Once again, the refrain is being heard- "It's not fair, I wasn't told, I am being punished for something everybody does, my rights to privacy are being invaded, I didn't understand and its just not right." Employees are being punished, employers are upset, and a continuum proceeds.

E-mail and the internet have become incorporated into the daily life of an increasingly large segment of the population. Shopping, dating, restaurant selection, stock trading, homework help, virtual companionship, travel planning and most anything else that someone might want to inquire about is available on-line. Instant messaging, chat-room discussions, and e-mail exchanges are taking the place of the telephone for everyday intercourse. The open and free nature of the internet experience has caused individuals to believe that the only limits on what they can do with it relate to the amount of time available to them for the exercise of their whims.

As a consequence, it is no wonder that most employees fail to appreciate that the internet experience at work should be any different from what they normally do. If employees are allowed to make personal calls, why, they say, can't they search the web. What's the difference?

The traditional American work ethic is that one should work to make a living, that we should strive to do well for the employer, and that good work will be rewarded. More recently, workers have come to learn that employer loyalty to the workforce is an ephemeral concept resulting in a drop in morale and a lessening of a sense of job security. The glue that held everything together is deteriorating and a "me first" attitude is altering what was normative behavior.

Absent a uniform societal orientation, employees are largely unschooled on the subject of how carefully they have to pay attention to, and/or observe, workplace rules as they may change from time to time. While companies may pass out policies, they are often randomly enforced, unread or overlooked and are allowed to simply exist as items that people are not particularly aware of. And, for those companies with policies it is rare for them to spend meaningful time educating their individual employee's regarding the Company's policies or thoughts concerning its employee's use of the internet and/or e-mail. In the absence of a sustained effort by an employer to so inform employees, the net final result is a practice of undisciplined internet and e-mail usage.

Employees innocently search the web and send messages without thinking. In the same fashion as they previously used a work phone for personal purposes, or a piece of stationery to write a shopping list, now they are doing it online. It should therefore come as no surprise to an employer when an employee chastised for violating the employer's unilaterally declared e-mail and internet policy and/or preferences is met with a cry of foul.

Aside from issues related to the general use of e-mail and/or the internet, there is a very substantial problem caused by the ease and speed of electronic communications. When communications were sent on paper, an employee had to spend time writing the message and then delivering it to its destination. It took time and effort. The time required from beginning to end allowed for employee reflection on the communication and many communications never made it out of the planning stage. By contrast, e-mail notes are frequently spontaneously written and instantaneously sent. As a consequence, initial ideas, that under a more protracted delivery system might give way to more thoughtful comments, frequently find themselves circulating as the sender's message. These unfiltered employee thoughts, which are instantaneously transmitted by e-mail often cause employees to get into trouble. It is just too easy, and too much fun, to send and respond to electronic messages.

What should happen is employers ought to strive to educate their workforce regarding issues pertaining to e-mail and internet usage. Managers and supervisors should be specifically instructed on the policies and directed to reciprocally instruct their subordinates in detail. A written guidance in a form and style which will be easily understood by the applicable employees should be developed and periodically distributed. An annual teaching event is not sufficient. With employees, managers and supervisors regularly turning over a repeated and sustained effort at education and dissemination must be pursued.

The employer's reward for a sustained educational effort will be in having a policy that is adhered to. It will also assist in maintaining morale because an employee disciplined for violating it will be stripped of the ability to cry foul and will instead be viewed by his colleagues as having received his just desserts. When the employer is viewed as being fair, everyone benefits.

An effective and fair e-mail/internet policy should be clearly written. It should contain a policy statement explaining the concerns of the employer, the threat to the workforce and the need for control. Mention should be made of the fact that the computers and the data stored on them and the internet connections," all belong to the employer, that a record of their use is maintained and is available for review and audit by the employer, that the company reserves the right to examine the computers and to review internet and e-mail communications at any time, and that because of the employer's right of access an employee should have no expectation of privacy in connection with same. The Policy should provide a non-exclusive list of those usages which are permitted as well as those that are prohibited. Possible penalties for violations of the policies should also be mentioned. To the extent practicable it would be best for each employee to sign a form indicating his receipt, understanding of and acquiescence to the policy.

