Email Privacy: What Every Employer Should Know, with Steven Abraham

Dr. Steven E. Abraham, J.D., Ph.D.

Session Moderator: I'm excited about welcoming Steven Abraham as our workshop leader.

Dr. Steven E. Abraham holds a B.S. from Cornell University (1980), a J.D. degree from New York University School of Law (1983) and Ph.D. degree in Industrial Relations from the University of Wisconsin-Madison (1992). He is a member of the New York State Bar as well as the bars of the Eastern and Southern District of New York. Between obtaining his J.D. and Ph.D. degrees, Dr. Abraham practiced labor/employment law in New York City in two law firms and one corporation (for a total of five years). He has also provided legal advice to law firms on a number of occasions.

Dr. Abraham's primary research interest is the interrelationship between law and employment and he has investigated this relationship both empirically and conceptually. He has more than fifteen academic publications in refereed journals and has presented a number of papers at conferences as well. He has also written a number of articles dealing with more practical day-to-day issues facing business.

Welcome Steve!

Steven Abraham: Hi Everybody!! Thanks for joining me!! In the next hour, I hope I can provide you with some useful information and answer any questions you have as well. Before I start, are there any questions I can answer about my topic in general?

John Grace: I have been reading about possible privacy violations against the employer for reading employee e-mail. Any thoughts on this?

Steven Abraham: Thanks John. That question does not call for a quick answer. I'll try to explain the law in the area in general.

Actually, there are two broad ways a person could go if (s)he wanted to sue an employer for reading his/her email.

One: Employees whose email has been read by their employer may attempt to sue the employer alleging that the email interception violated the employees' "right of privacy."

Two: On the federal level, there is a law called the "Electronic Communications Privacy Act of 1986" that is directly applicable to email at the workplace. In general, the ECPA makes it a federal crime for an individual "to intentionally or willfully intercept, access, disclose or use another's wire, oral or electronic communication." Although email is not mentioned specifically in the Act, the legislative history of the law makes it clear that it was intended to apply to email. Thus intercepting employees' email would implicate the ECPA.

Those two, briefly, are the areas of law involved. If you'd like, I'll talk about each. Shall I proceed?

John Grace: Yes, please.

Steven Abraham: In the "right of privacy area," most states will allow one person to sue another and recover damages for an invasion if privacy if the person suing can prove that the defendant committed an "unreasonable intrusion upon the seclusion of another." In cases involving an employer reading an employee's email the claim would be that by reading the employee's personal email, the employer intruded upon the employee's seclusion.

In order to prevail in an invasion of privacy case, the employee must show that (s)he had a subjective expectation of privacy and that the expectation was objectively reasonable. In other words, it is not sufficient that the plaintiff assumed her email would be confidential. This expectation would have to have been reasonable and legitimate according to the objective observer.

In the majority of cases I have seen so far, employees who have attempted to sue their employers for invasion of privacy based on the employer having read their email have been unsuccessful. The courts have denied the majority of plaintiffs' claims, because the courts found that the employees did not have a reasonable expectation of privacy.

A case from Massachusetts reveals the potential risks of employers reading employees' email, however. In that case, the employees sued the employer for invading their privacy by reading e-mail without advance warning and the employer sought to have the case dismissed because the employees did not have a reasonable expectation of privacy. The court denied the employer's motion and allowed the case to proceed to trial, stating: "There remain genuine issues of material fact on the issue of whether plaintiffs had a reasonable expectation of privacy in their email messages and whether [the employer's] reading of their e-mail messages constituted an unreasonable, substantial or serious interference with plaintiff's privacy."

Thus, if an employer creates an expectation that employees' email will be confidential and then reads employees' email, the employer may be liable for invasion of privacy.

That's all I have to say on the state law right of privacy claims. Are there any questions on that?

Steven Abraham: Since there are many questions on email policies, let me talk about that now.

The adoption and dissemination of such a policy will go a long way toward preventing employers from being liable for reading employees' email (and, by the way, there are other ways employers can be liable besides state law privacy claims you should know about).

Generally, email policies should include the following elements:

  • There should be a clear statement that the e-mail system is company property and that all messages are company records.
  • Use of e-mail should be limited to company purposes only and it should be clear that domain names may be used for only company purposes.
  • State that the company deserves the right to monitor and disclose all messages without notice.
  • Indicate that there are no personal privacy rights in the e-mail system.
  • Prohibit unauthorized access to or disclosure of e-mail by coworkers.
  • State that the company's equal employment opportunity and anti-harassment policies apply to electronic communications and that discriminatory or harassing communications are prohibited (I do want to explain why and will shortly).
  • Include warnings and guidelines regarding prohibited disclosure of company materials, potential copyright infringement issues and prohibited downloading or use of unauthorized materials.
  • Also, I'd recommend that you put the policy in writing and (if practicable) consider having employees acknowledge receipt of the policy in writing.

    Session Moderator: Steve, do you mean they should sign it?

    Steven Abraham: Yes. Prepare a form (on the policy itself even) stating, "I have read this policy and understand its terms. I understand that abuse of the e-mail system may subject me to discipline

    Let me point out that, as "mean" as it may seem, there are IMPORTANT REASONS for employers to limit employee email use.

    In a number of recent cases, employees who brought sexual harassment lawsuits against their employers used email messages that had been sent over the company's email system as evidence of sexual harassment. For example, Chevron Corporation recently was required to pay four plaintiffs a total of $ 2.2 million after their attorneys found email evidence of sexual harassment. The attorneys had located, on Chevron's own email server, an email message that had been sent to a number of people within the company containing a list of jokes about "why beer is better than women."

