MONITORING EMPLOYEES' USE OF COMPANY COMPUTERS AND THE INTERNET
Why Companies Should Be Concerned
Business-related use of the Internet has grown by leaps and bounds in the last few years. At the same time, more and more employees must use computers in their work at least part, if not all, of the time. All in all, this increasing use of technology has helped fuel an unprecedented expansion of the state and national economies. However, along with the benefits, there are several risks for employers. This article will examine some of the basic issues and offer some solutions to business owners who are mindful of the risks involved. First, let's look at some of the risks of the electronic revolution.
Electronic Mail Top of Page
Electronic mail, or e-mail, has become the communication medium of choice for many employees and businesses. No one doubts its time-saving qualities, but employers must consider the dangers as well:
Employers can be liable for employees' misuse of company e-mail
Sexual, racial, and other forms of harassment can be done by e-mail
Threats of violence via e-mail
Theft or unauthorized disclosure of company information via e-mail
E-mail spreads viruses very well
Internet Top of Page
The Internet is like a super-network connecting countless other computer networks around the world. Literally millions of computers are connected to this vast resource. Every imaginable type of information is available on the Internet if one knows where and how to search for it. As with any kind of resource, it has its good and bad sides. Not surprisingly, employers have had some problems with employees' use of the Internet:
Unauthorized access into for-pay sites
Sexual harassment charges from display of pornographic or obscene materials found on some sites
Trademark and copyright infringement problems from improper use or dissemination of materials owned by an outside party
Too much time wasted surfing the Internet
Viruses in downloads of software and other materials from websites
Company Computers Top of Page
Even with company computers that are not connected to the Internet, employers are finding problems with employees abusing the privilege of having computers to use at work:
Software piracy - employees making unauthorized copies of company-provided software
Unauthorized access into company databases
Use of unauthorized software from home on company computers
Sabotage of company files and records
Excessive time spent on computer games
Employees using company computers to produce materials for their own personal businesses or private use
Many employers wonder what they can do to protect themselves against these kinds of risks and to ensure that company computers and networks are used for their intended purposes. Fortunately, Texas and federal law are both very flexible for companies in that regard. With the right kind of policy, employers have the right to monitor employees' use of e-mail, the Internet, and company computers at work. Doing so successfully requires both a good policy and knowledge of how computers and the Internet work.
Policy Issues Top of Page
Monitoring employees' use of company computers, e-mail, and the Internet involve the same basic issues as come into play with general searches at work, telephone monitoring, and video surveillance. Those basic issues revolve around letting employees know that as far as work is concerned, they have no expectation of privacy in their use of company premises, facilities, or resources, and they are subject to monitoring at all times. Naturally, reason and common sense supply some understandable limitations, such as no video cameras in employee restrooms, and no forced searches of someone's clothing or body, but beyond that, almost anything is possible in the areas of searches and monitoring. Let's turn to some specifics.
Every employer needs to have a detailed policy regarding use of company computers and resources accessed with computers, such as e-mail, Internet, and the company intranet, if one exists. Each employee must sign the policy - it can be made a condition of continued employment. The policy should cover certain things:
Define computers, e-mail, Internet, and so on as broadly as possible, with specifics given, but not limited to such specifics.
Define the prohibited actions as broadly as possible, with specifics given, but not limited to such actions.
Remind employees that not only job loss, but also civil liability and criminal prosecution may result from certain actions (illegal pornography, participation in spamming operations or other scams, involvement in computer hacking (see 18 U.S.C. § 1030, among other laws)).
The company reserves the right to monitor all computer usage at all times for compliance with the policy.
The company reserves the right to inspect an employee's computer, HD, floppy disks, and other media at any time.
The company reserves the right to withdraw access to computers, Internet, and e-mail if needed.
Consider prohibiting camera phones (also called cell phone cameras); such phones have been implicated in gross invasions of other employees' privacy and in theft of company secrets.
Let employees know that they may use the company's electronic systems in order to discuss with other employees the terms and conditions of their employment, but that any such discussions should take place during non-duty times and should not interfere with any employee's assigned duties. Finally, employees must comply with a coworker's stated request to be left out of such discussions.
Make sure employees know they have no reasonable expectation of privacy in their use of the company's electronic resources, since it is all company property and to be used only for job-related purposes.
How to Monitor Compliance Top of Page
Here is where you as an employer must know at least a few things about computers and the Internet. Naturally, you will leave many of the technical details to certain trusted computer experts on your staff, or you can contract with one of any number of private computer services companies out there. However, you should be armed with some technical knowledge so that you can make better use of the experts' time and be able to tell whether your efforts are successful.
Have your information technology department or computer person set up software monitoring capabilities. Some software can only detect which computer was used on a network, not who used it. An alternative would be to set up a "proxy server" - users have to log in with their own user names and passwords. With regard to the Internet, specific sites can be blocked by Web site addresses and keywords. Some software can analyze the hard drive of each computer on a network, thus establishing who might have unauthorized software or files on their computer.
