Articles Posted in Electronic Monitoring

The Wall Street Journal recently reported some eye-opening results of a survey regarding information theft by employees.  Here are some of the most disturbing (though not surprising) findings from the survey:

  • 50 percent of employees kept confidential information post-separation;
  • 40 percent plan to use confidential information in their future employment; and

Employee resigns. But before her last day of work, Employee copies thousands of emails and documents from Employer’s computer.  Off goes Employee into the sunset.

How often is this scenario?  I bet most employers think this never happens in their workplace. I’d be willing to bet that it happens in almost every workplace.  It happens with such regularity, yet most employers are absolutely stunned to discover that it’s happened to them.3d thief cracks safe_thumb

If you think it doesn’t happen pretty much all of the time, check out this post at the uber-popular website, Lifehacker.com, titled, How Can I Save All My Work Emails for a Personal Backup?  A reader submitted the following question:

Michigan is the latest State to pass a “Facebook-privacy” law. The law, called the Internet Privacy Protection Act, was signed by Gov. Rick Snyder last Friday. The law prohibits employers and educational institutions from asking applicants, employees, and students for information about the individual’s social-media accounts, reports The Detroit News.

The Michigan law contains four important exceptions. Specifically, the law does not apply when:

1. An employee “transfers” (i.e., steals) the employer’s “proprietary or confidential information or financial data” to the employee’s personal Internet account;

Under the Computer Fraud and Abuse Act (CFAA), an individual who wrongfully accesses information stored on a computer can be held civilly and/or criminally liable. Employers have attempted to use the CFAA to prosecute employees who steal the company’s confidential information. Different jurisdictions have come down differently on the question of whether the CFAA can be used in the employment context.

What many employers do not know, though, is that almost every State, including Delaware, has a statute similar to the federal CFAA. And some such laws, including Delaware’s, have provisions with even more severe penalties than their federal counterpart. Here’s an unusual example of a State statute similar to the CFAA applied in the employment context.

State ex rel Oklahoma Bar Ass’n v. Olmstead, is a case of lawyer discipline. The lawyer was an elected judge in Harper County, Oklahoma, when he downloaded a “tremendous” volume of adult pornography on his State-issued computer. When the conduct was discovered, the judge resigned and was charged with 19 felony counts under Oklahoma’s Computer Crimes Act, which would have required a prison sentence of between 30 days and 10 years for each count. The lawyer pleaded no contest to a single violation of the statute and was given a one-year deferred sentence.

You can, according to Joe Cocker, leave a light on. But, if you want a second opinion, I’d suggest that you be sure you log out before you leave the computer room. The case of discussion in today’s post, Marcus v. Rogers, was brought by a group of New Jersey public-school teachers. The District made computers with Internet access available for teachers to use during breaks. One of the teachers was in the “computer lab” (my phrase) to check his email when he bumped the mouse connected to the computer next to the one he was using, turning off the screensaver. On the screen, the teacher saw the Yahoo! inbox of a colleague, who had, apparently, failed to log out of her email account before she left.

The teacher recognized his own name in the subject lines of several of the emails. Too curious to resist the temptation, he opened, read, and printed the emails that made reference to him planning to use them at an upcoming staff meeting.

When his colleague learned that her emails had been discovered, she filed suit. The case was tried before a jury, who found in favor of the nosy teacher-defendant. The colleague-plaintiff appealed the decision. On appeal, the question before the court was whether the defendant was acting “without authorization” or whether his access of the emails had “exceeded [his] authorization.”

BYOD (short for “bring your own device”), is all the rage these days. Well, at least you’d think so based on all of the on-line talk about it. See, e.g., this post on the WSJ Blog, CIO Report. The basic idea is that employees are using their own electronic devices, such as smartphones and laptops, for work-related purposes. The causes of the BYOD movement are not entirely clear but one explanation is that employees are dissatisfied with the technology provided by their employer, so they just “bring their own” technology with them.

In any event, the reality is that, even in workplaces where no one brings their own device to work, many of us bring our employer-provided devices home with us. For example, it’s not uncommon for an employee to have just one smartphone, through which he access both his personal and work email accounts. If the employer pays for or subsidizes the cost of the device and/or the monthly charges, there is an argument to be made that the employer may have some rights to access all data stored on the phone.

FDA officials developed “a wide-ranging surveillance operation” against a group of its own employees, according to the N.Y. Times. The federal agency is said to have surreptitiously captured “thousands of emails” that disgruntled employee-scientists sent to members of Congress, lawyers, labor officials, and journalists.

