|
Matthies Law Firm, P.C. |
 |
Serving
as Employment Law Advisors for over 25 years |
| |
|
|
Privacy Rights in the High-Tech Era
|
| a. | The person had no reasonable expectation that the conversation would be private (which lack of privacy is presumed if the conversation could be heard on an extension phone, with certain limits discussed below); or |
| b. | The consent of one of the parties to the conversation was obtained to listen to or record the conversation. |
Under these laws, it is not just illegal to intercept conversations where these conditions are not met. It also is illegal to attempt to eavesdrop; to try to get someone else to illegally eavesdrop; to use the fruits of the illegal eavesdropping; or to disclose or try to use as evidence any information which was obtained by illegal eavesdropping. What kind of activities are covered? Virtually any activity where a conversation will be captured or enhanced by a mechanical or electronic device (including a microphone, recorder, video camera, or similar equipment). Presumably, even a glass pressed against the wall might qualify as a mechanical device under this statute.
In the ordinary course of business, your company probably uses voicemail or answering machines. Its offices may be equipped with microphones installed in computer monitors/headsets or contained in speakerphones and intercom systems. Surveillance cameras may be posted at entrances, in break areas, or various other areas (even restrooms). Telephone systems may be designed to allow multiple parties to listen in on phone conversations, and the system even may have specific features which allow supervisors to monitor calls to assess performance or customer service.
Obviously, all of these devices may result in the interception of private employee conversations. The use of any of these devices potentially could subject your company to a civil lawsuit under either of these statutes. Even worse, violation of these laws is considered to be illegal wiretapping, which is a felony punishable by fine and imprisonment. And, if this was not bad enough, individuals or supervisors who engage in violations of these laws may be personally liable to the employee and any other parties to the conversation. The real "coup de grace", however, is that perfectly innocent lawyers may end up getting sued for trying to use evidence which was obtained in violation of these laws. Why? Because these Acts provide that anyone who attempts to use the ill-gotten data is subject to suit if they had any reason to know that the data was obtained in violation of the Act.
This is not just a theoretical risk. In Williams v. Poulos, 11 F.3d 271 (1st Cir. 1993), the Court found that both the plaintiff and his counsel violated the wiretap laws by making certain recordings in connection with a business dispute with the defendants. The lawyer had not participated in the recording. He merely tried to use the data in the lawsuit, and ended up becoming a defendant when the other side sued - and won.
In order to avoid this terrible result, there are several simple rules which must be followed.
First, if you are a party to the conversation, then you normally can record the conversation without the knowledge of the other person on the call - at least as long as your intentions are pure (i.e., you are not planning to blackmail someone or use the information for some illegal purpose). If the conversation is lawfully recorded, then you can disclose the information to others - at least as long as the information does not unduly invade the personal privacy of the individual. We will discuss tort suits for invasion of privacy later.
If you are NOT a party to the conversation, then you CANNOT monitor the conversation by the employee by use of electronic or mechanical devices unless you obtain their express consent to such monitoring or you get their implied consent.
Express consent is obtained by getting a signed consent form (or obtaining clear verbal consent - preferably in front of witnesses). Implied consent is obtained by providing clear notice to your employees of your intent to monitor their calls ; the employees have actual knowledge that monitoring is taking place; any recording is done by a device attached to an extension phone; and the monitoring is carefully limited so that only business calls are recorded, with NO attempt is made to record or otherwise intercept personal calls. This last item is critically important.
This is true because, to be entitled to the implied consent rules which govern the standard business practice of using of extension phones for monitoring, any interception of calls to which the monitoring person is not a party must have a clear business purpose. The Courts are unanimous that the indiscriminate interception of purely private conversations does not serve any legitimate business purpose. See, e.g., U.S. v. Harpel, 493 F.2d 346 (10th Cir. 1974). This does not mean that employees cannot be disciplined for excessive personal calls. It merely means that, once it has been determined that the call is personal, the supervisor hangs up and does not record the call.
