Delaware Employment Law Blog

The extent to which an employer may access an employee's personal e-mail account is an unsettled issue.   Many employers have policies in place that either prohibit or significantly limit an employee from accessing personal e-mail during work hours.  Most employers have (or, if not, should have) a right-to-monitor policy, which notifies employees that the employer may actually monitor access to personal e-mail accounts if the employee is using company equipment.  A recent decision from a federal court in Florida supports the employer's position that it can compel an  employee to turn over e-mail from a personal account.    

In

(pdf), a breach of employment agreement and misappropriation of trade secrets case, an employer moved to compel production from the employee's personal Yahoo! e-mail account.  Although the employee claimed he could not produce any e-mails because he presumed they had been destroyed by Yahoo!, the only support for his position was a generic letter from Yahoo! which indicated the account at issue had been deactivated. 

Not surprisingly, the court found the employee's explanation dubious--even more so after the court learned that the employee untimely identified his personal account because, in his opinion, production of e-mails would be "impossible."  According to the employer, the employee used this specific personal account to engage in the activities upon which the entire lawsuit was based. 

Thus, given the potentially high evidentiary value of the e-mails, the court sanctioned the employee (although any potential fine is dependent upon how successful the employee is in his court-ordered attempt to obtain the e-mail from Yahoo!).  The court further cautioned that if it turns out the employee's failure to identify his personal e-mail account and obtain messages from his account results in the spoliation of evidence, the court will consider serious penalties. 

According to the AP, Larry Mendte has admitted that he hacked into Alycia Lane's e-mail and leaked her private information to a reporter from the Philadelphia Daily News.  This admission comes just two months after Mendte's home was raided by the FBI and his computers from home and work were seized.  Although not likely, Mendte could be sentenced to up to five years in prison when he is sentenced in November.

Mendte admitted that he viewed hundreds of e-mails after installing a keystroke-tracking software on her computer at work.  Lane maintains that she complained about the possibility that her e-mails were being leaked but her employer, KYW-TV, "treated her as if she was paranoid."  Lane claims that her career has been ruined as a result of Mendte's behavior.

Employee-privacy rights.  Compensation-based jealousy.  Bitter co-workers.  Electronic monitoring.  Gender discrimination.  Clash of the Gen X and Baby-Boomers, even?  The continuing saga involving former news anchors Larry Mendte and Alycia Lane has all of the makings of an employment-law thriller. 

Last we checked in with the two former news anchors, KYW-TV announced its decision to terminate long-time host, Larry Mendte, following a federal investigation and raid of Mendte's home and office.  On Monday, July 21, the U.S. Attorney's office filed a federal criminal information charging Mendte with a single felony count of intentionally accessing a protected computer without authorization.  See the full Information here: 

The allegations, as detailed in meticulous fashion in the Information, are based on the government's claim that Mendte hacked into Layne's personal e-mail accounts and released the info he stole to the press and others.  The hacking is said to have gone on for a period of two years but, last quarter alone, is alleged to have tapped into her accounts approximately 537 times.  Lane's lawyer is reported so say that Mendte was jealous of his younger co-host, who garnered lots of attention and who made $100,000 more than him a year. 

That alleged jealousy could land Mendte with a jail sentence of up to six months.

The Acting U.S. Attorney Laurie Magid, explained the government's interest in the case.  "We live in an age in which many people exchange and share personal, sensitive information by e-mail every day."

This is a great lesson for employers.  Privacy rights are on the minds of employees everywhere.  It's an already-serious issue when employers monitor their employees' e-mail and internet use.  But add to that a potential threat from co-workers and privacy paranoia seems like a very realistic possibility.

For earlier episodes in the soap opera:

More Drama at the News Desk: Co-Anchor Suspected of Snooping Through E-Mails

Pardon Me? Anchorwoman’s Cursing Caught on Live TV

What do News Anchors, Sports Figures, and Corporate Executives Have in Common? Employment Agreements and Risk-Avoidance Clauses.

