E-Mail Privacy Rights in Business

I. Abstract

How far we have come in such a small time. When you think that the personal computer was invented in the early 1980s and that, by the end of the millennium, several households have two PCs, it is an astonishing growth rate. And, when you consider business, I can look around the office and see that a lot of the cubicles contain more than one PC. It is astonishing to me that such an item has taken control over the information technology arena like personal computers.

Consider, however, the items that go along with personal computers: printers; modems; telephone lines for your modem; scanners; the software; online access; and, let's not forget, e-mail addresses. E-mail, or electronic messaging, has taken over the communications world as the preferred method of exchanging information. From the simple "let's do lunch" messages to the ability to send a business associate anywhere in the world an e-mail with an attached document that contains 150 megabytes of information, e-mail is quickly replacing the telephone, the U.S. Post Office, and even overnight delivery services as the primary method of exchanging important data. With the ability to create and send this instant information, the technology has far outpaced the education on how to use this phenomenon, the effects of this technology on society, and how to prevent this method of communication from growing itself out of existence. Consider the following numbers:

- There were about 23 million e-mail users in 1994.
- There will be approximately 74 million e-mail users in the year 2000.
- Employees sent approximately 263 billion e-mail messages in 1994.
- Employees will send approximately 4 trillion e-mail messages in the year 2000.
- A 1993 study by MacWorld magazine found that 22% of employers have engaged in searches of employer computer files, voice mail, electronic mail, or other network communications.
- The number of people subject to electronic surveillance at work has increased from approximately 8 million in 1990 to more than 20 million in 1996.
- Nearly 60% of companies that monitor e-mail or other employee communications conceal doing so.
- Less than 20% of companies have a written policy on electronic monitoring.

One of the major areas affected by this new technology is corporate America. It is struggling not only with how to keep pace with the growing need for fast and efficient e-mail, but also with the dangers associated with it. Among these dangers is privacy, in particular, what legal rights corporations and employees have in keeping their communications private. This paper will introduce the current legislation in this area, the expectation of privacy an employee should have, any court decisions that provide additional rulings, and what a corporation can do to prevent litigation in these matters.

II. Employees' Expectation of Privacy in E-mail

As an e-mail systems manager, I was under the impression that since the company owns the electronic messaging system, the company could view the contents of any employee's e-mail account at any time. I was only partially right. The explanation of the current law will describe this in detail, but the employee does have a certain right to privacy where e-mail is concerned.

Arguably, a company's most valuable asset is its data. In the age of technological marvels, it is easier to create more valuable data and, on the other hand, that data is more easily retrievable, especially by persons not authorized to obtain the data. Employees of companies can expect a certain right of privacy granted by three main sources: (1) the United States Constitution; (2) federal statutes (the Electronic Communications Privacy Act of 1986); and (3) state statutes (many of which have not addressed the issue).

The United States Constitution provides a limited group of employees with privacy safeguards. The safeguards are based on guarantees in the United States Constitution's Fourth Amendment and similar state constitutions. Courts have held that the Fourth Amendment's protection against unreasonable searches and seizures applies to workplace invasions of privacy. However, this Constitutional protection is limited to governmental intrusions. Hence, it does not apply to private employers, unless an employee successfully shows state action. In Schowengerdt v. General Dynamics Corporation, [823 F.2d 1328, 1332 n.3 (9th Cir. 1987).] the court held that the employee had a reasonable expectation of privacy in work areas of exclusive use to the employee, such as the employee's office, unless the employer had previously notified the employee that the employee's office was subject to a work-related search on a regular basis. The court concluded that, despite the employee's reasonable expectation of privacy in his office, a warrantless search of the office was permissible when it was work-related and reasonable under the circumstances.

As the wording of the 4th Amendment suggests, it does not protect against all searches, only unreasonable searches. Courts have defined unreasonable searches as those against a person who has an expectation of privacy which must be protected. This can be shown in United States v. Perkins. [383 F. Supp. 922, 927 (N.D. Ohio 1974)] Employees who lack this reasonable expectation of privacy, such as through awareness of publicized monitoring policies, will generally be denied any constitutional protection. The policy, to be effective, should warn employees that e-mail messages may be audited despite certain system features that give the appearance of privacy, such as personal passwords and the employee's ability to delete messages.

III. Current Law Pertaining to E-mail Communication

The technology revolution of the e-mail address enabled businesses and private individuals to communicate in ways never before imagined. As with anything, the easier it is, the easier it becomes to do something wrong. With e-mail, this is very evident. In order to prevent wrongdoing and to protect the e-mail user, Congress enacted the Electronic Communications Privacy Act of 1986 (ECPA). [Pub. L. No. 99-508, 100 Stat. 1848 (1986)(codified at 18 U.S.C. 2510-2521, 2701-2710, 3117, 3121-3126 (1988)).] The ECPA amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968. [18 U.S.C. 2510-2520 (1994).] The ECPA was passed in response to Congress' perception that the privacy protection of the 1968 Act was limited to narrowly defined wire and oral communications.

