Electronic commerce (e-commerce), like the Internet itself, has grown by leaps and bounds in recent years. E-commerce has until recently been almost exclusively a self-regulated industry with little or no governmental intervention. In recent years, however, government has shown increasing influence in the world of online business.
Employers in the Internet age are impacted by increased governmental presence, if not by the Internet itself. Most employees now have access to a relatively unregulated digital domain on their computers where they can access content inappropriate for the work environment or distracts them from their jobs. The ease and seeming sterility of electronic mail can lead to harassment claims. Communications by email have replaced memos, letters, telephone conversations and even in-person conversations for many communications. Blogs and social networking sites may disclose internal company business or confidential matters. Internet access presents the risk of copyright and trademark infringement litigation. With these issues in mind, this chapter will address some of the most serious and pressing aspects of operating a company in the Internet age.
As the integration of technology in the workplace continues to change the landscape of communication and privacy, the need for employers to protect themselves through legal monitoring, too, is increasing. Surveillance of employees raises a host of privacy concerns and potential liability for employers.
State law prohibits the intentional interception of any wire oral or electronic communication as well as the disclosure or use of any data obtained through unlawful wiretapping or surveillance. However, where the interceptor is a party to the actual oral, electronic or wire communication, the prohibition does not apply. Likewise, if at least one party to the communication consents to its interception, such interception is lawful.
Employees who bring wiretapping actions against employers also commonly assert claims for invasion of privacy.
Many employers feel that surveillance of employees can not only be an effective tool to combat such things as employee espionage and theft, but also can improve employee productivity and efficiency. Opponents, however, maintain that computer and electronic monitoring wrongfully intrudes into employee privacy. There is no question that electronic surveillance is more intrusive than human monitoring because employees can be watched at all times, sometimes in complete secrecy.
This chapter will first address how employers monitor employees via computer and electronics and the legal issues that arise out of such monitoring.
Given the advances in technology, employers now have the ability to monitor display terminals. Technology is now available that allows employers to monitor when an employee turns the monitor on or off, the number and sequence of keystrokes and so on. Many employers also review Internet “histories” of employees to determine whether sites visited are in the best interest of the company and are work-related.
Computers can, for instance, be used to track the number of sales made by employees. Some trucking companies use computers to monitor the drivers’ speed and duration of stops. Building access security cards now enable employers to determine when employees arrive and leave work.
Listening to employees’ business-related telephone calls made to and from the company is one of the most common forms of workplace monitoring. Companies dependent on telephone work often listen in on employees to evaluate the quality of their interaction with the public.
Employers use video equipment and audio equipment to monitor employee activity on the shop floor, in break rooms, etc. Video and audio surveillance is used by employers not only for the purpose of investigating thefts, but also to prevent sabotage to equipment and unlawful harassment. In addition, some surveillance of employees is conducted simply to monitor work performance.
The federal Omnibus Crime Control and Safe Streets Act (Wiretap Act) protects wire, electronic and oral communications of individuals. It establishes a civil cause of action for the unlawful interception of wire, electronic and oral communication. The statute forbids “interception of wire or oral or electronic communication through the use of an electronic, mechanical or other device.” “Interception” is defined as “the aural or other acquisition of the contents of any wire, electronic or oral communication through the use of any electronic, mechanical or other device.” The federal Wiretap Act does not apply to video surveillance, but does apply to oral communication intercepted in conjunction with such surveillance.
An “oral communication” is defined as “any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation.” If an individual has a reasonable expectation that his or her oral communication will not be intercepted, the interception of the conversation by an electronic device, such as a hidden microphone, may give rise to a cause of action.
The Electronic Communications Privacy Act (ECPA) expanded the federal Wiretap Act’s coverage to “electronic communications,” by prohibiting the intentional interception, accession, disclosure or use of an electronic communication. The ECPA’s definition of electronic communication includes email and text messages, among other things.
“Any transfer of signs, signals, writings, images, sound, data or intelligence of any nature transmitted in whole or in part of a wire, radio, electromagnetic, photoelectronic or photo optical system that affects interstate or foreign commerce.”
