Employee Privacy and Abandonment in the Workplace

Many SMBs (small and medium-sized businesses) are unaware of the Federal Electronic Communications Privacy Act (“ECPA”). ECPA addresses the interception and monitoring of electronic communications: telephone conversations, voice mail, email, instant messaging chats, and other online interactions fall under ECPA’s scope. ECPA violations are punishable by fines or imprisonment for up to five years; anyone harmed by a violation of ECPA may seek equitable relief covering damages and attorneys’ fees up to $10,000. Since many SMBs monitor and intercept their employees’ electronic communications, understanding ECPA’s business use exceptions can reduce the risk of legal exposure to ECPA claims filed by employees.

ECPA extends federal protection over employee communication in the workplace, but this protection is limited. Presumably, employers would want to monitor electronic communications to ensure quality control and protect intellectual property, investigate incidents of wrongdoing, etc., and ECPA provides “commercial use exceptions” to allow the employer to do these things.

A few rules apply to the interception of transmissions and the monitoring of employees in the workplace:

Consent of a single party. Interception and tracking are permitted if the sender or recipient consents before they occur.

Ordinary course. The commercial use exceptions under ECPA dictate that the interception or control take place within the normal course of the employer’s business and that the subject matter be one in which the employer has a vested interest. Employers should be aware that if a voice conversation becomes personal, the employer may lose their exemption because they are no longer authorized to monitor such conversations.

Equipment restriction. Employers may monitor and bug only equipment that they own and that is used in the normal course of the employer’s business.

Email. Employers have the right to control and access employee email communications stored on their assets (client workstations and servers). This is complicated because employers do not have the right to control or access email hosted by a third party (such as AOL or MSN), even though such communication may traverse the company network.

Suggestions for the SMB to remain ECPA compliant revolve around creating good administrative controls (policies) to govern employee expectations. For example:

1. Employees must be offered some form of notice, either through a statement, a written policy signed at the time of employment, or a recording through the telephone system.

2. Employers must submit a policy to prohibit personal use of communication assets (phones, cell phones, computers, private email and instant messaging systems) that would establish acceptable use practices restricting employee use to strictly commercial communications.

3. An acceptable use policy that prohibits the use of personal storage and communications equipment (MP3 players, digital cameras or recorders, cell phones, USB flash drives) to conduct company business.

4. A privacy policy must be designed to identify personally identifiable information (PII) collected about employees that defines how that PII is used and maintained.

ECPA compliance in SMBs is more relevant today than ever: employee personal devices, software, and protected communications constantly interact with company assets, wirelessly and effortlessly. The combination of protected communications and devices can expose a company’s assets to damage and restrict the legal forms of corrective action that can be taken to protect them.

ECPA compliance is generally policy driven: as long as the employer puts in place good administrative policies that define expectations up front and understands what is and is not allowed under the ECPA commercial use exceptions, compliance is pretty straightforward. It starts with management’s intent to create a good acceptable use policy.
