. Many organizations block these sites. This solves the problem of access while on the company network during work hours. The problem becomes more challenging when it comes to monitoring employee activity during off-hours. This problem is complicated by the fact that social networking sites meant for business do exist. The classic example is LinkedIn. Depending on the employee’s role, he or she may have a legitimate reason for visiting LinkedIn; for example, someone working in the human resources or recruiting department may need to access profiles on LinkedIn.

Organizations do routinely monitor for any negative publicity on social networking sites, blog spaces, and the Internet in general. If it’s determined that an individual’s public posting reflects negatively on the organization, then the employee will be asked to remove the posting. Usually that’s as far as things will go for minor infractions. Unless you have a highly sensitive job dealing with national security secrets, most organizations are reluctant to monitor employee activity after hours. Employers do take action against employees who post extremely negative comments about their organization. This is what happened to a web designer who lost her job after posting negative comments about her bosses. She also mentioned her company by name.

Email Use

Email use is typically monitored for viruses and malware. Companies also monitor email for data leakage protection (DLP) and sensitive information. DLP monitoring may look for large files being emailed outside the organization. It can also scan emails for sensitive information such as account numbers and Social Security numbers. Email can also be monitored for abusive or threatening language.
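The two DLP checks described above, large files leaving the organization and Social Security numbers in message text, can be sketched as follows. This is an added example, not code from the book; the internal domain, the size threshold, the function names and the sample message are all assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"       # assumption: the organization's mail domain
MAX_EXTERNAL_BYTES = 1024 * 1024      # assumption: 1 MiB outbound attachment limit
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def plausible_ssn(area, group, serial):
    """Drop number patterns that can never be a real SSN (cuts false positives)."""
    never_issued = area in ("000", "666") or area[0] == "9"
    return not (never_issued or group == "00" or serial == "0000")

def external_recipients(msg):
    """Addresses in To/Cc whose domain is not the organization's own."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in pairs if not a.lower().endswith("@" + INTERNAL_DOMAIN)]

def scan_message(msg):
    """Return (kind, detail) findings for mail leaving the organization."""
    findings = []
    if not external_recipients(msg):
        return findings               # internal-only mail is out of scope here
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():       # attachment: check decoded size only
            if len(payload) > MAX_EXTERNAL_BYTES:
                findings.append(("large_attachment", part.get_filename()))
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for m in SSN_RE.finditer(text):
            if plausible_ssn(*m.groups()):
                # Mask the value so the DLP log does not become a second leak.
                findings.append(("ssn", "***-**-" + m.group(3)))
    return findings

def build_sample():
    """Constructed sample message: one plausible SSN, one impossible one."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@partner.test"
    msg["Subject"] = "records"
    msg.set_content("Employee SSN 123-45-6789, ticket ref 000-12-3456.")
    msg.add_attachment(b"\0" * (MAX_EXTERNAL_BYTES + 1), maintype="application",
                       subtype="octet-stream", filename="export.bin")
    return msg

if __name__ == "__main__":
    print(scan_message(build_sample()))
```
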

Company email accounts are difficult to permanently delete. It may be illegal to delete some emails and records that are part of a lawsuit. Once a lawsuit is filed, the expectation is that all records related to the case will be preserved. That includes keeping emails. For many organizations, this process of identifying which records to keep or not keep is managed by the legal department. The attorney will identify which materials and individuals are involved, and then direct the technology and security teams to preserve the records in a secure location. This may mean saving an individual’s email messages. Additionally, the court may order the retention of emails. For example, in 2012 in the case of E.E.O.C. v. Original Honeybaked Ham Co., the court ordered broad retention and discovery of text messages and email. The case concerned allegations of sexual harassment, a hostile environment, and retaliation. Again, some of the legal cases mentioned in this chapter may seem outdated, but that is not how the legal system works. Legal precedents can be from several years back.

Every organization should have an email policy. This builds on the AUP and talks specifically about the proper use of emails. The email policy should require disclaimers and warn individuals that their email is subject to monitoring. With these measures in place, the courts have put few limits on organizations that act in good faith, such as in the court case in 2001 of Fraser v. Nationwide Mutual Insurance Company (135 F. Supp. 2d 623 (E.D. Pa. 2001)). In this case, a worker emailed a competitor company with the objective of stealing customers. The court noted that “an employer can do anything with e-mail messages sent and received on company computers.” The court went on to note that “as long as it has notified employees that they have no expectation of privacy,” email can be monitored at any time without notice.

It should be noted that there is an additional motivation for monitoring workplace email: to prevent issues that involve harassment. Is someone in your organization sending inappropriate emails or offensive content? If you do not monitor emails, you may not know the answer to that until either a complaint is lodged or, more egregiously, a harassment lawsuit is filed.

Computer Use

An employee’s computer is generally monitored for viruses and malware. It’s also typically monitored for pirated software and excessive use such as game playing, as well as for unauthorized files that have been removed from secure servers. The extent of the monitoring depends on the concerns of the organization.

With the right policies, companies can protect themselves against these risks. There are a few restrictions on monitoring company equipment on a company network. The basic policies that should be in place to allow monitoring to be enforced are transparency and clarity. The basic steps are to make sure you have informed the workers that such monitoring can take place. Be clear, through an AUP, what the expected behavior is while using the organization’s computers.