The lines of privacy in the workplace are blurred, at best. There are lots of questions about the limits placed on employers when it comes to monitoring their employees' technology use.  We do know that employers should notify employees if the company wants to reserve the right to monitor e-mails, voicemail, and internet access.  In Delaware, this notice is mandatory.  But it is not clear whether this notice can extend to web-based, personal e-mail accounts, like G-Mail or Yahoo!, when the accounts are accessed by employees during working time on a company-provided computer, accessing the internet through the company's server.  (See my previous post, Suit Raises Tough Questions About Privacy Rights of Former Employees for a case involving these facts; and if you're still not sure, just ask the Mayor of Detroit, Is It Time to Update Your Electronic Communications Policy? If you’re the Mayor of Detroit, the answer is “Yes”). 

And that is just the tip of the iceberg.

A recent decision from the Ninth Circuit Court of Appeals has added another layer of complexity. In Quon v. Arch Wireless Operating Company, the court found that the employer-defendant violated its employee's rights by reading his text messages without his consent.  The case was brought by a police officer, whose text messages were reviewed by his boss, who had obtained them from the internet service provider.  The reason given by the officer's supervisor was fairly innocuous--to determine whether the officer was using his city-issued pager for personal communications. 

The important take-away from this case is consent, consent, consent.  The court found that the officer had a reasonable expectation of privacy in the text messages.  Had the employee consented to the employer's search, the whole suit would have been avoided. 

And how can you get an employee to consent, you ask?  Easy.   By having all employees read and sign a comprehensive electronic-monitoring policy at the time of hiring. 

Already doing that? Great.  Now get a Gen Y to read it.  Have him or her tell you about all of the types of technology you've missed.  Does your policy even cover text messages? Now's the time to check. 

Employer monitoring of employees' e-mail and internet usage is on the minds of many.  In order to monitor lawfully, employers must notify employees of their intent to monitor so that the employee does not have a legitimate expectation of privacy when sending e-mails and browsing the web at work.

Delaware employers must give such notice by law. But the N.Y. Times reports about a suit that raises a tougher question--a case in which a former employee alleging that his former employer read his private Yahoo! e-mails after the employee had been terminated.

This case, recently filed in federal district court in Connecticut, raises two fairly novel issues: (1) can employers lawfully read their employees' personal e-mails if the e-mail accounts were accessed on company time on a company computer; and (2) assuming they can, are employers able to do so after an employee has left the company--in other words, how far will that notification protect employers?

Web-based email, like Yahoo! and G-Mail, are not controlled directly by the employer.  But the employer does own the computer used to access the internet, which weighs in favor of the right to monitor personal accounts.

Perhaps the bigger question in this case is how the employer accessed the former employee's account?  They claim that he used a company computer without authorization after he was fired to send trade secrets and confidential information to his Yahoo e-mail account.  The information, according to the company's lawyer, included customer contact lists, terms of deals, brokers who'd sent business to the company, and personal employee data.  All of which, says the company, would be in violation of his employment agreement. 

It seems that there are multiple possible claims that could arise from these facts:

1. Employee vs. Employer for breach of privacy;
2. Employer vs. Employee for breach of contract (his employment agreement);
3. Employer vs. Employee for trade secret violations
4. Employer vs. Employee for violation of the Computer Fraud and Abuse Act, which has been used when employees wrongfully access their company's computer network and cause harm as a result;

3 for the Employer and 1 for the Employee, according to my count.  Of course, I could be missing some, so let me know if you think of others and I'll include them in the tally.

We'll keep you posted on what could be an important decision in the new legal territory of employees' privacy rights.

Other Posts on Electronic Monitoring in the Workplace:

Survey Says:  Employers' Policies on Technology in the Workplace

Is It Time to Update Your Electronic Communications Policy? If you’re the Mayor of Detroit, the answer is “Yes”

Blogs In the Workplace

Somebody's Watching You:  New Data on Electronic Monitoring by Employers

Employees' privacy rights.  They're everywhere.  Lately, they've been in the KYW-3 TV Newsroom.  Two former Philadelphia co-anchors have put e-mail privacy in the spotlight.  Larry Mendte, who is accused of reading and leaking Alycia Lane's private e-mail account, was fired today.  His termination comes in the middle of a federal investigation, which involved a raid of Mendte's home and office and the removal of "computer equipment," and follows just days after Lane filed her long-threatened suit against their shared former employer.

