Morrison & Foerster : Legal Updates & News : Legal Updates : U.S. Court Affirms Employer's Right to Read Employees' Email

This article previously appeared in the World Data Protection Report published by BNA International (March 2004)

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Print page

Email page

			Related Practices: Advice, Counseling and Training Discrimination and Other Employment Litigation Employment and Labor Litigation Privacy and Data Security

U.S. Court Affirms Employer's Right to Read Employees' Email

August 2004

U.S. law gives employees few protections against employer surveillance of their workplace communications. Even without express employee consent, U.S. employers generally may listen to workplace telephone conversations, read messages sent to and from corporate email accounts, and record and disclose the contents of employee communications. Employees that bring legal challenges to these practices rarely succeed in U.S. courts. The recent decision of the U.S. Third Circuit Court of Appeals in Fraser v. Nationwide Mutual Insurance Company, which upholds an employer's reading of an employee's electronic mail email ("email") messages, typifies the obstacles that complaining employees face under U.S. law. [fn1]

Background of the Fraser Decision: The Electronic Communications Privacy Act ("ECPA")

In the United States, monitoring of employee communications is governed primarily by the Electronic Communications Privacy Act of 1986 ("ECPA"). [fn2] The ECPA is divided broadly into restrictions on two kinds of activity: (1) interceptions, which are acquisitions of communications in real time (e.g., while the parties to a conversation are speaking or while an email is in process of transmission); and (2) unauthorized access to communications after they have been placed in electronic storage. [fn3] Taken together, these prohibitions apply to most kinds of electronic surveillance, including listening to and recording wireline and wireless telephone calls, reading email, and use of hidden microphones to eavesdrop on oral conversations. [fn4] Both governmental and private parties are subject to ECPA restrictions.

Unlike the counterpart regulations in many European jurisdictions, the ECPA is not comprehensive. A careful reading of the ECPA, including the definitions of key terms and the statute's numerous exceptions, discloses ample scope for monitoring and recording of communications. A complete discussion of the gaps in the statute's coverage is beyond the scope of this article, but those statutory provisions with particular value to employers are worth noting.

Activities that Are not Classified as Interceptions

When an employer is accused of violating an employee's rights under the ECPA, the employer's legal position is improved if the challenged action can be classified as access to a stored communication rather than an interception. The ECPA's prohibitions against interceptions, which involve the acquisition of the contents of a communication with the aid of an electronic, mechanical or other device, are more stringent than the prohibitions against unlawful access to stored communications. [fn5] For example, as we discuss further below, courts have found that an employer that provides a communication service to its employees may read those communications, when in storage on the employer's system, for any purpose. Real-time interceptions of employee communications, however, may be unlawful unless they come within specific statutory exceptions.

The distinction between real-time interception of a communication, and access to that same communication in storage, is complicated by the technology of electronic communications in the digital era. Email systems, in particular, combine transmission and storage functions in ways that might not have been fully anticipated when the ECPA was written, and plaintiffs have tried to persuade the courts that intermediate or temporary storage of an email by the service provider should not convert the acquisition of that message from an interception to a mere acquisition of a stored communication.

An early example of this issue was the case of Steve Jackson Games, Inc. v. United States Secret Service ("Steve Jackson Games"). [fn6] In that case, the U.S. Secret Service had seized, pursuant to a search warrant, a Steve Jackson Games server that contained 162 email messages that had not been opened by their intended recipients. Among other claims, Steve Jackson Games alleged that the emails, although stored in the server, had been intercepted for purposes of the ECPA because the government had acquired the emails prior to delivery and prevented their delivery. [fn7] The district court rejected this argument on the ground that under the ECPA, an act of interception must be "simultaneous with the [communication's] transmission." [fn8] On appeal, the Court of Appeals also rejected the plaintiff's interception claim, but on the ground that the definition of "electronic communication" in the ECPA unlike that statute's definition of "wire communication" did not include an electronic communication while in electronic storage. Accordingly, by definition, acquisition of an electronic communication while in electronic storage could not be an interception of that communication. [fn9]