Once established, the company should take reasonable and consistent steps to ensure compliance with the policy. Initial steps might include having supervisors remind employees about the policy and to gently say something to an employee who appears to be straying from what is acceptable. If there are going to be exceptions to the policy for some employees, they should be specifically made so that individuals for whom no exceptions have been made will not think that they are included within the ambit of the more permissive structure.

In order to ease the withdrawal aspect of internet and e-mail deprivation, employers should consider the possibility of placing company computers with internet access in the lunchroom or other locations and to allow employee access to them for personal use during breaks. Doing so will provide some relief to the internet junkie and hopefully immunize the workday from internet frolics.

Issues of morale aside, with an appropriate policy in place, an employee's expectation of privacy as to computer activity may be vitiated. Absent privacy claims, and with employee consent, the company is well positioned to access the electronic data and its trail without running afoul of applicable law.

The Electronic Communications Privacy Act of 1986, 18 U.S.C. §2510-22, §2701-07 (1986) ("ECPA") is the relevant federal law covering the interception of electronic communications. Title I of the ECPA is the Wiretap Act and covers the interception of electronic communications while they are in transit. In relevant part it provides for fines or imprisonment for "any person who intentionally intercepts...any electronic communication...". 18 U.S.C. §2511(1)(a), (1986). In addition, there is a civil right of action by persons whose electronic communications have been intercepted and the remedies include damages, punitive damages and in appropriate cases, litigation costs and attorney fees. 18 U.S.C. §2520(b).

Title II of the ECPA prohibits unauthorized access to stored communications. Specifically, "whoever intentionally accesses without authorization facility for which electronic communication service is provided...and thereby obtains, alters or prevents authorized access to a wire or electronic communication while it is in electronic storage..shall be punished...". 18 U.S.C. §2701(a)(1). A civil remedy also exists under that provision which can be obtained by those whose stored communications were violated without authorization. The remedies available include damages, punitive damages, attorney's fees and costs. Notwithstanding the breadth of the statute, it contains exceptions that employers may use in order to support their policy of monitoring electronic communications.

Both Titles I and II of the ECPA allow access to communications when one of the parties thereto has given consent. If the employer has a clearly defined policy that carefully expresses that monitoring will take place, that monitoring can take the form of reading and analyzing the stored data, and if the employee is given a copy of it and acknowledges that he has read it and understands it, then I believe that will function for purposes of consent under the ECPA. A more problematic situation arises when an employer tries to defend its action, asserting that it had the implied consent of the employee. In such a scenario a court will scrutinize the surrounding circumstances in order to render a determination thereby making the concept of implied consent a rather uncertain avenue for employers.

For example, in Williams v. Poulos, 11 F.3rd 271(1st Cir., 1993) an employer's interception of employee phone calls was found not to be within the consent exception of the law because while a corporate officer was told that employee calls would be monitored, he was not told that his calls would be monitored or the manner in which the monitoring would take place. And in Deal v. Spears, 980 F.2d 1153(8th Cir., 1992) the court would not endorse employee consent to the tape recording of phone calls simply because the employee had been warned that calls might be monitored or because a phone extension was located in the owner's home.

Title II of the ECPA provides an exception which allows the provider of a wire or electronic communication service to access stored communications. 18 U.S.C. §2701(c)(1). In Bohach v. City of Reno, 932 F.Supp. 1232 (D.Nev., 1996) the court held that the retrieval of stored communications from a computer was not a violation of the ECPA. The system in question was a software program contained on the Reno Police Department's computer system that allowed the transmission of brief messages to pagers. Users were warned that all of the messages were logged onto the network and certain types of messages were prohibited. The court found that the City of Reno was the "provider" of the electronic communications service because the terminals, computers, software and pagers belonged to the City. It therefore held that there was no liability under §2701 of the ECPA because as the provider, it had a right of access to the stored communications.

There seems to be a question about municipal liability under the E.C.P.A. In Tapley v. Collins, 41 F.Supp.2d 1366 (S.D.Ga., 1999) the court found that the City of Vidalia was liable under the theory of respondent superior for violations of the E.C.P.A. However, in Abbot v. Village of Winthrop Harbor, 205 F.3d 976 (7th Cir., 2000) the court held that the E.C.P.A. did not apply to municipalities.

