employees’ privacy rights in the digital age
DESCRIPTION
Article by Wendi Lazar and Lauren Schwartreich published in the New York Law Journal in April 2010.TRANSCRIPT
Employees’ Privacy Rights in the Digital AgeWendi S. Lazar and Lauren E. Schwartzreich
Ten years ago employees wondered if their employers could look through their purses merely be-cause they brought them to work. Today employees ask whether their employers own all electronic data created, viewed or stored on their work computers and BlackBerrys.
In New York, private sector employees may have a reasonable expectation of privacy in their work computers, cellular phones and other electronic devices. In 2001 the U.S. Court of Appeals for the Second Circuit confirmed in Levanthal v. Knapek1 that an employee may have a reasonable expec-tation of privacy in the content of her work computer, especially where her employer maintains an unclear technology usage policy. Since Leventhal, employers in the Second Circuit have crafted broad and detailed technology policies aimed at draining reasonable expectations of privacy out of employees’ work-related technology.
These policies aim to bind employees to notices stating, more or less, that (1) all electronic data created, stored, received or sent from the employer’s electronic device or system (e.g., computer server or third-party wireless service provider), regardless of the purpose for which it is created, is the employer’s property; (2) the employee cannot expect such data to remain private; and (3) the employer may monitor and obtain such data at its discretion and without further notice to the employee.
Although employers expect that these policies will permit unfettered access to employees’ personal electronic data, courts are increasingly scrutinizing their enforceability. In Pure Power Boot Camp Inc. v. Warrior Fitness Boot Camp, LLC,2 the court was incredulous of the employer’s reliance upon its policy to defend its accessing of an employee’s personal Hotmail e-mail account. The court explained, “[i]f [an employee] had left a key to his house on the front desk at [his workplace] one could not reasonably argue that he was giving consent to whoever found the key, to use it to enter his house and rum-mage through his belongings.”3 It now appears in the Second Circuit that employees do not check their privacy at the door to their workplace.
Discriminatory Practices
Inconsistent monitoring or enforcement of technology policies against employees may be unlawful. An employer may not selectively enforce a technology policy against an employee who exercises workplace rights, such as engaging in union organizing activities.4
Monitoring Internet or telephone usage may be unlawful where it is done in response to a complaint of discrimination. For example, in Zakrzewska v. The New School,5 the court found that an employer’s covert monitoring of an employee’s personal Internet usage after she complained of discrimination could constitute an unlawful retaliatory adverse employ-ment action. Similarly, in Dotson v. City of Syracuse,6 the court found that an employer’s monitoring of an employee’s telephone conversations after she had complained of discrimination was “intrusive” and might also constitute unlawful retaliation.
New York Law Journal article April, 2010
NEW YORK3 Park Avenue
New York, NY 10016212-245-1000
CONNECTICUTFour Landmark Square
Stamford, Ct 06901203-363-7888
www.outtengolden.com
Wendi S. Lazar
Lauren E. Schwartzreich
Unauthorized Accessing
Technology policies do not confer access to employees’ personal electronic information stored by cellular providers or on employees’ personal online e-mail accounts, restricted-access social networking site profiles or password-protected blogs. Federal statutes, such as the Electronic Communications Privacy Act, and its subsections the Wiretap Act7 and the Stored Communications Act (SCA),8 provide criminal and civil penalties against employers who gain unauthorized access to employees’ personal electronic communications and data. Employers may pay heavily for assuming that their technology policies shield them from these laws.9
Under the Wiretap Act,10 employers may not intercept employees’ personal electronic communications (that are in trans-mission). While employers may be liable under this act for monitoring employees’ telephone calls11 claims of unlawful interception of e-mails are less likely to succeed under the act due to courts’ narrow construction of the “in transmission” provision of the law.12
Employers may violate the SCA if they access employees’ personal e-mail accounts without permission. In Pure Power Boot Camp, discussed above, the employer maintained a broad computer use policy stating that employees had no right of personal privacy in any matter stored in or created on the company’s system, inclusive of personal e-mail accounts accessed on the company’s system, and that computer usage was subject to monitoring without additional notice. The employer accessed the employee’s personal Hotmail account by using the password he had saved on his computer.13 The court found that by these actions the employer violated the SCA.