Subsequent decisions have confirmed the difficulty of challenging the seizure of a stored communication as an interception. Notably, in Konop v. Hawaiian Airlines, Inc., the U.S. Court of Appeals for the Ninth Circuit reviewed the case of Konop, an airline pilot who "maintained a website where he posted bulletins critical of his employer, its officers and the incumbent union . . . ." [fn10] An officer of Konop's employer, using other employees' names, gained access to the website and read Konop's critical postings. Among other claims, Konop alleged that his employer's activity violated the ECPA interception and access-to-stored communications provisions. The district court granted summary judgment for the employer on both claims, and Konop appealed.

On the interception claim, the Court of Appeals, following the rationale of Steve Jackson Games, concluded that "for a website such as Konop's to be 'intercepted' in violation of the [ECPA], it must be acquired during transmission, not while it is in electronic storage." [fn11] Accordingly, the Court of Appeals upheld the district court's grant of summary judgment for the employer on that claim. [fn12]

Not all employer efforts to monitor employees' communications, however, will fall outside the "interception" category. Where an employer listens in on or records an employee's telephone conversation, or otherwise acquires the contents of an employee communication that has not been placed in electronic storage, those actions will be characterized as interceptions under the ECPA. Even where an employer's actions fall within the "interception" category, however, certain exceptions to liability may be available to the employer. The principal such exceptions are discussed below.

Permitted Interceptions: the Business Extension Exception

One important gap in the ECPA's interception restrictions is known popularly as the "business extension" exception. Specifically, a call is not intercepted for purposes of the ECPA if the device by which the contents of a conversation are acquired is a "telephone instrument or facility, or any component thereof . . . furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business." [fn13] This language is generally interpreted to mean that an employer acting in the ordinary course of its business, and using an extension telephone or other device provided by the telephone company or other communications service provider, may listen to and perhaps even record employee conversations that take place on the employer's business premises.

However, the business extension exception is not absolute. Notably, not every recording or interception device an employer might use will qualify as a permitted "telephone instrument or facility" under the business extension exception. As a general rule, employers are more likely to qualify for the exception if they monitor employee communications by means of extension telephones or other equipment normally provided by telephone companies, rather than specialized surveillance and recording equipment. [fn14] Also, employers relying on the business extension exception must demonstrate that their use of interception or recording equipment was "in the ordinary course of business." [fn15] In interpreting this language, the courts distinguish employees' business calls, which may be extensively monitored if necessary to serve the employer's business purpose, and personal calls, which ordinarily may be monitored only to the extent necessary to ascertain that those calls are, in fact, personal. [fn16]

Permitted Interceptions: the "One Party Consent" Exception

Unlike the statutes of some of the states, the ECPA permits a communication to be intercepted so long as "one of the parties to the communication has given prior consent to such interception." [fn17] Accordingly, under federal law, an employee's consent to the employer's interception of a communication, even where the consent of the other party to that communication is lacking, may immunize the employer from liability. [fn18]

In order to take advantage of an employee's consent to interception of his or her communications, however, the employer should make the employee's consent to interception an express condition of employment, and should state that policy clearly in employee handbooks and other corporate communications as appropriate. Courts have denied employer claims of employee consent where the policy had been not been stated with sufficient clarity. [fn19]

Permitted Interceptions: Protection of the Employer's Rights or Property

Interceptions of employee communications also are permitted where the employer is the "provider of a wire or electronic communication service" over which the communications are transmitted, and interception is "a necessary incident to the rendition of [the] service or to the protection of the rights or property" of the employer. [fn20] This exception is especially useful where an employee is suspected of communicating trade secrets or other proprietary information of the employers, or is engaging in other activities that harm the employer's business interests. [fn21] Where those circumstances apply, an interception may be permitted even where the business telephone or one-party consent exceptions are unavailable.