In US v. Smith, 155 F.3d 1051 (9th Cir., 1998) the court suppressed evidence of a voicemail recording in an insider trading case. One employee accessed the coded voicemail of another and recorded an incriminating statement that was stored on voicemail. The court found the actions of the recording employee to be in violation of the law and therefore, the evidence was suppressed. Following the thinking of this case, an employer's policy should also give warning to employees that where people have password protected security, that access is intended to be limited to people authorized to have the password, and that others will be disciplined if they breach the policy. Many people think that surreptitiously learning and using a co-worker's password is a harmless act and would be surprised to know that there are possible civil and penal consequences.

A common claim by employees whose computers have been accessed is that their right to privacy has been violated. Such claims are premised on state law and the analysis will be jurisdictionally specific. The principal inquiry will be whether the employee had a reasonable expectation of privacy or not. In this regard, an effective employer policy will often prove to be dispositive.

In McLaren v. Microsoft Corporation, 1999 WL 339015 (Tex.App., May 28, 1999) the court was asked to recognize a cause of action for the invasion of privacy where the employer reviewed e-mails stored in password protected folders on the employee's computer. The employee argued that by the employer allowing him to store information in personal folders that were password protected on the company's computers that gave him a reasonable expectation that the data would be free from employer scrutiny. Microsoft responded by saying that the information in the folders were part of a Microsoft e-mail system that was administered by Microsoft and available to the employee solely in connection with his employment by Microsoft. The court noted that e-mail is transmitted over a network, that during transmission it exists in unencrypted plain text which is available for review by the computer system's administrator and that the communications are initially stored on a server. The court held that there was no reasonable expectation of privacy even though the data was password protected.

However, in Restuccia v. Burk Technology, Inc., 1996 WL 1329386 (Mass.Super., August 13, 1996) the Superior Court of Massachusetts found that there was a material issue of fact regarding whether the Plaintiffs had a reasonable expectation of privacy in their e-mail and therefore denied summary judgment. In that case, the computer system required a password to log in, employees had individual passwords, the employees were reminded to change their passwords periodically and there was no policy against using the system for personal e-mail messages. While the supervisors had the ability to override passwords, the employees were not told that the supervisors could access their systems or that their files, including e-mail, were automatically backed up and that the supervisors had access to the back-up files. In Restuccia after the president of the company reviewed eight hours worth of e-mails, which included nick names for the President and references to an extra-marital affair he was having, he fired the two employees, justifying it by saying that they spent too much time sending e-mail. The Plaintiffs sued, saying that the reason for the firing was the content of their communications and that inter alia the president violated their right to privacy. The court found no problem with the employer's backing up and storing the communications in the "ordinary course of business" but was concerned about the privacy issue under the state's law.

An employee of a division of the Central Intelligence Agency also did not fare well on a claim of privacy. In U.S. v. Simons 206 F.3rd 392 (4th Cir., 2000) a company hired to monitor the computer system for inappropriate use found that a search for the word "sex" had a large number of hits coming from one employee's computer. On accessing that employee's computer remotely it was found to contain child pornography and evidence that many such pornographic sites had been visited on the internet from that employee's computer. A remote copy of the hard drive was made and then the copy was substituted for the original on the employee's computer. The original hard drive was turned over to the authorities for a criminal investigation. The employee argued that the remote search and the taking of the hard drive were done in violation of the Fourth Amendment and should therefore be suppressed. The court noted that the employer had a policy regarding internet usage, that it specifically prohibited certain kinds of uses and that the employer would periodically audit the usage "as being appropriate". The policy placed employees on notice that the internet activity would not be private. The court also found that the taking of the hard drive was an action that a reasonable employer might do and that therefore, the employees's rights were not violated.

