Eyeing your employees' online activities is risky. A privacy and usage policy is your best legal shield
Four female employees sue their company for sexual harassment, based in part on off-color jokes transmitted via e-mail. The result: a $2.2 million settlement. A window washer sees child pornography on an office computer screen. Shortly thereafter, the FBI seizes the company's computers, stopping business in its tracks.
Real-life horror stories like these have companies rushing to implement technology to monitor employees' Internet use, e-mail and stored files. About 17% of Fortune 1,000 companies, along with a half-dozen federal agencies, now use monitoring software, according to IDC, a research firm in Framingham, Mass. The figure is expected to jump to 80% by next year and to grow at a compounded annual rate of 75% through 2003.
But companies that act decisively to control Internet access and e-mail can get tripped up, too, as one police department discovered after it fired an employee because his computer showed that he had visited www.whitehouse.com, a pornographic Web site. The employee countered with a wrongful termination suit, claiming that he meant to visit the actual White House Web site, www.whitehouse.gov - an explanation that, true or false, resulted in a $100,000 settlement.
Because many disputes involving e-mail and Internet use are settled confidentially or are slowly working their way through the judicial system, it's impossible to know the extent to which these anecdotes indicate a representative sample. What's clear, though, is that employers are attempting to respond to these perceived threats of liability. What's also clear is that employees fired for inappropriate use of the Internet or e-mail will likely consider suing their employers for a panoply of perceived wrongs.
Although the law provides companies with significant freedom to monitor their workplaces, no magic "safe harbor" exists. As a result, companies must very carefully implement appropriate usage programs that explicitly cover issues of privacy to avoid - or at least minimize - their potential legal liability. Crafting a carefully designed privacy policy is the critical first step. Here's how.
Know The Legal Landscape
Although laws vary among states - and a slew of workplace privacy bills have been proposed in state legislatures and in Congress - workers are generally unprotected from companies monitoring their computer use. But companies' rights aren't totally unrestricted.
At the federal level, the Electronic Communications Privacy Act of 1986 (ECPA) prohibits the "interception" or unauthorized access of stored communications, but its practical impact on well-managed companies is to punish electronic snooping by outsiders. This is because the courts have so far ruled that "interception" applies only to messages in transit and not to messages that have actually reached company computers.
But the ECPA also works to help companies avoid liability. For example, consent, whether express or implied, is an absolute bar to liability. Consequently, companies are protected if they disseminate privacy policies and have systems in place to make sure that workers read and consent to them.
State privacy laws, when they exist, also tend to favor employers over employees. To sue for invasion of privacy, an employee must have had a "reasonable expectation of privacy." So far, courts have been unsympathetic to privacy claims by employees using company equipment. Certainly, the easiest way for a company to defeat a privacy claim is to show that an employee had been given explicit notice that e-mail, Internet use and files on company computers aren't private and might be checked - exactly the type of notice in a privacy policy.
But beware. Even this protection isn't bulletproof because it doesn't explicitly cover the case of employees who use their own computers at work, which is common at high-tech firms.
The trickiest and most uncertain area of liability involves employment-related claims, particularly when electronic communications are used to support allegations of harassment or discrimination. Many executives think that a single offensive e-mail is enough for a company to be held liable for creating a hostile work environment. But that isn't the case.
Even before Internet use became popular, courts held that a single offensive incident doesn't create a hostile work environment. Instead, the offensive conduct must be so severe and pervasive that it changes the work environment. This doesn't mean that individual e-mails can't lead to court cases. But this is precisely where a written policy that clearly spells out appropriate usage and eliminates any expectation of privacy can go a long way toward establishing a company's defense.
A privacy/appropriate usage policy helps in two ways. First, it helps meet an employer's obligation to make "reasonable efforts" to prevent harassment by telling employees what type of conduct is appropriate and letting them know that the company can track their activity. Second, it lets a company respond swiftly to violations because the policy provides a legitimate, nondiscriminatory reason for its disciplinary actions.
Even if an employee can establish the existence of a hostile work environment, having both a privacy policy and an appropriate usage policy will help an employer defend itself. Two recent Supreme Court cases now make it clear that if nothing "tangible" has happened to an employee, such as being passed over for a promotion, and the company has a complaint process in place that the alleged victim knew about but chose not to use, then the employer has a strong defense to a lawsuit.
