MONITORING EMPLOYEES' USE OF COMPANY COMPUTERS AND THE INTERNET

Business-related use of the Internet has grown by leaps and bounds in the last few years. At the same time, more and more employees must use computers in their work at least part, if not all, of the time. All in all, this increasing use of technology has helped fuel an unprecedented expansion of the state and national economies. However, along with the benefits, there are several risks for employers. This article will examine some of the basic issues and offer some solutions to business owners who are mindful of the risks involved. First, let's look at some of the risks of the electronic revolution.

Electronic Mail

Electronic mail, or e-mail, has become the communication medium of choice for many employees and businesses. No one doubts its time-saving qualities, but employers must consider the dangers as well:

Internet

The Internet is like a super-network connecting countless other computer networks around the world. Literally millions of computers are connected to this vast resource. Every imaginable type of information is available on the Internet if one knows where and how to search for it. As with any kind of resource, it has its good and bad sides. Not surprisingly, employers have had some problems with employees' use of the Internet:

Company Computers

Even with company computers that are not connected to the Internet, employers are finding problems with employees abusing the privilege of having computers to use at work:

Many employers wonder what they can do to protect themselves against these kinds of risks and to ensure that company computers and networks are used for their intended purposes. Fortunately, Texas and federal law are both very flexible for companies in that regard. With the right kind of policy, employers have the right to monitor employees' use of e-mail, the Internet, and company computers at work. Doing so successfully requires both a good policy and knowledge of how computers and the Internet work.

Policy Issues

Monitoring employees' use of company computers, e-mail, and the Internet involves the same basic issues as come into play with general searches at work, telephone monitoring, and video surveillance. Those basic issues revolve around letting employees know that as far as work is concerned, they have no expectation of privacy in their use of company premises, facilities, or resources, and they are subject to monitoring at all times. Naturally, reason and common sense supply some understandable limitations, such as no video cameras in employee restrooms, and no forced searches of someone's clothing or body, but beyond that, almost anything is possible in the areas of searches and monitoring. Let's turn to some specifics.

Every employer needs to have a detailed policy regarding use of company computers and resources accessed with computers, such as e-mail, Internet, and the company intranet, if one exists. Each employee must sign the policy - it can be made a condition of continued employment. The policy should cover certain things:

How to Monitor Compliance

Here is where you as an employer must know at least a few things about computers and the Internet. Naturally, you will leave many of the technical details to certain trusted computer experts on your staff, or you can contract with one of any number of private computer services companies out there. However, you should be armed with some technical knowledge so that you can make better use of the experts' time and be able to tell whether your efforts are successful.

Have your information technology department or computer person set up software monitoring capabilities. Some software can only detect which computer was used on a network, not who used it. An alternative would be to set up a "proxy server" - users have to log in with their own user names and passwords. With regard to the Internet, specific sites can be blocked by Web site addresses and keywords. Some software can analyze the hard drive of each computer on a network, thus establishing who might have unauthorized software or files on their computer.
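The difference between knowing which computer was used and knowing who used it shows up directly in a proxy server's access log. The following is an added example, not part of the original article: it reads log lines laid out like Squid's native access.log, checks each request against a blocked-site list and a keyword list, and separates hits tied to a logged-in user from hits known only by IP address. The domains, keywords, user names, and log lines are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed policy lists (placeholders, not taken from the article).
BLOCKED_DOMAINS = {"games.example", "streaming.example"}
BLOCKED_KEYWORDS = ("casino", "torrent")

# Constructed sample lines in the field order of Squid's native access.log:
# time elapsed client code/status bytes method URL user peer type
SAMPLE_LOG = """\
1700000000.101 120 10.0.0.21 TCP_MISS/200 5120 GET http://intranet.example/timesheet jdoe DIRECT/10.0.0.5 text/html
1700000004.312 340 10.0.0.21 TCP_MISS/200 88211 GET http://www.games.example/play jdoe DIRECT/203.0.113.9 text/html
1700000009.774 95 10.0.0.21 TCP_MISS/200 4410 GET http://search.example/?q=online+casino asmith DIRECT/203.0.113.20 text/html
1700000015.020 60 10.0.0.34 TCP_DENIED/407 1800 GET http://cdn.streaming.example/v.mp4 - NONE/- text/html
this line is truncated
"""

def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(url):
    """Return the policy reason a URL is flagged for, or None."""
    # CONNECT requests log only host:port, so give them an empty scheme.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""
    if host_matches(host, BLOCKED_DOMAINS):
        return "domain:" + host
    for kw in BLOCKED_KEYWORDS:
        if kw in url.lower():
            return "keyword:" + kw
    return None

def review(log_text):
    """Group flagged requests by logged-in user; keep IP-only hits separate."""
    by_user, unattributed, skipped = defaultdict(list), [], 0
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:          # malformed or truncated line
            skipped += 1
            continue
        client, url, user = f[2], f[6], f[7]
        reason = classify(url)
        if reason and user != "-":
            by_user[user].append((client, reason))
        elif reason:             # no login recorded: only the machine is known
            unattributed.append((client, reason))
    return dict(by_user), unattributed, skipped
```

In the sample, two different users trigger hits from the same computer (10.0.0.21), which an IP-only log could not tell apart, while the request from 10.0.0.34 carries no user name and can be tied only to a machine.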

Where to look for unauthorized computer and Internet activity? On PCs, look in C:\Windows\ for the following folders:

On Macintosh computers, look in the folder for the ISP (Internet Service Provider), then in the folder for the Web browser, then in either "Cache f" or the above names, depending upon what browser the employee uses. The "Apple" menu on Macs also has a "Recent" folder that shows what files the employee has worked on most recently.

With the files found in the above folders, it is possible to reconstruct an employee's entire Web surfing session.

Other places on the computer may yield clues. On PCs, look in the "Recycle Bin" - some people forget to empty that folder when they delete files. Using whatever graphics application you find on the computer, click "File" and look at the recent files in use - you may be surprised at what images the employee has viewed. On Macs, look under "Recent Documents" or double-click the "Trash" icon to see deleted files.

There are some warning signs for computer abuse:

Why Companies Should Be Concerned

Abuse of company computers, networks, and the Internet can leave a company at real risk for an employee's wrongful actions. If an employment claim or lawsuit is filed, it is standard for plaintiff's lawyers and administrative agencies to ask to inspect computer records. Deleting computer files does not completely erase the files - there are many traces left on the user's computer, and forensic computer experts can easily find such traces and use them against a company. Tools exist to make data unretrievable, but not many people are aware of such tools or of how to use them.

An employee in a large semiconductor manufacturing firm was arrested several years ago on charges relating to illicit photos of children after a coworker alerted company managers and the managers called law enforcement authorities. Upon detailed inspection, his office computer was found to have hundreds of illegal images stored on the hard drive. The company's quick action probably prevented what could have been legal problems for the employer itself. In a Central Texas county, a sheriff's department employee was fired after many sexually explicit images were found on his office computer. The department had no problem searching his computer, since it had a well-written policy regarding computer and Internet usage.

The expectation of privacy in workplace electronic systems is important even in the criminal justice context. In the case of U.S. v. Ziegler, 474 F.3d 1184 (9th Cir. 2007), en banc rehearing denied, 497 F.3d 890 (2007), the Ninth Circuit Court of Appeals found that despite an expectation of privacy in work computers (absent a clear policy to the contrary), the employer can give consent to official searches of such computers, so illegal images of children found on an employee's office computer are admissible as evidence in a criminal case. In a very similar case, U.S. v. Barrows, 481 F.3d 1246 (10th Cir. 2007), the Tenth Circuit held that the same result applies, even if the computer is the personal property of the defendant, if the defendant brought the computer to work and took no steps to shield its contents from public inspection (important facts: the defendant used the personal laptop for his work and connected it to the employer's network).

Focus on E-Mail

A good e-mail policy will let employees know that the company's e-mail system is to be used for business purposes only* and that any illegal, harassing, or other unwelcome use of e-mail can result in severe disciplinary action. Let employees know that monitoring will be done for whatever purposes. If unauthorized personal use is detected, note the incident and handle it as any other policy violation would be handled. Whatever you do, do not allow employees' personal e-mail to be circulated at random by curious or nosy employees. Such a practice could potentially lead to defamation and invasion of privacy lawsuits. Have your computer experts attach a disclaimer to all outgoing company e-mail that warns of the company's monitoring policy, lets possible unintended recipients know that confidential company information might be included, and disavows liability for individual misuse or non-official use of e-mail. Here is an example of such a disclaimer:

IMPORTANT MESSAGE

Internet communications are not secure, and therefore ABC Company does not accept legal responsibility for the contents of this message. However, ABC Company reserves the right to monitor the transmission of this message and to take corrective action against any misuse or abuse of its e-mail system or other components of its network.

The information contained in this e-mail is confidential and may be legally privileged. It is intended solely for the addressee. If you are not the intended recipient, any disclosure, copying, distribution, or any action or act of forbearance taken in reliance on it, is prohibited and may be unlawful. Any views expressed in this e-mail are those of the individual sender, except where the sender specifically states them to be the views of ABC Company or of any of its affiliates or subsidiaries.

END OF DISCLAIMER

* Important note: Under recent NLRB rulings and guidance, employees have the right to use company e-mail and other messaging systems during non-duty times to discuss with coworkers their terms and conditions of employment, and policies allowing non-business use of company systems during work hours may not prohibit discussions about unions and other issues involving employment. The sample computer, e-mail, and Internet use policy in the "The A-Z of Personnel Policies" section of this book includes a note to that effect. For the latest information on how NLRB policies may affect a company’s ability to monitor employees’ use of the company’s electronic resources, see General Counsel Memo GC 23-02, “Electronic Monitoring and Algorithmic Management of Employees Interfering with the Exercise of Section 7 Rights”, on the NLRB website at https://apps.nlrb.gov/link/document.aspx/09031d45838de7e0.

Court Action

A significant court case in the area of e-mail is McLaren v. Microsoft Corp. (No. 05-97-00824-CV, 1999 WL 339015 (Tex.App. - Dallas 1999, no pet.)), in which a state appeals court in Dallas ruled that an employee had no claim for invasion of privacy due to the employer's review and distribution of the employee's e-mail. The court noted that having a password does not create a reasonable expectation of privacy for an employee, and that since the e-mail system belonged to the company and was there to help the employee do his job, the e-mail messages were not the employee's personal property. In addition, the court observed that the employee should not have been surprised that the company would look at the e-mail messages, since he had already told the employer that some of his e-mails were relevant to a pending investigation.

Another court ruled in 2001 that an employer did not violate the federal law known as the Electronic Communications Privacy Act of 1986 (amended by the USA Patriot Act in 2001) when it retrieved an employee's e-mail sent on a company computer to a competitor company in order to encourage the competitor to go after the employer's customers (Fraser v. Nationwide Mutual Insurance Co., 135 F. Supp. 2d 623 (E.D. Pa. 2001)). The employee had sent the e-mail, the recipient at the competitor company had received it, and so the employer had not intercepted the e-mail while it was being sent, which is the only thing protected by the ECPA. On December 10, 2003, the Third Circuit Court of Appeals affirmed that part of the federal district court's judgment (352 F.3d 107).

The New Jersey Supreme Court issued a decision in March, 2010 illustrating how important the company's e-mail policy is in determining whether an employee has a reasonable expectation of privacy in e-mail communications and whether an employer steps over the line when reading or monitoring such communications. In Stengart v. Loving Care Agency, 990 A.2d 650 (New Jersey 2010), the ex-employee had used a company laptop to communicate with her attorney via a web-based e-mail system in which she had a personal, password-protected account; she did not store the password on the computer. After she left the company, the employer hired a computer forensics expert to make a mirror image of the hard drive. Inspection of the hard drive revealed the e-mails, which the company and its attorney read and used in the course of responding to the employee's lawsuit, even though they were clearly communications between the ex-employee and her attorney, and the e-mails included a standard disclaimer about unauthorized recipients being obligated to destroy the communication, not review it, and notify the sender of the error. The company had a fairly broad computer use policy, but did not define what types of e-mails might be covered, allowed "occasional" personal use of company computers without a notice that any such use would be subject to monitoring, and did not warn employees that information sent, received, or viewed on the computer is stored on the hard drive by the computer's software. Based upon the policy's ambiguity, and on the importance of upholding the principle of attorney-client privilege, the Court ruled that the company's action was an invasion of the employee's privacy and that the company's attorney could potentially be subject to discipline under rules regarding attorney conduct. For a similar case, see Pure Power Boot Camp, Inc. et al, v. Warrior Fitness Boot Camp, L.L.C., et al., 759 F.Supp.2d 417 (S.D.N.Y. 2010).

An important note here: an employer can do anything with e-mail messages sent and received on company computers, even including intercepting them during the process of transmitting or receiving, as long as it has notified employees that they have no expectation of privacy in the use of the company's computer, e-mail, and Internet systems, that all use of such systems may be monitored at any time with or without notice, and that any and all messages, files, and other information sent, relayed, or received with the company's computer, e-mail, and Internet systems are the property of the company, are stored on one or more company computers, and may be subject to company review at any time. All employees may be required to sign a policy acknowledging that they have no expectation of privacy in anything they do on work computers and authorizing the employer to monitor, view, intercept, inspect, copy, store, and further distribute any transmissions that employees send or receive using company electronic equipment or Internet access. For an example of how such a policy might be worded, see the sample policy titled "Internet, E-Mail, and Computer Usage Policy" in the "The A-Z of Personnel Policies" section of this book.

Evidence of Misconduct

If an employee is disciplined or discharged based upon computer or Internet problems, have your company computer experts collect both digital and printed copies of whatever e-mail messages or computer files contain evidence of the violations. The evidence can then be used to defend against various kinds of administrative claims and lawsuits, such as an unemployment claim or discrimination lawsuit.
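Digital copies are easier to defend later if it can be shown that they have not changed since they were collected. The following is an added example, not part of the original article: it copies files into an evidence folder, records a SHA-256 hash for each in a manifest, and can re-check the folder against that manifest at any time. The file names, folder layout, and collector label are hypothetical, and the sample message is constructed.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def collect(sources, evidence_dir, collector):
    """Copy files into evidence_dir and record their hashes in manifest.json."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))  # assumes unique names
        shutil.copy2(src, dst)  # copy2 also preserves the modification time
        digest = sha256_file(dst)
        if digest != sha256_file(src):
            raise OSError("copy of %s differs from the original" % src)
        entries.append({"file": os.path.basename(dst), "sha256": digest,
                        "bytes": os.path.getsize(dst)})
    manifest = {"collector": collector, "entries": entries,
                "collected_utc": datetime.now(timezone.utc).isoformat()}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest

def verify(evidence_dir):
    """Return the files that are missing or no longer match the manifest."""
    with open(os.path.join(evidence_dir, "manifest.json")) as fh:
        entries = json.load(fh)["entries"]
    paths = {e["file"]: os.path.join(evidence_dir, e["file"]) for e in entries}
    return [e["file"] for e in entries if not os.path.isfile(paths[e["file"]])
            or sha256_file(paths[e["file"]]) != e["sha256"]]

def demo():
    """Constructed sample: collect one saved message, then alter the copy."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "message-0001.eml")
    with open(src, "w") as fh:
        fh.write("From: a@abc.example\nSubject: constructed sample\n\nbody\n")
    ev = os.path.join(work, "evidence")
    collect([src], ev, "IT staff (placeholder)")
    intact = verify(ev)
    with open(os.path.join(ev, "message-0001.eml"), "a") as fh:
        fh.write("edited later\n")
    return intact, verify(ev)
```

Printing the manifest and filing it with the printed copies keeps a record of the hashes outside the evidence folder itself.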

Conclusion

For business owners, technology makes things both easier and harder. Every company has to ensure that its electronic resources are used properly and not abused by employees. The more that you as an employer know about computers and the Internet, the better off, and safer, your company will be. Due to the NLRB’s position and the evolving nature of individual state privacy laws, though, an employer should definitely consult a qualified labor and employment law attorney before implementing a company policy regarding the monitoring of the company’s electronic resources.