While some violations of a policy may justify termination, others will not. In Curran v. Unemployment Compensation Board of Review, 752 A.2d 938 (Comm.Pa., 2000) an employee who violated an employer's internet policy set forth in an employee handbook was held to have been terminated for misconduct and was denied unemployment insurance benefits. However, in Schnaars v. Copiague Union Free School District, 713 N.Y.S.2d. 84 (2d. Dept., 2000) an employee with thirteen years of unblemished service who was terminated for using school computers to access pornographic websites during the night shifts had his termination rescinded. The court found the termination to be "...so disproportionate to the offense as to be shocking to one's sense of fairness...". i.d. 713 N.Y.S.2d at 85. And in Bertolini v. Whitehall City School District Board of Education, 2000 WL 1376455(Ohio App.10th.Dist., 2000) the court reversed the termination of an associate superintendent who sent an employee romantic e-mail messages after their romance ended. In that case, the evidence showed that the school board's policy allowed the use of personal e-mail messages and that the conduct at issue did not rise to the level which would warrant termination.

Where employees are protected by collective bargaining agreements or civil service rules, it appears that a mere violation of an internet/e-mail policy will not suffice to support a termination. Rather, as with all other conduct that an employer contends warrants discipline, an analysis will be made and the reviewing authority will feel free to substitute its judgment for the employer's. Though at will employees do not have the same protection, consideration of these cases, and how they are treated, may serve to remind employers that even in situations involving internet and/or e-mail abuse, progressive discipline for at will employees should be considered and implemented.

Having reviewed e-mail privacy for employees, a question arises regarding the use of e-mail communication by counsel. While not uniformly accepted, most states that have considered the subject, including the American Bar Association, have concluded that in the ordinary course of events, an attorney may communicate with clients using unencrypted e-mail. ABA Formal Op. 99-413, Alaska Op. 98-2; Arizona Op. 97-04; Connecticut Op. 99-52; D.C. Bar Op. 281 (1998); Florida Op. 00-4; Illinois Op. 96-10; Iowa Op. 1997-1; Kentucky Op. E-403; Minnesota Op. 19 (1999); New York State Bar Association Op. 709 (1998); Association of the Bar of the City of New York Op. 1998-2; North Carolina RPC 215 (1995); North Dakota Op. 97-09; Ohio Op. 99-2 and 99-9; Pennsylvania Op. 97-130; South Carolina Op. 97-08; Utah Op. 00-01; and Vermont Op. 97-5.

Questions of privilege are not so quickly decided. If Plaintiff's counsel sends an e-mail to an employee's mailbox on an employer's computer system, the employee may not have a reasonable expectation of privacy to the content of his mailbox, and a breach of the attorney client privilege may take place. Likewise, if Plaintiff's counsel sends an e-mail to an employee at his private internet address, then if that employee accesses that e-mail message on his employer's computer, and if the employer's computer maintains a record of that communication, then again there may be an inadvertent breach of the attorney client privilege. And, if management counsel sends an otherwise privileged communication to a managerial employee on the employer's computer system, a question arises regarding whether the privilege is lost because the communications may be accessed by the company's system administrative personnel. Additionally, if privileged e-mails are stored on an employee's laptop, do the communications lose their privilege when the employee allows others access to his laptop in circumstances where the privileged communications are not kept in password protected areas?

Is anyone out there concerned about the errant e-mail? We have read a lot about faxes with privileged material that are inadvertently sent to opposing counsel. Isn't the risk of sending material to the wrong e-mail address even more troublesome. All it takes is a click of the mouse and before you know it something is going where it shouldn't. This month along I received e-mails for two lawyers that were sent to me by mistake. One message simply confused me with my cousin. As for the other, the author said he was the victim of a virus. Let's all be careful.

The Bar Associations and other bodies that have considered e-mail communications, have been troubled by the possibility of third party access. Nevertheless, and in recognition of its widespread use, they have almost uniformly endorsed it. As systems become more sophisticated, we can expect to see more rules which regulate e-mail use. Systems are being developed which cause e-mail to self destruct after a certain number of days. Such communications will allow the recipient to print a hard copy to preserve it; otherwise the stored message will be destroyed. This will reduce the likelihood of inadvertent disclosure during an audit or system monitoring.

Likewise, when traditional e-mail systems are enhanced to allow for the insertion of codes so that communications can only be read by the intended recipient, we can expect such coding to be required for all attorney client e-mail communications. While such systems are not readily available to the average user, or are too cumbersome to use, we can expect them to be incorporated into basic systems of the future, at which point some of the problems we are discussing today should evaporate.

October 30, 2000