We are living in an era of big data, where cyber threats pose new risks to individuals, companies and governments. In the process, our very notions of privacy have changed. Key cards, private email accounts, audio and video surveillance and password-protected computer workstations make the workplace more efficient and safe. However, they have also changed the landscape of employee privacy dramatically within a generation. Monitoring technology allows employers to guard against a range of employee misconduct, from unproductive uses of the Internet to fraud and other sources of significant liability for both the employee and the employer. Management is no longer limited to direct observation, with all its human limitations, because technological advancements have allowed companies to “supervise” their employees on a much wider scale. Employers can now use technology to monitor employees and make sure that productivity stays high, while employee fraud, theft and other misconduct stays low. Surveys show that over 90% of all employers conduct some form of electronic monitoring of their workplaces. At the same time, employers must be mindful of applicable local, state and federal laws that are designed to protect employees.
As employers increase their ability to monitor and record their employees’ workplace conduct, the risk that employees will complain also increases. Some employees have even sued their employers, claiming violations of their “right to privacy.” Federal and Illinois laws recognize that employees do not lose their privacy entirely upon arriving at work. Therefore, an employer must consider employee privacy interests when it monitors employee conduct.
Employers should be aware of all applicable Illinois and federal laws – and understand that the law of privacy is constantly changing – when formulating policies to monitor employee conduct. For example, the law is rapidly changing in a number of states regarding the ability of an employer to request access from applicants or employees to their personal email or social networking accounts.
An employer should also be mindful of the effect that monitoring policies have on employee morale. A monitoring policy that is legal but that employees view as unfair and unnecessary may ultimately hurt productivity. An employee who thinks that an employer has unfairly invaded privacy interests is more likely to seek a lawyer, pursue litigation or campaign for union representation.
Congress passed the Electronic Communications Privacy Act (ECPA) in reaction to increasing concern that emerging technology was making new threats to civil liberties possible.
The ECPA is the controlling federal law dealing with surveillance and monitoring through telephone and other electronic means. The ECPA updated the federal Wiretap Act, which addressed the interception of conversations using “hard” telephone lines, but did not apply to interception of computer and other digital and electronic communications. To address this, the ECPA added a new section, the Stored Communications Act (SCA), which forbids unauthorized “access” to an “electronic communication while it is in electronic storage.”
The ECPA amendments are not very clear and courts have been critical of the ECPA’s statutory language. Courts have grappled with the language of and interaction between the various provisions of the ECPA, as well as the respective legal boundaries of each Act within the ECPA.
The Wiretap Act forbids the unauthorized “interception, use and disclosure” of any “oral, wire or electronic communication.” A private right of action under the Wiretap Act allows recovery of actual and punitive damages, plus attorneys’ fees and costs. The Wiretap Act also provides for statutory damages, which usually are awarded in daily increments, computed at $100 a day and capped at $10,000. Damages are awarded on a daily basis even though many different types of violations may happen within the course of the same day.
Additionally, the Wiretap Act makes it unlawful for any person to intercept, use, disclose or procure any other person to intercept or endeavor to intercept, any wire, oral or electronic communication.
An oral communication is anything “uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation.” Conversations among employees, even in a public work space, can sometimes be protected “oral communications” if spoken in private beyond the hearing range of others.
Wire communications include communications transmitted on any system that can function in interstate or foreign commerce, which covers telephone communication and possibly fax communication.
Electronic communications include many of the communications that are widely used in today’s workplace, such as email, voice mail, electronic chat messages and other messages transmitted over the Internet.
Intercept under the Wiretap Act is the “acquisition of the content of any wire, electronic or oral communication through the use of any electronic, mechanical or other device.” Courts have interpreted interception in a variety of ways. One court held that a defendant intercepted a communication when she retrieved and forwarded to her own personal mailbox a voicemail message from the recipient’s mailbox before it had been received by the recipient. In another case, a court held that viewing an email message on the plaintiff’s computer screen did not constitute “interception.”
The Wiretap Act’s general prohibition on interception has three major exceptions:
Courts are less inclined to allow interception of employee communications when employers are attempting to monitor the content of personal phone calls. In monitoring communications, an employer should stop the interception as soon as it realizes the communication is of a personal nature.
Note: This does not limit an employer’s right to discipline an employee for excessive personal phone calls while at work.
At least one federal court case has addressed blanket monitoring and recording of all calls by an employer and determined that such blanket monitoring and recording, absent notice to the employees and with no determination and cessation with regard to personal calls, would be a violation of an employee’s privacy rights. The blanket recordings could not be considered to be in the ordinary course of business, where all personal calls (as well as business calls) were monitored and recorded.
