Digital privacy: ready or not, here it comes
The IT director walks into your office with printouts of an employee’s e-mails and Facebook postings. The IT director explains that these documents prove what he has feared for a few months – the employee is taking confidential information he or she accesses on a company laptop and is making negative remarks about the company’s products and management. You want to fire the employee and file suit to protect the business, but your attorney tells you that the company, and you personally, may be in trouble for violating the employee’s digital privacy rights.
Is there really any privacy in the digital age? Despite what you may think at first, the answer is, unequivocally, yes. In fact, the consequences for violating someone’s digital privacy rights are severe, even criminal.
Facebook is a phenomenon, no doubt. It has over 500 million users, about half of whom access their accounts on mobile devices. But digital privacy is not just a Facebook issue. The entire social media movement is implicated: YouTube, Twitter, Flickr, LinkedIn, and on and on. The massive use of e-mail – not only company e-mail but also webmail like Yahoo!, Gmail, Hotmail, etc. – and the rapid adoption of devices like iPhones and Droids also adds significant fuel to the fire.
But attorneys have only a patchwork of federal and state statutes and cases to use to advise clients. Digital privacy is a reality now, and the law and business compliance need to catch up quickly.
The most significant digital privacy laws are the federal Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA). The ECPA prohibits the unauthorized interception of electronic communications, like e-mail, texts and instant messages. However, this statute is limited because it is inapplicable if electronic communications are not in transit from sender to recipient.
The SCA picks up where the ECPA leaves off, in part. It prohibits unauthorized access to electronic communications stored in certain computer systems. The SCA also is limited because it only covers electronic communications, not other data, and (understandably) does not prohibit the entity that hosts the system from accessing the communications.
Most states have laws that afford some additional protection. As a result, an individual or employee may have a claim against an employer or another individual for “invasion of privacy” if the individual or employee had a reasonable expectation that the data accessed was private.
Applying this patchwork is difficult given the complexities of technology. For example, in the situation discussed above, the company could recover screenshots of the Gmail accessed by the employee from the laptop hard drive, but would be in violation of the SCA if it used the employee’s Gmail password (which also is often recoverable from the hard drive) to gain access to the Gmail account on the Internet.
Moreover, while the company is safe under the SCA to recover data from the hard drives of its computers (and its servers and other company-owned electronic devices), the company still may face a claim of invasion of privacy if it did not implement an appropriate electronic use policy. Such a policy informs employees that:
• All electronic data communicated or stored on company-owned electronic devices is the property of the company, not the employee.• Employees should not have any expectation of privacy with respect to data stored, communicated, or accessed using company-owned electronic devices.• The company can and, when appropriate, will monitor and review data that is stored, communicated, or accessed using company-owned electronic devices.What about the Facebook postings? Since it would violate the SCA to use the employee’s password to access the Facebook account, could the IT Director have set up an alias on Facebook, and induce the employee to “friend” the IT director in order to gain access to the postings? That would likely be an invasion of privacy. Also, depending on the purpose or content of the employee’s online communications, such conduct could lead to a claim under whistleblower laws or the National Labor Relations Act.
Although we’ve highlighted just a few digital privacy potholes, it is a navigable roadway with appropriate care and counsel. Businesses should invest the time necessary to learn about these issues and consult with an experienced attorney to get into compliance, particularly since the law in this area is still evolving.
Cameron Shilling, a shareholder at McLane, Graf, Raulerson & Middleton, where he is a member of the Litigation Department and the Employment Law Group, can be reached at 603-628-1351 or firstname.lastname@example.org.