Companies have gotten into serious trouble where they decide to simply record all calls, and then listen to the tapes later (fast-forwarding over the personal calls). Several courts have held that a violation of the ECPA occurs by the simple act of recording a private conversation, as this is an unauthorized "interception" of the call. See, e.g., Sanders v. Robert Bosch Corp., 38 F.3d 736 (4th Cir. 1994); Ali v. Douglas Cable Communications, 929 F.Supp. 1362 (D. Kan. 1996). Thus, a felony may be committed - even if you never listen to the tape - if you did not have express consent for these recordings!
Many companies mistakenly believe that they can get implied consent to broad monitoring of any workplace behavior, simply by issuing blanket policies which advise employees that their phone calls may be intercepted; their mail may be read; their desks and computer files may be searched; and so forth. However, several courts have taken the position that an employee does not "consent" to interception of private conversations merely because a company sends such policies around for them to review. For example, in Ali v. Douglas Communications, supra, the Court did not find any consent to monitoring or recording of personal phone calls by Customer Service Reps where there had been no open practice of monitoring; employees had no idea that the employer actually had started to monitor or record calls; and there was only a threat of possible monitoring. See also Deal v. Spears, 980 F.2d 1153 (8th Cir. 1992) (no business reason to record some twenty-two hours of calls by employee).
The Court in Ali talked about the factors which led it to find a lack of consent by some Customer Service Reps to the recording of their calls, stating:
The monitoring and recording were done without beep tones or other signals indicating their use. There were no labels on the CSRs' phone or other written policies distributed to the CSRs that warned them of monitoring or recording of telephone calls and that cautioned them against making personal phone calls at their desks [no separate private phones were provided]. DCC made no effort to obtain the written consent of the CSRs prior to monitoring and recording their telephone calls.
The best evidence that the employee actually knew that the Company might listen to his calls or intercept other forms of wire messages which might be private is to get a signed statement which expressly consents to this monitoring. If the employee opts not to give consent, then the Company normally will have the legal right to tell the employee to find another job (although this issue is not completely free from doubt, as a waiver which was far too broad might be found void as against public policy, which then might turn the termination into a wrongful discharge). Hence, as discussed later, it is a good idea to make reasonable attempts to tailor the waiver so as to limit intrusions on privacy to instances where there are legitimate business needs for the intrusion.
In addition to telephone conversations, the ECPA also may cover monitoring of e-mail messages (stored either on a PC or a server); review of internet files or computer records which detail internet logons; the interception of voice-mail messages; and search of other files/records located either on a PC or a server (if they were received as a result of a wire transmission). The ECPA broadly defines an electronic communication as virtually any transmission of data through an electronic communications system (composed of wire, cable, lasers or any other medium). Although the law appears to be designed to refer to transmission of data through the auspices of a public provider of telephone or telegraph services, the actual text of the Act does not appear to contain such limits. Thus, purely internal e-mail or other files sent through the Company's own LAN or server likely is covered by the ECPA, in addition to files received from outside the Company's location.
It is important to note that, if your company does business across state lines, you should check the laws of any states which may be connected to your network. Some states (such as Florida) have enacted requirements which allow interception of messages and conversations only where BOTH parties consent to the interception. While it is possible that the ECPA may preempt such local laws, there are only few cases on the issue (See, e.g., Muskovich v. Crowell & MCI Telecommunications, 12 IER Cases 648 (S.D. Iowa 1996)). As a result, caution is advised - because there appears to be some growing sentiment that state law may control if it provides greater protection.
In addition to the ECPA (and companion state law), there is another federal statute which also may come into play. Under the anti-hacker statute, it is unlawful to enter into a system and obtain information which violates any authorization to access the data or the facility (18 U.S.C. {2701). Arguably, if an employer allows an employee to keep personal files on his computer at work, and to access personal e-mail accounts or internet services, it could violate the anti-hacker laws for the employer to rummage through those files without the consent of the employee. Furthermore, if the computer and/or e-mail accounts are password-protected (so that the employee has a reasonable expectation of privacy in the contents of such information), an argument could be made that it violated the anti-hacker statute or the ECPA to review any data stored in any password-protected areas of the computer if this data got on the computer as a result of any link with another computer or network - even if the data was stored in a "corporate" area of the computer.