Employer Access to Stored Employee Communications

As noted earlier, the ECPA provisions concerning access to stored communications are more lenient, as applied to employers that provide communications capabilities to their employees, than the interception provisions. Specifically, those provisions expressly do not apply to "conduct authorized . . . by the person or entity providing a wire or electronic communications service." [fn22] To the extent employee communications are stored on the employer's server, therefore, the employer may read those communications regardless of whether they were acquired through use of a business extension, or whether any party to the original communication consented to such access, or whether such access is necessary in order to provide the service or protect the employer's rights or property.

The Fraser Decision

The most recent appellate decision concerning employer access to employee communications involves Richard Fraser, an independent insurance agent for Nationwide Mutual Insurance Company ("Nationwide") until he was fired in September 1998 for disloyalty. About a month before his termination, the company learned that Fraser had drafted letters to two competing companies expressing dissatisfaction with Nationwide and seeking to determine whether the competitors would be interested in acquiring certain of his policyholders. After learning about these letters, Nationwide became concerned that Fraser might be revealing company secrets to its competitors. In an effort to determine whether Fraser had actually sent letters to any of its competitors, Nationwide searched its main file server for any emails to or from Fraser that showed improper behavior. The email search confirmed Fraser's disloyalty, and his contract with the company was terminated.

Unwilling to accept his termination, Fraser brought suit against Nationwide alleging various claims, including violation of his privacy rights under the ECPA and a parallel state statute. Fraser claimed that the company's actions in accessing his email without his permission violated the interception provisions of ECPA Title I. He also claimed that the company's search of his email violated Title II of the ECPA, which creates liability for accessing, without authorization, electronic communications in electronic storage. The district court disagreed, and granted summary judgment in favor of Nationwide. Fraser appealed.

Fraser Court Finds No "Interception" of Employee's Email

The primary issue in Fraser's Title I claim was whether Nationwide had "intercepted" an electronic communication when it accessed Fraser's email in storage. The district court had found that the company's actions did not constitute an unlawful "interception," but reached that conclusion under a questionable interpretation of the law that would, if accepted by other courts, have limited the ability of employers to argue that certain acquisitions of stored email are not interceptions. Specifically, the district court relied on its own interpretation of the ECPA definition of "electronic storage," which includes any "temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof" and "any storage of such communication . . . for purpose of backup protection of such communication." [fn23] In the district court's view, the definition's reference to "temporary, intermediate" storage must mean storage of a message before it has been retrieved by the addressee, and the reference to "backup protection" must mean temporary storage that "protects the communication in the event the system crashes before transmission is complete." [fn24] Accordingly, in the district court's view, both forms of electronic storage refer only to storage of a message during transmission, and cannot refer to post-transmission storage. This gloss on the statutory definition of "electronic storage" determined the district court's view of Fraser's ECPA claims.

On the Title I interception claim, the district court opined that interceptions can occur only during transmission and not when a communication is in post-transmission storage. Because the employer acquired Konop's email "after the email had already been received by the recipient," the email had not been acquired from intermediate or back-up storage, but merely from post-transmission storage, and therefore had not been intercepted in the course of transmission as required for a Title I violation. [fn25]

Although the district court ruled for the employer on the interception issue, the court's rationale had a downside for employers in future cases. According to the district court's narrow definition of "electronic storage," had Konop's employer retrieved the email after it was sent, but before the intended recipient had opened it, the employer would have "intercepted" an electronic communication. On this rationale, employers would be protected from interception claims only when they retrieved employees' emails from intermediate or back-up storage, rather than post-transmission storage as defined by the district court.

On appeal, the Third Circuit affirmed that there was no interception, but did so without endorsing the district court's idiosyncratic reading of "electronic storage." Adopting the reasoning of Steve Jackson Games, the Third Circuit agreed that an "intercept" under the ECPA cannot be accomplished by acquisition of messages in electronic storage. Because the company did not monitor the messages in real time as they were transmitted, the Third Circuit found here, as the Fifth Circuit had found in Steve Jackson Games, that Nationwide did not "intercept" Fraser's emails. Accordingly, Nationwide's search did not violate Title I of the ECPA.

