by Mike Spykerman, CEO Red Earth Software

This article discusses the legal aspects surrounding email monitoring and advises companies how to monitor employees' emails without violating privacy rights.

According to a survey by Quicktake, 42% of employers monitor their employees' emails. However, Michael Overly (author of E-policy1) found that only 60% of the employers who monitor emails actually have an adequate written policy in place. By monitoring emails without warning, employers are arguably infringing on an individual's privacy and therefore susceptible to workplace privacy lawsuits. With a 3000% increase in privacy lawsuits filed over the paste decade2, it is a very real possibility that a disgruntled employee might try to seek compensation from your company in this way. However, as can be concluded from the court cases discussed below, employers can successfully protect themselves from these claims by implementing a sound email policy and taking uniform measures.

It is important to make two distinctions concerning the legality of email monitoring:

Federal and state law
The first distinction is one between federal law, which tends to be more biased towards the employer, and state law, which is usually the opposite. Under federal law the Electronic Communications Privacy Act (ECPA) allows companies to monitor employees' emails when one of three provisions are met: one of the parties has given consent, there is a legitimate business reason or the company needs to protect itself. Even though the ECPA requires a provision to be met, under federal law companies are generally allowed to monitor employees' email. However, companies need to be aware that this act might be subject to change. In July 2000 legislators proposed the Notice of Electronic Monitoring Act in which employers would be required to notify new employees of any electronic monitoring and provide annual notice to all employees. Employers that failed to inform employees of email monitoring would face civil suit damages of up to $20,0003. However, since September 2000 there has been no further mention of this act. Even without the introduction of this new bill, employees can seek compensation through state law, where the legality of electronic monitoring is not so clear cut as it is under federal law. If your company has no email policy in place, an employee could argue that he or she had a reasonable expectation of privacy. However, if the company has implemented a written email policy where employees are informed about the possibility of email monitoring and warned that they should have no expectation of privacy, the company is protected from this type of privacy claim.

Email auditing and email interception
A second distinction to make is the difference between email auditing (sometimes called email monitoring), where email is checked after the actual transmission, and email interception (sometimes called email filtering), where email is intercepted and checked during transmission.

Several court cases have upheld that checking email after transmission is legal (i.e. email auditing), since it is viewed as no different than searching through a file in an employee's drawer. For instance in a criminal case against a CIA employee charged with receiving inappropriate emails (United States v. Mark L. Simmons), the court ruled that the viewing of personal email did not violate federal wiretapping laws, since the email was not viewed while it was being transferred but was obtained from storage.

Email interception is not as clear cut as email auditing. However, cases in the United States have proven that most forms of email interception are permitted if this is done in a reasonable manner and is backed up by an email policy, as proven by the Nissan and Pillsbury case: In 1991, Nissan Motor Corporation fired two employees after they had been caught sending sexually explicit emails. The employees took Nissan to court (Bourke v. Nissan) claiming unfair dismissal and violation of privacy. However, since the company had an email policy in place and had explicitly stated that employees' emails would be monitored, the court ruled in favor of Nissan. In another case (Smyth v. Pillsbury Company) an employee was fired for communicating unprofessional comments over the company's email system. The email allegedly contained threats to "kill the backstabbing bastards" in sales management, and referred to the upcoming holiday party as a "Jim Jones Koolaid affair". When the employee claimed that the company had violated privacy laws, the court concluded that no reasonable person would consider the interception to be a highly offensive invasion of privacy, and that the company's interest in preventing inappropriate or unprofessional comments or illegal activity outweighed any privacy interest.

Email policy
So, does this mean that email monitoring is legal? Basically the answer is yes, IF your company has implemented a written email policy in which employees are warned that their emails can be monitored and that they should have no expectation of privacy. Not only will the existence of an email policy help you in a court of law, it will also educate your employees in the usage of email and may prevent many of the issues you were trying to stop by monitoring email. Make sure that the email policy is properly communicated to all staff and that any updates are circulated amongst all employees. It is preferable to have employees sign the email policy, including any additions to it, to prove that the employee has agreed to abide by the rules. Furthermore, email monitoring must be applied as uniformly as possible, since singling out an individual without a clear reason to do so could subject the company to discrimination claims.

Not obliged to monitor
It is important to include a note in your email policy stating that although the company might perform monitoring, it is not obliged to monitor emails. Failure to include this clause could be interpreted as a commitment from your company to protect your employees from all harmful and inappropriate emails. Were an inappropriate email to slip through, an employee could technically sue your company for failure to protect him or her from offensive communications.

Take reasonable action
Remember though that even if email monitoring is allowed, employers must still take care when taking action based on email monitoring results. The City of Scottsdale faced paying out damages of $300,000 after it dismissed an officer for sending out a sexually offensive email to a colleague. The officer had just received a promotion and had sent an email to a female coworker asking if she would sleep with him now that he was promoted. Even though the recipient was a close friend of the officer and found the message amusing instead of offensive, the police department removed the officer from the promotions list and after several disputes ended up firing him. The officer sued the police department and was awarded $300,000 in damages.

Bottom line
If you perform email monitoring and do not yet have en email policy in place, it is strongly advisable to implement a policy without delay. Not only will this protect you from privacy claims, it makes good sense to document your company rules and communicate these to your employees. After all, how can you expect employees to know how to behave if you don't tell them what you deem to be appropriate usage of your system? If your company does not monitor email, nor have an email policy in place, it is time to seriously consider using these measures. Without them, any company that provides their employees with email access faces serious legal and business threats.

About the author
Mike Spykerman is CEO of Red Earth Software, a software development company that specializes in email policy enforcement software. The company's current products include Policy Patrol, an Exchange server and Lotus Notes add-on for blocking spam, viruses, offensive content, attachment quarantining, adding disclaimers and much more. Red Earth Software are Microsoft Certified Partners.