Who Owns All the Data in the Workplace?
Wendi S. Lazar and Lauren E. Schwartzreich
New York Law Journal
April 30, 2010
Ten years ago employees wondered if their employers could look through their purses merely because they brought them to work. Today employees ask whether their employers own all electronic data created, viewed, or stored on their work computers and BlackBerrys.
In New York, private sector employees may have a reasonable expectation of privacy in their work computers, cellular phones, and other electronic devices. In 2001 the 2nd U.S. Circuit Court of Appeals confirmed in Levanthal v. Knapek [FOOTNOTE 1] that an employee may have a reasonable expectation of privacy in the content of her work computer, especially where her employer maintains an unclear technology usage policy. Since Leventhal, employers in the 2nd Circuit have crafted broad and detailed technology policies aimed at draining reasonable expectations of privacy out of employees' work-related technology.
These policies aim to bind employees to notices stating, more or less, that (1) all electronic data created, stored, received, or sent from the employer's electronic device or system (e.g., computer server or third-party wireless service provider), regardless of the purpose for which it is created, is the employer's property; (2) the employee cannot expect such data to remain private; and (3) the employer may monitor and obtain such data at its discretion and without further notice to the employee.
Although employers expect that these policies will permit unfettered access to employees' personal electronic data, courts are increasingly scrutinizing their enforceability. In Pure Power Boot Camp Inc. v. Warrior Fitness Boot Camp, LLC, [FOOTNOTE 2] the court was incredulous of the employer's reliance upon its policy to defend its accessing of an employee's personal Hotmail e-mail account. The court explained, "[i]f [an employee] had left a key to his house on the front desk at [his workplace] one could not reasonably argue that he was giving consent to whoever found the key, to use it to enter his house and rummage through his belongings." [FOOTNOTE 3] It now appears in the 2nd Circuit that employees do not check their privacy at the door to their workplace.
Inconsistent monitoring or enforcement of technology policies against employees may be unlawful. An employer may not selectively enforce a technology policy against an employee who exercises workplace rights, such as engaging in union organizing activities. [FOOTNOTE 4]
Monitoring internet or telephone usage may be unlawful where it is done in response to a complaint of discrimination. For example, in Zakrzewska v. The New School,[FOOTNOTE 5] the court found that an employer's covert monitoring of an employee's personal internet usage after she complained of discrimination could constitute an unlawful retaliatory adverse employment action. Similarly, in Dotson v. City of Syracuse, [FOOTNOTE 6] the court found that an employer's monitoring of an employee's telephone conversations after she had complained of discrimination was "intrusive" and might also constitute unlawful retaliation.
Technology policies do not confer access to employees' personal electronic information stored by cellular providers or on employees' personal online e-mail accounts, restricted-access social networking site profiles, or password-protected blogs. Federal statutes, such as the Electronic Communications Privacy Act, and its subsections the Wiretap Act [FOOTNOTE 7] and the Stored Communications Act, [FOOTNOTE 8] provide criminal and civil penalties against employers who gain unauthorized access to employees' personal electronic communications and data. Employers may pay heavily for assuming that their technology policies shield them from these laws. [FOOTNOTE 9]
Under the Wiretap Act, [FOOTNOTE 10] employers may not intercept employees' personal electronic communications (that are in transmission). While employers may be liable under this act for monitoring employees' telephone calls [FOOTNOTE 11] claims of unlawful interception of e-mails are less likely to succeed under the act due to courts' narrow construction of the "in transmission" provision of the law. [FOOTNOTE 12]
Employers may violate the SCA if they access employees' personal e-mail accounts without permission. In Pure Power Boot Camp, discussed above, the employer maintained a broad computer use policy stating that employees had no right of personal privacy in any matter stored in or created on the company's system, inclusive of personal e-mail accounts accessed on the company's system, and that computer usage was subject to monitoring without additional notice. The employer accessed the employee's personal Hotmail account by using the password he had saved on his computer. [FOOTNOTE 13] The court found that by these actions the employer violated the SCA.
