Aug 21 2008

The Law's on Your Side

You can monitor employees, but there must be consent on both sides.

David Ries, Partner, Thorp Reed & Armstrong

It is now common business practice in this country to monitor employees’ computer usage. E-mail, Internet use and access to company data are all fair game for monitoring, which may be done by snapping screenshots or recording keystrokes. Software is readily available for these tasks.

There are legitimate business and legal reasons for employers to monitor their workers. Having invested a substantial amount in computers and networks, companies have a right to make sure that their equipment is properly used for business purposes. Improper use can compromise networks and confidential company information. Excessive personal use, particularly with the Internet, can be a tremendous drain on productivity. Employee use of computers can also lead to employer liability in such areas as race or sex discrimination, harassment, defamation and violation of intellectual property rights.

A recent survey by the American Management Association and the ePolicy Institute shows that 76 percent of employers monitor
workers’ Internet connections; 65 percent use software to block connections to inappropriate websites; 43 percent monitor e-mail; and 45 percent track content, keystrokes and time spent on the keyboard. Twenty-eight percent of those surveyed have fired employees for e-mail misuse and 30 percent fired workers for Internet misuse.

Although the law is not conclusively established, monitoring is generally considered to be legal when there is notice and consent.

In Pennsylvania and Maryland, the law requires the consent of all parties to a communication to permit monitoring. Under these statutes, consent by an employee alone may be insufficient to make monitoring of communications with third parties legal because there is not consent of all parties. Connecticut and Delaware, for example, require employers to notify employees when they monitor electronic communications. A tort claim for invasion of privacy is another potential employer liability, but it’s unlikely it would succeeed when there is notice and consent.

Employers Hold the Cards

Court cases have almost universally upheld employers’ rights to monitor employee computer use. One early case held that an employee did not have a reasonable expectation of privacy in e-mails sent, received or stored at work, despite the employer’s repeated assurances that it would not monitor employee e-mails.

Employers who want to monitor employees should have an acceptable-use policy that clearly defines the permitted and prohibited uses of company technology. Companies should then decide what monitoring they may do to measure compliance with the acceptable-use policy. This monitoring should be covered in a monitoring policy, which may be separate or part of the use policy. The policies should give employees clear notice that the technology is company property, that it is to be used for business purposes and that employees shall have no expectation of privacy when using the company’s technology.

Employees should be given notice of the policies initially and periodically thereafter. Employee agreement to the policies, including consent to monitoring, should be recorded through a written signature or electronic consent. Training concerning the policies should be provided and policies should be enforced.

Before a company engages in monitoring employees, it should understand and comply with the current law of all involved jurisdictions. Laws vary from state to state, and many foreign countries have substantially stronger legal protection for worker privacy.

Employees should understand that they will generally have very limited or no privacy when using their employer’s technology. Employees have generally been unsuccessful in challenging employers’ monitoring of the use of company technology, unless the company violates a law or its policies and practices.

David Ries is a partner at the law firm Thorp Reed & Armstrong, in Pittsburgh.