The ECPA allows employers to retrieve electronically stored information. Not much litigation has arisen under this section because the employer’s legal right to retrieve information is fairly broad and clear. Some plaintiffs, however, have tried to be creative. For instance, a plaintiff claimed an “interception” occurred where messages were retrieved from storage before they were sent. The court rejected the argument. Similarly, another court held that an employer’s search of email messages was not illegal. The court found that no “interception” had occurred and that the applicable statutes were Title II (electronic storage) rather than Title I (interception).
Telephone calls are wire communications.
Liability under these laws only attaches when the communicator reasonably expected to communicate free from interception. Determining whether someone reasonably can expect to make communications free from interception is analogous to determining whether someone has a reasonable expectation that the communication is private. While employees may expect that conversations in a normal tone of voice will be overheard by those standing nearby, it is unlikely that employees would expect conversations to be electronically intercepted and monitored from another part of the building or another location absent specific notification from the employer about monitoring.
No violation of the statute occurs where one of the parties to the communication has given prior consent. The consent should be in writing, signed by the employee. Courts have rejected employers’ arguments that employee consent should be implied.
The prohibition discussed previously does not apply to monitoring of telephone calls in the “ordinary course of business.” Employers may continue to monitor an employee’s call only as long as the employer has determined that it is in fact a business call. After determining that it is a personal call, the monitoring is no longer “in the ordinary course of business.” It is eavesdropping and against the law.
Employers, generally, may monitor employee activities to analyze performance or investigate misconduct, as illustrated by the following examples of conduct courts have found to be legal: checking the license plates of the cars parked on a public street by visitors to the home of a security guard who was under investigation; taking photographs of production employees for an efficiency study; photographing an employee returning stolen property; recording the errors the employees made on computers to measure the performance of the equipment. Such monitoring need not be restricted to the workplace. It should, however, be confined to public areas. For instance, monitoring an employee doing yard work while on workers’ compensation leave is allowable, but entering their home is not.
Courts have held that even if an employer had repeatedly told its employees that its email system would remain confidential; an employee does not have a reasonable expectation of privacy in sending a threatening email to a supervisor over the company email system. The company’s interest in preventing inappropriate and unprofessional comments or even illegal activity over its email system outweighs any privacy interests.
Employers may film an employee in public areas as part of an investigation of the employee’s claim for worker’s compensation. Courts have rejected employees’ claims that filming activities at home constitute an invasion of privacy because employees should expect claims of injury to be investigated and surveillance conducted in a reasonable and unobtrusive manner will not give rise to liability for invasion of privacy. The same activities could be observed by a neighbor or passersby and filming in such situations is neither unreasonable nor highly offensive to a reasonable person.
Employees do have reasonable expectations of privacy in rooms such as bathrooms, locker rooms and changing areas and employers may unlawfully invade employees’ privacy rights by installing videotape cameras in those areas.
The technological advances of today’s workplace have given employees access to many types of communication devices, including computers, computer networks, emails, pagers, Internet and phone systems with voicemail messaging capabilities. It is imperative that an employer’s computer and communication policy state that the purpose of such communication devices is to facilitate company business.
An employer may elect to state that the company’s communication systems are not to be used for any business but the company’s business. The company may want to provide that incidental and limited non-business use of communications systems is acceptable, but that this privilege should not be abused. Third parties, however, should always be prohibited from using a company’s communication systems.
The policy should address acceptable and appropriate uploading and downloading of information onto a computer and/or network to prevent virus infiltration. The policy should also address the use of passwords and any restrictions associated with passwords.
The policy should address employees’ use of email. The policy could address what steps an employee should take if an email message is inadvertently sent to a third party. A discussion of the appropriate tone and content used in emails is advisable. A strong statement should be included against the use of email or any other form of communication for purposes of sending, accessing or storing any material of an insensitive, discriminatory, obscene or harassing nature. The policy can include a prohibition against chain letters or emails with illegal purposes.
Another area of law that the policy should address is copyright laws. The policy could include a statement that employees should not transmit copies of documents in violation of copyright laws or copy or use any software in violation of copyright laws.