Employers may violate the SCA by accessing employees' otherwise restricted websites, such as password-protected social networking sites, and chat groups. In a case out of New Jersey, Pietrylo v. Hillstone Restaurant Group, [FOOTNOTE 14] a district court recently upheld a jury verdict finding that an employer violated the SCA where it accessed a group of employees' password-protected and invite-only chat forum located on the social networking site, MySpace.
Employers may also violate the SCA by accessing employees' personal text messages via a cellular wireless provider -- even if the employer owns the phone, pays the bills, and maintains the contract with the provider.
In Quon v. Arch Wireless Operating Co., [FOOTNOTE 15] a decision out of the 9th U.S. Circuit Court of Appeals, a wireless provider violated the SCA by providing the employer-city with transcripts of text messages sent to and from the plaintiff-employee's work pager. The employer maintained a technology policy that, it argued, (1) permitted the employer to monitor electronic communications, including pagers, and (2) put the employee on notice that electronic communications via pagers were not confidential and that pagers were not for personal use.
However, the employee's supervisor maintained an informal policy permitting personal use of pagers and also agreed not to monitor the communications if the employee paid all service plan overage fees. After the employee exceeded the service plan on several occasions, and even though the employee paid the overage, the employer asked the wireless provider for transcripts of the employee's text message communications. The wireless provider complied. Subsequently, the employer terminated the employee citing the content of those text messages, and the employee successfully sued both his employer (for violating his Fourth Amendment rights) and the wireless provider (for violating the SCA).
In December 2009, the U.S. Supreme Court denied certiorari to the wireless provider who had appealed the 9th Circuit's decision in Quon, thus confirming that entities like cellular service providers, web-based e-mail providers and social networking sites risk violating the SCA if they disclose the contents of employees' stored communications to their employer.
However, the implications of Quon are still unsettled. On Dec. 14, 2009, the Supreme Court granted certiorari to the city-employer (arguments were heard April 19, 2010). In doing so, the Court may have set the stage for a potential shift in employee privacy rights. The Court's opinion may venture beyond the unique public sector issues raised in the cert petition and touch upon private sector employees' privacy rights. Further, the Court's ruling (or dicta) concerning employee privacy may influence lower courts' analyses of privacy rights in the private sector.
At this juncture, wireless providers will undoubtedly avoid disclosure of text messages to employers without direct authorization from the actual user, recipient, or intended addressee, as required under the SCA. [FOOTNOTE 16] Thus, employers are less likely to obtain the content of employees' personal text messages through a wireless provider. [FOOTNOTE 17]
Similarly, online e-mail providers and social networking sites are unlikely to disclose employees' personal user content to employers due to similar liability. Even where an employer compels an employee to sign a waiver, entities subject to the SCA will likely not disclose protected content. As a result of others' liability under the SCA, employees indirectly receive some protection against disclosure of their stored private electronic communications.
In addition to being protected from unauthorized accessing or selective monitoring of private electronic communications by their employers, as described above, New York employees' communications with counsel may also receive protection from inadvertent disclosure.
While circuits are split over whether employees waive their attorney-client privilege by communicating with counsel or maintaining privileged content on a work computer, [FOOTNOTE 18] the 2nd Circuit would likely find no waiver where communications are via online personal e-mail accounts. [FOOTNOTE 19]
In United States v. Hatfield, [FOOTNOTE 20] the court found no waiver of privilege concerning electronic communications and documents an employee maintained on his work computer. The court noted the absence of direct guidance on this issue from the 2nd Circuit or the New York Court of Appeals and applied a four-factor test well-established within the district courts [FOOTNOTE 21] and added its own fifth factor: (1) whether the employer maintained a policy banning personal computer use; (2) whether the employer monitored employees' use of computers or e-mails; (3) whether third parties had a right to access employees' computers or e-mails; (4) whether the employee was on notice of the use and monitoring policies; and (5) whether disclosure of the privileged information would be consistent with the employer's interpretation of its own policy.