Employers may violate the SCA by accessing employees’ otherwise restricted Web sites, such as password-protected social networking sites and chat groups. In a case out of New Jersey, Pietrylo v. Hillstone Restaurant Group,14 a district court re-cently upheld a jury verdict finding that an employer violated the SCA where it accessed a group of employees’ password-protected and invite-only chat forum located on the social networking site, MySpace.
Employers may also violate the SCA by accessing employees’ personal text messages via a cellular wireless provider—even if the employer owns the phone, pays the bills and maintains the contract with the provider.
In Quon v. Arch Wireless Operating Co.,15 a decision out of the U.S. Court of Appeals for the Ninth Circuit, a wireless provider violated the SCA by providing the employer-city with transcripts of text messages sent to and from the plaintiff-employee’s work pager. The employer maintained a technology policy that, it argued, (1) permitted the employer to moni-tor electronic communications, including pagers, and (2) put the employee on notice that electronic communications via pagers were not confidential and that pagers were not for personal use.
However, the employee’s supervisor maintained an informal policy permitting personal use of pagers and also agreed not to monitor the communications if the employee paid all service plan overage fees. After the employee exceeded the service plan on several occasions, and even though the employee paid the overage, the employer asked the wireless provider for transcripts of the employee’s text message communications. The wireless provider complied. Subsequently, the employer terminated the employee citing the content of those text messages, and the employee successfully sued both his employer (for violating his Fourth Amendment rights) and the wireless provider (for violating the SCA).
In December 2009, the U.S. Supreme Court denied cert. to the wireless provider who had appealed the Ninth Circuit’s decision in Quon, thus confirming that entities like cellular service providers, Web-based e-mail providers and social net-working sites risk violating the SCA if they disclose the contents of employees’ stored communications to their employer.
However, the implications of Quon are still unsettled. On Dec. 14, 2009, the Supreme Court granted certiorari to the city-employer (arguments were heard April 19, 2010). In doing so, the Court may have set the stage for a potential shift in employee privacy rights. The Court’s opinion may venture beyond the unique public sector issues raised in the cert petition and touch upon private sector employees’ privacy rights. Further, the Court’s ruling (or dicta) concerning employee privacy may influence lower courts’ analyses of privacy rights in the private sector.
At this juncture, wireless providers will undoubtedly avoid disclosure of text messages to employers without direct authori-zation from the actual user, recipient or intended addressee, as required under the SCA.16 Thus, employers are less likely to obtain the content of employees’ personal text messages through a wireless provider.17
New York Law Journal article April, 2010
Employees’ Privacy Rights in the Digital Age (Cont*)
Similarly, online e-mail providers and social networking sites are unlikely to disclose employees’ personal user content to employers due to similar liability. Even where an employer compels an employee to sign a waiver, entities subject to the SCA will likely not disclose protected content. As a result of others’ liability under the SCA, employees indirectly receive some protection against disclosure of their stored private electronic communications.
Privileged Communications
In addition to being protected from unauthorized accessing or selective monitoring of private electronic communications by their employers, as described above, New York employees’ communications with counsel may also receive protection from inadvertent disclosure.
While circuits are split over whether employees waive their attorney-client privilege by communicating with counsel or maintaining privileged content on a work computer,18 the Second Circuit would likely find no waiver where communica-tions are via online personal e-mail accounts.19
In United States v. Hatfield,20 the court found no waiver of privilege concerning electronic communications and docu-ments an employee maintained on his work computer. The court noted the absence of direct guidance on this issue from the Second Circuit or the New York Court of Appeals and applied a four-factor test well-established within the district courts21 and added its own fifth factor: (1) whether the employer maintained a policy banning personal computer use; (2) whether the employer monitored employees’ use of computers or e-mails; (3) whether third parties had a right to access employees’ computers or e-mails; (4) whether the employee was on notice of the use and monitoring policies and (5) whether disclosure of the privileged information would be consistent with the employer’s interpretation of its own policy.
