Question: As a private sector employer trying to police our employees’ unauthorized use and/or abuse of our internet system, are we in danger of violating any privacy laws?
Answer: If your company tracks employee internet access in real time, there is a risk of violating the federal Electronic Communications Privacy Act (ECPA).
The ECPA is essentially an updated version of the federal anti-wiretapping laws, prohibiting the “interception of electronic communications” (as opposed to telephonic communications) while “in transit.” Courts have discovered, however, that attempting to apply laws against wiretapping to internet communications can be problematic. Generally speaking, courts have held that communications such as email can be accessed by employers on their systems (without violating the ECPA) because the emails are “stored” there. In other words, the communications are no longer “in transit.” This has held true even for email that has not been received or opened.
However, when an employer is involved in intercepting an internet communication as it is being created (e.g., through keylogging software) or other monitoring apps, at least one case has held that the employer’s effort ran afoul of the ECPA. Brahmana v. Lembo, 2009 WL 1424438.
In Brahmana, the employer was able to track an employee’s internet communications one keystroke at a time using a keylogger program. The employer allegedly used a keylogger program to discover the password to an employee’s personal email account, and then, used the password to access that personal account. The California federal court that heard the case found the employee’s claim to be viable.
Accordingly, as employers continue to strive for greater cyber security, do not forget the legal safeguards in place designed to protect employees.