There is still another federal criminal law which also comes into play, which is the law against use of "pen registers" or "trap and trace" devices to keep a record of outgoing or incoming calls to a particular phone (18 U.S.C. {3121). Under this statute, it is illegal to use any device which will capture information regarding the calls made from a particular phone location, except where the device is used by a provider of electronic communication service to: (1) protect users from improper use of such service or (2) used as an incident to billing for communication services. A customer may use such devices to track calls from a phone only "for cost accounting and like purposes in the ordinary course of its business." However, unlike the restrictions on records of outgoing calls, a subscriber is permitted to use "Caller ID" technology to identify the originating number of incoming calls to a particular line. This recognizes the emerging technology of many businesses, where the computer may be triggered to pull up records of a customer as soon as the computer recognizes the incoming number of the call.
The problem is, however, that the technology is out-pacing the law in many areas. For instance, it is not uncommon for many phone systems to be able to print out a complete record of all calls to/from a particular phone (in a manner comparable to the ability of fax machines to print out a periodic record of all faxes sent/received). In addition, many computers now have built-in dialers and microphones, which can be configured to keep records of calls made or received. Likewise, it is now possible to make phone calls directly over the Internet, and most computers keep "caches" which reveal a record of contacts with various locations on the. Indeed, unknown to many users, the computer cache often has complete copies of the content of any websites recently visited. Finally, many office computers and/or networks will store voice-mail messages which often can be accessed only by use of a password code.
Thus, the records on the PC of an individual (or the records which he maintains in folders on the central network) may reveal all sorts of compromising information, such as repeated phone calls to a paramour; visits to porno websites; visits to sites which might reveal sexual orientation or possible health problems (e.g. a visit to sites providing information about AIDS exposure latency periods); and so forth. In particular, voicemail messages often will be personal in nature. Arguably, the employer does not need any of these records for "cost accounting purposes" or similar reasons - especially if dealing with an employee who is not paid hourly.
One court has held that, once records become stored on the company's system, the company becomes a provider of electronic services and has the legal right to access those records in order to prevent abuse of its system. Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev. 1996). However, it seems likely that other courts will not accept the idea that the mini-LAN set up in Frank's Bookkeeping Service in some way turned Frank's into the legal equivalent of the phone company - so it seems likely that many courts are going to require clear notice and consent before allowing an employer to look through computer records where personal and business records are intermixed.
There are three options available to employers. One is to completely bar any personal use of computers, phones, faxes and the like; conduct audits; and make it very obvious to everyone that employees will be disciplined for violating this policy. The problem with this approach is that it is probably not going to be enforced, or will be enforced in an erratic or arbitrary fashion, especially with professional level employees. It also likely will lead to huge morale problems with these people.
The second option is to adopt a policy which allows some personal use of these devices, but to make it clear that personal use will be monitored (even if the Company limits itself to checking the size of files, log-on times, etc. to determined excessive use - in a fashion comparable to quickly hanging up after seeing that a call is personal). However, for this option to work, it is important to follow up with the monitoring of everyone (from executives on down).
The third option is to tailor the policy to the business needs and demands of the group in question (e.g., only calls/email of customer service employees will be regularly monitored - but the rest will be subject to the more limited policy which basically looks at time/resource wasting).
Regardless of which approach is adopted, however, it is important to let employees know that you could end up having to look at their records even if you do not want to do this. Many companies do not realize that, once records get onto a network, those records often tend to have a much longer life than anyone ever expected. Why? Because system administrators tend to backup their systems regularly (larger companies do this at least daily), and the backups may be stored for 1-2 years before being overwritten. As a result, e-mail and voicemail which was thought to be erased remains preserved in these archives; old internet caches can be unearthed; and drafts of documents can be pulled out (even if the draft was never sent).
Smart plaintiffs lawyers are realizing that demands for such computerized records often can yield wonderful rewards. For instance, in Boone v. Federal Express Corp., 59 F.3d 84 (8th Cir. 1995) and in Strauss v. Microsoft Corp., 814 F.Supp. 1186 (SDNY 1993), the courts allowed discovery of incriminating e-mail messages which undercut the defenses being presented by the companies to discrimination claims.