Fraser Finds No Violation of ECPA Title II

Fraser also alleged that Nationwide violated Title II of the ECPA when it retrieved, without authorization, Fraser's email from electronic storage on the company's server. The district court rejected this argument, relying again upon the fact that the email in question was obtained from post-transmission storage. According to the district court, because the email in question was neither in "temporary, intermediate storage" nor in "backup" storage, it was not unlawfully acquired from electronic storage for purposes of Title II of the ECPA.

On appeal, the Third Circuit expressed appropriate skepticism about the district court's reading of the "electronic storage" definition, then affirmed the district court's decision on different grounds. Specifically, the court relied on the holding in Bohach v. City of Reno [fn26] to find that Nationwide's search of Fraser's email fell within the service provider exception to Title II. Under this exception, a provider of an electronic communications service may access communications in electronic storage on its system without violating the ECPA. As noted earlier, in Bohach, the court held that the Reno police department could retrieve pager text messages stored on the police department's computer system because the department is the provider of the service and "service providers [may] do as they wish when it comes to accessing communications in electronic storage." [fn27] Because Fraser's emails were stored on a system administered by Nationwide, the Third Circuit held that the company's search likewise fell within the provider exception. [fn28] Accordingly, Nationwide's search did not violate Title II of the ECPA.

Conclusion

The Fraser decision demonstrates the continuing disadvantages faced by U.S. employees who challenge their employers' workplace surveillance practices. Against this background, the best advice an American attorney can give an employee client is to assume that none of his or her workplace communications is private.

Footnotes

1: Fraser v. Nationwide Mutural Insurance Company, 352 F.3d 107 (3d Cir. 2003).

2: 18 U.S.C. § 2510 et seq. In addition to the ECPA, monitoring of employee emails is also governed by the electronic surveillance laws in each of the individual states in which the employer does business, or with which employees are likely to have online contact. In assessing their rights to engage in, or challenge, any particular surveillance activity under U.S. law, employers and employees should consult applicable state privacy laws, including state wiretap/eavesdropping statutes and common-law causes of action such as invasion of privacy. Detailed discussion of these state law theories is beyond the scope of this article.

3: The interception and access-to-stored-communications restrictions often are referred to, respectively, as Title I and Title II of the ECPA.

4: The ECPA applies to wire, oral and electronic communications, and the statute defines each of these categories in highly technical terms. At the risk of some over-simplification, wire communications contain the human voice, in analog or digital form, and may be carried over wireline or wireless facilities. 18 U.S.C. § 2510(1). Oral communications generally are ordinary, acoustically-transmitted human conversations that occur under conditions disclosing a reasonable expectation that those conversations will not be intercepted. Id. § 2510(2). Electronic communications may be wireline or wireless and include, but are not limited to, email and other online communications. Id. sec. 2510(12).

5: "Intercept" for purposes of the ECPA is "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." Id. sec. 2510(4).

6: Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994).

7: Id., 36 F.3d at 460.

8: Id.

9: The USA PATRIOT ACT, enacted several years after the Steve Jackson Games decision, erased this distinction between wire and electronic communications by amending the definition of "wire communication" to exclude such communications in electronic storage. Pub. L. No. 107-56, 115 Stat. 272, sec. 209 (2001).

10: Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002), cert. denied, 2003 U.S. LEXIS 1186 (Feb. 24, 2003).

11: Id., 302 F.2d at 878.

12: See also United States v. Steiger, 318 F.3d 1039, 1048-49 (11th Cir. 2003); Wesley College v. Pitts, 974 F. Supp. 375 (D. Del. 1997), summarily aff'd, 172 F.3d 861 (3d Cir. 1998).

13: Id. sec. 2510(5)(a).

