Data and security breaches have become a fact of business life. Corporate espionage has been in play since the first proprietary design was created.
It's certainly easier to share information in a variety of ways, and it's understandable that businesses would rather keep some of that secret. Threats to your company’s reputation can certainly spread farther and faster than ever before.
But does an employer have the right to monitor electronic messages originating with employees in today’s always online world?
Why Businesses Should Monitor Electronic Messages
Email, social media, blogs, texting, and instant messaging are all easy routes for information dissemination. An employee certainly could intentionally or inadvertently transmit trade secrets or other intellectual property. An employee can also send offensive materials or threats through the company servers.
Businesses need to monitor communications, in part, to protect themselves from liability. The Doctrine of Vicarious Liability says that an employer may be held legally liable for an employee’s actions during the course of and execution of employment.
- Dissemination of adult and child pornography and sexual harassment.
- Leakage of valuable and confidential information.
- Dissemination of computer viruses.
- Loss of productivity and system inefficiency - if your company servers and computers are tied up during CyberMonday or simply due to heavy social media use by employees, company productivity will suffer.
- Reputation risk through negative publicity - if offensive or deleterious materials originate from your business or if an embarrassing email or social media post is released, your PR department will expend resources in recovery efforts that would have been used better elsewhere.
Monitoring of employee communications can appear perfectly reasonable.
The Problem with Monitoring Employee Communications
The desire for an employer to ensure employees are not sharing sensitive, offensive, or proprietary material can run up against an employee’s right to privacy. You walk a fine line when you monitor employee phone calls, email, and social media activity, even if it occurs during the course of hiring, employment, or with company property.
Overall, there is a general prohibition on intentional interception of electronic messages when the sender is unaware it is occurring or have not given permission for such messages to be intercepted. Separating liability and non-liability becomes tricky depending on the information and methods.
The first question is often, “Who owns the device the communication was sent from?”
If the employee is using a company-owned device, you may have a better case for monitoring. However, BYOD or Bring Your Own Device has become normal in many employment settings. Are you violating privacy by monitoring an employee’s personal device?
As for social media, while federal law has no prohibition on employers requesting a job candidate or employee’s social media passwords, most social media companies have stated that practice goes against their terms of service. Therefore, requesting a candidate or employee’s Facebook password or for access to a Twitter profile is clearly a violation of privacy.
Even more problematic is if you are shown to have discriminated against a candidate or employee due to information on their social media profile or activity. In such cases, the EEOC and other privacy rules govern this action.
Best Practices for Monitoring Employees’ Electronic Messages
The best thing you can do is implement an electronic communication policy to:
- Ensure your employees’ right to privacy is not unreasonably infringed
- Educate your employees on acceptable use of electronic communication
- Protect yourself from employee wrongdoing
Your policy must be clear and unambiguous, reasonable, and consistently applied. Above all, your employees must be made aware of the policy and, preferably, agree with it. You can include the policy in the employee handbook or other documentation at the time of hire, just be sure it is made clear to each employee and candidate that a signature implies consent.
In your policy, include:
- Specific definitions of work devices and messages covered by the policy
- Provision for the use of personal devices
- Provision for informing employees of the potential for monitoring
- A waiver of any expectation of confidentiality for violation of the policy
- Clearly stated consequences for violating the policy
To strengthen your stance, only search or monitor information for legitimate, specific reasons related to work and the company. Do not monitor all information flows at all times or fish for potential violations.
Disclaimers attached to emails regarding the sharing of information and filtering applications are additional tools businesses have used to prevent illegal or damaging content to pass outside the company.
So, yes, you do have a right to monitor your employees' electronic messages, but you must do so carefully and in a limited manner. Privacy laws are a backbone of citizenship in the United States. You must have adequate reason for monitoring employee communications and a policy known by employees of the potential that you may be watching.