The policy should inform employees that the company has a right to inspect, review and monitor use of its computers and communication systems. The company should state that information contained in computers, email or voicemail that is incidental or of a personal nature is not treated differently from other information. Therefore, employees should not expect that the company’s computer network or telephone system is private.
Since 2000, the Electronic Signatures in Global and National Commerce Act (E-Sign) has allowed online documents signed using digital signatures to carry the same legal weight as written documents. E-Sign allowed the expansion of fully electronic e-commerce, unhindered by any requirement for a signed written documents. This allows, for instance, fully online real estate purchases carried out by parties across the world, without these parties having to attend closings or even to fax documents back and forth.
The key to E-Sign is authenticity and identity. This technology has been in place for several years and is already used in the transfer of certain files from online providers.
The technology allows a signature to be permanently affixed to the online document, much like an ink signature and transferred with the document wherever it is sent. E-Sign does not set out the technological requirements of a digital signature, but the American Bar Association (ABA) has developed a guideline manual explaining some requirements of digital signatures to ensure their enforceability. The guidelines may be ordered from the ABA at:
Whether beginning a business’ online commerce or simply ensuring its continued success, a check of business method patents is required to avoid infringement issues. Business method patents are patents covering unique online business practices. These patents differ from the traditional “nuts and bolts” patents of the physical world and pull the U.S. Patent and Trademark Office into the digital realm. For instance, use of a “shopping cart” for online transactions was unique enough to be patented.
It is important for employers to protect business method patents and to avoid infringement of others’ patents. Because this issue is new and technologically driven, it is wise to consult with a competent patent attorney about these issues.
Employers may encounter a situation in which an employee invents a process that is patented, which may entitle the employer to free use of this invention. This non-exclusive use is known as a “shop right” to the invention and continues even after the employee has left the company’s employ.
Generally, the inventions of an employee belong to that employee. However, an employer can gain entitlement to all or part of these inventions through agreement or contract with the employee. Even absent an agreement, though, an employer may be entitled to free, non-exclusive “shop rights” for use of the invention if it was conceived using employer time and resources or the employee was hired to invent. The resources utilized by the employee must be substantial and not “trivial.”
These “shop rights” are based on equity. An employer spends money to assist in the invention and it is equitable and fair to allow it to reap the rewards of this expenditure. However, the employer has a non-exclusive license, so the employee can also benefit from his or her work. In a situation where the employer has not contributed, it would be contrary to equity to allow the employer to benefit from the outside work of the employee simply because the employee worked for the company at the time of the invention.
Domain names are alphanumeric strings that correspond with the purely numeric IP addresses on host computers. In English, this means that domain names are letter-based masks that allow navigation within the numeric backbone of the Internet. While a computer reads numbers, people need alphanumeric (letter) signals to guide them through the maze of the tens of millions of webpages on the Internet. For instance, most people would have trouble remembering an IP address of http:// followed by 12 numbers, but people can remember a corresponding domain name, such as:
The Internet Assigned Numbers Authority (IANA) is the organization responsible for the administration of all domain names. Underneath IANA are two branches: country-specific domain names and generic domain names. The country-specific top-level domains (ccTLDs) are administered by country managers. In the United States, the country manager administers the .gov, .us and .mil domain names. Other countries have their own ccTLDs, for instance, .uk for England and .jp for Japan.
The other branch below IANA is administered by The Internet Corporation for Assigned Names and Numbers (ICANN). ICANN administers the five current generic top level domains (gTLDs):
Since the first domain name registration in 1985, more than eight million commercial website domain names have been registered under the .com, .org. or .net domain name system.
In November 2000 the ICANN selected seven TLDs to be added to the gTLDs already in existence. The new TLDs are:
The .pro registry agreement was signed in May 2002. Information on all of the gTLDs can be obtained from the ICANN at:
The domain name(s) chosen to represent a business on the Internet must be carefully thought out for marketing and other business reasons. Domain name decisions should also include ways to protect the company from infringing upon the intellectual property of another through a domain name and for ensuring that the company can protect its domain name from similar uses by others.