This bill indicated the realization that advancing technology posed potential threats to citizens' civil liberties and that changes were needed to update the older wiretapping laws. The amendment expanded the scope of Title III to include the interception of electronic communication and unauthorized access of stored electronic communications. [18 U.S.C. 2510(1), (4), (12), (17) (1994).] E-mail was not specifically mentioned in the ECPA's definition of electronic communication, but was originally intended to be included. Electronic communication is defined in the ECPA as the transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce. [18 U.S.C. 2510(12) (1994).] While this does not directly mention e-mail, the legislative history indicates that the term includes electronic mail, digitized transmissions, and video conferences. [S. Rep. No. 99-541, at 14 (1986).]

The ECPA also outlaws the interception of electronic communications. [18 U.S.C. 2511(1)(a), 2520 (1994).] The ECPA amended the Federal Wiretap Act's definition of intercept as the aural or other acquisition of the contents of any wire, electronic, or oral communication. [18 U.S.C. 2510(4) (1994).] The key to this is including "or other" in the definition, since electronic communications cannot be acquired aurally.

Even though electronic communications are now included within the ECPA’s interception clause, the range of protection afforded by the prohibition against interception has been narrowly interpreted by one of the few courts to address the issue. An example of this lies in the decision of the 5th Circuit Court in the case of Steve Jackson Games, Inc. v. United States Secret Service, [36 F.3d 457 (5th Cir. 1994).] In this case, the court decided whether or not the Secret Service’s seizure of a computer that was used to operate an electronic bulletin board system, constituted an intercept of the stored but unread e-mail contained on the system. Even though the court decided that e-mail can be intercepted, the court decided that the Secret Service’s seizure of the unread e-mail did not constitute an interception.

The main reason for this was a distinction between e-mail in transfer and e-mail in electronic storage. The use of the word "transfer" in the definition of electronic communication, and the omission from that definition of the phrase "any electronic storage of such communication", says that Congress did not intend for intercept to apply to electronic communications when those communications are in electronic storage. This means that there is only a very narrow window of time during which an e-mail interception may occur: the time between when an e-mail message is sent and when it is saved to any location designated as storage. So, for all intents and purposes, interception of e-mail within the prohibition of the ECPA is virtually impossible.

The next condition of the ECPA, and the one which concerns most employers, is its protection against the unauthorized access of electronic communications in electronic storage. [18 U.S.C. 2701 (1994).] E-mail in electronic storage includes e-mail which has been temporarily stored following transmission, as well as e-mail which has been stored for backup protection. [18 U.S.C. 2510(17) (1994).] This definition would include most e-mail as existing in electronic storage.

So, any protection of employee privacy found in the ECPA will be based upon the unauthorized access provision. The ECPA has built-in exemptions that will protect most employers against suit. These exemptions are: prior consent, business use, and system provider.

1. Prior Consent

The best protection against liability under the ECPA is when prior consent has been given for any interception or access of e-mail in electronic storage. Interception of electronic communication is expressly allowed by the ECPA when one of the parties to the communication has given prior consent. [18 U.S.C. 2511(2)(d) (1994).] Also, access to stored electronic communication is allowed without liability when authorization has been given by a user of that service with respect to a communication of or intended for that user. [18 U.S.C. 2701(c)(2) (1994).] An easy case to understand here is American Computer Trust Leasing v. Jack Farrell Implement Co. [763 F. Supp. 1473, 1495 (D. Minn. 1991).] Summary judgment was granted in this case, stating that when the party consented to the access of its computer system, it cannot now claim that such access was unauthorized.

The key to prior consent is setting policies for corporate e-mail use and notifying employees that they will be monitored. This policy should be corporate-wide, and employees that use the system will be judged as giving implied consent upon reviewing the policies and agreeing to the fact that they have read and reviewed the policies. Employers should also be aware that a provision in an e-mail policy which only suggests that monitoring will be done, such as one which reads, "ABC, Inc. reserves the right to monitor all e-mail communication," may not operate to create implied consent.

2. Business Use Exemption

Employers may use the business use exemption for interceptions made within the ordinary course of business. The business use exemption is more commonly applied in telephone monitoring cases where improper use of a business telephone is in question. Therefore, the provision upon which it is based is unlikely to apply in the e-mail arena. The definition of intercept in the ECPA excludes interceptions captured by telephone or telegraph instrument, equipment, or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication services ... being used by the subscriber or user in the ordinary course of business. [18 U.S.C. 2510(5)(a)(i) (1994).] This definition indicates that telephone or telegraph equipment is necessary for the exclusion to apply. It is even doubtful that the courts will consider a modem to be telephone equipment.

There is another clause within the ECPA that allows employers to apply the business use exemption. Section 2511(2)(a)(i) states: It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service. [18 U.S.C. 2511(2)(a)(i) (1994).]

For this exemption to apply, the employer would have to be classified as a system provider or an agent of a system provider. Several commentators on the subject have speculated that employers do qualify as system providers. The term provider would likely include public e-mail networks, such as Prodigy and Compuserve, and the term agent may or may not be defined to include employers who subscribe to or use their e-mail service. Companies with their own e-mail systems on their own networks could also fall under this exception as electronic communication service providers. Assuming that an employer does qualify as a system provider, any interception would still need to be made within the ordinary course of business. [18 U.S.C. 2511(2)(a)(i) (1994).]

Previous case law in telephone call monitoring provides some stare decisis for monitoring of employee e-mail in the ordinary course of business. In both Watkins v. L.M. Berry & Co. [704 F.2d 577 (11th Cir. 1983).] and Briggs v. American F …