The surveillance began as a workplace investigation of a possible leak of confidential information. The investigation was limited to five scientists. But it developed into a far broader-ranging endeavor, eventually culminating in 80,000 pages of documents. The massive surveillance was an effort to curb the “collaboration” of the agency’s opponents, according to the report.

This story is interesting on several levels. First, on the most basic level, the idea that an employer the size of the FDA determined that a massive surveillance endeavor was the best way to stop what it perceived to be disparaging or antagonist commentary between employees and outsiders. I don’t know what the culture has to be or what the level of negative murmurs has to be to prompt an employer to consider this type of effort in the first instance, nevertheless what it takes to push it to cross that line.

A new decision from the Third Circuit Court of Appeals provides public employers with some additional guidance regarding employee internet activity. In the case of Beyer v. Duncannon Borough, police officer Eric Beyer was terminated from his position after he posted anonymous online comments, critical of the Duncannon Borough Council. More specifically, Beyer criticized the Council for its opposition to the purchase of new AR-15 rifles for the police department.security camera

Upon his termination, Beyer filed a lawsuit against the Borough, alleging violation of his  First Amendment rights. Pursuant to the U.S. Supreme Court’s decision in Garcetti v. Ceballos, a public employee’s speech is only protected by the First Amendment if the employee (1) speaks as a citizen (2) on a matter of public concern. Applying this standard, the District Court dismissed Beyer’s claim, holding that he was speaking in his official capacity as a police officer, not in his private capacity as a citizen. Beyer appealed the dismissal to the Third Circuit.

In reviewing Beyer’s appeal, the Third Circuit placed significant emphasis on the nature of Beyer’s speech–anonymous internet posts. The Court found that anonymous posting supported both prongs of the Garcetti analysis. First, the Court indicated that anonymous online postings are inconsistent with conduct performed in an official capacity. As a result, the Court found that it was more likely that Beyer was speaking as a private citizen. Second, the Court found that the broad dissemination of Beyer’s statements over the internet supported the argument that he was speaking on a matter of public concern. Based on the foregoing, the Court reversed the District Court’s dismissal.

When a former employee sues his former employer, an immediate issue of concern is how to preserve all electronically stored information (ESI) that may be relevant to the claim. Failure to do so may result in a claim of spoliation, sanctions against the employer and its legal counsel, or even an adverse ruling. Good employment counsel understands these consequences and how to avoid them in the first instance.

One of the most common steps is to have the employee’s computer forensically imaged by an expert. The expert will also preserve the employee’s company e-mail account. But this does not address the possibility that the employee may have sent e-mails from his work computer via a web-based e-mail service, such as Yahoo or G-mail. The law is not clear on this point and the defensibility of this practice can vary depending on the content of the e-mails—which, of course, the employer will not know until it looks.

There are several laws that employers risk violating by accessing an employee’s “personal” or web-based e-mail account. The federal Stored Communications Act is one such law and is the one that seems to result in more liability than others. A decision from late last year provides a recent example.

An appeals court in California recently decided that emails sent by an employee from her work email address to her attorney are not protected by the attorney-client privilege. In the case of Holmes v. Petrovich Development Company, LLC, an employee sued her employer for wrongful termination. Prior to filing her lawsuit, she had exchanged emails with her attorney, using her office email account. The employer used the emails in its defense, and the employee objected, claiming that they were protected by attorney-client privilege.

The Court disagreed and found that the emails were not protected by the privilege.  The court relied on the fact that the employer’s handbook expressly stated that an employee’s emails might be monitored. Such a warning, the Court concluded, made the employee’s emails akin a conversation held in the company’s conference room, with the door open, speaking in a loud voice. The California Court’s decision is in keeping with the Supreme Court’s 2010 decision in City of Ontario v. Quon, in which the Court held that an employee did not have an expectation of privacy in his text messages, sent using an employer-provided pager. This case, however, takes Quon to its logical conclusion, holding that in the absence of a reasonable expectation of privacy, the attorney-client privilege cannot attach.

As Delaware employers should know, they are required by statute to inform employees prior to monitoring an employee’s telephone, email, or internet use. 19 Del. C. § 705. Thus, under the California Court’s logic, any Delaware employee who has received notice of email monitoring under Delaware law has waived the attorney-client privilege as to any emails exchanged with the employee’s attorney, using his or her work email account. It is important to remember that the Delaware courts have not ruled on the issue of attorney-client privilege for work emails. However, this case is a valuable reminder that electronic communications are rarely as private as they appear, and we should all conduct ourselves accordingly.

Contact Information