Court Finds Airport Cannot Fly Under the Radar on Employee’s Email Privacy Claims

A federal district court in Virginia recently grounded an airport’s attempt to escape liability for accessing an employee’s email account. (Hoofnagle v. Smyth-Wythe Airport Commission.) The decision, which delivered a mixed result for the airport, provides important guidance for both public and private sector employers.

The employee was the airport’s operations manager and was responsible for its day-to-day operations, including responding to email from the public. To this end, the manager created a Yahoo! email account, which he used for both airport and personal business. Although the account became the airport’s official email contact, the airport did not have an email policy or any other technology policy that governed how the account was to be used.

Events came to a head when the manager, an NRA member, used the account to send a strongly worded email to U.S. Senator Tim Kaine regarding gun control. The manager signed the email using his official airport title. After learning of the email, the airport terminated the manager based not on the email’s content, but on the manager’s decision to sign it in his official capacity. The airport then used a password provided by the airport’s secretary to gain access to the account to search for business records. The manager sued and claimed that the airport’s access of the email account without his authorization violated the Fourth Amendment’s protection against unreasonable governmental searches, as well as the Stored Communications Act.

Dealing with the Fourth Amendment claim first, the court applied a two-part test used by the U.S. Supreme Court in another case involving the scope of employee privacy in electronic communications. That test looks first at the “operational realities” of a workplace to determine whether a reasonable expectation of privacy exists, and then examines whether the search was reasonable under all the circumstances.

In this case, the court found that the manager did have a reasonable expectation of privacy in the email account – primarily because the account was not clearly owned by the airport, and because the airport did not have an electronic communications policy that would have limited the manager’s expectation of privacy. Nonetheless, because the airport’s search of the account related to a non-investigatory work-related purpose, and because it was limited in scope, the search was reasonable and therefore did not violate the Fourth Amendment.

Turning to the Stored Communications Act, however, the court found that the airport could not escape liability. The SCA is a federal law that prohibits the unauthorized access to stored email and other electronic communications. But the SCA exempts “providers” of electronic communications services and end “users” of those services – and it was under these two exemptions that the airport sought refuge, arguing that the exemptions applied because the airport had provided the computer through which the manager had used the Yahoo! account. The court found neither exemption applied, though, because it was Yahoo! that provided the electronic communications service where the emails were stored, and it was the manager, who had created the account, that was the “user” of the service.

So – what guidance does this case provide for employers? First, it demonstrates that employers must be careful when using, or allowing employees to use, a third-party email provider (e.g., Yahoo!, Gmail, etc.) for company business. In those situations, employers must be sure to have clear policies in place that address the scope of employee privacy in electronic communications and the monitoring of email on workplace computers, and the policies should also clarify who it is – employer or employee – that owns the account and is authorized to access it. Had the airport in this case maintained such a policy, it would have been in a far better position. Second, this case demonstrates that an employee’s use of a work computer does not entitle an employer to access virtually any account used by the employee on the computer – even if the account is used for work purposes. Finally, the case serves as an important reminder for employers to keep abreast of changes in technology and how that technology is used in the workplace.

Employer's Electronic Communication Policy Negates Expectation of Privacy in Employee's Work Computer

Adding its voice to the growing body of cases illustrating the importance of electronic communications policies, a federal court in Virginia ruled earlier this year that an employee had no reasonable expectation of privacy in personal files stored on his work computer where his employer maintained a policy that clearly informed him that he should have no such expectation.  Walsh v. Logothetis  (E.D. Va. Jan. 21, 2014).

The plaintiff in the case, Thomas Walsh, began working at Virginia Commonwealth University (VCU) in 2008 as a Chief Administrative Officer in the School of Medicine.  In the spring of 2011, Walsh’s supervisor, who was an Associate Dean in the School of Medicine, raised concerns about the financial management of Walsh’s department.  VCU conducted an audit as a result of the supervisor’s concerns.  In connection with the audit, VCU searched Walsh’s work computer and found copies of his personal 2007 and 2008 tax returns, which Walsh had stored on the computer.  The tax returns showed that Walsh had falsified his employment application to VCU by overstating the salary he had earned at his previous job.  The audit also showed that Walsh had failed to follow other financial procedures implemented by VCU.  Based on the results of the audit, VCU terminated Walsh’s employment.

Walsh later sued in federal court alleging a variety of constitutional and statutory violations.  Among his many claims, Walsh alleged that the search of his work computer was unlawful under the Fourth Amendment.  Specifically, Walsh alleged that several VCU policies permitted employees to store personal files on their work computers and that he therefore had a reasonable expectation of privacy with respect to the personal tax returns he had stored on his work computer.

The court acknowledged that public employees, such as Walsh, generally have a reasonable expectation of privacy in their workplace.  However, the court concluded that employees cannot have a legitimate expectation of privacy in electronic communications where a policy puts them on notice that their communications may be monitored.  VCU had such a policy, which provided:

No user shall have any expectation of privacy in any message, file, image or data created, sent, retrieved, received, or posted in the use of the Commonwealth’s equipment and/or access.  Agencies have a right to monitor any and all aspects of electronic communications and social media usage.  Such monitoring may occur at any time, without notice, and without the user’s permission.

Consequently, even though Walsh may have been permitted by VCU to store personal information on his work computer, he did not have any reasonable expectation that this information would remain private.

The result in Walsh v. Logothetis is relevant for private employers, even though the case involved a public employee and a claim under the Fourth Amendment.  This is because common law claims for invasion of privacy, like privacy claims under the Fourth Amendment, generally require a plaintiff to show that he or she had a reasonable expectation of privacy.  A clear policy stating that such an expectation does not exist in electronic communications stored or accessed on a work computer is therefore equally important for employers in both the public and private sectors.