The Stored Communications Act (SCA) prohibits unauthorized access, interception and disclosure of information stored in electronic form. Stored communications can take many forms, but they most commonly include computer files and email messages that have been archived.
One important exception to the SCA is when a provider of wire or electronic communications service is given access to an employer’s stored electronic communications, which would presumably enable the employer to monitor email that is archived on its communication system. What constitutes storage, however, is not well defined. Some courts have distinguished different types of storage, such as “intermediate storage,” “back-up protection storage,” and “post-transmission storage.”
Another exception to the SCA allows access to stored electronic communications that have been made by or sent to a user if the user consents.
The SCA also includes an exception that allows an employer to access stored communications on a system for the purpose of safeguarding the employer’s business interests. The boundaries of this exception will likely depend on the minimum level of access necessary to safeguard the employer’s interest.
Note: Exclusively internal email systems provided by employers might be outside the scope of the SCA, because such a service would not technically be provided to the public.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act may influence workplace privacy significantly. This statute, which is primarily designed to combat terrorism, gives agencies of the government more extensive search powers, allowing them to conduct surveillance both traditionally and electronically to track and apprehend suspected terrorists.
Certain provisions of the act – the so-called “sneak and peek” portions – allow the government to conduct surveillance without getting a court order or warrant. As long as the government can demonstrate reasonable cause for investigating without giving notification (basically, that notifying the target would negatively impact the investigation), the act allows the government to delay notification. The government can monitor someone’s office, computer or email without notifying the individual until after the monitoring has been done. Employers now face the reality that their communications systems are completely open to the government and therefore have a critical interest in making sure that no illegal communication or information is being transmitted or stored on their information systems.
Employers should also monitor new regulations that impact federal privacy rights, such as the Health Insurance Portability and Accountability Act (HIPAA), as amended, which restricts access to protected health information. See Health insurance portability and privacy.
In the case of large multi-national companies, other countries may have restrictions on access to personal information that can further complicate privacy compliance. For example, the European Union’s data privacy directive requires companies to abide by its protocols for the protection of its member state citizens’ and residents’ personal information. The United States negotiated a Safe Harbor arrangement to establish a streamlined process for American companies to comply with the EU Directive, provided they adhere to the seven principles outlined in the Directive. These principles must provide:
While the United States endorsed these principles, they have not been incorporated into U.S. law. Companies also must recertify every 12 months. They can either perform a self-assessment to verify that they comply with these principles or hire a third party to perform the assessment. There are also requirements for ensuring that appropriate employee training and an effective dispute mechanism are in place. This program is subject to oversight by the Federal Trade Commission (FTC).
The General Data Protection Regulation (GDPR) has replaced the Data Protection Directive. It extends the scope of the European Union (EU) data protection law to all foreign companies processing data of EU residents under a single set of rules. Each member state will establish an independent Supervisory Authority (SA) to investigate complaints and impose sanctions. If a business has establishments in more than one nation in the EU, it will be subject to the SA in the country where its main data processing activities take place as its lead authority. By harmonizing the data protection regulations throughout the EU, the new law should make it easier for American companies to comply. A failure to comply can be costly because financial penalties may range up to 4% of a company’s worldwide revenue.
Under the General Data Protection Regulation, companies will be required to obtain explicit consent for the data collected and the purposes for which it is used. Companies will be required to appoint data protection officers, who can serve as mini-regulators with their own independent support team, when there is regular and systematic monitoring of the data subjects.
In the event of any breach, any company that collects information on EU residents will be under an obligation to notify the SA within 72 hours and the affected individuals must be notified if any adverse impact is determined.
It is anticipated that implementation of the EU General Data Protection Regulation will require comprehensive changes to business practices for non-European companies handling EU personal data that have not implemented a comparable level of privacy protection.
Finally, while not a protection of the right to privacy itself, the Sarbanes-Oxley Act imposes criminal penalties on employers who retaliate against employees who provide to a law enforcement officer truthful information about a federal offense committed by the employer. Therefore, if an employer violates the Wiretap Act or the SCA and an employee tells a law enforcement officer of the violation, the employer cannot lawfully retaliate against that employee. Criminal penalties under this anti-retaliation provision include fines and up to 10 years imprisonment.