The employer's broad computer use policy was problematic in several respects: it did not expressly prohibit usage for personal legal matters; it did not state that the employer will monitor computer usage; the employer did not actually monitor computer usage; and the employer understood its policy to protect other employees' "privileges." [FOOTNOTE 22]
Notably, the court found it would be "fundamentally unfair to subject [the employee] to the consequences of waiving privilege based on a strict, theoretical interpretation of [the employer's] Computer Usage Policy that was never imagined by [the employer] itself and, in fact, contradicted by [the employer's] own actions ... ." [FOOTNOTE 23]
Most recently, in Stengart v. Loving Care Agency Inc., [FOOTNOTE 24] the New Jersey Supreme Court issued an opinion as yet the most important for employee privacy rights in 2010. The court affirmed an appellate court's ruling that an employer violated its employee's privacy when it accessed the employee's e-mails to and from counsel that were sent and received from a work computer. The court confirmed that while an employer has a right to establish policies and to discipline employees who violate them, a policy that allows an employer to read an employee's attorney-client communication is unenforceable.
STATE LAW CLAIMS
Employees and their counsel may find additional privacy protections from existing state statutory and common law. Unfortunately, New York does not recognize invasion of privacy claims. [FOOTNOTE 25] However, New York's labor law does prohibit termination of employees based on recreational activities performed outside the workplace, [FOOTNOTE 26] arguably including online activities like blogging or Twittering.
New York employees may also have claims of false light invasion of privacy (e.g., for online misrepresentations about employees, such as statements made by managers on social networking sites like LinkedIn) or tort claims arising out of workplace cyber-stalking. It may also be possible to bring a tortious interference of contract claim against an employer who requires an employee to disclose her password to her social networking site profile, as this act may violate her social networking site' service agreement [FOOTNOTE 27] or because the policy violates public policy concerns.
The Supreme Court's upcoming decision in Quon will certainly give New York lawyers new parameters for understanding and interpreting private and public sector employees' rights to workplace privacy in the digital age. In the meantime, however, a new set of rules is already re-shaping employees' expectation of privacy and their understanding of what electronic communications are protected.
Wendi S. Lazar is a partner at Outten & Golden and co-chair of the firm's executives and professionals practice group. Lauren E. Schwartzreich is an associate at the firm and co-chair of its Electronic Discovery Committee.
FN1 266 F.3d 64, 74 (2d Cir. 2001).
FN2 587 F.Supp.2d 548 (SDNY 2008).
FN3 Id. at 561.
FN4 See, Guard Publishing Co. v. NLRB, 571 F.3d 53, 60 (D.C. Cir. July 7, 2009); cf. Gorzynski v. JetBlue Airways Corp., 596 F.3d 93 (2nd Cir. Feb. 19, 2010).
FN5 543 F.Supp.2d 185 (SDNY 2008).
FN6 No. 5:04-CV-1388, 2009 U.S. Dist. LEXIS 62174 (NDNY July 21, 2009).
FN7 18 U.S.C. §2510, et seq. (prohibiting unauthorized interception of communications while in transmission).
FN8 18 U.S.C. §2701, et seq. (prohibiting unauthorized access of stored electronic communications).
FN9 Under the SCA, employees may obtain an award of punitive damages where the violation was intentional, attorneys' fees and costs, and statutory damages with proof of actual damages. See Van Alstyne v. Electronic Scriptorium Ltd., 560 F.3d 199 (4th Cir. 2009).
FN10 See, 18 U.S.C. §2511(1)(a)-(b).
FN11 See, Hay v. Burns Cascade Co. Inc., No. 5:06-CV-0137, 2009 U.S. Dist. LEXIS 12160 (NDNY Feb. 18, 2009).