The employer’s broad computer use policy was problematic in several respects: it did not expressly prohibit usage for per-sonal legal matters; it did not state that the employer will monitor computer usage; the employer did not actually monitor computer usage; and the employer understood its policy to protect other employees’ “privileges.”22
Notably, the court found it would be “fundamentally unfair to subject [the employee] to the consequences of waiving privilege based on a strict, theoretical interpretation of [the employer’s] Computer Usage Policy that was never imagined by [the employer] itself and, in fact, contradicted by [the employer’s] own actions….”23
Most recently, in Stengart v. Loving Care Agency Inc.,24 the New Jersey Supreme Court issued an opinion as yet the most important for employee privacy rights in 2010. The court affirmed an appellate court’s ruling that an employer violated its employee’s privacy when it accessed the employee’s e-mails to and from counsel that were sent and received from a work computer. The court confirmed that while an employer has a right to establish policies and to discipline employees who violate them, a policy that allows an employer to read an employee’s attorney-client communication is unenforceable.
State Law Claims
Employees and their counsel may find additional privacy protections from existing state statutory and common law. Unfor-tunately, New York does not recognize invasion of privacy claims.25 However, New York’s labor law does prohibit termina-tion of employees based on recreational activities performed outside the workplace,26 arguably including online activities like blogging or Twittering.
New York employees may also have claims of false light invasion of privacy (e.g., for online misrepresentations about employees, such as statements made by managers on social networking sites like LinkedIn) or tort claims arising out of workplace cyberstalking. It may also be possible to bring a tortious interference of contract claim against an employer who requires an employee to disclose her password to her social networking site profile, as this act may violate her social networking site’ service agreement27 or because the policy violates public policy concerns.
Conclusion
The Supreme Court’s upcoming decision in Quon will certainly give New York lawyers new parameters for understanding and interpreting private and public sector employees’ rights to workplace privacy in the digital age. In the meantime, how-ever, a new set of rules is already re-shaping employees’ expectation of privacy and their understanding of what electronic communications are protected.
New York Law Journal article April, 2010
Employees’ Privacy Rights in the Digital Age (Cont*)
Wendi S. Lazar is a partner at Outten & Golden and co-chair of the firm’s executives and professionals practice group. Lauren E. Schwartzreich is an associate at the firm and co-chair of its Electronic Discovery Committee.
Endnotes:
1. 266 F.3d 64, 74 (2d Cir. 2001).2. 587 F.Supp.2d 548 (SDNY 2008).3. Id. at 561.4. See, Guard Publishing Co. v. NLRB, 571 F.3d 53, 60 (D.C. Cir. July 7, 2009); cf. Gorzynski v. JetBlue Airways Corp., 596 F.3d 93 (2d Cir. Feb. 19, 2010).5. 543 F.Supp.2d 185 (SDNY 2008).6. No. 5:04-CV-1388, 2009 U.S. Dist. LEXIS 62174 (NDNY July 21, 2009).7. 18 U.S.C. §2510, et seq. (prohibiting unauthorized interception of communications while in transmission).8. 