Employers frequently access and review data created or stored by employees on company-owned electronic devices, such as computers, laptops, tablets (iPad), and cellphones (iPhone, Droid and Blackberry).  Well-crafted technology and social media policies specifically authorize employers to do so.  But, if not careful, employers can step over the line between permissible conduct and conduct that violates the federal Stored Communications Act (SCA).  The line between permitted and unlawful conduct is not always apparent, so employers need to be aware of the SCA and seek counsel before accessing or reviewing an employee’s electronic communications.

Company-owned electronic devices are treasure troves of evidence of employee misconduct, particularly where employees use the devices to access personal email (Gmail, Yahoo!, etc.) or social media (Facebook, Google+, Twitter, Flickr, etc.).  Employers feel justifiably entitled to access and review data created and stored on such devices, particularly where employees are instructed that the company owns the devices and has the right to monitor the data, and that employees have no right to privacy.  As a general rule, the law supports employers here.

But the SCA imposes some limits on employers.  And, as few recent cases demonstrate, it is all too easy for employers to step over the line and violate the federal law.

In Deborah Ehling v. Monmouth-Ocean Hospital Service Corp., the employer terminated the employee based (in part) on posts she made on Facebook.  The court underwent a rigorous analysis to determine that the SCA protects Facebook posts, as long as the posts are limited to friends and not on the person’s public Facebook pages.  As the court explained,

“when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls” and the “privacy protection provided by the SCA does not depend on the number of Facebook friend that a user has.”

Although the employee’s Facebook posts were protected, the employer did not violated the SCA because it received the posts through a person authorized to access them: one of the employee’s co-workers, who was her Facebook friend, gave them to the employer.  However, as this court and others have recognized, an employer violates the SCA if it obtains an employee’s private Facebook posts by other means, such as (1) using a password retrieved from the hard drive of the employee’s company-owned electronic device or from a keystroke logger installed on the device, (2) accessing the account by using the employee’s company-owned device where the password populates automatically, (3) creating a fictitious person on Facebook to friend the employee, and (4) pressuring co-workers to divulge the employee’s Facebook posts.  In those circumstances, access to the Facebook posts would not be authorized under the SCA.

In another case, Sandi Lazette v. Verizon Wireless, the employee returned her company-owned Blackberry to her employer, but did not properly disconnect her Gmail account from it before doing so.  Over the next 18 months, her supervisor read 48,000 emails sent to that account, some of which were quite personal.  The court in that case (like many other courts) found that email stored in webmail accounts (like Gmail) is protected by the SCA, at least while the email resides unread on the servers of the service provider.

The employer made several unsuccessful arguments to avoid liability.  For example, the court rejected the argument that the supervisor was accessing only the company-owned Blackberry, recognizing that he was actually using that device to access an account on the Gmail servers.  However, an employer does not violate the SCA if it recovers an employee’s personal emails that are stored on a company-owned device, such as when the data is in a backup file or recovered from the “residual” space of a hard drive.  The court also rejected the employer’s argument that the employee had impliedly consented to the employer’s review of her Gmail by not properly disconnecting the account.  While consent need not be explicit, the court recognized that,

“Negligence is … not the same as approval, much less authorization.  There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone will be stopping by.”

Technology presents legitimate opportunities for employers to monitor their employees.  It also presents potential pitfalls, some of which are not apparent.  Employers should continue to harvest valuable information from company-owned electronic devices, but also need to become aware of the SCA and seek counsel before accessing or reviewing employee electronic communications.

Print:
EmailTweetLikeLinkedIn
Photo of Cameron Shilling Cameron Shilling

Cameron is a Director at McLane, Graf, Raulerson & Middleton. He has an active practice in New Hampshire, Massachusetts, and throughout New England. Cam leads McLane���s Privacy and Data Security Group. He comes from a background of handling technology, business litigation, and employment…

Cameron is a Director at McLane, Graf, Raulerson & Middleton. He has an active practice in New Hampshire, Massachusetts, and throughout New England. Cam leads McLane���s Privacy and Data Security Group. He comes from a background of handling technology, business litigation, and employment matters.

Cam���s expertise in data security includes managing security audits, preparing and implementing written data security policies, addressing day-to-day security issues, and investigating and remediating data security breaches. He has dealt with these issues under a range of state and federal laws, including the Gramm-Leach-Blilely Act, Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Genetic Information Non-Discrimination Act (GINA), Children���s Online Privacy Protection Act (COPPA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act (FACTA), a number of state data security laws.

Cam���s expertise in data privacy matters includes creating and implementing information security policies, advising employers with respect to workplace privacy, advising clients with respect to social media, advising companies with respect to customer and consumer privacy, and handling claims against companies for invasion of data privacy. He has dealt with these issues under a number of state and federal laws, including the Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), Fair Trade Commissions Act (FTC Act), Massachusetts��� Privacy Act, state Wiretap Laws, and a variety of other state laws.

Cam can be reached at cameron.shilling@mclane.com. His direct dial is 603-628-1351, and his cell phone is 603-289-6806.