E-Mail in the Workplace: Limitations on Privacy - Human Rights Magazine, Winter 1999


Human Rights

E-Mail in the Workplace: Limitations on Privacy

By Mary E. Pivec and Susan Brinkerhoff

A variety of now common electronic devices such as e-mail have made workplace communications much faster and more efficient than even ten years ago. Unfortunately, however, the law has not kept pace with this technology, and as a result, a myriad of legal questions have arisen, not the least of which concern the matter of privacy. What are employees’ privacy rights when using the office e-mail system for personal or nonwork-related use (or misuse), such as communicating with friends or, even worse, harassing their colleagues—sexually or otherwise—or transferring company secrets? Do employees have a legitimate concern about the improper disclosure of truly personal information? What are employers’ rights with regard to preventing such abuses of their equipment and time?

Although the law in this area is not yet well developed, this article summarizes some of the information presently available on the subject of e-mail privacy rights in the workplace.

Pertinent Federal and State Law

Both federal and state statutes regulate the use of communication equipment. Where state law regulates interception of e-mail and other forms of surveillance, it may provide broader protection of employee privacy than federal law. In addition, common law rights of privacy may be relied upon by employees in challenging employer action.

Federal law: ECPA. The Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510-20; 2701-2711) is the only federal statute relevant to claims of workplace invasions of privacy by electronic means. The ECPA prohibits (1) unauthorized and intentional "interception" of wire, oral, and electronic communications during the transmission phase, and (2) unauthorized "accessing" of electronically stored wire or electronic communications.

For purposes of interpreting the Act, it is important to note that an e-mail is an "electronic communication" as that phrase is defined in § 2510. In the specific context of e-mails, it is also important to determine whether an employer "intercepted" the e-mail while it was being transmitted, or whether he/she "accessed" it minutes, days, or weeks after it was stored in an employee’s computer. This distinction is important because different penalties apply:

• Section 2701 prohibits the unauthorized access of an e-mail that is stored in a computer. A violation of § 2701 subjects the violator to a fine of up to $10,000 and/or a sentence of up to one year in prison.

• Section 2511, on the other hand, prohibits the interception of an e-mail while the e-mail is being transmitted, and subjects the violator to penalties of up to a $10,000 fine and/or up to five years in prison.

The ECPA contains two exceptions that are pertinent to e-mail communications. First, under the system provider exception, the prohibitions on the interception, disclosure, or use of electronic communications do not apply to conduct by an officer, employee, or agent of a provider of electronic communication services if the interception occurs during an activity necessary to the rendition of the service or to the protection of the rights or property of the provider.

Whether an employer who provides an internal office e-mail system is completely exempted from the ECPA as a "service provider" is a hotly debated question, and the ramifications are important. Some commentators assert that "service providers" should include only entities such as America Online (AOL), Prodigy, etc. Others believe that employers who furnish their own e-mail systems are rightfully considered service providers and thus fall within the service provider exception. Another theory states that even if an employer utilizes AOL or another common carrier to provide employee e-mail services, the employer is then considered an agent of the service provider and is thus subject to the exemption.

If employers are exempted under this provision, then presumably they may monitor electronic communications in order to promote quality control, prevent loss of trade secrets, investigate employees suspected of wrongdoing, deter personal use of company property, etc. To date, at least one court has held that an employer was in fact a service provider. (See Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996)). However, in the absence of clear judicial guidelines—or clear congressional intent, for that matter, as disclosed by a not-very-definitive legislative history—employers should not rely on this exception to protect their e-mail monitoring. Rather, they should look to the following exception, which provides clearer guidance to employers and employees regarding the bounds of privacy that employees can expect.

Under the consent exception, an employer may intercept electronic communications if the prior consent of one of the parties to the communication has been obtained. (18 U.S.C. § 2511(2)(d) (1994)). To come within this exception, an employer need only acquire the implied or express consent of one employee in an employee-customer or employee-employee communication. It is important to remember that the ECPA does not preempt stricter statutes in states, such as Maryland, which require the consent of all parties.

An employee will likely be deemed to have given consent if, having knowledge of the employer’s policy, he or she continues to use the e-mail system. To this end, a written policy is preferred because all parties will have expressly consented to its terms. Even when the policy is written, the employer would be ill-advised to monitor e-mails to a degree that exceeds the scope of the policy. For example, in the context of telephone calls, the courts agree that an employer is not privileged to continue listening to conversations of a purely personal nature. Further, a policy that merely suggests that monitoring may be done may not be sufficient to create implied consent.

