August 15, 2016
Employers seeking to discover what their employees are doing and writing on the internet can find themselves out of the reach of federal wiretap laws (under the Electronic Communications Privacy Act [“ECPA”] and the Stored Communications Act [“SCA”]) so long as they limit their efforts to intercepting and accessing emails and web activity conducted or stored on company-operated networks. Reaching for forbidden apples from the Tree of the Knowledge of Good and Evil — employee email accounts or websites operated by third-party servers — can throw them out of this happy garden and into the cursed land of civil liability and even prison time.

First, wiretap law basics: Federal wiretap laws provide different levels of immunity to electronic communications service providers for accessing third-party communications, based on whether the communication is in-progress or “stored.” (Fn1) Communications are considered stored regardless of whether the storage is temporary, intermediate, incident to impending transmission or more permanent storage for backup purposes. For example, in Konop v. Hawaiian Airlines, 302 F.3d 868, 874 (9th Cir. 2002), the 9th Circuit held that email messages stored on an electronic bulletin board system, but not yet received by the intended recipients, were stored, not in-progress communications. In-progress communications, which are governed by the ECPA (18 U.S.C. §§ 2510 et seq.), are subject to a greater level of access restrictions. Stored communications, which are governed by the SCA (18 U.S.C. § 2701 et seq.), are subject to lesser access restrictions.

In-progress communications may not be intercepted unless the employer meets one of two exceptions:

Exception 1: The employer provides the electronic communications service and interception is a “necessary incident” to the rendition of the communication service provider’s business or “to the protection of the rights or property of the provider of that service.” An employer can use the “necessary incident” exception to intercept employee emails or internet communications only if its equipment provides the communications services — not if it merely has its employees subscribe to a third-party ISP to get email and internet access services. 18 U.S.C. § 2511(2)(a)(1).

Exception 2: The employer is “a party to the communication” or one of the parties to the communication has given prior consent to the interception. 18 U.S.C. § 2511. An employer can use the “consent” exception if it gets express or implied consent. Courts have found that employee consent to interception has been implied where an employer has clearly informed its employees that their communications will be monitored and explained the manner in which the monitoring would be conducted. (Fn2) 18 U.S.C. § 2511(c). To be safe, put your monitoring policy in the employee handbook — and get the employees to sign a consent form.

Stored communications may not be accessed if the employer intentionally accesses or exceeds his authority to access the facility through which the electronic communications service is provided. 18 U.S.C. § 2701(a). However, there are big exceptions to this rule:

Exception 1: The SCA provides broad immunity from civil and criminal liability for “conduct authorized . . . by the person or entity providing a wire or electronic communications service.” 18 U.S.C. § 2701(c)(1). So if the employer provides the equipment on which the stored electronic communications reside, it will be immune from liability if it and its agents access these stored communications. For example, in BI3 v. Hamor, U.S.D.C., Northern District of Illinois, No. 08C2384 (July 15, 2009), an Illinois District Court judge found that the chairman of the board and president of an internet search and campaign management company was authorized under this exception to access emails sent through this system to an employee. The Court stated that “it is impossible to conceive that [the chairman’s] access to the internet service could be unauthorized — who but [he] would authorize or refuse authorization for such access?” See also Bohach v. City of Reno, 932 F.Supp. 1232, 1236 (D. Nev. 1996) (police department immune from suits by its officers for accessing their text messages where the department provided “the terminals, computer and software” on which the text messages were stored).

To qualify for this exception, the employer must be the provider of the communications service used to store the employee emails or other data at issue. For example, in Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F.Supp.2d 548, 557 (S.D.N.Y. 2008), the Court found that an employer who viewed employee Hotmails and Gmails was not the service provider for those emails, and hence not entitled to immunity under this exception, even though the employer accessed the emails through its own computers. (Fn3)

Exception 2: The SCA also provides broad immunity for “conduct authorized . . . by a user of [a wire or electronics communication] service with respect to a communication of, or intended for, that user.” 18 U.S.C. § 2701(c)(2). This seems to mean that if a member of a private website gives an employer access to that group, the employer is immune for accessing that website. But, not so fast. A common scenario is for employees to create a MySpace or Facebook page, in which they vent complaints and coarse jests about their employer and its management minions. Maddened by curiosity, the employer will wheedle one of the website members to give it access.
Whereupon, after reading with horror the many baseless lies told about it on the site, it metes out reprisals against the shameless website operators. Despite the manifest injustices it has suffered by way of the website, courts considering this fact pattern have often refused to find that the employer is entitled to the “conduct authorized by a user” exception.

In Konop v. Hawaiian Airlines, 302 F.3d 868, 880 (9th Cir. 2002), the plaintiff created a website that was critical of the airline. The plaintiff then authorized several pilots to use the website. Two of these pilots gave their passwords to a Hawaiian Airlines Vice President, at his request, who then accessed the site. The Court found that the employer was not entitled to immunity, on the basis that there was no evidence in the record that the two pilots who provided Hawaiian Airlines with access had actually used the site themselves.

In Pietrylo v. Hillstone Restaurant Group, d/b/a Houston’s, U.S.D.C., District of New Jersey, Case No. 06-5754 (July 24, 2008), a server at a Houston’s in Hackensack, New Jersey created a MySpace.com group whose purpose was to let employees vent about issues they faced at Houston’s. In his first posting, Pietrylo stated “This group is entirely private, and can only be joined by invitation.” Among the people that Pietrylo invited to join the group was Karen St. Jean, a greeter at the restaurant. St. Jean accessed the MySpace site, and then showed the site to a Houston’s manager. After this, another Houston’s manager pressured St. Jean to provide him with a password to the site, which she did. Houston’s management subsequently terminated Pietrylo based on negative statements about management and customers found on the site. Once again, the Court was skeptical about the restaurant’s entitlement to the “conduct authorized by a user” exception. The Court focused on whether Ms. St. Jean’s authorization to view the site had been voluntary.
The Court concluded that “If her consent was only given under duress, then Defendants were not ‘authorized’ under the terms of the [SCA]”.

So, if you are an employer, and you wish to screen your employees’ emails or web use, you are on safer ground if you limit your screening to communications made or stored on your own equipment, and if you get employee consent to such screening. However, courts will look less kindly on attempts to screen or gain access to communications made or stored on third-party services.