There has been a marked increase in workplace surveillance in recent years, chiefly among Internet-related activities. Some concerns have strong internal impacts, such as the theft of important proprietary corporate data. Others have large external impacts, such as lawsuits or problems with the Federal Trade Commission if an employee engages in certain types of communication that might manipulate stock prices.
One pair of abuses high on both dimensions is the combination of pornography and sexual harassment. Sexual harassment has strong internal impacts because it can create enormous frictions in work units. Harassers whose victims complain may engage in retaliatory behavior, further compounding the situation. Often, most or all members of a work unit in which sexual harassment takes place are affected by the problems harassment creates.
External impacts can be great: if companies do not remedy harassment situations, they face large financial judgments in civil cases. They also face loss of reputation in the community as a whole and, in severe cases, difficulties in hiring.
Given these enormous liabilities, it is not surprising many companies wish to monitor email communication and Web site access to look for signatures of pornography and harassing behavior. This article looks at the legal basis for such electronic workplace monitoring for pornography and sexual harassment.
While Internet abuse at work may be a new phenomenon, sexual and racial harassment in the workplace certainly is not. U.S. Supreme Court guidance suggests employers must be vigilant and proactive of harassment in all forms. Certainly email and Internet abuse at work may lead to claims based on a hostile work environment under Title VII of the Civil Rights Act of 1964. Generally, an employer may be liable when an employee is subject to unwelcome harassment based on race or sex sufficiently severe and pervasive as to alter the conditions of employment and create a hostile or abusive working environment [7].
Discrimination law makes claims originating with supervisors easier to establish than claims based on coworker harassment. If sexual or racial harassment is attributable to a supervisor, the employer can be held strictly liable, provided the employee also suffered an "adverse tangible employment action" such as discharge, demotion, or undesirable reassignment. If the employee did not suffer a tangible employment action, then the employer may defend the claim by asserting that it took reasonable steps to protect and correct harassing misconduct of which the employee failed to take advantage to avoid harm [3].
On the other hand, if the hostile environment is created by coworkers and not by a supervisor, then the employer is liable only if the employee shows the employer was negligent, that is, that the employer knew or should have discovered and remedied the harassment. The employer's affirmative steps to detect and prevent harassing conduct are relevant evidence on a harassment claim [7].
In determining whether harassment occurred, courts consider the totality of the circumstances, including the frequency, severity, and nature of the conduct. "To be actionable ... a [racially or sexually] objectionable environment must be both objectively and subjectively offensive, one that a reasonable person would find hostile or abusive, and one that the victim did in fact perceive to be so" in light of the totality of the circumstances [3]. Offensive jokes, gestures, comments, or photographs in the workplace can create the hostile environment.
A single incident of inappropriate email is not sufficient to establish a claim, while unchecked offensive communications circulating within the workplace may constitute harassment. For instance, in Owens v. Morgan Stanley & Co [6], it was ruled that a single email message containing racist jokes circulated among white employees was insufficient evidence of a hostile work environment. However, in Strauss v. Microsoft Corporation [10], the court held that, among other remarks, several jokes and parodies of a sexual nature emailed by a supervisor to employees were admissible and relevant evidence of sexual harassment.
Thus, under Title VII of the Civil Rights Act, an employer's lax attitude toward Internet and email use and abuse may allow racially offensive or sexually explicit material to pervade the work environment and create or contribute to a hostile environment. Moreover, the failure to monitor the work environment, prevent harassment, and institute procedures to facilitate employee complaints about abuses will prevent an employer's affirmative defense against supervisory claims or will serve as evidence of negligence in coworker harassment claims. In Knox v. Indiana [4], it was ruled that an employer with actual or constructive knowledge must take prompt remedial action to eliminate sexual harassment. It therefore behooves employers who allow Internet and email access to employees to develop policies and practices that limit or restrict inappropriate material from entering the workplace and to develop procedures allowing employees to report Internet and email misconduct.
