Feeds

Email privacy in the workplace

Situation murky

Security for virtualized datacentres

Comment Even with a well-heeled corporate privacy policy stating that all employee communications may be monitored in the workplace, the legality of email monitoring is not as clear cut as one might think.

Let's suppose you are an employer. You have a well-written and well distributed policy on privacy in the workplace. You expressly state that employees have NO expectation of privacy in ANYTHING they do. You own the hardware, you own the software, you own the network. You reserve the right to monitor every keystroke, every website, every email, every IM session, every chat discussion, and even monitor the lyrics to any song they happen to be listening to on their iPods (sounds like a fun place to work, doesn't it?). You have your employees acknowledge that you have the right to do such monitoring, and they even swear that they consent to such monitoring.

Your lawyers examine the case law and find that, in every single case where an employer has attempted to monitor the electronic communications of employees (where there was a stated policy that this would occur) the courts have held that the employee has no reasonable expectation of privacy in the contents of their corporate email. As former CIA director George Tenet would say, that's a "slam dunk." Right? Well, my magic 8-ball tells me, "situation murky, try again later."

Different states, different laws

The legal issues around email monitoring all began with the telecommunications giant WorldCom – remember them? Kelly Kearney and Mark Levy lived in California and worked for a company that was acquired by WorldCom. Their valuable WorldCom stock options were handled by the Atlanta branch of Salomon Smith Barney (SSB). When their options went underwater, they sued SSB, and learned that their phone calls from California to Atlanta had been routinely tape recorded in Atlanta.

That's where the trouble started. You see, Kearney and Levy didn't know they were being recorded. Under California law, you can't record someone's conversation without telling them. Of course, no such law exists in Georgia where the recordings were actually made. You see, Georgia law only requires that one of the parties to the conversation consent to the recording to make it legal.

Thus, you can record your own conversations, or, if your boss has obtained your consent (they say it's "my way or the highway"), your boss may record your conversation with others.

California, on the other hand, requires that everyone on the call consent to the monitoring. When Kearney and Levy learned they were recorded in Atlanta, they went to court in California and sued under California law. On July 17, the California court ruled that California's interest in promoting privacy outweighed Georgia's interest in not having its residents spend time in California jails.

The case, Kearny v Salomon Smith Barney, really focused on the concept of "conflict of laws" – or what to do when one state permits conduct that another state prohibits. Essentially, you balance the competing interests, and in this case, California's court said California's interests prevailed. Recognising that it was a close case, the court did not apply its finding retroactively, and did not fine SSB for its actions.

Who can consent to monitoring?

A number of US states require that, before you can record the contents of an "oral" or telephonic communication (or before you can "intercept" such a communication) you must have the consent of all parties to the conversation.

Such is the law in Massachusetts (Mass. Ann. Laws ch. 272), Michigan (§99 Michigan, Mich. Comp. Laws §750.539c), Nevada (Nev. Rev. Stat. Ann. §200.620 - by court decision, and N. H. Rev. Stat. Ann. §570-A:2) South Carolina (S.C. Code Ann. §16-17-470), and Washington State (Wash. Rev. Code § 9.73.030).

Some states expressly extend this "all party consent" philosophy to "electronic" communications. This includes California (Conn. Gen. Stat. §52-570d:), Delaware (Del. Code Ann. tit. 11, §2402(c)(4)), Florida, (Fla. Stat. ch. 934.03), Hawaii, (Haw. Rev. Stat. §803-42), Illinois (720 ILCS 5/), Louisiana (La. Rev. Stat. §15:1303), Maryland (Md. Code Ann., Courts and Judicial Proceedings §10-402), Montana ( Mont. Code Ann. §45-8-213) and Pennsylvania (18 Pa. Cons. Stat. §5703).

It has frequently been in dispute, however, about whose law applies when the party doing the intercepting and the party being intercepted are in different states.

As the Kearney court noted, in 1988 a Florida court found that the recording of a call between Georgia and Florida implicated the Florida all party consent law. In Massachusetts, courts found controlling where the recording took place – if in the Bay State, for example, Massachusetts law applied, if not, the other law controlled.

In New York at least one court held that a person who lived in New York (which is a one party consent state) who was recorded in another state that required all parties to consent could not sue for a violation of the other state's law.

In another New York case, a California resident surreptitiously recorded conversations with a New York plastic surgeon with whom she was collaborating on a book. Even though this clearly violated California law, the New York court provided no remedy in April of 2006, because the plastic surgeon had no expectation of privacy in the call – as a New York resident.

In 1982, when a Texas resident recorded telephone conversations with other company employees in California, Texas' one party consent controlled over California's all party consent.

It was into this fray that the California Supreme Court jumped, and essentially said that privacy interests trump other interests. What does this mean for the employer in single party consent states?

E-mail monitoring

In many states, the same law that prohibits the interception or recording of telephone calls also prohibits the interception or recording of electronic communications without the consent of all parties. So if I send an email from California to you in Georgia, and your boss reads it in accordance with your company's policy (but without my consent) is it legal? It must be legal because we all do it, right? How could it be illegal? How could you expect any privacy in an email to a Georgia company?

Choosing a cloud hosting partner with confidence

More from The Register

next story
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
'Cowardly, venomous trolls' threatened with TWO-YEAR sentences for menacing posts
UK government: 'Taking a stand against a baying cyber-mob'
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.