This scandal is a big deal in the Philadelphia local news.  And perhaps that has something to do with the fact that Lane had lost her sugary-sweet charm after the third or fourth scandal.  Or maybe it's because Philly is known equally just as much for relentlessly jeering unpopular sports figures as it is for brotherly love.  But maybe it's because this is a story that so many people already know.  They've lived it themselves.

Mendte is suspected of accessing Lane's account "possibly hundreds of times" and then leaking the information to their boss, the news station, or the press.

So what happens to Mendte if it's later found out that he did secretly sabotage his former partner at the news desk?  Not much.  Mendte isn't a supervisor so, unless the station is found to have known about the snooping or somehow endorsing it, the station will not be held responsible for the acts of Mendte.  Obviously, losing his long-time job, where he spent many years enjoying the favor of Philadelphians, is a big deal and probably one of the most severe consequences he could face.

And Lane could certainly sue Mendte, as well as the station.  It's unlikely that she will, though, given the low value of any possible recovery for privacy claims brought against an individual, as opposed to an employer.

But the real question is not who will be victorious in the media or in the courtroom.  The real question is whether your organization faces similar risks to the potential espionage of trade secrets and confidential information or to a Jerks-at-Work campaign where a bully secretly accesses a target-coworkers' emails with bad intentions.

What safeguards do you have in place to automatically monitor technology use of company computers?

What policies do you utilize to ensure employees' data is protected with regular password changes and by communicating that an employee who shares her password with another may be subject to serious discipline?

What about the specifics of what an employee may and may not take from the workplace, which includes sending it out of the organization and into the world wide web?  Have you expressly told employees about the consequences of such action?  Do you know what the consequences are?

Take the Mendte-Lane debacle as a cue for you to review your policies, practices, and how those messages are communicated to employees.

 

Michael Klein and John Shiffman at the Philadelphia Inquirer, have more on this story.

 

Prior Related Posts:

More Drama at the News Desk

Employee Embarrasses Employer, Who Fires Employee, Who Sues Employer

What do News Anchors, Sports Figures, and Corporate Executives Have in Common? Employment Agreements and Risk-Avoidance Clauses

Bad Boys, Bad Boys, Whatcha' Gonna Do . . . When They Work for You?

Can I read my employees' e-mails? Labor and employment attorneys get this question often. It's not as common, though, that the possible cyber-sleuth is a co-worker rather than a member of management. Recent drama at the news desk of Philadelphia's CBS 3 fits this unusual profile. 

 

The First of the Fallen Anchors

Long-time CBS news anchor, Larry Mendte, is under federal investigation.  He is suspected of reading the e-mails of former co-anchor, Alycia Lane.  After Lane was involved in several scandals of her own, her employment contract was terminated after she allegedly assaulted a plain-clothes police officer in New York City, and using a homophobic slur. See my earlier post, Bad Boys, Bad Boys, Whatcha’ Gonna Do When They Work for You?, for more details on the Alycia Lane scandal.

The Cyber-Scandal Spreads

And now attention has been turned to Lane's former colleague, Larry Mendte.  Late last week, Mendte and CBS News learned that he was being being investigated for snooping through Lane's e-mail.  Reading others' e-mails without permission or privilege is a federal crime.  (Last week we discussed Delaware's state law, which requires employers to provide written notice of their intent to monitor employees' e-mails.  See Employers' Policies on Technology in the Workplace).

Mendte's home computer was seized by the FBI as part of the probate.  CBS 3 issued the following statement yesterday:

Late last week, CBS 3 became aware of an investigation by the U.S. Attorney's Office regarding anchor Larry Mendte. CBS 3 is cooperating fully with that office in this matter. Mr. Mendte will not be on CBS 3's broadcasts pending further investigation.