    In another case, part of the evidence in a plaintiff's sexual harassment case against her employer was an email sent to the plaintiff identifying her as "Brown Sugar."

    In another area of law, plaintiffs have attempted to hold employers liable for defamation because defamatory remarks were sent out on the employer's email system or posted on the employer's electronic bulletin board.

    These are risky for employers!!

    There is a federal law called the "Electronic Communications Privacy Act of 1986"that is directly applicable to email at the workplace. In general, the ECPA makes it a federal crime for an individual "to intentionally or willfully intercept, access, disclose or use another's wire, oral or electronic communication." Although email is not mentioned specifically in the Act, the legislative history of the law makes it clear that it was intended to apply to email. Thus intercepting employees' email would implicate the ECPA.

    Although the ECPA would appear to prevent an employer from reading employees' email, there are three statutory exceptions that may permit interception of employees' email by employers: (a) the provider exception, (b) the ordinary course of business exception and (c) the consent exception.

    Perhaps the safest way for employers to read employees' email without violating the ECPA is the consent exception. Section 2511(d) of the Act states:

    It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortuous act in violation of the Constitution or laws of the United States or of any State.

    (That last paragraph was a quote from the LAW)

    What that paragraph means in English is that if an employer gets its employees consent to read their email, the employer is free to read any employee messages, personal or otherwise.

    For the "consent" exception to apply, however, you (the employer) must notify the employees clearly that all email messages, personal and business, will be read. The courts will not find implied consent when employees are aware that they may be monitored as opposed to being aware that they are being monitored.

    Steven Abraham: Was I clear? I'd be happy to answer (if I can) any questions

    Karen Bergh: I once worked in a company that required (or at least that's what was implied) their employees to sign such a consent upon accepting employment. Is there a way that employees could refuse to sign such a consent?

    Steven Abraham: Whether we like it or not, it is a company's right to do that (make you sign the form). Even at the governmental level, where we all have much greater "privacy rights," those consents are perfectly legal!!

    Karen Bergh: Thanks for clarifying that!

    Celeste Renta: Is it enough to say you reserve the right to monitor? We're not set up to actually monitor although we do say we have the right.

    Steven Abraham: Going to Celeste's question, I'd do more than just say "we have the right to monitor. I'd include some of the elements I mentioned earlier

    Session Moderator: Steve - here's another question - I'm looking very briefly for more guidance with regard to wasted time and expense of private use of e-mails and legislation that may prevent me from filtering messages. My understanding is that Senators Hatch & Shumer have legislation pending, but again, that legislation merely requires you to inform employees of what you MAY (not Will or Must) do.

    Steven Abraham: I know of NO legislation preventing you from filtering/monitoring anything you want to monitor. Even in governmental employment, all you need do is inform employees and get the appropriate consent.

    Faye Moore: Why do we have more privacy rights at the governmental level?

    Steven Abraham: If I can answer Faye's question, the 4th Amendment to the constitution prohibits "unreasonable searches & seizures." The 4th Amendment (the Const. in general) only applies to and restricts the government, not private employers.

    Karen Bergh: It seems to me that the implementation of a policy may in some ways discourage the use of email for private use while at work? Does anyone agree?

    Celeste Renta: I don't think it'll discourage anyone unless they know they're being monitored. Hate to be a cynic but....

    Session Moderator: I think so Karen. I have a friend that is terrified of sending a personal email because several employees were fired for doing the same.

    Steven Abraham: Back to Celeste's point. I agree that if employers know you're bluffing, they'll do what they want anyway. If they think monitoring is even a possibility, would they want to risk it?

    Karen Bergh: So enforcement is key, not just the threat implied by a policy...

    Steven Abraham: Let me say again, that I'd really recommend drafting an email policy. The policies will vary (depending on whether you want to limit time spent on email, etc.)

    Session Moderator: Steve, thanks again for helping us navigate through the maze of litigation as it relates to email privacy. This is a complex issue and you've boiled it down to no-nonsense, straightforward tactics.

    Steven Abraham: My pleasure!! Anyone can feel free to contact me if they have questions (I think my email address is on the website someplace, isn't it?)

    Session Moderator: Yes, I believe you are in the consultants' directory, right?

    Steven Abraham: I am, I'd love to hear from any of you
    Session Moderator: I want to thank all of you for attending our workshop today. If you have a topic that you would like to see an expert talk about, please let us know!

    Thanks again all! Have a successful and productive week!

    Session Moderator: Thanks again Steve!

    Steven Abraham: Thank you!

    You may like these other stories...

    By Deanna C. WhiteThis year, minority accounting students who aspire to become CPAs will have three opportunities to explore the possibilities the career can offer when the American Institute of CPAs (AICPA) holds its...
    On May 2, 2012, the Center for Audit Quality (CAQ) has released a report summarizing its recent workshop on the evolving role of the public company auditor. More than thirty workshop participants gathered in New York on...
    Session SummaryThe leadership of the National Conference of CPA Practitioners (NCCPAP) announced their concerns regarding the fallout from the events surrounding Enron. The leadership of the organization believes that this...

    Already a member? log in here.

    Upcoming CPE Webinars

    Sep 9
    In this session we'll discuss the types of technologies and their uses in a small accounting firm office.
    Sep 10
    Transfer your knowledge and experience to prepare your team for the challenges and opportunities of an accounting career.
    Sep 11
    This webcast will include discussions of commonly-applicable Clarified Auditing Standards for audits of non-public, non-governmental entities.
    Sep 24
    In this jam-packed presentation Excel expert David Ringstrom, CPA will give you a crash-course in creating spreadsheet-based dashboards. A dashboard condenses large amounts of data into a compact space, yet enables the end user to easily drill down into details when warranted.