18 U.S.C. §2701, et seq. (prohibiting unauthorized access of stored electronic communications).9. Under the SCA, employees may obtain an award of punitive damages where the violation was intentional, attorneys’ fees and costs, and statutory damages with proof of actual damages. See Van Alstyne v. Electronic Scriptorium Ltd., 560 F.3d 199 (4th Cir. 2009).10. See, 18 U.S.C. §2511(1)(a)-(b).11. See, Hay v. Burns Cascade Co. Inc., No. 5:06-CV-0137, 2009 U.S. Dist. LEXIS 12160 (NDNY Feb. 18, 2009).12. See, Konop v. Hawaiin Airlines Inc., 302 F.3d 868, 878-79 (9th Cir. 2002) (employer intercepted messages that were in storage, not while they were in transmission); Steve Jackson Games Inc. v. U.S. Secret Serv., 36 F.3d 457 (5th Cir. 1994) (unopened e-mails on computer were not in transmis-sion); but see United States v. Councilman, 418 F.3d 67, 85 (1st Cir. 2005) (en banc) (e-mails in “transient electronic storage” are intercepted while “in transmission” as defined under the statute).13. The employer further accessed his Gmail and another e-mail account through information (and the password) it obtained through the Hotmail account.14. No. 06-5754, 2009 U.S. Dist. LEXIS 88702 (D. N.J. Sept. 25, 2009).15. 529 F.3d 892 (9th Cir. 2008). Rehearing, en banc, denied, 554 F.3d 769 (9th Cir. 2009), cert. granted sub nom. City of Ontario v. Quon, 130 S. Ct. 1011 (Dec. 14, 2009) (hereafter, Quon).16. See, 18 U.S.C. §2702(b)(3).17. Employers may still obtain text messages through physical examination of employees’ work cell phones, as the SCA only applies to electronic data stored by a “remote computing service” or “electronic communication service.” 18 U.S.C. §§2701-2711.18. Compare United States v. Ziegler, 474 F.3d 1184, 1190 (9th Cir. 2007) (reasonable expectation of privacy in contents of work computer); with Muick v. Glenayre Electronics, 280 F.3d 741, 743 (7th Cir. 2002) (no expectation of privacy in contents of work computer); United States v. Simmons, 206 F.3d 392, 398 (4th Cir. 2000).19. See, United States v. Hatfield, No. 06-CR-0550, 2009 U.S. Dist. LEXIS 106269 (E.D.N.Y. Nov. 13, 2009) (Second Circuit likely to uphold privilege); Curto v. Medical World Communications Inc. 03-CV-6327, 2006 U.S. Dist. LEXIS 29387 (E.D.N.Y. May 15, 2006); Geer v. Gilman Corp., 06-CV-0889, 2007 U.S. Dist. LEXIS 38852 (D. Conn. Feb. 12 2007), Orbit One Communications Inc. v. Numerex Corp., 255 F.R.D. 98, 107-8 (SDNY 2008); In re Asia Global Crossing, Ltd., 322 M/R/ 247. 259-61 (SDNY Bnkr. 2005); but see, Long v. Marubeni America Corp., No. 05 Civ. 639, 2006 U.S. Dist. LEXIS 76594 (SDNY Oct. 19, 2006); Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436 (N.Y. Supp. Ct., N.Y. Cty. 2007).20. 2009 U.S. Dist. LEXIS 106269, at 30 n12.21. See, Curto, 2006 U.S. Dist. LEXIS 29387 at 2-3 (applying four-factor test and finding that employee did not waive privilege by maintaining docu-ments on employer’s computer); Geer, 2007 U.S. Dist. LEXIS 38852 at 3-4; Orbit One Communications Inc., 255 F.R.D. 98 at 107-8.22. 2009 U.S. Dist. LEXIS 106269, at 33.23. Hatfield, 2009 U.S. Dist. LEXIS 106269 at 34 n14.24. Stengart v. Loving Care Agency Inc., 408 N.J. Super. 54 (App. Div. 2009), aff ’d, —N.J.— (March 30, 2010).25. See, Mack v. United States, 814 F.2d 120, 123 (2d Cir. 1987); but see Brown-Criscuolo v. Wolfe, 601 F.Supp.2d 441 (D. Conn. 2009); Walston v. UPS, No. 2:07-CV-525, 2009 U.S. Dist. LEXIS 10307 (D. Utah, Feb. 11, 2009).26. See, New York Labor Law §201-d.27. Facebook Statement of Rights and Responsibilities (Dec. 21, 2009) (http://www.facebook.com/policy.php#!/terms.php) (last visited March 19, 2010).
New York Law Journal article April, 2010
Employees’ Privacy Rights in the Digital Age (Cont*)