As a basic starting point prior to registering a domain name, companies should check possible domain names against a list of registered trademarks. A good place to start is the U.S. Patent and Trademark Office (PTO). The PTO has a searchable online database called Trademark Electronic Search System (TESS)). TESS is free of charge and can be accessed at:
If there are no conflicts in TESS, try searching the Internet for terms containing the domain name and similar domain names. This will quickly tell if a domain name is already in use by another company. A word of warning is appropriate. TESS does not have any bells that ring or red lights that will flash to indicate if a domain name is confusingly similar to a registered mark. It is highly recommended to consult with an attorney at this point to determine if a thorough search and prosecution of a trademark is to be performed prior to moving forward.
After ensuring that a domain name is free of conflicts, a company will need to submit its domain name and the appropriate fee to one of a number of domain name registration sites. While at the registration site, it should also check to ensure that the domain name is not already registered.
Because domain names are alphanumeric and in the stream of commerce, there is a possibility for legal trademark issues and these issues are not always easy to solve. For instance, in some circumstances, there may be two companies with similar names, but in different industries and there may not be an easy answer as to who gets the company name.com. Each company may have a trademarked name for each company’s respective business field, domain names cannot currently separate Jiffy, Inc. (a cartoon character) from Jiffy Peanut Butter. Currently, domain name registrations do not require a check for possible trademark conflict, so companies take the risk of a trademark violation when registering. It is very important to remember that registration of a domain name does not itself entitle the registrant to any trademark rights and in no way trumps federal trademark law. Thus, a company is not free from legal action by the owner of a trademark simply because it successfully registered a domain name. Therefore, this makes it very important to carefully choose a domain name to avoid litigation from trademark owners of marks similar to the domain name.
The Anticybersquatting Consumer Protection Act (ACPA), became effective on November 29, 1999. The ACPA authorizes civil suit against those who register domain names that include other’s trademarks with a bad faith intent to profit from this registration. The statutory damages are a maximum $100,000 per infringing domain name. The ACPA retroactively affects all domain name registrations; however, only domain names registered after November 29, 1999 are subject to damages. Those registered prior to this date may only be cancelled or transferred. The ACPA explicitly protects the names of celebrities as domain names.
In order to determine a defendant’s bad faith intent to profit, a court may examine, but is not limited to:
Online businesses can protect against cybersquatting. First and foremost, consult an attorney. Second, make sure that the business name and related names are federally registered trademarks. If these names are not currently registered, contact an attorney immediately to begin the registration process. Finally, if a person has usurped a domain name that violates intellectual property rights, document as much as possible. This can include, but is not limited to, any verbal conversations with the cybersquatter, printing out any posted web content on the website in question. An attorney will usually keep copies of any written communication between parties.
Currently, ICANN’s Uniform Domain-Name Dispute Resolution Procedure (UDRP) allows all domain name disputes to pass through arbitration rather than to file court action. While these arbitrators can only transfer the domain names or cancel their registration, this option is relatively low cost compared to regular litigation. While a cybersquatter sitting on a company’s domain for profit may be dealt with in Court for damages, ICANN’s arbitration procedure will quickly resolve most domain disputes at a relatively low cost.
As of September 2002, ICANN took on 7036 UDRP proceeding representing 11,396 domain names. Approximately 70% of the cases ended with the domain name being transferred to the complainant. This means that if someone registers a domain name containing another business’ registered trademark, that business has a very good chance to get the domain name transferred to it. Thus, the UDRP can be a sound alternative to litigation, depending on the remedies desired.
Unlike more traditional forms of trademark infringement, meta-tags hold the opportunity for behind the scenes trademark infringement. Meta-tags are keywords hidden in the source code of webpages. These keywords are usually descriptive words about the company hosting the site or the business they do. An Internet search engine utilizes a site’s meta-tags when performing a search.
Clever individuals have found that placing the names of competitors and other competitor trademarks in meta-tags will often steer the person searching toward these individuals rather than to the website of the competitor. While this may seem harmless to some, courts have ruled that placing another’s trademark in a meta-tag is trademark infringement.
Protecting a business from meta-tag trademark infringement can be a time-consuming process, but it is money well spent. The quickest way to uncover meta-tag trademark infringers is to enter a trademark into an Internet search engine. If the results turn up competitors, there may be an infringement.
