For as long as I can remember, I have advised employers that they have a right to monitor employee electronic communications, including emails, if the emails are sent or received on company equipment or company time. I ask the client about whether or not they have a clear policy putting employees on notice that they have no expectation of privacy in emails or other online activity done at work or on work equipment. If such a policy is in place, the employer is generally free to monitor employee activities, with or without other advance notice. This can be important when investigations into employee misconduct or wrongdoing are necessary.
A recent New York Times article about employer email monitoring caused me to pause and reconsider my advice about this practice. According to the article, the federal Food and Drug Administration engaged in secret email monitoring and surveillance because it suspected that some of its own scientists were leaking confidential and proprietary information belonging to private companies to outside parties, including the media. The FDA used so-called spy software which tracked employee keystrokes, intercepted their personal emails, copied the documents on their personal thumb drives and even followed their messages line by line as they were being drafted. The agency also used a private document handling contractor to help with the surveillance operations, and this private vendor mistakenly posted more than 80,000 pages of confidential information gathered during the surveillance on a public website.
The agency defended its action, saying the operation was limited to five scientists suspected of leaking confidential information about the safety and design of medical devices, and pointing to its policies allowing monitoring, including a click through notice screen that the scientists saw each time they logged into work emails.
A group of scientists targeted for this surveillance have filed a lawsuit against the FDA challenging the surveillance practices and claiming retaliation for reporting claims of mismanagement and safety abuses in the agencys medical review process. The law regarding online privacy rights is unsettled, and there are legal risks for employers, including possible claims for invasion of privacy. Public employers like the FDA are also subject to the Fourth Amendment of the United States Constitution, which protects public employees from unreasonable searches and seizures, and this prohibition extends to electronic information.
The end result of my pause and consider moment? Monitoring employee work emails and online activity may involve some risk of legal claims, but it is an appropriate and lawful action if an employer is using best practices. In addition to having good policies in place, employers who want to minimize the risk of legal claims related to surveillance and monitoring should ensure that this activity is:
- done with a legitimate business interest or purpose in mind (such as investigating claims of harassment or alleged breaches of confidentiality agreements);
- limited in terms of scope, time, and people involved; carefully managed by supervisors with an understanding of the risks involved;
- if possible, conducted under the guidance and direction of legal counsel.