
Workplace Investigations and Privacy of Electronic Communications

Tuesday, March 28, 2017

The situation is common enough: an employee is alleged to have engaged in misconduct and, as part of its investigation, the employer decides to search the employee’s company-issued computer for any relevant documents and communications.   One might expect that because the company owns the computer, anything discovered on the computer would be fair game.  That expectation, however, can sometimes lead employers astray – and straight into a claim under electronic privacy and anti-hacking statutes like the Stored Communications Act (SCA) and Computer Fraud and Abuse Act (CFAA).

Federal Statutes


The SCA and CFAA are federal statutes that protect against the unauthorized access of electronic communications and information. Under those statutes, employers have considerable room to monitor and access communications on their own networks and equipment.  The SCA, for example, generally exempts communications that are transmitted or stored on an employer’s proprietary electronic communications system.  That exemption does not apply, however, to communications that are stored outside of the company’s system, such as emails stored in an employee’s Gmail or Yahoo! account. Consequently, an employer that accesses an employee’s private email account risks violating the law – regardless of whether a company-issued computer allowed the employer to do so (for example, because the password for the employee’s private email account was stored in the computer’s internet browser).

Cases to Discuss


As a case in point, in Lazette v. Kulmatycki (N.D. Ohio 2013), a supervisor used a former employee’s smartphone to access the employee’s personal email account after her employment ended. The employee had been issued a smartphone during her employment and had been told that she could use it for personal matters.  When the employee left, she returned the smartphone and believed that she had deleted her Gmail account from the phone.  In fact, the Gmail account was still accessible on the phone and the supervisor, rather than deleting the account, used it to read the employee’s opened and unopened email—a total of 48,000 emails over an eighteen-month period.  After becoming aware of the supervisor’s actions, the employee changed her Gmail password and then sued claiming violations of the SCA, among other things.  The employer sought to dismiss the complaint, but was unsuccessful. The court found that the mere fact that the supervisor had used a company-owned device to access the employee’s email account did not grant him the authority to do so.  It also found that the employee’s inadvertent failure to delete the account from the phone did not mean she had given implied consent to access the account, particularly where she believed she had deleted the account and was unaware of the possibility that others might be able to access it. On the issue of consent, the court also noted that even if she had been aware that her emails might be monitored, that implied consent would not have been unlimited, given that “random monitoring is one thing; reading everything is another.”

More recently, in Owen v. Cigna (N.D. Ill. 2016), a court held that an employee had a viable claim under the SCA where her employer allegedly used her work computer to access emails from her personal email account. The employee had left her job and had filed a charge of discrimination for sexual harassment.  In responding to the charge, the employer attached emails that it had obtained from the employee’s personal email account, but which the employee claimed had been obtained without her consent. The employer argued that it was authorized to access the emails, but the court dispensed with this argument quickly and found that although the employer had the undeniable authority to access the employee’s work computer after she stopped working, it was not authorized to access the employee’s personal email account.

Both of these cases serve as important reminders for employers to consider the potential privacy of electronic communications when performing workplace investigations. Although there are certainly steps that employers can take to reduce any expectation of privacy that employees may have in their electronic communications at work, employers must also recognize that mere ownership of a computer, tablet, smartphone, or other electronic device does not provide carte blanche access to any account an employee accessed on the device.

Consent is Key for BYOD

Friday, December 12, 2014

With Black Friday behind us and holiday shopping still heating up, ‘tis the season when many of us will acquire new gadgets and technology to power our digitally-enhanced lives.  For businesses, this time of year also means thinking about how best to accommodate employees who want to use their personal smartphones, tablets, or other electronic devices to connect to company networks.

BYOD (“bring your own device”) programs offer benefits to both employers and employees.  Employers, for example, benefit from reduced IT costs associated with providing expensive technology to employees, while employees benefit from the freedom to choose their own devices for work and play.   Yet the ability to access both work and personal content on a single employee-owned device presents some challenges, particularly with respect to data security and privacy.  On occasion, an employer may need to access an employee’s personal device to protect company information, such as when the employee departs or the device is lost or stolen.  However, if the employer does not have explicit authorization from the employee to access the device, it may end up having not only a disgruntled employee, but potential liability as well.

As a case in point, last month a federal district court in Texas ruled on claims asserted by an employee that his former employer violated the federal Computer Fraud and Abuse Act (“CFAA”) and other federal and state laws when it remotely accessed his personal smartphone and deleted all data on the phone, including personal and professional data, without his consent.  The employee in the case, Rajaee v. Design Tech Homes, Ltd., claimed damages to the tune of $105,100 attributable to his lost passwords, contacts, and photographs.  In this case, the court found these damages were not compensable under the CFAA on the grounds that the act covers only losses associated with investigating or responding to a violation of the act.  Because Rajaee did not produce evidence of any costs incurred to investigate or respond to the deletion of his data, the court concluded he had no losses under the CFAA, and therefore no claim.  Of course, had Rajaee established that he did incur such costs, the result in this case may very well have been different.

So, what does this mean for employers implementing BYOD programs?  At a minimum, it means that employers providing BYOD access should have policies in place describing the circumstances under which it may be necessary to access personal content on an employee’s personal device.  To allay legitimate privacy concerns, the policy should provide specific examples of when such access may be necessary, including situations involving lost or stolen devices, or technical support.  With an effective BYOD policy in place, employers should then require employees to provide written consent to the policy.