How do courts balance an employer's legitimate concerns regarding the work environment, employee productivity, and the use and abuse of its own equipment with employee privacy concerns? Courts have largely, but not uniformly, supported an employer's right to monitor and control an employee's use of company-provided email and Internet access. Certainly this right is most clearly supported when the employer promulgates clear policies and regulations and the employee gives prior consent to monitoring because to do so reduces the employee's expectations of privacy on the workplace computer.
Employers should be aware that provisions of the Electronic Communications Privacy Act (ECPA) of 1986 may affect their right to intercept email messages, depending on whether the interception takes place during transmission or from storage after transmission, and whether an exception may apply. The ECPA generally makes it unlawful to intentionally intercept electronic communication, or to access "electronic communication while it is in electronic storage."
However, case law has interpreted ECPA to allow a "provider" of the "electronic communications service" (the employer providing the terminals, computer, and software) to "do as they wish when it comes to accessing communications in electronic storage" after it has been sent and received and has moved to post-transmission storage because post-transmission storage is not within the technical definition of electronic storage under the ECPA [4].
Moreover, exceptions to the ECPA may also apply in the employment context to provide safe harbor to the employer [1]. Where the employer provides the system, the "system provider exception" to the ECPA gives "the employer broad license to monitor, intercept, and disclose messages." There is also a "prior consent" exception that gives employers broader power if employees consent to being monitored. However, with limited judicial interpretations of the Act's application to email, employers must be cautious in assuming the applicability of such exceptions.
A single incident of inappropriate email is not sufficient to establish a claim, while unchecked offensive communications circulating within the workplace may constitute harassment.
Accessing workplace email in the absence of a clear policy that allows employer access may expose an employer to liability under state common law for invasion of privacy. The few courts considering these claims are somewhat divided on how much privacy employees should expect when using email on a company email system.
For example, in Smyth v. Pillsbury (1996), a federal court in Pennsylvania held that an employer could discipline and discharge an employee for sending inappropriate email and, at least in Pennsylvania, the employer may do so, even in contravention of a promise not to monitor email. In Smyth's case, an employee made threatening comments about his superiors and coworkers in two email messages, which were intercepted by the employer and resulted in the employee's termination. Smyth, an "at-will" employee (one who can be terminated or quit without cause) filed suit to regain his job. Smyth claimed the employer both violated his privacy and broke its promise not to monitor email use. The court ruled that under Pennsylvania law the employer did not invade Smyth's privacy because he had no reasonable expectation of privacy in that email. "Once plaintiff communicated the alleged unprofessional comments to a second person (his supervisors) over an email system, which was apparently utilized by the entire company, any reasonable expectation of privacy was lost."
On the other hand, in Restuccia v. Burk Technology, Inc. [8], a Massachusetts court reached a contrary result in denying an employer's motion for summary judgment. In this case, the employer had no policy against personal messages, "although there was a policy against excessive chatting." Employees "were not specifically told their computer files, including email messages were automatically saved on back-up files to which supervisors had access." When a supervisor was told that an employee was "spending a lot of time using the email system," he accessed the back-up system and read employee files, including personal messages and terminated the employee for excessive email use. With regard to the invasion of privacy claim, the court held that "plaintiffs had a reasonable expectation of privacy in their email messages and whether Burk's reading of the email messages constituted an unreasonable, substantial or serious interference with plaintiff's privacy" remained a question of fact for trial.
It seems fairly clear employees have little privacy interest in the data they store on their computers or how they use the Internet on their employer's equipment. Recently, professors at public colleges and universities in Virginia challenged a state statute that restricted public employees from accessing sexually explicit materials on computers owned or leased by the state, unless required in conjunction with a university-approved research project or undertaking. Although a federal district court held that the statute violated the First Amendment and academic rights of the professors, the Court of Appeals for the Fourth Circuit disagreed, holding the statute constitutional (see [7]).