State law claims. Employees have two avenues for bringing state law claims. First, they may raise a claim based on any existing state legislation that might offer them protection from employer e-mail monitoring. Second, they may allege a violation of their privacy rights under state common law principles. Since 1990, employees have brought a handful of suits under state law, several of which have raised both common law and statutory theories of recovery. However, in no case has an employer been found to have violated an employee’s right of privacy by reading the employee’s e-mail messages.

(1) State legislation: Many states have adopted laws similar to federal legislation that protect an individual’s right to privacy in electronic communications. Some states, such as Maryland and Florida, require the consent of both parties to a communication before an employer may monitor e-mails. Legislation in Virginia, Georgia, and West Virginia makes it illegal to use a computer or network to examine personal information without proper authority. An individual is without authority if he or she has no right or permission from the owner or has exceeded the scope of that right or permission. (Va. Code § 18.2-152; Ga. Code Ann. § 16-9-90; W. Va. Code § 61-3C-1.) These statutes do not define whether an employer is considered the owner of the network; if so interpreted, an employer would presumably be able to search the system that employees use for work-related activities.

Other states offer limited protection to employees regarding electronic communications. For example, in Nebraska, an employer is permitted "on his, her, or its business premises . . . to intercept, disclose, or use [an electronic] communication in the normal course of his, her, or its employment." (Neb. Rev. Stat. § 86-702(2)(a)). The statute does not give an employer unfettered discretion to monitor employee e-mails; rather, it authorizes monitoring "for mechanical, service quality, or performance control checks as long as reasonable notice of the policy of random monitoring is provided to their employees." (Neb. Rev. Stat. § 86-702(2)(a)).

(2) Common law: tortious invasion of privacy: In the absence of legislation that explicitly protects employees, actions against employers for tortious invasion of privacy for e-mail monitoring may be considered. However, these suits will fail if no objectively reasonable "expectation of privacy" is found in employee e-mails or, even if found, such privacy interest is outweighed by the countervailing legitimate business interests of the employer.

In Bourke v. Nissan Motor Co. (YC 003979 Cal. Super. Ct., L.A. County 1991, affirmed by the Court of Appeals in 1993), two individuals hired to set up an e-mail system between Nissan and its Infiniti dealers were fired for using that system to send personal messages containing inappropriate sexual humor. In dismissing the employees’ subsequent suit for invasion of privacy, the court found that the employees had no reasonable expectation of privacy. When hired, they had signed a waiver stating "it is company policy that employees and contractors restrict their use of company-owned computer hardware and software to company business." Also, the two had been aware for months that their e-mail was being read by supervisors. That the employees were given passwords to access the system and told to safeguard them did not move the court to find their privacy expectations reasonable. (See also Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996), which held that the employer’s interest in preventing inappropriate communications over its e-mail system outweighed any privacy interest by those employees who transmitted such communications).

Although the current weight of authority finds no objectively reasonable expectation of privacy in e-mail, at least two courts have rejected that conclusion. For example, in Restuccia v. Burk Tech. (LW No. 12-384-96 (Mass. Sup. Ct. 1996)), the employer discharged employees after reading e-mail files that contained derogatory references to the company’s president. Employees sued the employer for invading their privacy by reading e-mails without advance warning. The court concluded that "[t]here remain genuine issues of material fact on the issue of whether plaintiffs had a reasonable expectation of privacy in their e-mail messages and whether [the employer’s] reading of their e-mail messages constituted an unreasonable, substantial, or serious interference with plaintiff’s privacy." The court noted further that the ability to create passwords and delete e-mails supported expectations that employees’ messages would remain private. In Dunlap v. County of Inyo (1997 WL 414380 (9th Cir. July 23, 1997)), the court noted in dictum that "cellular telephones and electronic mail are both technologies of questionable privacy, but we nonetheless reasonably expect privacy in our cell phone calls and e-mail messages."

The critical issues in determining employer tort liability for e-mail interception are whether employees have an objectively reasonable expectation of privacy in such communications, and whether employers have legitimate business reasons for the intrusions.

The commentators agree—without exception—that issuance of a clear policy, or use of on-screen reminders, signed waivers, or anything else that puts employees on notice of monitoring, is the easiest and least costly way to render employee expectations of privacy in e-mail unreasonable. Because the law is not well developed, however, it is not certain that even appropriate notice will be an absolute defense in such a lawsuit.

