Although the workforce’s heavy reliance on email and other electronic resources is not new, many employers are still grappling with how to address the ever changing ways in which employees utilize the company’s computer systems for personal purposes. One of the primary challenges created by employees’ personal use of company systems is exposure to invasion of privacy claims. These claims can arise in the event the company intercepts, monitors, or attempts to use personal information or communications that employees have transmitted using the company system.
A Florida federal court recently addressed this increasingly complicated area and provided a road map for employers to follow in protecting themselves from employee privacy claims. In Leor Exploration & Production, LLC v. Aguiar, 2009 WL 3097207 (S.D. Fla. Sept. 23, 2009), the Court addressed whether a company’s CEO had a reasonable expectation of privacy in email communications that were sent to his personal attorney through the company’s email system. The company had an employee handbook which included a general warning that, “[e]mployees should have no expectation of privacy in communications made over [the company’s] systems.” Although the CEO did not dispute the existence of that provision, he argued that it did not apply to him because, among other reasons, a company representative had authorized an exception to this policy for the CEO.
In confronting these issues, the Court noted that the mere existence of a no-privacy provision in an employee handbook is generally not determinative of an employee privacy claim. Instead, the Court adopted the following four factor test to determine whether an employee has a reasonable expectation of privacy in computer files or email:
- Does the corporation maintain a policy banning personal or other objectionable use?
- Does the company monitor the use of the employee’s computer or email?
- Do third parties have a right of access to the computer or emails?
- Did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?
Id. at *4 (quotation omitted).
Applying those factors, the Court in Leor concluded that the CEO had no expectation of privacy. In addition to the general privacy disclaimer language above, the company’s policy further stated that the company “may access and monitor the use of its systems and equipment from time to time” and that “employees should not use [the company’s] communications systems to communicate, receive, or store information that they wish to keep personal or private.” The Court found this sufficient to satisfy the factors above, and held that the CEO had no expectation of privacy. As a result, the Court held that even emails sent to the CEO’s attorney using the company system were fair game for the company to access, review, and use.
The Court also rejected the CEO’s argument that the company had agreed to exempt the CEO from this policy. The Court found that there was no evidence that the company made any “assurances” that the CEO could disregard the company’s policy. Although the CEO’s exception argument was rejected in this case, the Court’s analysis suggests that it may be possible for executives or employees to oppose “no privacy” policies by establishing that they were assured the policy would not apply to them.
The Leor case provides several important lessons for employers. First, for those employers who do not have a “no privacy” policy, this case makes it clear that it will be difficult for employers to defend against certain invasion of privacy claims. Second, for those employees who only have a general “no privacy” policy, the Court’s reasoning strongly suggests their policies should be updated to clearly state that the company has the right to monitor and access all employee files and communications, similar to the language employed by Leor. Third, the CEO’s claim of purported “assurances” that the policy did not apply to him, even though unsuccessful in the Leor case, suggests that employers should further state that there shall be no exceptions to said policies unless they are written, clearly define the scope of the exception, and are signed by an appropriate company representative (such as the head of Human Resources) with corporate authority to grant such exceptions.
Although these measures may not completely avoid employee privacy claims, they should substantially limit employer’s exposure in this regard.