Employee privacy and workplace abandonment

Many SMBs (small and medium-sized businesses) are not aware of the Federal Electronic Communications Privacy Act (“ECPA”). ECPA addresses the interception and monitoring of electronic communications: telephone conversations, voicemail, email, instant message chats, and other online interactions fall under ECPA’s purview. ECPA violations are punishable by fines or imprisonment of up to five years; Anyone harmed by a violation of ECPA may seek equitable relief covering damages and attorneys’ fees of up to $10,000. Since many SMBs monitor and intercept their employees’ electronic communications, understanding ECPA’s business use exceptions can reduce the risk of legal exposure to ECPA claims brought by employees.

ECPA extends federal protection over employee communication in the workplace, but this protection is limited. Presumably, employers would want to monitor electronic communications to ensure quality control and protect intellectual property, investigate incidents of wrongdoing, etc., and ECPA provides “commercial use exceptions” to allow the employer to do these things.

A couple of rules related to the interception of transmissions and monitoring of employees in the workplace:

One party consent. Interception and tracking are permitted if the sender or recipient consents before it occurs.

Ordinary course. The business use exceptions under ECPA dictate that the interception or control be carried out in the normal course of the employer’s business and that the subject matter be one in which the employer has a personal interest. Employers should be aware that if a voice conversation becomes personal, the employer may lose their exemption because they are no longer authorized to monitor such conversations.

Team restriction. Employers can monitor and bug only equipment they own and that is used in the normal course of the employer’s business.

Email. Employers have the right to monitor and access employee email communications stored on their assets (workstations and client servers). This is complicated because employers do not have the right to control or access email hosted by a third party (such as AOL or MSN), even though such communication may traverse the company network.

Suggestions for the SMB to remain in compliance with ECPA revolve around creating good management controls (policies) to govern employee expectations. Example:

1. Employees must be offered some type of notification, either through a statement, a written policy signed at the time of employment, or a recording through the telephone system.

2. Employers must introduce a policy to prohibit personal use of communication assets (telephones, cell phones, computers, private email systems, and instant messaging) that would establish acceptable use practices to restrict employee use to communications strictly commercial.

3. An acceptable use policy that prohibits the use of personal communications and storage equipment (MP3 players, digital cameras or recorders, cell phones, USB flash drives) to conduct company business.

4. A privacy policy should be designed to identify nonpublic personal information (PPI) collected about employees that defines how that PPI is used and maintained.

ECPA compliance in SMBs is more relevant today than ever: employees’ personal devices, software and protected communications constantly interact with company assets, wirelessly and effortlessly. The combination of protected communications and devices can expose a company’s assets to harm and restrict the legal forms of corrective action that can be taken to protect them.

Compliance with ECPA is generally policy-driven: As long as the employer establishes good management policies that define expectations in advance and understand what is and isn’t allowed under ECPA’s business use exceptions, then compliance is fairly straightforward. . . It starts with management’s intent to create a good acceptable use policy.