In the context of e-mail, the range of important business reasons justifying routine monitoring seems broad indeed—preventing online sex harassment, loss of trade secrets, copyright infringement, excessive use of company property for personal reasons—and the balancing test between employee and employer has weighed in favor of the employer far more often than not. Courts have historically held that business interests can justify even extremely invasive conduct. Where the employer’s interest is sufficiently strong or the invasive action is a customary business practice, privacy interests may be overridden. For example, in May v. Teleservice Resources, Inc. (WL 222906 (N.D. Tex. 1997)) the employer TRI sent an e-mail to its managers about TRI’s initiative to promote cultural diversity in hiring. In response, May (a manager) jokingly e-mailed to another manager a message suggesting that members of a fictitious culturally diverse hiring committee could include O.J. Simpson, Susan Smith, Howard Stern, Timothy McVeigh, Marge Schott, and Louis Farrakhan. The e-mail was removed from the computer system and brought to the attention of the president of TRI. Subsequently, May was demoted from manager to an entry-level position because of her lack of support for the company’s cultural diversity program. It is notable that no privacy violations were claimed by May with regard to the e-mail, and the court did not raise the issue on its own.

Federal law claims. To date, no reported privacy-based suits have been brought against a private-sector employer under the ECPA (or any other federal law) for reading employee e-mails. However, in a claim against a municipality (Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996)), police officers claimed that the department’s retrieval of certain stored messages generated by their electronic pagers was a violation of the ECPA. The court held that the officers had no reasonable expectation of privacy when the police department warned pager users that their messages would be logged on the network, and when the messages were available to anyone with access to the department’s computer system. The court also held that the city was the provider of the electronic communications service (police department’s terminals, computers, software, and pagers); as such, it fell within the ECPA’s "system provider" exception (18 U.S.C. § 2701(c)(1)) and was permitted to "do as they wish when it comes to accessing communications in electronic storage." Therefore, the court held, neither the city nor its employees were liable under the ECPA. (See also Wesley College v. Pitts, 974 F. Supp. 375 (D. Del. 1997), which dismissed a suit by a college against several current and former employees, alleging that they illegally accessed e-mail stored in the college’s mainframe computer system; the court found no violation of the ECPA).

E-mail as Discoverable Evidence

"Deleted" e-mail is often archived on tape and stored for years (deleting does not really delete). Backup copies may exist on the sender’s or recipient’s personal computers or on the company’s network. If the e-mail was sent through a commercial service or the Internet, it may have passed through several computers. Each computer between the sender and the recipient may have retained a copy. Unlike postal mail, most e-mail is not secure and can be accessed or viewed on intermediate computers between the sender and recipient (unless the message is encrypted). As a result, it is now commonplace for litigants to ask for the production of e-mail messages in discovery, although they may ultimately be deemed inadmissible.

In Star Publishing Co. v. Pima County Attorney’s Office (891 P.2d 899 (Ariz. Ct. App. 1994)), the court upheld a lower court order compelling production of employee e-mail communications. In connection with allegations concerning improprieties in the operation of the County Assessor’s Office, the Star Publishing Company made a formal request for computer backup tapes of the Assessor’s Office containing all documents for 1993, including e-mail communications of employees. The case appears to have turned primarily on the fact that the county, in attempting to defeat production, merely speculated that certain communications might be privileged. The dissenting judge noted that the case raised "new questions concerning the privacy of electronic mail in the workplace" and that "this may indeed be a case where technology has once again outpaced the law."

Although e-mail may be deemed discoverable, it is not necessarily admissible. In the case of Monotype Corp. PLC v. International Typeface Corp. (43 F.3d 443 (9th Cir. 1994)), which dealt with an agreement not to compete in the typeface market, the plaintiff attempted to introduce e-mail correspondence from an International Typeface Corporation (ITC) employee to a Microsoft employee. The plaintiff maintained that the e-mail constituted business records and should be admitted in evidence. The court held that the requested e-mail messages were highly derogatory, offensive, and prejudicial and thus were inadmissible. In distinguishing computer printouts, which are admissible as business records, the court stated that "E-mail is far less of a systematic business activity than a monthly inventory printout. E-mail is an ongoing electronic message and retrieval system whereas an electronic inventory recording system is a regular, systematic function of a bookkeeper prepared in the course of business."

Conclusion

Employees who use their employer’s e-mail system—especially for other than work-related purposes—do so at their own risk. At this time, both statutory and common law appear to favor the business interests of employers over the privacy rights of employees. Although an employee might be able to assert a privacy claim against the employer in the absence of a clearly delineated e-mail policy, an employer will undoubtedly rely on federal and/or state statutory language to assert a privilege to monitor employee e-mails. Until the ambiguous language of the various statutes is clarified, or unless nonwork-related use of the computer system is expressly permitted by employers, employees should confine their nonwork-related e-mails to their own home computers.

Mary E. Pivec is senior counsel and Susan Brinkerhoff is an associate in the Washington, D.C. office of Proskauer Rose LLP.