Pretty Bad Privacy: Email in the Workplace

Many years ago (1997, I think), I wrote an article about email privacy in the workplace. Given the recent debate following City of Ontario v. Quon (see my prior post, So, Can Your Employees Sext At Work?), I thought it worth posting my earlier article (with an added nod to, as it is as relevant today as back then. So, here it is (and, warning, it’s long)…

An employee, e-mailing another, wrote, “That little sex kitten has been driving me wild. She’s moaning and begging for it every minute. Last night I was afraid someone would hear, and we’d be thrown out of the building. But don’t worry – all is arranged. Wednesday she gets the knife.” The message was intercepted by the writer’s supervisor, who immediately notified the authorities. Following a night of interrogation by the police, the writer was released in the morning in just enough time to take his female cat to the vet for spaying. Understandably unhappy about his night in jail, the employee sued his employer for invasion of privacy. According to the various accounts of this story, the employee prevailed.

Okay, so the story is almost certainly a joke (see, but it does illustrate one of the myriad ways in which the skyrocketing use of e-mail in the workplace has dramatically increased companies’ potential exposure to liability for the actions of their employees. Specifically, because of its ease of use and the widely-held mistaken belief that once deleted there is no enduring record of the e-mail, most people treat e-mails with as little care as (or less care than) they would a casual conversation with a co-worker. As a consequence, e-mails have given rise to a spate of recent lawsuits involving issues ranging from companies “snooping” through their employees’ e-mails, to trade secrets being stolen through the e-mail system, to claims of discrimination arising from “inappropriate” e-mails. Moreover, as e-mail usage continues to proliferate, these types of lawsuits are likely to arise with increasing frequency.

As the story recounted above illustrates, one such typical scenario involves a company that, acting on a suspicion of employee misconduct, surreptitiously investigates the e-mails of one or more of its employees, discovers proof of wrongdoing, and terminates the employee as a result. Inevitably, the employee sues, claiming that his or her privacy rights were violated.

In such cases, the first issue to be determined is whether the employee in fact had a reasonable expectation that the contents of his or her e-mails were private, which is a precondition to the existence of a right to privacy. The reasonableness of the employee’s expectation of privacy varies, however, depending upon the totality of the circumstances. The following factors, although by no means exhaustive, will likely be considered:

  • Does the company have a formal policy regarding use of its e-mail system?
  • Did the employee sign a waiver of any e-mail privacy rights or provide some other form of consent – written or oral, express or implied – concerning the employer’s review of his or her e-mails?
  • Was the employee made aware that e-mails are automatically saved on (and accessible from) the computer’s back-up system despite having been deleted by the author?
  • Are e-mail accounts individually password protected and, if so, how are the passwords determined and protected?

Although each of these factors will militate in favor of – or against – the reasonableness of the employee’s expectation of privacy, they are not the end of the inquiry.

If a reasonable expectation of privacy is found to exist, courts then balance the employee’s privacy right against the employer’s need to read the e-mails. Among the successfully tested business reasons for such invasions of privacy are the company’s need to prevent the theft or disclosure of its trade secrets and other confidential business information (including, for example, inside information about a pending transaction); to ensure the safety of its employees; and to prevent the creation of a “hostile work environment,” which might give rise to a claim of discrimination. Indeed, this latter issue has recently arisen in at least two cases, and raises the specter that, under certain circumstances, a company could have an affirmative duty to screen e-mails for their appropriateness under the discrimination laws.

Nevertheless, the existence of a company’s legitimate business reasons for monitoring an employee’s e-mails will not give rise to a wholesale right to monitor its employees’ e-mails. Rather, courts, as part of their balancing of the company’s and employees’ competing interests, tend to consider the nature, extent and scope of the employer’s conduct in reviewing the particular employee’s e-mails. The more circumscribed and narrowly-tailored to meet the company’s legitimate business purposes, the more likely that the review will be found to be permissible.

The leading case on a company’s right to review its employees’ e-mails involved a business that had purportedly assured its employees that their e-mails were considered private, would not be read by the company, and could not be used by the company as a basis for reprimand. Based on those assurances, an employee engaged in an exchange of e-mails with his supervisor, the contents of which triggered concerns within management causing the company to investigate other e-mails authored by the particular employee. As a consequence of learning the contents of these other e-mails, the employee was terminated for making “inappropriate and unprofessional comments” including threatening to “kill” certain managers whom the employee identified as “backstabbing bastards.” Relying on the company’s stated policy concerning the privacy of its employees’ e-mails, the employee sued.