Employees often are unguarded in their e-mail or voicemail responses, and do not speak with thoughts of future litigation. Some remarks may be made which are intended to be sarcastic or cute (e.g., "well, he's black, so of course we need to fire him"), and can create endless trouble. As a result, it is very important to advise employees that, even if the Company does not intend to normally monitor their e-mail or voicemail, it may become necessary to go through all of the archives of their messages in some future litigation. It is very important to be sure that employees realize that they do not delete a file or a message simply by hitting "delete", and that their messages could end up being used as evidence, so that they need to exercise care in what they say and how they say it.
Federal and state laws on wiretapping may not be the sole basis upon which employees may file suit over company access to "private" discussions. Most states, including Oklahoma, recognize a tort action for invasion of privacy. The Oklahoma Supreme Court first recognized such an action in Munley v. ISC Financial House, Inc., 584 P.2d 1336 (Okla. 1978).
In order to recover, an individual must show that the defendant unreasonably intruded on the privacy of the plaintiff, or misappropriated the name or likeness of the plaintiff without consent, or unreasonably publicized the private life of the plaintiff, or made statements about the plaintiff which unreasonably portrayed the plaintiff in a false light. In general, to be actionable, the intrusion or publication must be of the type which would be highly offensive to most people and something which the defendant had no legitimate reason to disclose (or do). See, e.g., McCormack v. Oklahoma Publishing Company, 613 P.2d 737 (Okla. 1980).
A claim for invasion of privacy is broader than a claim for defamation. For example, a company may learn that two employees are having an affair. This may be of legitimate interest to the managers of the two individuals, or to their superiors. However, it is not something of general interest to the rest of the workforce. As a result, a blanket e-mail message which announced this liaison likely would give rise to a tort action for invasion of privacy.
But, what if a manager has a grudge against a coworker, and uses company resources to publicize the private life of a coworker? For instance, what if one supervisor had an affair with a subordinate which ended badly, and decides to send an e-mail to everyone in the company which includes a video clip of a bedroom encounter? Could the company be liable for this wholesale breach of the privacy of this other employee?
Unless the Company has adopted a clear policy which forbids use of its e-mail system to annoy, harass or embarrass another individual, some courts likely would hold that the company bore a share of such liability - especially if the individual's status as a supervisor gave him/her broader ability to publish the message.
Of course, lawsuits also may be maintained against an employer for widespread distribution of information which is untrue (or claimed to be untrue), and which is sent to individuals beyond those with a legitimate need to know. For example, in Meloff v. New York Life Insurance Company, 51 F.2d 372 (2nd Cir. 1995), the employer sent out e-mail notices that the plaintiff had been fired for defrauding the company. In most states, an employer has a qualified privilege to discuss its internal decisions with those who need to know (and such limited internal discussions of accusations/claims normally are not considered to give rise to a claim for defamation). However, broader distributions of such information would not be covered by the privilege. Loss of the privilege is important, because the company then has the burden of proving that any damaging statements were true. Mere good faith is not enough to escape liability.
Of course, it should be borne in mind that actions for invasion of privacy are not limited to claims for disclosures of electronic communications - or snooping through electronic records. Thus, where a supervisor sought to obtain ordinary non-electronic medical records on an employee without her consent in order to hassle her for an earlier lawsuit, this led to a successful suit for invasion of privacy. Lankford v. City of Hobart, 27 F.3d 477 (10th Cir. 1994).
Of course, where records are stored on computer which are highly-confidential (such as medical records), the Company likely will have a duty to safeguard this data from unauthorized access. Where the Company was negligent in guarding such information and thereby allowed damaging information to be distributed (perhaps that an employee had AIDS or was homosexual), this might lead to suit against the Company for negligence - especially since several federal laws place a specific requirement on companies to keep such data confidential.