FN12 See, Konop v. Hawaiin Airlines Inc., 302 F.3d 868, 878-79 (9th Cir. 2002) (employer intercepted messages that were in storage, not while they were in transmission); Steve Jackson Games Inc. v. U.S. Secret Serv., 36 F.3d 457 (5th Cir. 1994) (unopened e-mails on computer were not in transmission); but see United States v. Councilman, 418 F.3d 67, 85 (1st Cir. 2005) (en banc) (e-mails in "transient electronic storage" are intercepted while "in transmission" as defined under the statute).
FN13 The employer further accessed his Gmail and another e-mail account through information (and the password) it obtained through the Hotmail account.
FN14 No. 06-5754, 2009 U.S. Dist. LEXIS 88702 (D. N.J. Sept. 25, 2009).
FN15 529 F.3d 892 (9th Cir. 2008). Rehearing, en banc, denied, 554 F.3d 769 (9th Cir. 2009), cert. granted sub nom. City of Ontario v. Quon, 130 S. Ct. 1011 (Dec. 14, 2009) (hereafter, Quon).
FN16 See, 18 U.S.C. §2702(b)(3).
FN17 Employers may still obtain text messages through physical examination of employees' work cell phones, as the SCA only applies to electronic data stored by a "remote computing service" or "electronic communication service." 18 U.S.C. §§2701-2711.
FN18 Compare United States v. Ziegler, 474 F.3d 1184, 1190 (9th Cir. 2007) (reasonable expectation of privacy in contents of work computer); with Muick v. Glenayre Electronics, 280 F.3d 741, 743 (7th Cir. 2002) (no expectation of privacy in contents of work computer); United States v. Simmons, 206 F.3d 392, 398 (4th Cir. 2000).
FN19 See, United States v. Hatfield, No. 06-CR-0550, 2009 U.S. Dist. LEXIS 106269 (E.D.N.Y. Nov. 13, 2009) (2nd Circuit likely to uphold privilege); Curto v. Medical World Communications Inc. 03-CV-6327, 2006 U.S. Dist. LEXIS 29387 (E.D.N.Y. May 15, 2006); Geer v. Gilman Corp., 06-CV-0889, 2007 U.S. Dist. LEXIS 38852 (D. Conn. Feb. 12 2007), Orbit One Communications Inc. v. Numerex Corp., 255 F.R.D. 98, 107-8 (SDNY 2008); In re Asia Global Crossing, Ltd., 322 M/R/ 247. 259-61 (SDNY Bnkr. 2005); but see, Long v. Marubeni America Corp., No. 05 Civ. 639, 2006 U.S. Dist. LEXIS 76594 (SDNY Oct. 19, 2006); Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436 (N.Y. Supp. Ct., N.Y. Cty. 2007).
FN20 2009 U.S. Dist. LEXIS 106269, at 30 n12.
FN21 See, Curto, 2006 U.S. Dist. LEXIS 29387 at 2-3 (applying four-factor test and finding that employee did not waive privilege by maintaining documents on employer's computer); Geer, 2007 U.S. Dist. LEXIS 38852 at 3-4; Orbit One Communications Inc., 255 F.R.D. 98 at 107-8.
FN22 2009 U.S. Dist. LEXIS 106269, at 33.
FN23 Hatfield, 2009 U.S. Dist. LEXIS 106269 at 34 n14.
FN24 Stengart v. Loving Care Agency Inc., 408 N.J. Super. 54 (App. Div. 2009), aff'd, -- N.J. -- (March 30, 2010).
FN25 See, Mack v. United States, 814 F.2d 120, 123 (2d Cir. 1987); but see Brown-Criscuolo v. Wolfe, 601 F.Supp.2d 441 (D. Conn. 2009); Walston v. UPS, No. 2:07-CV-525, 2009 U.S. Dist. LEXIS 10307 (D. Utah, Feb. 11, 2009).
FN26 See, New York Labor Law §201-d.
FN27 Facebook Statement of Rights and Responsibilities (Dec. 21, 2009; last visited March 19, 2010).