Employers frequently access and review data created or stored by employees on company-owned electronic devices, such as computers, laptops, tablets (iPad), and cellphones (iPhone, Droid and Blackberry).  Well-crafted technology and social media policies specifically authorize employers to do so.  But, if not careful, employers can step over the line between permissible conduct and conduct that violates the federal Stored Communications Act (SCA).  The line between permitted and unlawful conduct is not always apparent, so employers need to be aware of the SCA and seek counsel before accessing or reviewing an employee’s electronic communications.

Company-owned electronic devices are treasure troves of evidence of employee misconduct, particularly where employees use the devices to access personal email (Gmail, Yahoo!, etc.) or social media (Facebook, Google+, Twitter, Flickr, etc.).  Employers feel justifiably entitled to access and review data created and stored on such devices, particularly where employees are instructed that the company owns the devices and has the right to monitor the data, and that employees have no right to privacy.  As a general rule, the law supports employers here.

But the SCA imposes some limits on employers.  And, as few recent cases demonstrate, it is all too easy for employers to step over the line and violate the federal law.

In Deborah Ehling v. Monmouth-Ocean Hospital Service Corp., the employer terminated the employee based (in part) on posts she made on Facebook.  The court underwent a rigorous analysis to determine that the SCA protects Facebook posts, as long as the posts are limited to friends and not on the person’s public Facebook pages.  As the court explained,

“when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on their Facebook walls” and the “privacy protection provided by the SCA does not depend on the number of Facebook friend that a user has.”

Although the employee’s Facebook posts were protected, the employer did not violated the SCA because it received the posts through a person authorized to access them: one of the employee’s co-workers, who was her Facebook friend, gave them to the employer.  However, as this court and others have recognized, an employer violates the SCA if it obtains an employee’s private Facebook posts by other means, such as (1) using a password retrieved from the hard drive of the employee’s company-owned electronic device or from a keystroke logger installed on the device, (2) accessing the account by using the employee’s company-owned device where the password populates automatically, (3) creating a fictitious person on Facebook to friend the employee, and (4) pressuring co-workers to divulge the employee’s Facebook posts.  In those circumstances, access to the Facebook posts would not be authorized under the SCA.

In another case, Sandi Lazette v. Verizon Wireless, the employee returned her company-owned Blackberry to her employer, but did not properly disconnect her Gmail account from it before doing so.  Over the next 18 months, her supervisor read 48,000 emails sent to that account, some of which were quite personal.  The court in that case (like many other courts) found that email stored in webmail accounts (like Gmail) is protected by the SCA, at least while the email resides unread on the servers of the service provider.

The employer made several unsuccessful arguments to avoid liability.  For example, the court rejected the argument that the supervisor was accessing only the company-owned Blackberry, recognizing that he was actually using that device to access an account on the Gmail servers.  However, an employer does not violate the SCA if it recovers an employee’s personal emails that are stored on a company-owned device, such as when the data is in a backup file or recovered from the “residual” space of a hard drive.  The court also rejected the employer’s argument that the employee had impliedly consented to the employer’s review of her Gmail by not properly disconnecting the account.  While consent need not be explicit, the court recognized that,

“Negligence is … not the same as approval, much less authorization.  There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone will be stopping by.”

Technology presents legitimate opportunities for employers to monitor their employees.  It also presents potential pitfalls, some of which are not apparent.  Employers should continue to harvest valuable information from company-owned electronic devices, but also need to become aware of the SCA and seek counsel before accessing or reviewing employee electronic communications.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Cameron Shilling

Cameron is a director in the Litigation Department, and chair of our Cybersecurity and Privacy Group.  In his 20 plus years as a lawyer, Cameron has managed, litigated and resolved numerous commercial matters involving data security, technology, business, and employment issues in New…

Cameron is a director in the Litigation Department, and chair of our Cybersecurity and Privacy Group.  In his 20 plus years as a lawyer, Cameron has managed, litigated and resolved numerous commercial matters involving data security, technology, business, and employment issues in New Hampshire, Massachusetts, New England, and around the country.  His education and depth of legal experience, as well as his professional interests and passions, are strengths that Cameron leverages to provide the highest quality counseling and litigation services to clients.

Combining his business, technology and employment interests, Cameron has developed a depth and breadth of experience in privacy and data security.  His résumé includes managing numerous data security audits, preparing and implementing written security policies, training executives, managers, and employees in data security, auditing, preparing and implementing data security agreements with vendors and business associates, addressing a wide variety of day-to-day security issues, and investigating and remediating many security breaches.  Cameron has dealt with these issues under a range of state and federal laws, including the Gramm-Leach-Bliley Act (GLB), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), Securities and Exchange Commission (SEC) regulations, Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act (FACTA), the Massachusetts and California data security regulations, and a number of other state data security and breach notification laws.

Data privacy is another focus of Cameron’s practice, including creating and implementing privacy policies, terms of use agreements, information use and social media policies, advising clients about workplace privacy, social media, and consumer privacy, and handling data privacy claims asserted against companies.  He has dealt with these issues under numerous applicable laws, including the Child Online Privacy Protection Act (COPPA), United States and Canadian CAN-SPAM and anti-spam laws, Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), Federal Trade Commission Act (FTC Act), Massachusetts privacy act, California Online Privacy Protection Art (CalOPPA), state wiretap laws, and a variety of other state and federal privacy laws.

Cam can be reached at cameron.shilling@mclane.com. His direct dial is 603-628-1351, and his cell phone is 603-289-6806.