Where to look for unauthorized computer and Internet activity? On PCs, look in C:\Windows\ for the following folders:
Cookies - contains "cookies" left on the employee's computer during visits to Web sites - cookies are little files that let Web sites know whether someone has visited the site before
History - this records the name and Web address of every site visited by the employee
Temporary Internet Files - this folder contains a copy of every Web page, graphic image, button, and script file found in or on each Web page visited by the employee
Start Menu: "Documents" - this shows what is in the user's "Recent" folder (recently-opened or recently-used files)
On Macintosh computers, look in the folder for the ISP (Internet Service Provider), then in the folder for the Web browser, then in either "Cache f" or the above names, depending upon what browser the employee uses. The "Apple" menu on Macs also has a "Recent" folder that shows what files the employee has worked on most recently.
With the files found in the above folders, it is possible to reconstruct an employee's entire Web surfing session.
Other places on the computer may yield clues. On PCs, look in the "Recycle Bin" - some people forget to empty that folder when they delete files. Using whatever graphics application you find on the computer, click "File" and look at the recent files in use - you may be surprised at what images the employee has viewed. On Macs, look under "Recent Documents" or double-click the "Trash" icon to see deleted files.
There are some warning signs for computer abuse:
the employee spends a lot of time online, more than is reasonably needed for the job, yet is strangely non-productive
you hear a lot of hurried clicking as you approach, and the employee greets you with a red face
the Temporary Internet Files folder is filled to capacity
the employee's computer crashes more than anyone else's - viruses and excessive demands on RAM
an increase in spam e-mail from employees leaving their addresses all over the Internet ("spam" is unsolicited commercial e-mail).
Why Companies Should Be Concerned Top of Page
Abuse of company computers, networks, and the Internet can leave a company at real risk for an employee's wrongful actions. If an employment claim or lawsuit is filed, it is standard for plaintiff's lawyers and administrative agencies to ask to inspect computer records. Deleting computer files does not completely erase the files - there are many traces left on the user's computer, and forensic computer experts can easily find such traces and use them against a company. Tools exist to make data unretrievable, but not many people are aware of such tools or of how to use them.
An employee in a large semiconductor manufacturing firm was arrested several years ago on charges relating to illicit photos of children after a coworker alerted company managers and the managers called law enforcement authorities. Upon detailed inspection, his office computer was found to have hundreds of illegal images stored on the hard drive. The company's quick action probably prevented what could have been legal problems for the employer itself. In a Central Texas county, a sheriff's department employee was fired after many sexually explicit images were found on his office computer. The department had no problem searching his computer, since it had a well-written policy regarding computer and Internet usage.
The expectation of privacy in workplace electronic systems is important even in the criminal justice context. In the case of U.S. v. Ziegler, 474 F.3d 1184 (9th Cir. 2007), en banc rehearing denied, 497 F.3d 890 (2007), the Ninth Circuit Court of Appeals found that despite an expectation of privacy in work computers (absent a clear policy to the contrary), the employer can give consent to official searches of such computers, so illegal images of children found on an employee's office computer are admissible as evidence in a criminal case. In a very similar case, U.S. v. Barrows, 481 F.3d 1246 (10th Cir. 2007), the Tenth Circuit held that the same result applies, even if the computer is the personal property of the defendant, if the defendant brought the computer to work and took no steps to shield its contents from public inspection (important facts: the defendant used the personal laptop for his work and connected it to the employer's network).
Focus on E-Mail Top of Page
A good e-mail policy will let employees know that the company's e-mail system is to be used for business purposes only* and that any illegal, harassing, or other unwelcome use of e-mail can result in severe disciplinary action. Let employees know that monitoring will be done for whatever purposes. If unauthorized personal use is detected, note the incident and handle it as any other policy violation would be handled. Whatever you do, do not allow employees' personal e-mail to be circulated at random by curious or nosy employees. Such a practice could potentially lead to defamation and invasion of privacy lawsuits. Have your computer experts attach a disclaimer to all outgoing company e-mail that warns of the company's monitoring policy, lets possible unintended recipients know that confidential company information might be included, and disavows liability for individual misuse or non-official use of e-mail. Here is an example of such a disclaimer:
IMPORTANT MESSAGE
Internet communications are not secure, and therefore ABC Company does not accept legal responsibility for the contents of this message. However, ABC Company reserves the right to monitor the transmission of this message and to take corrective action against any misuse or abuse of its e-mail system or other components of its network.
The information contained in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. If you are not the intended recipient, any disclosure, copying, distribution, or any action or act of forbearance taken in reliance on it, is prohibited and may be unlawful. Any views expressed in this e-mail are those of the individual sender, except where the sender specifically states them to be the views of ABC Company or of any of its affiliates or subsidiaries.