The Illinois Biometric Privacy Act requires that businesses receive written consent from employees, prospective employees or other individuals before collecting biometric information such as fingerprints, retina scans and facial geometry scans (which could include photographic identification). In addition, businesses are required to disclose their policies for usage and retention. Companies that collect such information should be well versed in this law, as two recent rulings have found that an individual does not have to prove that he or she suffered any adverse action based upon a company's handling of biometric information, but merely needs to show that the company did not follow the requirements of the law. Specifically, the law requires:
Employee manuals, collective bargaining agreements and employment agreements can also be the source of privacy rights; employers should make clear that such agreements are not intended to create rights. The inclusion of simple express language in such manuals and agreements can be used to make it clear that it is not the employer’s intention to create such rights or expectations of privacy.
The use of video cameras to monitor employees at work – which is on the rise in many workplaces due to terrorism threats and increased levels of security – can trigger employee privacy rights. Video monitoring may violate privacy rights in at least three circumstances:
Unquestionably, employers have a significant interest in monitoring the workplace to minimize employee theft, drug abuse and other wrongdoing. Employers also have an important interest in ensuring workplace safety. Employee searches are one way that employers can prevent wrongdoing and maintain a safe work environment, but employers must recognize that there are limits on intrusive, unwarranted workplace searches.
Searches at work may take a number of forms. Sometimes the employer needs to search company property, such as offices, desks, drawers or lockers that have been provided for employee use. The employer may also want to search the property of an employee, such as a purse, gym bag or briefcase. Finally, an employer might also search an employee’s person, as with a pat-down search. These searches, some of which are more intrusive than others, can expose an employer to potential liability.
The risk of liability can be reduced if an employer provides advance notice to employees of the circumstances under which such searches may be conducted. Employers who promulgate such policies should strictly adhere to them.
Many employers have policies that provide that they retain the right to monitor employee email traffic over the employer’s electronic communication network. As described previously, federal law does not prohibit this in most circumstances, but the law in this area is developing. Therefore, employers who monitor email may want to exercise caution when they come across communications that are obviously intended to be private, such as those between employees and their doctors or lawyers.
The Fourth Amendment to the U.S. Constitution protects individuals from unreasonable searches and seizures by federal, state and local government officials. Public sector employees can invoke this right in the workplace if, under the circumstances, they have a reasonable expectation of privacy. This question is always addressed on a case-by-case basis and may turn on factors such as whether the workplace is so open to the public or other employees that no expectation of privacy is reasonable. An employee’s privacy rights may be outweighed by the reasons that the government wishes to conduct the search.
The U.S. Supreme Court has twice analyzed this issue. In 1987, the Court upheld the search of an employee’s desk and file cabinet, noting that “government searches to retrieve work-related materials or to investigate violations of work-place rules – searches of a sort that are regarded as reasonable and normal in the private employer context – do not violate the Fourth Amendment” in the public agency environment. In 2010, the Court ruled that a municipality did not violate an employee’s Fourth Amendment privacy rights when it reviewed personal text messages that the employee sent on a pager that was owned and paid for by the employer. Because the municipality’s policy on electronic communications was somewhat ambiguous, the Court deliberately bypassed the issue of whether the employee had a reasonable expectation of privacy in his electronic communications. Instead, the Court resolved the case by holding that the search was reasonable because it was motivated by a non-investigatory, work-related purpose: the city sought to determine whether the employee had been provided with an adequate limit on his text messaging.
Although these cases arose in the public sector, the decisions have implications for all employers. To safeguard against privacy claims, employers should ensure that they have appropriate policies in place to avoid creating unintended expectations of privacy. When a search is warranted, it should be supported by adequate business reasons and extend no further than reasonably necessary given the business purpose behind it.
Whether a search is justified depends on both the need for the search and the privacy interests of the employee. Non-investigatory searches, such as entering an employee’s office or opening a desk drawer to locate necessary business items, generally are allowed if the employer has a legitimate business reason and the search is limited to what is necessary. In the interest of good employee relations, an employer should contact the employee before conducting this type of search.
Investigatory searches, such as a search for illegal drugs or illegally concealed weapons, should generally be limited to situations when the employer has a specific reason to believe an employee is engaged in wrongdoing. The more intrusive the search, the more likely it may violate an employee’s rights. For example, a search of an open bag left in an employee’s cubicle is less intrusive (and therefore less likely to violate privacy rights) than a search of a locker sealed with an employee-provided lock or key.
An employer can limit an employee’s reasonable expectation of privacy by maintaining appropriate policies. Employers should notify employees, either in an employee handbook or by posting a policy, if lockers, desks and offices are subject to being searched. Employers should also be discreet and, when possible, avoid contact with the employee’s person and avoid using force. Solutions that do not involve searches – such as inventory control systems and systems for tracking Internet use – can eliminate the need for many searches.
Another way employers may monitor employees is by:
There are many legal issues implicated in employer investigations, which are covered in Workplace investigations.
