Click here to skip to main content.
scenic picture from Washington state
SUBJECTSIS › Elements of a Successful E-Mail Policy, Part II by Gerard Panaro
Elements of a Successful E-Mail Policy, Part II

Elements of a Successful E-Mail Policy, Part II

by Gerard Panaro

This is the second in a three-part series on implementing an e-mail policy. The first installment took a look at the basic legal standards, this one will examine applicable laws, and the third will offer the components of a legally sufficient, defensible workplace policy on e-mail.

Applicable laws. There are four sources of law the employer has to take into account: federal, state, the common law (such as actions for defamation, invasion of privacy, breach of contract), and constitutional law. On the federal level, there are three laws: the Omnibus Crime Control and Safe Streets Act of 1968, which regulates the interception of telephone calls; the Electronic Communications Privacy Act of 1986, which regulates interception of and access to e-mail and other forms of electronic communication; and the Computer Fraud and Abuse Act of 1986. As noted above, all of these federal statutes are very detailed, complicated and confusing and it will serve no good purpose to go into them in any detail.

Briefly, however, with respect to the Electronic Communications Privacy Act of 1986, the following should be noted: while the ECPA generally prohibits the interception or accessing of electronic communications, it contains three exceptions which permit employers to monitor employee e-mail:

  1. there is an exception allowing for interception of e-mail if one of the parties consents;
  2. an exception to allow the providers of the service to monitor the lines to maintain service; and
  3. an exception allowing for interception in the ordinary course of business, to protect the employer's rights and property.

Thus, far from barring an employer from adopting and enforcing a policy that regulates employees' private and personal use of office e-mail, the ECPA actually permits such policies.

On the state level, most if not all of the states have their own legislation dealing with the interception of telephone and electronic communications; a few states also have computer crime statutes making it a crime to tamper with computer data in certain ways. Some state statutes may provide different or greater protection than the federal statutes. In a given case, the employer must always be certain not to overlook state law in its calculations and decisions.

Example: Virginia's law on accessing material. A good example of state regulation of employees' use of computers, which could serve as a model for others, is Virginia's law restricting state employees from accessing sexually explicit material on computers that are owned or leased by the state, unless given permission to do so.1 The statute was the subject of litigation in Urofsky v. Gilmore, 14 IER Cases (BNA) 1386 (4th Cir. 1999), in which a group of university professors argued that the law infringed on their First Amendment rights of free speech. The court disagreed. The court quoted elements of the statute, which, although applying only to state employees, could serve as a model for a similar policy in the private sector, at least insofar as an employer seeks to prevent employees from transmitting, receiving or downloading sexually explicit material. In essence, the act provided:

Except to the extent required in conjunction with a bona fide, agency-approved research project or other agency-approved undertaking, no agency employee shall utilize agency-owned or agency-leased computer equipment to access, download, print or store any information infrastructure files or services having sexually explicit content. Such agency approvals shall be given in writing by agency heads, and any such approvals shall be available to the public under the provisions of the Virginia Freedom of Information Act.
The statute defined "information infrastructure" as telecommunications, cable, and computer networks and as including the internet, the world wide web, usenet, bulletin board systems, online systems and telephone networks. The law also gave definitions of "sexually explicit content" and related terms. They are quoted here for guidance purposes:
"Sexually explicit content" means (i) any description of or (ii) any picture, photograph, drawing, motion picture film, digital image or similar visual representation depicting sexual bestiality, a lewd exhibition of nudity, as nudity is defined in §18.2-390, sexual excitement, sexual conduct or sadomasochistic abuse, as also defined in §18.2-390, coprophilia, urophilia, or fetishism.

"Nudity" means a state of undress so as to expose the human male or female genitals, pubic area or buttocks with less than a full opaque covering, or the showing of the female breast with less than a fully opaque covering of any portion thereof below the top of the nipple, or the depiction of covered or uncovered male genitals in a discernibly turgid state. "Sexual conduct" means actual or explicitly simulated acts of masturbation, homosexuality, sexual intercourse, or physical contact in an act of apparent sexual stimulation or gratification with a person's clothed or unclothed genitals, pubic area, buttocs or, if such be female, breast.

"Sexual excitement" means the condition of human male or female genitals when in a state of sexual stimulation or arousal.

"Sadomasochistic abuse" means actual or explicitly simulated flagellation or torture by or upon a person who is nude or clad in undergarments, a mask or bizarre costume, or the condition of being fettered, bound or otherwise physically restrained on the part of one so clothed.

Common law. The third source of law is the common law. For example, an employer who discovers personal information about an employee through monitoring the employee's e-mail and who disseminates that information for no legitimate business purpose, or to persons with no legitimate interest in it, may be liable to that employee for defamation or invasion of privacy, even if the employer didn't violate any federal or state law pertaining to interception of electronic communications.

Constitutional law. Finally, and briefly, in some cases, constitutional provisions may come into play. For example, government employees have Fourth Amendment protections against unreasonable searches and seizures; a few state constitutions have provisions applying to the private sector protecting citizens' privacy. The U.S. Constitution's Fourth Amendment prohibition of searches and seizures, however, does not apply to private sector employers.

Employees do not have any automatic, absolute right to privacy in the workplace. The key legal rule to keep in mind is this: employees have no automatic or absolute right to privacy in the workplace. Only government employees enjoy Constitutional protections against unlawful search and seizure, and even in those cases, the protection is not absolute: the courts apply a balancing or weighing test, comparing the employee's expectation of privacy and right to be free from unreasonable search with the government's legitimate rights to know and the public interest. The safest assumption that employees can make, and their best "working hypothesis" is that they do not have a right to privacy in their e-mail, especially if the company has advised the workforce in a written policy that e-mail (and other forms of office communication) is subject to monitoring.