Obvious and important aspects of e-commerce are Internet sites. These sites are the forum in which companies and their consumers interact. Many businesses fail to adequately prepare their websites for the volume of sales that the site ultimately processes and they pay a high price. Whether beginning an online business or ensuring its continued success, reviewing the important aspects surrounding a website is essential.
Online businesses need to locate themselves in the digital realm. In order to do this, companies need to enter into a website development agreement, a website hosting agreement or both. As the name implies, a website development agreement is a contract for the production of an Internet site. Because it is just like any other contract, it is subject to common contractual issues. In order to lessen these issues, be sure as many specifics have been covered in the agreement as possible.
A website development agreement has an important intellectual property aspect to touch upon: copyrights to the website. It must be understood prior to the contract for development of the website that party will hold the copyrights to the site. It is highly recommended that the company insist, as the purchasing party, to own the copyrights. This will allow it to easily transfer the company website to another host in the event of a termination of a hosting agreement.
A website hosting agreement is a service contract authorizing a company to “host” another’s website content. The actual files composing the website are stored on the hosting company’s computers. These companies allow large volumes of traffic to access a site. While a hosting agreement is a service agreement, there are several important things to be addressed to minimize future headaches and litigation.
When choosing the companies with whom to enter into a hosting agreement, consider using a Request for Proposals (RFP) format. The criteria for the website hosting will be set out in advance and the company can think through the important issues prior to entering into a contract. This section will address some important issues to include in an RFP. While this list is not exhaustive of all issues that may arise, it touches on the most important areas.
Though employers may discourage employees from participating in social networking sites as they may reveal information that is confidential or engage in activity that reflects poorly on the employer, their use may be protected under the National Labor Relations Act §7, in certain circumstances. The Act states that employers cannot discipline or otherwise retaliate against non-supervisory, non-management employees who engage in “concerted activity” for the purpose of “mutual aid or protection.” “Concerted activity” is generally defined as activity engaged in with the authority of other employees. Employees, therefore, must work together in order for their activity to qualify as concerted. There must also be a nexus between the activity and employees’ interests as employees.
The NLRA has defined “mutual aid or protection” as requiring employees to be attempting to improve the terms and conditions of their employment or their position as employees, through channels outside the immediate employee-employer relationship. This may include things such as discussions about wages, benefits, working hours, the physical environment, dress codes, assignments and responsibilities.
Beyond the NLRA, it is important for the employer to have a clear policy about social networking and blogging sites in the workplace. The policy should also establish applicable conduct after working hours. This policy could help preserve trade secrets and not injure the company name. However, a very broad policy may lower morale, subject the company to bad press and make employees accountable for what they know is online. In drafting any such policy, it is important to remain focused on the goals.
Goals for successful regulation of social networking might include:
Establish clearly what expectations exist for any equipment or device that might carry employer information, regardless of who owns the device.
Use of technology and social media is a developing area of employment law with competing interests and expanding use of technology throughout society. Devices continue to have new capabilities and greater memory capacity and this device capability and capacity are allowing fundamental changes in communication and information sharing. Many lines are now blurred. There are a few cases that provide some guidance to employers regarding regulation and oversight of the use of technology by workers; however, many issues have not been addressed by the courts. Employers should remain aware of the on-going evolution and should not hesitate to consult with an attorney to consider matters involving social media and use of technology.
The digital realm of the Internet has proved a slippery place to pin down for legal jurisdiction. Because the online world is both everywhere and nowhere, jurisdiction for e-commerce companies and consumers has been a difficult riddle to solve. Doing business on the Internet may subject a company to lawsuits in the location of its customers or the other parties to its electronic transactions.
Online businesses face the same risks of theft and corporate espionage that other businesses face, but the method and manner of these acts are tailored to the online world. Where a traditional business spy may intercept packages from a mailroom to gather business plans, an online spy may intercept online transactions to gather credit card numbers and customer lists. With corporate intranets becoming standard practice and widespread employee access to confidential data from the desktop, there is no longer a need for late night raids on file cabinets. An employee can now easily transmit trade secrets to competitors from the comfort of his or her office and a disgruntled former employee can hack into and corrupt a database from home.
