This article by Stuart Adams appeared in the Louisville Courier Journal
as part of the Louisville Bar Association Business Q & A Series, on November 20, 1997
Q: I own a small service business, employ a small staff and experience a lot of turnover. Our company deals in sensitive information. Much of our internal communication and that with our suppliers and customers is by e-mail. Can we conduct surveillance of company e-mail to protect ourselves without violating any laws on employee privacy?
A: Your question pushes a hot button for many employers and employees. Surveys indicate that most employees have the perception that many "personal" files they create or download to company computers they regularly use are considered by them to be as private as their own personal mail they receive at home. On the other hand, similar surveys indicate that a high percentage of employers keep company e-mail and workstation files under regular surveillance for a variety of reasons. The conflicting rights of employers and their employees on this subject is giving rise to a large number of emerging lawsuits.
There are a number of laws, including federal and state laws, as well as common law tort theories, which may give rise to legal actions by employees against their employers for invasion of privacy. Since e-mail is quickly becoming the communication method of choice in many companies, employers have just as great a duty to police such communications as they would company memos or telephone calls. Employers should certainly refrain from "bugging" employees, but investigations of theft or inter-employee harassment certainly require an employer who is on reasonable notice of such conduct to take appropriate measures, including surveillance.
Employees may very well invoke several theories of liability for invasion of their privacy. Some of these include: inclusion on their seclusion; intentional infliction of emotional distress; defamation; public disclosure of private facts. Employers seem to be required to learn more and more about their employees, and to retain such information, because of laws such as the Family and Medical Leave Act and the Americans with Disabilities Act. Should information, such as sexual preference, HIV test, or psychological profile, become "public" when given to the employer with a perception of privacy, the employer may very well find itself in court for invasion of the employees privacy.
The employer, however, can do a number of things to protect itself from such threats. First, it can keep watch on the requirements of federal and state laws on the subject, so as not to run afoul of their constantly changing requirements. Second, the employer can adopt procedural safeguards. Third, it can provide employees with written notice of the authority and policy of the employer to conduct periodic surveillance of such computer files and e-mail or voice mail repositories. Fourth, its policy manual or statements should set forth the company justification for the surveillance from the start. Fifth, it should limit the information obtained to only those employees who reasonably need to know for security purposes. Sixth, it should train supervisors, managers and security personnel thoroughly on the extent and methods of acceptable surveillance, and appropriate uses of the information received.
Finally, adopting an e-mail policy which is given to the employees and explaining to the employees the reasoning, should assure both parties that they will always know where they stand.