While the investigation is ongoing, Mendte has been dethroned. It doesn't seem so positive.  Mendte's lawyer said yesterday, "We hope to work together with CBS 3 to reach a mutually agreeable resolution as to his status." 

That does not sound good.

Get Consent to Monitor Employees' E-Mails or Risk a Mendte-Style Result

Let this be a word of warning to any employer who may be inclined to search their employees' e-mails without complying with state and federal notice requirements.  Cyber-sleuthing has serious consequences.

And if you learn that another employee has been snooping through a co-workers electronic data, including e-mails, act quickly and seriously.  Take a page from CBS 3 and consider suspending the employee until your investigation is complete.

Employers know that e-mail between employees can be dangerous.  Employers know that the Internet can all but eliminate the productivity of their employees.  But what do employers know about Instant Messaging, weblogs, chat rooms, and wikis?  And, more importantly, what are they doing about it? HR Hero's survey gives some insight into the answers to these questions.

Survey Says . . .

HR Hero has released the results an interesting survey on policies (or lack thereof) for workplace technology.  There is a link to the full survey below but here are some highlights:

Policies for Technology Use.  Not surprisingly, most employers (89%) have policies both on employees' internet and e-mail usage.  What was surprising, to me anyway, is that there are still employers (5%) with essentially no policies on workplace technology.

E-mail Usage Policies.  Only a fraction of respondents (3%), did not put any limits on employees' use of the company's e-mail  systems.  Nearly all (80%) have policies expressly prohibiting inappropriate e-mails.  And more than half (61%) permit personal e-mail so long as it is not excessive.  A surprisingly large number (34%), of employers do not permit employees to send any personal e-mails.

Internet Usage Policies.  Like e-mail policies, nearly all employers (82%) prohibit employees from visiting websites.  28% of employers limit employees' internet access to approved websites only.  A small number of employers had either no internet usage policy at all (3%) or put no limitations on usage (3%).

 

Internet & E-Mail Monitoring Policies.  Just over half (58%) of employers that responded monitor internet use but only if they suspect abuse.  Almost the same amount (61%) did the same for e-mail.  Less than one-fifth of respondents regularly monitor e-mail use (19%) but internet monitoring seems to be more common (27%).

 

Blogging.  Most employers have not started to use blogs as part of their business activity.  Of those who have (12%), approximately equal numbers are putting blogs to work as part of their marketing (4%), and public relations (3%), efforts.  Others are blogging to communicate both internally within the company (3%), and externally with clients (1%). 

The entire survey, Technology and HR 2008, can be seen at the HR Hero website.

Special Note for Delaware Employers

Delaware employers should be aware that state law mandates that notice be given before monitoring employees' internet or e-mail usage. The law is specific in the way that notice must be given.  Although there are alternatives, the most common way is with a written consent form signed by each employee.

For more information on how to comply with Delaware's internet and e-mail monitoring law, contact any of the attorneys in YCST's Employment Law Department.

Among Delaware employers and in the world of employment law nationally, there has been much talk about Web 2.0 and the power of social networking tools.  Delaware businesses, like employers across the country, are worried about what is being said about them online.  They should be.

Many of you already know about the impact weblogs and online social networks can have on a business.  Of course, these impacts can be both good and bad. If it were all bad, I wouldn't be blogging on our department's firm-sponsored blog.  Many businesses have begun to embrace these new mediums to reach a broader audience. They've turned to social networking to communicate with a broader audience in an effort to maximize exposure to their products, their message, or their brand.

Other businesses have felt first-hand the negative impact of Web 2.0 communications.  For example, some companies felt massive financial reverberations because a popular blogger posted about his or her negative experience with the company's product or services.  The comments can spread uncontrollably on the web and employers are left without any real recourse. 

