Feeds

Email privacy in the workplace

Situation murky

The Power of One eBook: Top reasons to choose HP BladeSystem

Comment Even with a well-heeled corporate privacy policy stating that all employee communications may be monitored in the workplace, the legality of email monitoring is not as clear cut as one might think.

Let's suppose you are an employer. You have a well-written and well distributed policy on privacy in the workplace. You expressly state that employees have NO expectation of privacy in ANYTHING they do. You own the hardware, you own the software, you own the network. You reserve the right to monitor every keystroke, every website, every email, every IM session, every chat discussion, and even monitor the lyrics to any song they happen to be listening to on their iPods (sounds like a fun place to work, doesn't it?). You have your employees acknowledge that you have the right to do such monitoring, and they even swear that they consent to such monitoring.

Your lawyers examine the case law and find that, in every single case where an employer has attempted to monitor the electronic communications of employees (where there was a stated policy that this would occur) the courts have held that the employee has no reasonable expectation of privacy in the contents of their corporate email. As former CIA director George Tenet would say, that's a "slam dunk." Right? Well, my magic 8-ball tells me, "situation murky, try again later."

Different states, different laws

The legal issues around email monitoring all began with the telecommunications giant WorldCom – remember them? Kelly Kearney and Mark Levy lived in California and worked for a company that was acquired by WorldCom. Their valuable WorldCom stock options were handled by the Atlanta branch of Salomon Smith Barney (SSB). When their options went underwater, they sued SSB, and learned that their phone calls from California to Atlanta had been routinely tape recorded in Atlanta.

That's where the trouble started. You see, Kearney and Levy didn't know they were being recorded. Under California law, you can't record someone's conversation without telling them. Of course, no such law exists in Georgia where the recordings were actually made. You see, Georgia law only requires that one of the parties to the conversation consent to the recording to make it legal.

Thus, you can record your own conversations, or, if your boss has obtained your consent (they say it's "my way or the highway"), your boss may record your conversation with others.

California, on the other hand, requires that everyone on the call consent to the monitoring. When Kearney and Levy learned they were recorded in Atlanta, they went to court in California and sued under California law. On July 17, the California court ruled that California's interest in promoting privacy outweighed Georgia's interest in not having its residents spend time in California jails.

The case, Kearny v Salomon Smith Barney, really focused on the concept of "conflict of laws" – or what to do when one state permits conduct that another state prohibits. Essentially, you balance the competing interests, and in this case, California's court said California's interests prevailed. Recognising that it was a close case, the court did not apply its finding retroactively, and did not fine SSB for its actions.

Who can consent to monitoring?

A number of US states require that, before you can record the contents of an "oral" or telephonic communication (or before you can "intercept" such a communication) you must have the consent of all parties to the conversation.

Such is the law in Massachusetts (Mass. Ann. Laws ch. 272), Michigan (§99 Michigan, Mich. Comp. Laws §750.539c), Nevada (Nev. Rev. Stat. Ann. §200.620 - by court decision, and N. H. Rev. Stat. Ann. §570-A:2) South Carolina (S.C. Code Ann. §16-17-470), and Washington State (Wash. Rev. Code § 9.73.030).

Some states expressly extend this "all party consent" philosophy to "electronic" communications. This includes California (Conn. Gen. Stat. §52-570d:), Delaware (Del. Code Ann. tit. 11, §2402(c)(4)), Florida, (Fla. Stat. ch. 934.03), Hawaii, (Haw. Rev. Stat. §803-42), Illinois (720 ILCS 5/), Louisiana (La. Rev. Stat. §15:1303), Maryland (Md. Code Ann., Courts and Judicial Proceedings §10-402), Montana ( Mont. Code Ann. §45-8-213) and Pennsylvania (18 Pa. Cons. Stat. §5703).

It has frequently been in dispute, however, about whose law applies when the party doing the intercepting and the party being intercepted are in different states.

As the Kearney court noted, in 1988 a Florida court found that the recording of a call between Georgia and Florida implicated the Florida all party consent law. In Massachusetts, courts found controlling where the recording took place – if in the Bay State, for example, Massachusetts law applied, if not, the other law controlled.

In New York at least one court held that a person who lived in New York (which is a one party consent state) who was recorded in another state that required all parties to consent could not sue for a violation of the other state's law.

In another New York case, a California resident surreptitiously recorded conversations with a New York plastic surgeon with whom she was collaborating on a book. Even though this clearly violated California law, the New York court provided no remedy in April of 2006, because the plastic surgeon had no expectation of privacy in the call – as a New York resident.

In 1982, when a Texas resident recorded telephone conversations with other company employees in California, Texas' one party consent controlled over California's all party consent.

It was into this fray that the California Supreme Court jumped, and essentially said that privacy interests trump other interests. What does this mean for the employer in single party consent states?

E-mail monitoring

In many states, the same law that prohibits the interception or recording of telephone calls also prohibits the interception or recording of electronic communications without the consent of all parties. So if I send an email from California to you in Georgia, and your boss reads it in accordance with your company's policy (but without my consent) is it legal? It must be legal because we all do it, right? How could it be illegal? How could you expect any privacy in an email to a Georgia company?

Top three mobile application threats

More from The Register

next story
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
Bose says today is F*** With Dre Day: Beats sued in patent battle
Music gear giant seeks some of that sweet, sweet Apple pie
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.