Legal Issues Involved in Monitoring Employees' Internet and E-mail
By Douglas M. Towns
The Scope and Need for Workplace Monitoring
Technological advances such as e-mail and the Internet are designed
to make the workplace more efficient. Of course, these tools also
expose employers to new types of employment law claims, including
e-harassment. Some employers may decide to monitor the use of e-mail
and the Internet to limit their exposure to discrimination and/or
harassment claims. In addition, employers also are concerned about
employees sharing, intentionally or inadvertently, the company's
trade secrets and other proprietary or confidential information
with competitors. Employers may also seek to limit personal use
of e-mail and the Internet because of the added strain on limited
resources (e.g., server and hard drive storage space) and the potential
loss of employee productivity.
Unfortunately, without a full understanding of the risks, employers
may open themselves up to potential lawsuits. In addition, such
techniques may result in low morale among employees who resent being
told that they cannot use e-mail for personal messages and feel
that their every move is being monitored.
Regardless of the risks, many employers have determined that there
is a need to monitor employees' computer usage. According to a 2003
survey by the American Management Association (AMA), more than half
of U.S. companies engage in some form of e-mail monitoring. Often,
this is in addition to monitoring of other work-related communications
and activities—including reviewing Internet usage, videotaping
the work site, or recording employee telephone calls. And while
most of this monitoring is done on a spot-check rather than on a
continual basis, the fact remains that more and more employers are
engaging in some form of monitoring.
Interestingly, the 2003 AMA survey concluded that approximately
40 percent of U.S. employers used software to control employees'
written e-mail content. Indeed, employee surveillance software sales
are estimated at U.S. $140 million a year. New technological advances
also provide employers with a number of options in monitoring devices.
- SpectorSoft Corp., a Florida-based software company, released
a monitoring program that takes surreptitious "screen shots"
of employees' computers at selected intervals for employers to
view at a later date.
- Content Technologies launched software called Pornsweeper that
examines images attached to e-mails and searches picture files
for anything that appears to be human flesh.
- There are also computer programs that monitor an employee's
keystrokes and can determine what the employee has typed on his
computer, even if the employee did not save the document.
Today, employees' privacy lawsuits often involve employer monitoring
of e-mail and the Internet. According to a 2002 survey by Computer
Business Review, 98 percent of employers now have e-mail at work
and use it regularly. Employees have sued employers who have monitored
their communications under either common-law state claims or federal
and state statutory claims. Fortunately for employers, most cases
have allowed employers to monitor employees' use of company e-mail
and the Internet. However, the risk of litigation is always present.
Invasion of Privacy Claims
Most employees who have sued their employers for monitoring have
done so under state invasion of privacy actions. In general, the
employee must show that he or she had a reasonable expectation of
privacy in the communication at issue. Because invasion of privacy
is a state-law claim, the standards vary among jurisdictions.
In one case, Smyth v. Pillsbury Co., an employee was terminated
for sending inappropriate and unprofessional messages over the company's
e-mail system. The company had repeatedly assured its employees
that e-mail was confidential, that it would not be intercepted and
that it would not be used as a basis for discipline or discharge.
From his home computer, Michael Smyth retrieved e-mail sent from
his supervisor over Pillsbury's e-mail system. Smyth allegedly responded
with several comments concerning the sales management staff, including
a threat to "kill the backstabbing bastards" and a reference
to an upcoming holiday party as "the Jim Jones Kool-aid affair."
Pillsbury intercepted the e-mail and terminated Smyth, who then
sued the company for wrongful discharge and invasion of privacy.
The court dismissed the case in 1996, finding that Smyth did not
have a reasonable expectation of privacy in the contents of his
e-mail messages, despite Pillsbury's assurances, because the messages
had been voluntarily communicated over the company's computer system
to a second person. The court went on to find that even if some
reasonable expectation of privacy existed, that expectation was
outweighed by Pillsbury's legitimate interest in preventing inappropriate
or unprofessional communications over its e-mail system.
Some employees have attempted to argue that their expectation of
privacy was reasonable because their e-mail was protected by a personal
password. However, of the courts that have addressed this issue,
this argument has been unsuccessful. For example, in Bourke
v. Nissan Motor Corp., while training new employees on the
e-mail system, a message sent by Bonita Bourke was randomly selected
and reviewed by the company. The message turned out to be a personal
e-mail of a sexual nature. Once Bourke's e-mail was discovered,
the company decided to review the e-mails of the rest of Bourke's
workgroup. As a result of this investigation, several other personal
e-mails were discovered. Nissan gave the employees who had sent
the personal messages written warnings for violating the company's
The disciplined employees sued Nissan for invasion of privacy.