Set Your Monitoring Objective
The first step in creating or evaluating a privacy policy is to ask two questions that also have legal implications: "What is my company trying to accomplish, and can it implement the program appropriately?"
Take the issue of monitoring employees' Internet use. Companies generally are concerned about both excessive personal use and access to inappropriate sites, particularly because of the potential for hostile work environment claims. If the goal is to prevent unauthorized conduct, a company might focus on blocking access to offensive sites. Yet blocking is likely to miss new sites, and some Web sites use techniques designed to fool blocking software - as seen in the approach taken by www.whitehouse.com. And since laws may vary from state to state, blocking software might have to be customized based on a user's geographic location.
If the goal is instead to catch workers who choose to access inappropriate sites, then a company might focus on analyzing the sites visited by a particular user. This approach is risky because monitoring is more subjective and labor-intensive - involving programmers, human resources personnel and management. Also, what companies consider appropriate and inappropriate may itself be discriminatory. Some gay- or lesbian-oriented Web sites, for example, may contain sexual content, but employees aren't necessarily going to them for sexual material. In states that have laws prohibiting discrimination based on sexual orientation, companies that discipline homosexual employees for visiting such sites could find themselves accused of discrimination, with their own policies used as evidence against them.
Some companies have also found that monitoring programs can result in false accusations, particularly when people are misdirected to inappropriate sites. Some companies might consider it important to know how their employees are using the discretion with which they're entrusted and decide that the risks and costs are worthwhile. These employers have an even greater incentive to create and distribute clear and specific privacy policies if they want to reduce the type of subjective, case-by-case evaluations that create a higher risk of discrimination claims.
Decide Whom and What To Monitor
Different usage policies may suit different categories of personnel, but you must tread carefully. It's true that harassment or inappropriate usage can come from anywhere. At the same time, some companies may have reason to believe that the threats are greater in one department than in another, and they may wish to allocate their monitoring resources accordingly. But companies that handle this issue poorly have a greater risk of being accused of discrimination.
A related issue is also among the most delicate: whether and how to monitor supervisors, managers and other higher-level employees. Because these people have the power to act on behalf of the company (reviewing, promoting and firing personnel), they pose the greatest risk of exposing the company to harassment complaints. On the other hand, because managers handle sensitive information, companies may be reluctant to let lower-level employees review their electronic communications. And it would be burdensome indeed to require that such communications be reviewed only by a more senior person.
Know How Frequently To Monitor
A recent survey by the New York-based American Management Association indicated that most companies that monitor e-mail and stored files run spot checks or review files during special circumstances (such as an investigation), while Internet use is monitored more regularly. Employers must know that treating classes of workers differently creates greater risk for a lawsuit.
Companies probably don't need to include in their privacy/appropriate usage policies the details of how they will monitor workers. As long as an employee knows that it occurs, the company should be protected. But clear internal policies are still necessary to reduce the potential for inconsistent treatment that could come back to haunt the company.
Plan What To Do if Violations Occur
Violations do occur, so your best protections are consistency and disclosure. A company is safest when it can show that it treats all of its workers the same and that they all know what's at stake. For example, a company could get into legal trouble for punishing a male employee more seriously for having pornographic content on his system than it punished female workers with similar material.
With the legal environment still developing, employers should realize that simply drafting and enforcing a policy isn't enough. Dangers still lurk. For example, companies with unionized labor need to heed the National Labor Relations Board, whose general counsel issued advisory opinions that challenged "business use only" e-mail policies as unlawful restrictions on employee solicitation and distribution rights. Companies with global operations must keep an eye on other countries, such as Great Britain, Australia and France, that have pending legal cases and legislative initiatives that merit attention. The bottom line is clear: Laws governing privacy continue to evolve, so to avoid being burned by enforcing outdated usage policies, business leaders must keep this issue on the front burner. roi
Michael H. Steinberg is a litigation partner at Sullivan & Cromwell in Los Angeles, specializing in disputes with a technological nexus. He can be reached at . David E. Azar is a litigation associate at Sullivan & Cromwell and a member of the firm's e-business and technology group. He can be reached at .
Copyright © 2001 IDG Communications, Inc.