U.S. v. Simons [11], a criminal case, provides some guidance by analogy regarding this reduced expectation of privacy, especially when company policy warns employees their use will be monitored and certain uses prohibited. In Simons, a government employer warned employees to use their computer for work purposes only and that monitoring and auditing could occur. The employer was alerted to an employee's use of government equipment to download pornography when, during an electronic audit, a security company entering the keyword "sex" into the firewall database discovered excessive hits on the employee's computer. Further investigation and search of the employee's computer revealed the employee downloaded child pornography and a criminal investigation ensued.
Charged and convicted, the employee appealed, alleging the initial search and seizure during the audit were unlawful. But the court rejected his argument, holding that while public employees have some expectation of privacy in their offices or parts of their offices such as desks or file cabinets, a government employer also has an interest in the "efficient and proper operation of the workplace" and policies, practices, and regulations that allow inspection to reduce legitimate privacy expectations. In fact, the court opined, "In the final analysis, U.S. v. Simons involves an employee's supervisor entering the employee's government office and retrieving government equipment in which the employee had absolutely no expectation of privacy—equipment the employer knew contained evidence of crimes committed by the employee in the employee's office. We consider the FBI's intrusion into the employee's office to retrieve his hard drive is one in which a reasonable employer might engage."
Sexual and racial harassment case law makes clear that an employer must actively protect employees from discrimination and harassment at work or risk liability under Title VII of the Civil Rights Act. When an office email system is used to disseminate offensive messages, it contributes to a hostile and discriminatory work environment. Moreover, even apart from Title VII liability, employers have legitimate interests in the productivity of employees and the proper use of employer-provided equipment.
Yet, employees also have privacy interests in email and Internet activities that courts must weigh and balance against an employer's legitimate supervisory interests. With regard to accessing employee email, courts are divided as to the extent of privacy an employee enjoys under state law. However, employees have little expectation of privacy where an employer has previously informed employees of its intent to monitor email and limit computer use to company business.
Case law interpreting the ECPA, which restricts companies' interception of email, is still developing. What seems clear is that with regard to email, accessing post-transmission storage files on a company's system is within the employer's rights. Additionally, some exemptions may apply to employer activities, although the precise parameters of these statutory exceptions have not been interpreted by case law. In light of the prior consent exception, employers will be well served by a clear company policy that informs employees of such activities and consistent application of that policy. Requiring employees to acknowledge such a policy in writing as well as frequent reminders that their computer activities are subject to monitoring may be appropriate as well.
Finally, in order to avoid claims that an employer arbitrary or illegally discriminated against an employee, an employer should apply its policies uniformly and avoid an appearance that it singled out or targeted a certain employee.
1. Blcakowicz, J. Email disclosure to third parties in the private sector workplace., 7 B.U. J. Sci. Tech. L. 80, 89 (2001).
2. Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2511 et seq. (Wiretap Act); 18 U.S.C. § 2701 et seq. (Stored Communications Act).
3. Faragher v. City of Boca Raton, 524 U.S. 775 (1998).
4. Fraser v. Nationwide Mutual Insurance Co., 135 F. Supp. 2d 623, 635 (E.D. Pa. 2001).
5. Knox v. Indiana, 93 F3d 1327 (7th Cir. 1996).
6. Owens v. Morgan Stanley & Co., 1997 WL 403454, at *2 (S.D.N.Y.).
7. Mason v. Southern Illinois University at Carbondale, 233 F.3d 1036, 1043 (7th Cir. 2000).
8. Restuccia v. Burk Technology, Inc., 1996 WL 1329386 (Mass. Super.).
9. Smyth v. Pillsbury Co., 914 F.Supp. 97 (E.D. Pa 1996).
10. Strauss v. Microsoft Corporation, 1995 WL 326492, at *3 (S.D.N.Y.).
11. United States v. Mark L. Simons, 206 F.3d 392 (4th Cir. 2000).
©2002 ACM 0002-0782/02/0100 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2002 ACM, Inc.
No entries found