The employees argued that although they signed a form acknowledging
the company's policy that company-owned hardware and software was
restricted for company business use only, their expectation of privacy
was reasonable because the company gave the plaintiffs passwords
to access the computer system and told them to guard their passwords.
However, a California court in 1993 held that this was not an objectively
reasonable expectation of privacy because the plaintiffs knew that
e-mail messages "were read from time to time by individuals
other than the intended recipient."
Similarly, in McLaren v. Microsoft Corp., the Texas Court
of Appeals in 1999 dismissed an employee's claim that his employer's
review and dissemination of e-mail stored in his personal folder
on his computer constituted an invasion of privacy. The employee
argued that he had a reasonable expectation of privacy because the
e-mail was kept in a personal computer folder protected by a password.
The court found this argument unconvincing because the e-mail was
transmitted over his employer's network.
However, according to a news account of one case, a court held
that an employer's use of a supervisor's password to review an employee's
e-mail may have violated a Massachusetts state statute against interference
with privacy. In that case, Burk Technology allowed employees to
use the company's e-mail system to send personal messages, but prohibited
"excessive chatting." To use the e-mail system, each employee
used a password. The employer never informed employees that their
messages would or could be monitored by supervisors or the company
president. The president of the company reviewed the e-mails of
two employees who had referred to him by various nicknames and discussed
his extra marital affair. The two employees were fired by the company
president, who claimed the terminations were for their excessive
e-mail use and not because of the messages' content. The court denied
the company's attempt to dismiss the suit and allowed the matter
to be set for trial on the merits. The court focused on the fact
that the employees were never informed that their e-mail could be
This case illustrates the importance of informing employees that
their use of company equipment to send e-mail and to surf the Internet
is subject to being monitored to prevent subsequent confusion and
a possible future defense on the part of employees.
Practical Steps Companies Can Take To Protect Themselves
Although there is no way to completely insulate a company from these
suits, employers may consider one or more of the following suggestions:
- Integrate e-mail and other policies. An employer's
e-mail policy can be integrated with the company's harassment
and non-discrimination policies. If so, the policy should make
clear that e-mail communications will be treated as any other
business communication and that use of the e-mail systems to engage
in communications that are in violation of company policy—including
transmitting defamatory, offensive or harassing messages—is
- Limit use of technology to business purposes only.
Electronic communications could be referenced expressly in any
lists of "company property." Employees should be notified
that all technology, including e-mail and access to the Internet,
is provided by the company to assist employees in carrying out
the company's business purposes. Explicitly state that employees
who use company property—including e-mail, telephones and
Internet access—for personal use are in violation of company
policy and are subject to disciplinary action.
- Reserve the right to review and monitor. To
advance the argument that monitoring is appropriate, employees
should be notified that the employer will treat all messages sent,
received or stored in the e-mail system as business messages,
which the company is entitled to review, monitor and disclose.
The company should warn employees that if they make incidental
use of the e-mail system to transmit personal messages, such messages
will be treated no differently from other messages; that is, the
company reserves the right to access, review, monitor or disclose
such messages. The policy should state explicitly that employees
should not use company e-mail to send or to receive any messages
that they wish to remain private. In addition, employers should
notify employees that even though their files may be protected
by passwords, such passwords do not prevent system administrators
and other authorized employees from accessing messages for business
- Include notice and consent language. Include
in the policy language stating that by using the company's electronic
communications systems, the employee is, in effect, aware of and
will be covered by the policy. In addition, by using the e-mail
system, the employee expressly consents to the company's review
and monitoring of e-mail messages as outlined in the policy.
Douglas M. Towns practices labor and employment law as a partner
at Jones, Day, Reavis & Pogue in Atlanta. His experience includes
representation of high-tech and other companies in Title VII, ADA
and other employment matters, and he has written and lectured on
issues relating to technology and the workplace. He is licensed
to practice law in the state of Georgia. He can be reached at firstname.lastname@example.org.
This article originally appeared at Gigalaw.com.
It can be found at http://www.gigalaw.com/articles/2002-all/towns-2002-01-all.html.
Discuss this topic with other IABC members at: www.iabc.com/memberspeak.