From the employer's perspective, when confronted with the question of whether an intrusion into employee's workplace e-mail will be legally defensible and justifiable, the key questions are these: Did the employee have an expectation of privacy; Was that expectation reasonable? What was the employer's purpose in accessing the employee's e-mail; and, How far did the intrusion go? The employer can create its own answer to the first question by advising employees in no uncertain terms that they do not have any expectation of privacy in the workplace, or only a very limited expectation. That policy will answer the second question: Was the expectation reasonable? No, because the employer already told employees they had no privacy. The answer to the third question should be: to monitor for compliance with policy; to investigate wrongdoing (e.g., sexual harassment, disclosure of confidential business information). The answer to the fourth question should be: Only far enough to fulfill the company's legitimate business interests.

Employers don't have an absolute right to inquire, either. If employees do not have an automatic, absolute right to privacy in the workplace, neither do employers have an automatic, absolute right to observe, monitor, record, and publicize employees' every move and action, even in the face of a policy warning employees not to assume any right or expectation of privacy.

E-mail raises legal issues other than privacy rights. Although much of the emphasis and focus on workplace e-mail policies is in protecting the privacy rights of employees, the fact of the matter is that there is far more at stake for the employer than employee privacy rights. While the employer creates some risk of legal liability to employees as a result of an e-mail monitoring policy, perhaps a more important consideration is that if the employer fails to monitor e-mail usage, it may be creating far greater liability for itself. A fundamental source of this potential liability is that the law holds employers responsible for what their employees do, oftentimes even if the employer had no knowledge of what the employees were doing and if the employees were actually acting against the company's own interest.

The Microsoft antitrust case is one illustration: e-mails written by engineers for Netscape and other Microsoft competitors, disparaging and criticizing their own companies' products and business strategies, are being used by Microsoft in its own defense. The Raytheon Corporation case is another: the company is suing employees for divulging what it alleges are trade secrets. An employee who uses e-mail to sexually harass another employee may be creating strict liability for the company. An employee who incurs substantial expenses charged to the company for his or her private and unrelated use of e-mail or the internet is engaged in a form of theft; using the company's e-mail for illegal purposes, such as gambling or pornography, can result in a criminal investigation of the company. It is imperative, therefore, that companies allow themselves the right to see how their employees are using the e-mail system, and advise employees of this prerogative, for their own self-protection. And this is the fundamental interest the EPCA recognizes and seeks to protect in its exception allowing for interception of electronic communications in the ordinary couse of business.

Protection for trade secrets. The Raytheon case raises the issue of corporate trade secrets. Perhaps 40 or more states have enacted the Uniform Trade Secrets Act (UTSA), which provides various remedies for the misappropriation of trade secrets, including injunctive relief, damages, royalties, punitive damages and attorneys' fees. The UTSA also defines a "trade secret" as follows:

"Trade secret" means information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (1) Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (2) Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

Even in the absence of a trade secrets statute, an employee's common law duty of loyalty to his or her employer would supply a basis for going after an employee who breached corporate confidentiality. Another tool, which can be used standing alone or in conjunction with a state trade secrets law, is a confidentiality agreement.

An illustrative case is Robert L. Cloud Associates, Inc. v. Mikesell, 14 IER Cases (BNA) 1407 (Cal. Ct. App. 1999). Robert L. Cloud & Associates, Inc. was an engineering firm specializing in pressure vessel consulting. It required its employee, the defendant in the lawsuit, to sign a confidentiality agreement which required him not to disclose confidential information. "Confidential Information" was defined in the agreement as follows:

any and all information concerning teaching techniques, processes, formulas, trade secrets, innovations, inventions, discoveries, improvements, research or development and test results, specifications, data, know-how, formats, marketing plans, business plans, strategies, forecasts, unpublished financial information, budgets, projections, and customer and supplier identities, characteristics, and agreements.

The defendant quit his job and set up a competing business, going after the same clients he had recruited for Robert L. Cloud & Associates. He also took training materials, omitted course materials from computer diskettes, took code books, and deleted course materials from the compuer files. As a result, Robert L. Cloud & Associates was unable to service several of its clients and either had to contract with the defendant's new firm to do so, or lost the business. The company successfully sued under the UTSA for its losses.2

Importance of written policy. The importance of having a written corporate policy establishing the company's right to access e-mail cannot be overemphasized. Clearly advising employees that e-mail is for business use and that the company reserves the right to monitor and access e-mail for all lawful reasons will negate any argument about privacy expectations, will establish prior consent, and will provide evidence of legitimate business use allowed by the law. Current law favors the employer's rights of monitoring and access over employees' privacy claims. In ruling on any claims of unlawful employer conduct, courts will look at four factors:

  • Whether there was notice and consent
  • Scope of the intrusion into the employee's private matters
  • Number of others to whom disclosure was made
  • Employer's justification for accessing the employee's private messages

1 Va. Code. Ann §2.1-804 to -806. 2 The jury awarded the company $232,300, and the judge gave it $115,250 in punitive damages, plus almost $51,000 in attorneys' fees.

Gerard P. Panaro, Artabane & Belden, P.C., 2021 L Street, NW, Washington, DC 20036. Tele (main): 202-861-0070; tele (direct; voice mail): 202-861-1314; fax: 202-861-2939; e-mail (firm (preferred:)) gpanaro@artabane-belden.com; (personal:) gpanaro@mindspring.com

First published on bankinfo.com on 5/12/99