14: In Williams v. Poulos, for example, the First Circuit Court of Appeals found that alligator clips placed on a telephone line on the employer's premises were not devices of the kind contemplated by the business extension exception. Williams v. Poulos, 11 F.3d 271 (1st Cir. 1993). Similarly, in Deal v. Spears, the Eighth Circuit Court of Appeals found that a recording device connected to the employer's extension telephone did not qualify for the exception. Deal v. Spears, 980 F.2d 1153, 1158 (8th Cir. 1992). However, in Epps v. St. Mary's Hospital of Athens, Inc., the Eleventh Circuit Court of Appeals held that an employer's use of a double-reeled tape recorder, attached to an ambulance dispatch console on which emergency telephone calls were terminated, qualified under the exception. Epps v. St. Mary's Hospital of Athens, Inc., 802 F.2d 412 (11th Cir. 1986).

15: 18 U.S.C. sec. 2510(5)(a).

16: Watkins v. L.M. Berry & Co., 704 F.2d 577, 581 (11th Cir. 1983). In Ali v. Douglas Cable Communications, for example, the court found that an employer that listened in extensively on its sales representatives' business conversations in order to "monitor [representatives] in the use of proper skills and to assist the [representatives] with difficult customers" acted in the ordinary course of business within the exception. Ali v. Douglas Cable Communications, 929 F.Supp. 1362, 1373 (D. Kan. 1996). In Deal v. Spears, however, the court found that an employer's interest in preventing use of its telephones for personal calls might justify limited monitoring, but did not support "recording twenty-two hours of calls" and listening to all of them. Deal v. Spears, supra, 980 F.2d at 1158. Similarly, in United States v. Harpel, the court found "as a matter of law that a telephone extension used without authorization or consent to surreptitiously record a private conversation is not used in the ordinary course of business." United States v. Harpel, 493 F.2d 346, 351 (10th Cir. 1974).

17: 18 U.S.C. sec. 2511(2)(d).

18: This exception, where available, has obvious advantages over the business extension exception. Notably, where the employee's consent to interception has been obtained, the employer need not prove that the device it used to make the interception was of the kind ordinarily provided by the telephone company. Also, the one party consent exception does not require proof that the interception was in the ordinary course of the employer's business.

19: One court, for example, rejected an employer's consent defense on the ground that the employee was not "informed (1) of the manner - i.e., the intercepting and recording of telephone conversations - in which this monitoring was conducted; and (2) that he himself would be subjected to such monitoring." Williams v. Poulos, supra, 11 F.3d at 281. Similarly, a court rejected a defense based upon consent when the employee was not informed "that [the employer was] monitoring the phone, but only the [the employer] might do so . . ." Deal v. Spears, supra, 980 F.3d 1153, 1157 (8th Cir. 1992)(emphasis added).

20: 18 U.S.C. sec. 2511(2)(a)(i).

21: See United States. v. Mullins, 992 F.2d 1472 (9th Cir. 1993), cert. denied, 510 U.S. 1994; United States v. McLaren, 957 F. Supp. 215 (M.D. Fla. 1997); United States v. Christman, 375 F. Supp. 1354 (N.D. Cal. 1974).

22: 18 U.S.C. sec. 2701(c)(1). See Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996), in which the court found that the plaintiffs' employer, the City of Reno, Nevada, was the "provider" of an electronic communications service used by the employees. Accordingly, both the City and its employees were permitted to "do as they wish[ed] when it [came] to accessing communications in electronic storage" on that service. Id.,932 F. Supp. at 1236.

23: 18 U.S.C. sec. 2510(17).

24: Fraser v. Nationwide Mutual Insurance Company, 135 F. Supp. 2d 623, 636 (E.D. Pa. 2001).

25: Id., 135 F. Supp. 2d at 635 (E.D. Pa. 2001). The district court's reasoning is contrary to the rationale of Steve Jackson Games and other decisions that hold that there can be no interception of an electronic communication in electronic storage because electronic communications, by definition, do not include such communications in electronic storage.

26: Bohach v. City of Reno, supra, 932 F. Supp. at 1236-1237.

27: Id. at 1236.

28: But see Fischer v. Mt. Olive Lutheran Church, Inc., 207 F. Supp. 2d 914, 924-926 (W.D. Wis. 2002) (holding that plaintiff's Hotmail email was protected by Title II of the ECPA because it was in "electronic storage" on a third-party, web-based server).