Employee testing is yet another way of monitoring workplace conduct. Testing may be as simple as a drug test or as complicated as a battery of questions for psychological evaluation. What makes testing different from other types of monitoring is that the information is supplied directly by the employee. Certain testing, such as physical examinations, may be prohibited by statutes such as the Americans with Disabilities Act (ADA) (see Disabilities and reasonable accommodations). Testing for illegal drugs is not covered by the ADA, but alcohol testing may be. Employers should seek legal counsel in developing drug testing policies and should comply with the federal Drug-Free Workplace Act, if applicable. Psychological tests may have an adverse impact on minority applicants or employees and therefore raise an inference of discrimination. As a general rule, employers should work with counsel and testing professionals to develop testing policies that comply with all applicable employment laws.
The ability to post videos on YouTube and other websites creates enormous risks for employers. Their trade secrets may be compromised or their reputations maligned by employees who are engaging in prank behavior. Take the case of Domino’s Pizza, which found itself maligned by two employees who posted a video showing one of them preparing sandwiches for delivery while putting cheese up his nose and performing other unhygienic acts. After more than one million views on YouTube, the video was removed, but not before Domino’s suffered major damage to its reputation. Although there is no way to guarantee that such conduct will not occur, it might in some cases be deterred by adopting and publicizing a policy making clear that such conduct is prohibited. Before adopting such a policy, however, employers need to be mindful that an overbroad rule may result in an unfair labor practice finding by the NLRB. See the discussion of this issue in Social media.
Sometimes employees can create nightmares for their companies by trying to be helpful, such as by endorsing the company’s products on Internet blog sites. This can run afoul of laws prohibiting certain unfair and deceptive practices in commerce. The U.S. Federal Trade Commission (FTC) issued rules pertaining to the use of endorsements and testimonials in advertising that highlight the need to disclose any connection between the seller of the product or service and the person endorsing it.
To limit potential liability, an advertiser should make sure that the advertising service provides guidance and training to its bloggers concerning the need to ensure that statements they make are truthful and substantiated. The advertiser should also monitor bloggers who are being paid to promote its products and take steps necessary to halt the continued publication of deceptive representations when they are discovered.
Employers need to pay attention to what their employees do and say so far as it relates to the products and services that the employer offers to the general public. Companies should develop a policy on whether employees should refrain from communicating with the general public over the Internet about their products and services. At a minimum, such policies should identify the types of statements that are inappropriate to post and the kinds of disclosures that should be made regarding the employee’s relationship with the company.
The FTC’s guides concerning the use of endorsements and testimonials in advertising are available at:
The ease of cyberspace communication makes it possible to transmit offensive material to large groups of people instantaneously. Courts analyze harassing photographs, cartoons, comments and other materials on the Internet under the same standards that they apply to other forms of behavior that create a hostile work environment. See Discrimination. When an employer has notice that such conduct is occurring in the workplace, there is an obligation to investigate and take corrective action.
The ability to forward email communications makes it much more likely that potentially defamatory communications will be published beyond those who are privileged to receive them. In one case that received a great deal of publicity, a life insurance company was sued by a former employee. An email from a corporate vice president reported that she had been terminated for use of her corporate credit card “in a way in which the company was defrauded.” Because the email was forwarded to several managers and non-managers who were not privileged to receive this information, a court held that the employee had proved a prima facie case of defamation.
The courts continue to deal with the difficult tug-of-war between employers’ legitimate business interests and employees’ reasonable expectations of privacy. As technology develops new ways to monitor employees, employers will continue to need legal counsel to advise them of what sorts of monitoring may expose them to liability. What constitutes acceptable monitoring and investigation by employers, as well as what employee expectations are reasonable, continues to evolve. However, there are certain guidelines that employers can follow to avoid liability arising from monitoring their employees:
As a result of the COVID-19 pandemic, many employers have been torn between protecting employee privacy interests and protecting others in their workforce from the spread of the virus. Information regarding the medical condition of an employee who tests positive for COVID-19 is treated as medical information that the employer must protect against disclosure except in limited circumstances as permitted by the Americans with Disabilities Act (ADA). See Chapter 13: Disabilities and reasonable accommodations. At the same time, COVID-19 is a nationally notifiable disease which, when diagnosed, must be reported by healthcare providers to government health departments. The health departments are responsible for leading case investigations and contact tracing. In carrying out this role, they will ask the patient questions about work status, work environment and persons they have been in touch with. Employers are encouraged by the Centers for Disease Control (CDC) to permit health department-initiated interviews, site visits and record reviews to identify close contacts who may have been exposed to the infected individual. It is permissible for employers to provide identifying information to the health department under these circumstances.