Another common scenario involves blogging employees.  With the explosion of the blogosphere, employees have taken to the web to share their personal stories of triumph and tragedy.  Sometimes their stories include not-so-nice commentary about their workplace. The employer is put into a very difficult situation.  If they terminate the blogger, they may be able to at least cut off the blogger's supply of "material" that can be put online.  But termination is not without risk. The terminated employee may respond with more hostile posts than ever before.  And, as newly unemployed, the blogger has plenty of time on his hands to post, and post, and post.

So what to do? We counsel our employment-law clients to institute a blogging policy if they haven't done so already. This is not to say that, as employment lawyers, we advocate for a flat-out ban on employee blogging.  But, at the very least, there should be a policy in place providing that any employee whose blog posts include the company's confidential information or trade secrets, will be subject to discipline, up to and including termination.

A different approach used by some employers could be described as the, "If you can't beat 'em, join 'em policy."  Some companies may go so far as to hire a Chief Blogger In Residence.  The CBR's job is to post like crazy about the positive aspects of the company, its employees, or its products. The Chief Blogger also scans the web to monitor what others are saying and provide an appropriate response. 

Given the cost, CBRs are not exactly commonplace.,  As an alternative, an employer can use online notification tools like Google Alerts, which will search the web for your company's name. When new "hits" are discovered, you recieve an e-mail alert with a link to the site where the company's name was found.  Searching for yourself or your company is known as a "reputation search."

There is now a new product designed to do conduct "professional" reputation searches.  Trackur promotes itself as an "online reputation monitoring and brand tracking tool.  It has been described as "Google Alerts on steroids," according to the Trackur website.  And what makes this pay-for-play, subscription-based tool better than the free Google one?   Having not tried it myself, I'll leave it up to you to decide. 

The plans are not cheap.  A monthly subscription to have just one search saved and run twice daily is $18 per month.  Jump to 5 saved searches and you're up to $88 per month.  I have no experience with Trackur so I can't say what value it actually has.  But even if Trackur isn't met with fabulous success, I'd be willing to wager that similar monitoring tools are not far behind.  Any employer concerned with what its employees are saying about the company, and any business concerned with its online reputation would have good reason to consider an "online reputation-monitoring tool."

***Prior posts on blogging include: Blogs In the Workplace and Somebody’s Watching You: New Data on Employers' Electronic Monitoring

Workplace privacy concerns aren't limited to technology.  There's been lots of buzz about GPS tracking of employees, use of biometric data in time and attendance programs, and, of course, electronic monitoring of employees' e-mails, and Internet usage. As the case below demonstrates, privacy concerns don't require hi-tech equipment or software.  Just a whole lot of nosey.

A Sordid Affair

The story centers around a Wal-Mart supervisor who had engaged in an improper affair with a co-worker.  Not only was the affair illicit but it also violated Wal-Mart's anti-fraternization policy.  The supervisor was terminated when the company discovered the relationship.  Now, the termination alone might raise a few eyebrows.  But, policy is policy, and the supervisor's relationship was in violation of policy (as well as really bad managerial skills), the company can and should take disciplinary action. 

I Spy (well, Wal-Mart spied, actually)

Where the story becomes truly noteworthy, though, is exactly how Wal-Mart came to first learn about the "violation."  It hired a private investigator to track the couple.  The investigator did just that; following them all the way to a rendezvous hideaway in Central America.

And Then Came the Lawsuit

The romantic and unemployed supervisor filed suit in Arkansas state court alleging violation of contract and wrongful termination based on public policy.  The contract claim was swiftly rejected.  The termination claim, based on the allegation that he was fired in retaliation for reporting Wal-Mart's failure to comply with it's own internal policies regarding factory certification, was equally unpersuasive.  Summary judgment was granted in favor of Wal-Mart, which was subsequently affirmed by the Arkansas Court of Appeals. 

The legal claims asserted in the lawsuit were pretty blasé when compared with the sordid facts that got him terminated in the first place.  Based on the appellate court's decision, the claims seem doomed from the start.  I have to wonder whether the plaintiff wouldn't have been better off asserting a state-law privacy claim. 