END OF DISCLAIMER
* Important note: Under recent NLRB rulings and guidance, employees have the right to use company e-mail and other messaging systems during non-duty times to discuss with coworkers their terms and conditions of employment, and policies allowing non-business use of company systems during work hours may not prohibit discussions about unions and other issues involving employment. The sample computer, e-mail, and Internet use policy in the "The A-Z of Personnel Policies" section of this book includes a note to that effect. For the latest information on how NLRB policies may affect a company’s ability to monitor employees’ use of the company’s electronic resources, see General Counsel Memo GC 23-02, “Electronic Monitoring and Algorithmic Management of Employees Interfering with the Exercise of Section 7 Rights”, on the NLRB website at https://apps.nlrb.gov/link/document.aspx/09031d45838de7e0.
Court Action Top of Page
A significant court case in the area of e-mail is McLaren v. Microsoft Corp. (No. 05-97-00824-CV, 1999 WL 339015 (Tex.App. - Dallas 1999, no pet.)), in which a state appeals court in Dallas ruled that an employee had no claim for invasion of privacy due to the employer's review and distribution of the employee's e-mail. The court noted that having a password does not create reasonable expectation of privacy for an employee, and that since the e-mail system belonged to the company and was there to help the employee do his job, the e-mail messages were not employee's personal property. In addition, the court observed that the employee should not have been surprised that the company would look at the e-mail messages, since he had already told the employer that some of his e-mails were relevant to a pending investigation.
Another court ruled in 2001 that an employer did not violate the federal law known as the Electronic Communications Privacy Act of 1986 (amended by the USA Patriot Act in 2001) when it retrieved an employee's e-mail sent on a company computer to a competitor company in order to encourage the competitor to go after the employer's customers (Fraser v. Nationwide Mutual Insurance Co., 135 F. Supp. 2d 623 (E.D. Pa. 2001)). The employee had sent the e-mail, the recipient at the competitor company had received it, and so the employer had not intercepted the e-mail while it was being sent, which is the only thing protected by the ECPA. On December 10, 2003, the Third Circuit Court of Appeals affirmed that part of the federal district court's judgment (352 F.3d 107).
The New Jersey Supreme Court issued a decision in March, 2010 illustrating how important the company's e-mail policy is in determining whether an employee has a reasonable expectation of privacy in e-mail communications and whether an employer steps over the line when reading or monitoring such communications. In Stengart v. Loving Care Agency, 990 A.2d 650 (New Jersey 2010), the ex-employee had used a company laptop to communicate with her attorney via a web-based e-mail system in which she had a personal, password-protected account; she did not store the password on the computer. After she left the company, the employer hired a computer forensics expert to make a mirror image of the hard drive. Inspection of the hard drive revealed the e-mails, which the company and its attorney read and used in the course of responding to the employee's lawsuit, even though they were clearly communications between the ex-employee and her attorney, and the e-mails included a standard disclaimer about unauthorized recipients being obligated to destroy the communication, not review it, and notify the sender of the error. The company had a fairly broad computer use policy, but did not define what types of e-mails might be covered, allowed "occasional" personal use of company computers without a notice that any such use would be subject to monitoring, and did not warn employees that information sent, received, or viewed on the computer is stored on the hard drive by the computer's software. Based upon the policy's ambiguity, and on the importance of upholding the principle of attorney-client privilege, the Court ruled that the company's action was an invasion of the employee's privacy and that the company's attorney could potentially be subject to discipline under rules regarding attorney conduct. For a similar case, see Pure Power Boot Camp, Inc. et al, v. Warrior Fitness Boot Camp, L.L.C., et al., 759 F.Supp.2d 417 (S.D.N.Y. 2010).
An important note here: an employer can do anything with e-mail messages sent and received on company computers, even including intercepting them during the process of transmitting or receiving, as long as it has notified employees that they have no expectation of privacy in the use of the company's computer, e-mail, and Internet systems, that all use of such systems may be monitored at any time with or without notice, and that any and all messages, files, and other information sent, relayed, or received with the company's computer, e-mail, and Internet systems are the property of the company, are stored on one or more company computers, and may be subject to company review at any time. All employees may be required to sign a policy acknowledging that they have no expectation of privacy in anything they do on work computers and authorizing the employer to monitor, view, intercept, inspect, copy, store, and further distribute any transmissions that employees send or receive using company electronic equipment or Internet access. For an example of how such a policy might be worded, see the sample policy titled "Internet, E-Mail, and Computer Usage Policy" in the "The A-Z of Personnel Policies" section of this book.
Evidence of Misconduct Top of Page
If an employee is disciplined or discharged based upon computer or Internet problems, have your company computer experts collect both digital and printed copies of whatever e-mail messages or computer files contain evidence of the violations. The evidence can then be used to defend against various kinds of administrative claims and lawsuits, such as an unemployment claim or discrimination lawsuit.
Conclusion
For business owners, technology makes things both easier and harder. Every company has to ensure that its electronic resources are used properly and not abused by employees. The more that you as an employer know about computers and the Internet, the better off, and safer, your company will be. Due to the NLRB’s position and the evolving nature of individual state privacy laws, though, an employer should definitely consult a qualified labor and employment law attorney before implementing a company policy regarding the monitoring of the company’s electronic resources.
Go to the Employer Commissioner's Page
Go to the TWC Home Page