Feeds

Email privacy in the workplace

Situation murky

Beginner's guide to SSL certificates

Comment Even with a well-heeled corporate privacy policy stating that all employee communications may be monitored in the workplace, the legality of email monitoring is not as clear cut as one might think.

Let's suppose you are an employer. You have a well-written and well distributed policy on privacy in the workplace. You expressly state that employees have NO expectation of privacy in ANYTHING they do. You own the hardware, you own the software, you own the network. You reserve the right to monitor every keystroke, every website, every email, every IM session, every chat discussion, and even monitor the lyrics to any song they happen to be listening to on their iPods (sounds like a fun place to work, doesn't it?). You have your employees acknowledge that you have the right to do such monitoring, and they even swear that they consent to such monitoring.

Your lawyers examine the case law and find that, in every single case where an employer has attempted to monitor the electronic communications of employees (where there was a stated policy that this would occur) the courts have held that the employee has no reasonable expectation of privacy in the contents of their corporate email. As former CIA director George Tenet would say, that's a "slam dunk." Right? Well, my magic 8-ball tells me, "situation murky, try again later."

Different states, different laws

The legal issues around email monitoring all began with the telecommunications giant WorldCom – remember them? Kelly Kearney and Mark Levy lived in California and worked for a company that was acquired by WorldCom. Their valuable WorldCom stock options were handled by the Atlanta branch of Salomon Smith Barney (SSB). When their options went underwater, they sued SSB, and learned that their phone calls from California to Atlanta had been routinely tape recorded in Atlanta.

That's where the trouble started. You see, Kearney and Levy didn't know they were being recorded. Under California law, you can't record someone's conversation without telling them. Of course, no such law exists in Georgia where the recordings were actually made. You see, Georgia law only requires that one of the parties to the conversation consent to the recording to make it legal.

Thus, you can record your own conversations, or, if your boss has obtained your consent (they say it's "my way or the highway"), your boss may record your conversation with others.

California, on the other hand, requires that everyone on the call consent to the monitoring. When Kearney and Levy learned they were recorded in Atlanta, they went to court in California and sued under California law. On July 17, the California court ruled that California's interest in promoting privacy outweighed Georgia's interest in not having its residents spend time in California jails.

The case, Kearny v Salomon Smith Barney, really focused on the concept of "conflict of laws" – or what to do when one state permits conduct that another state prohibits. Essentially, you balance the competing interests, and in this case, California's court said California's interests prevailed. Recognising that it was a close case, the court did not apply its finding retroactively, and did not fine SSB for its actions.

Who can consent to monitoring?

A number of US states require that, before you can record the contents of an "oral" or telephonic communication (or before you can "intercept" such a communication) you must have the consent of all parties to the conversation.

Such is the law in Massachusetts (Mass. Ann. Laws ch. 272), Michigan (§99 Michigan, Mich. Comp. Laws §750.539c), Nevada (Nev. Rev. Stat. Ann. §200.620 - by court decision, and N. H. Rev. Stat. Ann. §570-A:2) South Carolina (S.C. Code Ann. §16-17-470), and Washington State (Wash. Rev. Code § 9.73.030).

Some states expressly extend this "all party consent" philosophy to "electronic" communications. This includes California (Conn. Gen. Stat. §52-570d:), Delaware (Del. Code Ann. tit. 11, §2402(c)(4)), Florida, (Fla. Stat. ch. 934.03), Hawaii, (Haw. Rev. Stat. §803-42), Illinois (720 ILCS 5/), Louisiana (La. Rev. Stat. §15:1303), Maryland (Md. Code Ann., Courts and Judicial Proceedings §10-402), Montana ( Mont. Code Ann. §45-8-213) and Pennsylvania (18 Pa. Cons. Stat. §5703).

It has frequently been in dispute, however, about whose law applies when the party doing the intercepting and the party being intercepted are in different states.

As the Kearney court noted, in 1988 a Florida court found that the recording of a call between Georgia and Florida implicated the Florida all party consent law. In Massachusetts, courts found controlling where the recording took place – if in the Bay State, for example, Massachusetts law applied, if not, the other law controlled.

In New York at least one court held that a person who lived in New York (which is a one party consent state) who was recorded in another state that required all parties to consent could not sue for a violation of the other state's law.

In another New York case, a California resident surreptitiously recorded conversations with a New York plastic surgeon with whom she was collaborating on a book. Even though this clearly violated California law, the New York court provided no remedy in April of 2006, because the plastic surgeon had no expectation of privacy in the call – as a New York resident.

In 1982, when a Texas resident recorded telephone conversations with other company employees in California, Texas' one party consent controlled over California's all party consent.

It was into this fray that the California Supreme Court jumped, and essentially said that privacy interests trump other interests. What does this mean for the employer in single party consent states?

E-mail monitoring

In many states, the same law that prohibits the interception or recording of telephone calls also prohibits the interception or recording of electronic communications without the consent of all parties. So if I send an email from California to you in Georgia, and your boss reads it in accordance with your company's policy (but without my consent) is it legal? It must be legal because we all do it, right? How could it be illegal? How could you expect any privacy in an email to a Georgia company?

Remote control for virtualized desktops

More from The Register

next story
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.