Applying the balancing test analysis, the court first rejected the employee’s claim that he had a reasonable expectation of privacy in the contents of his e-mails. Specifically, the court found that no privacy rights existed because the employee “voluntarily communicated the alleged unprofessional comments over the company e-mail system.” However, such a broad statement of the ease with which privacy rights can be “voluntarily” waived is likely to have been unintended by the court, as, under this standard, there can never be an expectation of privacy in e-mails.

In any event, the court found that – even if the employee had had a reasonable expectation of privacy – “the company’s interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy interest the employee may have in those comments.” Again, the court’s language is sweeping in its scope, and can (no doubt unintentionally) be read to suggest that virtually any articulable business interest will take precedence over an employee’s right to expect that his or her e-mails will remain private.

Although not raised in that case, other cases have also involved claims that an employer’s review of the employee’s e-mails violated the federal and/or state “anti-wiretap” (or “anti-eavesdropping”) statutes, which give rise to independent statutory privacy rights in “electronic” communications. However, as a result of various broad exceptions to their applicability (particularly in the employment context) the effect of these statutes is of questionable value to the employee. Indeed, the emerging trend – drawing on analogies to the well-developed case law applying these statutes to telephone eavesdropping – appears to be that a balancing test like that described above will be applied, albeit the balance will likely start in the employer’s favor. Thus, if the relevant statute is in fact applicable, any right that the employee has to privacy will almost certainly yield to a review of the employee’s e-mails – particularly one that is narrowly-tailored to advance the employer’s legitimate business interests without unnecessarily invading the employee’s privacy.

As these cases demonstrate, when the employee’s privacy interests are pitted against the employer’s legitimate business interests, courts will resolve the tension by balancing the reasonableness of the employee’s expectation of privacy against the employer’s business interests sought to be protected and the scope of the employer’s intrusion. Although there are too few reported cases to predict with certainty exactly how the law in this area will unfold, the emerging trend appears to be that as long as the employer has a legitimate business purpose to review the employee’s e-mails, and accomplishes its goals without undue invasion of the employee’s private affairs, the employer will be justified in its review, and will not be liable to the employee.

The foregoing is only half the story, however. Not only does the indiscriminate use of e-mails give rise to the types of disputes outlined above, but because of the prolific use of e-mails and the fact that they frequently remain on back-up tapes indefinitely, e-mails have become a fertile ground for pre-trial discovery, and have in some instances yielded the “key” information in the case.

It is well-established that under modern pre-trial procedures, a party to litigation has an almost absolute right to obtain all relevant documents in the possession, custody or control of the other party. These documents include not only those materials in the company’s filing cabinets, but the mountain of e-mails accumulated on back-up tapes over the years. Indeed, over the past several years, litigation attorneys have increasingly come to realize how much useful information can be gathered through old archived e-mails, particularly given that a veritable warehouse of documentation can now be stored on a single computer. Of course, the sheer magnitude of such stored e-mails increases the odds that important information will invariably be revealed in some old e-mail that no one thought would ever be read again, much less saved for use in future litigation.

Obviously, this vast storehouse of information can be a potential boon for an opposing party. For example, it has been predicted that substantial litigation will arise in connection with the Year 2000 bug. To the extent that old e-mails reveal that management was made aware of the problem, and subsequent facts demonstrate that the problem was ignored, the opposing party will have quite handily satisfied its burden of proving knowledge (and conscious disregard of the same) on the part of the corporation.

None of these issues is new, however; privacy concerns have existed as long as there have been desk drawers; the need to prevent the theft of trade secrets has existed as long as there has been confidential business information; discrimination in the workplace has been a problem as long as there has been diversity in the workplace; and extensive document review has existed as long as pre-trial discovery has been allowed. Nevertheless, because of the proliferation in e-mail usage, its unexpected permanence and the frequent lack of forethought given to the content and selection of recipients of the e-mail, the issues have become more prevalent and therefore more of a concern.

How a company addresses these issues and the balance it reaches between its legitimate business interests and its employees’ competing privacy interests depends on the myriad facts and circumstances unique to every company, including, perhaps most importantly, the company’s corporate culture. No matter how that balance is struck, however, every company should have clear, written policies (as part of their personnel manuals) relating to e-mail usage (as well as to all potential zones of privacy). Moreover, in creating these policies, companies must ensure that the same are consonant with their overall document retention policies.

Finally, regardless of how liberal or restrictive the e-mail policy is, each employee should be alerted to the existence and terms of the policy, and made to understand that e-mails are permanent records which must be treated with great care. Indeed, given that they can be broadcast – perhaps accidentally – to a limitless number of people with a single keystroke, e-mails should be written and distributed with the very greatest of care.