As an employer, you have more authority to monitor employee communications than you might think. Of course, that power isn't unlimited. It depends in large measure on the level of privacy you have led employees to expect, whether explicitly or implicitly. Managing those expectations is the key to maintaining your rights. Here's more.
Employers have many reasons to monitor employee communications from time to time, including staying out of legal trouble. For example, if any kind of illegal discrimination or employee harassment is going on, and you allow it to continue by ignoring possible evidence of its occurrence, you could lose a lawsuit.
Or if employees are defaming your company through public social media postings — or revealing proprietary information about your products, services or strategic plans — your business could sustain serious competitive injury.
The point is simple: There are times you need to keep tabs on what employees are communicating, and doing so doesn't make you a sinister "big brother." The fact that there are so many ways employees can abuse communication systems makes the task of staying on top of it a bit trickier. For instance, your right to monitor employee emails sent from company-owned computers via the company's email system is fairly straightforward. But, of course, that's only part of the problem.
What's in Your Employee Handbook?
You may be concerned about messages an employee is sending using a personally owned smartphone. Can you monitor those messages? The answer begins with the policy you lay out in your employee handbook. As noted, in deciding employee privacy cases, courts typically consider whether the employee had a reasonable expectation of privacy. Such an expectation disappears when you spell out your policies clearly and in detail, then secure an acknowledgment that the employee has read and understood them.
Among other provisions, these policies generally should:
- Explain their purpose in terms conveying that employees all ultimately benefit from the safeguards in place. That is, the policies are intended to protect the company (and, therefore, employee paychecks) and possibly to shield all concerned from defamatory communications that other employees could initiate.
- Articulate which modes of communication are subject to employer monitoring, including emails and other forms of electronic communication on company-owned devices, including cell phones, and
- Spell out the steps you might take pursuant to the policy.
Your rights to monitor employee communication, when employees have been put on notice that you'll exercise them, might be greater than you expect. According to the Small Business Administration (SBA), "no specific laws govern the monitoring of an employee's social media activity on a company's computer" if you're looking for unauthorized posting of company content.
The SBA cautions, however, that there have been rulings against employers who fired workers for complaining on social media sites about their workplace conditions. That is generally considered "protected speech" under the National Labor Relations Act. The SBA's advice: "Provide employees with a social media policy and be sure to include information about what you consider confidential and proprietary company information that should not be shared."
What about monitoring employee emails and telephone conversations? Although the Electronic Communications Privacy Act of 1986 (ECPA) prohibits the intentional interception of "any wire, oral or electronic communication," it does include a business use exemption that permits monitoring of email and phone calls.
The SBA states, "Generally, if an employee is using a company-owned computer or phone system, and an employer can show a valid business reason for monitoring that employee's email or phone conversations, then the employer is well within his or her rights to do so." And as noted, if employees have been given a heads-up and demonstrated they understand the policy, you're in a strong position.
However, the SBA advises employers to be aware that the ECPA "draws a line between business and personal email content you can monitor – business content is OK, but personal emails are private."
The latest frontier in discriminating between legitimately personal communications and employment-related ones involves employees using their own laptops and smartphones pursuant to a "bring your own device" (BYOD) policy. There are practical advantages to BYOD policies, including employee convenience and also savings in the company's IT budget. On the other side of the equation, using personal devices can give employees a false sense of impunity with respect to the sensitive or offensive company-related information they convey on them.
If you do have a BYOD policy, consider expanding the scope of your privacy policies to accommodate it. The policy could:
- State that you reserve the right to access, monitor and delete information from personally owned devices under specified circumstances,
- Stipulate which employee-owned devices can be used for work purposes and are eligible for tech support,
- Require the use of "mobile device management technology" to create an electronic barrier between personal and business-related data,
- Limit employee job categories eligible for using personal devices,
- Establish data security protocols, including standards for passwords, and
- Set a schedule for deleting business-related data maintained on personally owned devices.
The law governing employee privacy at a time of rapid evolution of communication technology isn't entirely clear on all counts, can vary by jurisdiction, and is constantly changing. That's why it's prudent to consult with an attorney with relevant expertise as you develop your policies to balance your legitimate interests with those of employees.