Finally, if a company uses video surveillance, special care must be taken to avoid invasions of personal privacy. First, no audio should be used for regular surveillance cameras. Why? Because it violates federal wiretap laws to capture any conversations, unless you have consent of a party to the conversation - or the conversation is being monitored for legitimate reasons and monitoring is stopped if the talk is personal. Remember that it is NOT permissible to just fast-forward over non-business talk. It is illegal to have ever recorded it unless you had actual voluntary consent (and the courts may be loathe to find consent if an intrusion seems particularly unfair or unreasonable).
As a general rule, cameras in restrooms are a bad idea, due to the risk that some individual will be unaware of, or forgetful about, the recorder and adjust underclothing or engage in behavior which could be highly upsetting to have on tape (even if it is nothing more than removing false teeth). If cameras are placed in restrooms for security reasons, they should be aimed so that it is not possible to see into the stalls themselves (and, for males, it also should be aimed away from the urinals). Furthermore, special care must be taken to limit the people who can see these tapes, and to caution them sternly that these tapes are not to be shown to unauthorized persons (or discussed with anyone). Otherwise, you could easily end up with decisions by someone to tease a coworker, or maliciously reveal personal details (such as the hot scoop that Alice has dentures). If this happens, Alice is going to have an excellent suit for invasion of her privacy - no matter what kinds of documents she may have signed.
When cameras are used for regular monitoring of parking lots or entrances/exits, it is advisable to let employees know that the cameras are there - as such a notice will eliminate the claim that they had no idea that they might be observed. Indeed, posting a large notice is a good idea as a constant reminder that the area is not "private".
If your company is considering use of hidden cameras to catch thefts or drug use, it is best to discuss the matter with competent private counsel. Remember that, if information is obtained which violates federal or state wiretap laws, it cannot be used in court - so it is very important to make sure that your company has followed the correct procedures before spending time/money on such investigations.
Federal and state laws provide substantial protection to employees, and place substantial restrictions on electronic snooping and eavesdropping without the knowledge or consent of the employee. These protections can be waived by knowing and voluntary consent from the employee. However, depending on the degree of intrusion, the courts may look closely at whether the consent was truly given. In addition, employers must be mindful that employees may become extremely upset over intrusions which they believe to be unwarranted, and this can lead to lawsuits or union organizing drives or huge turnover problems. As a result, it is important to take a close look at the kinds of intrusions which are necessary for the business, and to design any waivers so that the intrusions upon privacy serve legitimate business reasons.
Our firm would be happy to assist your company in developing its privacy policies, or other employment policies and manuals, and thanks you for visiting our website.
|
©
COPYRIGHT 2004 ALL RIGHTS RESERVED |
These materials include summaries of various laws and count rulings. Please be aware that many of these laws are quite lengthy, and the regulations which interpret them may be even longer. As with all summaries, there may be provisions which have been omitted from these materials which could be vitally important in certain factual contexts. Furthermore, these pages are not updated daily, so changes may have occurred which have not yet been included here. In addition, there may be federal laws, or the laws of other states, which govern the particular problem and which may be significantly different, so the answer to a particular legal problem may vary depending on a number of factors. Thus, these summaries should be used ONLY for general management education about employment laws or as preliminary tools to trigger further research, and not as a substitute for consultation with experienced legal counsel (who typically will review the full text of federal and applicable state law, the full text of all regulations, and the applicable federal and state case law before attempting to advise a client about the law which applies to the particular factual scenario presented).
Please be advised that no attorney-client relationship is established by your access to, or review of, materials on this Website. Please also note that these materials are copyrighted, and may not be reproduced, sold or used by any law firm, personnel consulting group or other persons/entities engaged in the business of providing personnel or employment law counselling to businesses, without the express written consent of Matthies Law Firm, P.C. Any other corporation or business entity (including non-profit group) may reproduce the same for their internal use only, provided that appropriate attribution is given to Matthies Law Firm, P.C. for the creation of these materials. By accessing any materials on this website, you acknowledge and agree to the foregoing limitations on your use of these documents, and further agree that any and all disputes arising out of your access or use of these materials must be brought in the courts within Tulsa County, Oklahoma, regardless of the place where you may have accessed these materials.