 

The case is Lynn v. Wal-Mart Stores, Inc., No. 07-384 (Ark. App. Ct. Mar. 19, 2008), and a hat tip to the Workplace Profs Blog, who spotted this one back in April.

Delaware businesses must have a written electronic-monitoring policy if they want to monitor phone, e-mail, or computer usage by employees. Delaware law requires employers to get either a signed consent from employees or to have a message conveying the policy that is shown to the employee each time he logs on to the computer. And even in states without such laws, unless you have a written policy that communicated to employees, you stand to risk a privacy claim. The key is to ensure that your employees do not have a "legitimate expectation of privacy" in their use of your electronic systems.

And that's where your policy comes in. Current is the key. The modern trend in electronic-communications policies has been to include provisions specific to blogging, cell-phones, and text messaging. We often counsel clients to improve their policies to reflect the state of technology. It seems that we have a lot in common with the Mayor of Detroit, Maybe Kwame Kilkpatrick.

Mayor Kilpatrick has implemented a new policy that text messages sent on city-owned devices are considered private. As you may recall, Kilpatrick and his ex-top aide face perjury charges for testimony they gave during a whistleblowers' trial that they didn't have a romantic relationship. Sexually explicit text messages have contradicted that testimony. Kilpatrick's lawyers say federal law protects the release of such communications. The policy began Thursday, April 16, 2008.

Past policy had been that electronic communications were public. The mayor's office said in a statement Thursday that city policies are always subject to change. Hmmm. I suppose that employers might want to ensure privacy in electronic communications is preserved instead of eliminated Especially if they have something to keep very private.

Go to source web page: Crain's Detroit Business

Employee-privacy advocates are not in favor of biometrics in the workplace. But many employers do not share the concern. Biometrics are being used in workplaces across the country for purposes ranging from security to timekeeping and attendance.

What are Biometrics?

You may not know it, but you have probably seen biometrics in use numerous times. Catch any modern spy movie and there is sure to be a scene where the main character accesses the inevitable Restricted Area using the fingerprint of a dead man via a "borrowed" digit. Or maybe the triple-secret bank vault can be opened only via a a retina scan of the bank's Very Important President. You get the idea.

Biometrics run the gamut from simple to NASA-level technology. Biometrics on the most basic level could include simple ID badges with the employee's mug-shot style photograph. Signatures are even included in biometrics that are used as a security measure. Today, employers utilize password-management systems that require employees to regularly change their personal passwords in order to access the company's network.

The term "biometrics" refers to a method of authenticating the identity of an individual using enduring physical or behavioural characteristics. Any system that utilizes biometrics relies on the use of biometric identifiers. Also known as "BIs," biometric identifiers are select pieces of information that relay an encrypted picture of some unique feature of the person's biological makeup. Common BIs include fingerprints, retinal scans and voice scans.

Other identifiers that have been suggested and used include: hands, feet, faces, ears, teeth, veins, voices, signatures, typing styles (keystroke), gaits and odors.

How Effective Are Biometrics?

In the employment context, biometrics are used as an authentication tool. The BI is compared to the authenticated BI, which is stored in a database. Used this way, biometrics offer a nearly infallible security system. Unlike traditional security measures, like passwords or security badges, biometrics cannot be shared, lost, forgotten, stolen, or recreated.

But there are security risks for the user. For example, the authenticating, or original, data must be kept as secure as possible, which usually means not being sent wirelessly. And, if it is sent across a network, encryption should be at a maximum. As a compromise, systems often provide for a larger margin of error. And, unlike passwords and security questions, biometrics cannot be changed or revoked when the employment relationship ends.

What Else Could Go Wrong?

Well, lots, actually. Unauthorized access to highly sensitive personal information raises very legitimate concerns about identity theft--a problem that already has employers on high alert for potential liability. And, without any regulatory system in place, what about the potential privacy implications? Surely, employees will want to know what other information can be obtained should the wrong person have access to the database.