In order to protect a business from these online headaches, methods of security such as data encryption and firewalls are required. Encryption is a process by which data is scrambled so that only a person holding a key to the encryption can reassemble the data at the destination. The encryption prevents an intercepted message from being read and the information lost. A firewall restricts the flow of online traffic in or out of a certain protected network area. This can be preventing outside hackers from entering the company intranet or preventing employees from sending network database files to locations outside of the intranet.
Free encryption and firewall programs are available to download on the Internet, but a more sophisticated, commercial data security utility that incorporates relevant safety features is highly recommended for a business. Most high-quality commercial security software contains internal and external safety features to protect the integrity of a company’s data and trade secrets.
A data breach is the intentional or unintentional release of secure information into an unsafe or non-trusted environment. Incidents of data breach can arise due to malicious attacks or careless disposals of digital media. Many jurisdictions have passed data breach notification laws. These laws require a company that has been the victim of a data breach to inform its customers of the breach and to take steps to repair potential damages. In some states, companies are required by statute to disclose any breach to any resident whose unencrypted personal information may have reasonably been made available to an unauthorized person. See Chapter 29: Health insurance portability and privacy for more information.
Employers have sometimes been victimized by improper use of the Internet by current or former employees. Some people who are hostile to a company may operate or post unfavorable and disparaging information about the company on various websites or make disparaging comments in Internet chatrooms or blogs. Sometimes the information posted on the Internet may be confidential and proprietary company information that should not be disclosed outside the workplace. The identity of the person who discloses such information, however, may be difficult to determine because Internet users often use an alias or pseudonym when posting comments on Internet sites.
Employers who believe that the information or comments posted on an Internet site violate the employer’s legal rights by disparaging them or revealing proprietary business information can, if they act swiftly, determine who has posted the improper comments or information in order to pursue claims against those persons. In order to learn their identity, it may be possible for the employer to file a lawsuit against an unknown person identified in the lawsuit as “John Doe.” Once the lawsuit is filed, the employer may seek information from the Internet host through a subpoena aimed at identifying the electronic address of the person who posted the offending comments. It may also be possible for the employer to issue a subpoena to the offender’s Internet service provider to learn the identity of the person who posted the data in question.
It is important for employers to act quickly to attempt to trace the origin of an offensive posting or improper email because many of the website hosts and Internet service providers retain the identifying information for a very short period of time, sometimes as short as 30 or 60 days. If the subpoena is not served within that time frame, the information may be lost. Once the employer knows the identity of the person who has posted the improper comments, the employer can determine whether the employee violated an obligation to the employer to protect confidential data, breached a duty of loyalty or made false and disparaging statements about the employer.
Employers should adopt policies in employment handbooks that prohibit employees from hosting or contributing content to Internet blogs or chatrooms if doing so discloses confidential information about the employer or reflects adversely on the employer.
Connection to outside activities through Internet, smartphone, email and other means has become increasingly pervasive in the workplace. Many employers are working to limit personal activities by employees on company time. Employers have long had a tradition of providing break time to employees during which personal business can be conducted. Some employers have accepted that employees will be involved in personal business to some extent during work time. Several studies show that the distractions of smart phones and the variety of communications available on them decrease productivity significantly by taking employees off task. While an occasional short phone call or text message should not be the basis for discipline, an employer can adopt policies that restrict personal activities at work.
In general terms, both an employer and employee owe a duty of good faith and fair dealing to the other. Using that obligation as a basis, employers can require employees to focus on company business. A few courts have dealt with adverse employment actions based on personal activities, including one court that determined that an employee’s conduct in spending approximately fifteen minutes per day on a personal home business amounted to a breach of loyalty to the company and was sufficient grounds for termination.
Employers who look to manage the situation should provide employees with clear expectations of conduct and define employee activities within written job descriptions. But a common-sense approach is warranted since most workplaces have some level of distraction that affects productivity. Of course, if safety is an issue or if job duties require precise action or close attention, then prohibiting any personal business may be essential.
Policies and Forms
Chapter 28: Employment in the Internet age